Network Security & Threats

Audit network configurations, enforce policies, and detect threats across your fleet.

Network Security

Network security audits let you enforce network configuration standards across your fleet — ensuring devices use approved DNS servers, maintain VPN connections, and don't have unauthorized network interfaces.

Network Policy

Define your organisation's network policy with three rule types:

Approved DNS Servers

Specify which DNS servers your devices should be using. Devices using other DNS servers will be flagged as non-compliant. Useful for ensuring all traffic flows through your managed DNS (e.g., for content filtering or security logging).

Required VPN

Define VPN interface name patterns that should be present on devices. Devices without a matching VPN connection will be flagged. Useful for remote work policies that require VPN connectivity.

Approved Interfaces

Control which network interfaces are allowed. You can run in allowlist mode (only these interfaces are permitted) or blocklist mode (these interfaces are not allowed). Useful for detecting unauthorized network adapters, rogue Wi-Fi connections, or USB tethering.

Network Audit Results

For each device, the network audit shows:

  • DNS compliance — Whether the device's DNS servers match your approved list
  • VPN status — Whether a required VPN connection is present
  • Rogue interfaces — Any network interfaces that violate your policy
  • DNS servers currently in use
  • VPN interfaces detected
  • Flagged interfaces with reasons
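The three rule types above and the per-device audit fields they produce can be expressed as one policy-evaluation routine. The following is an added illustration written for this page, not Kudu Cloud's own agent or dashboard code: the snapshot and policy structures, the use of glob patterns for VPN and interface names, and the decision to count a VPN as present only when its interface is up are all assumptions of the example. It also folds in the fleet-wide DNS distribution and compliance rate described under Fleet Network Overview.

```python
import fnmatch
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    up: bool
    ip: Optional[str] = None


@dataclass
class DeviceNetwork:
    hostname: str
    dns_servers: list
    interfaces: list


@dataclass
class NetworkPolicy:
    approved_dns: set            # Approved DNS Servers rule
    required_vpn_patterns: list  # Required VPN rule: glob patterns such as "tun*", "wg*" (assumption)
    interface_patterns: list     # Approved Interfaces rule, read according to interface_mode
    interface_mode: str = "allowlist"  # "allowlist" or "blocklist"


def _matches_any(name, patterns):
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def audit_device(device, policy):
    """Produce the per-device audit result: DNS compliance, VPN status and rogue
    interfaces, together with the raw data behind each verdict."""
    unapproved_dns = [s for s in device.dns_servers if s not in policy.approved_dns]
    dns_compliant = not unapproved_dns

    vpn_ifaces = [i.name for i in device.interfaces
                  if _matches_any(i.name, policy.required_vpn_patterns)]
    # Assumption: a VPN interface that exists but is down does not satisfy the rule.
    vpn_present = any(i.up for i in device.interfaces if i.name in vpn_ifaces)

    flagged = []
    for iface in device.interfaces:
        hit = _matches_any(iface.name, policy.interface_patterns)
        if policy.interface_mode == "allowlist" and not hit:
            flagged.append((iface.name, "not in allowlist"))
        elif policy.interface_mode == "blocklist" and hit:
            flagged.append((iface.name, "matches blocklist"))

    return {
        "hostname": device.hostname,
        "dns_compliant": dns_compliant,
        "unapproved_dns": unapproved_dns,
        "dns_servers": list(device.dns_servers),
        "vpn_present": vpn_present,
        "vpn_interfaces": vpn_ifaces,
        "rogue_interfaces": flagged,
    }


def fleet_overview(results):
    """Aggregate per-device results into the fleet-wide view: DNS server
    distribution, DNS compliance rate and VPN connection rate."""
    dns_dist = Counter(s for r in results for s in r["dns_servers"])
    n = len(results) or 1
    return {
        "dns_distribution": dict(dns_dist),
        "dns_compliance_rate": sum(r["dns_compliant"] for r in results) / n,
        "vpn_rate": sum(r["vpn_present"] for r in results) / n,
        "rogue_interface_summary": dict(Counter(
            name for r in results for name, _ in r["rogue_interfaces"])),
    }


# Constructed sample data for the example.
SAMPLE_POLICY = NetworkPolicy(
    approved_dns={"10.0.0.53", "10.0.0.54"},
    required_vpn_patterns=["tun*", "wg*"],
    interface_patterns=["lo", "eth*", "tun*", "wg*"],
    interface_mode="allowlist",
)
SAMPLE_DEVICE = DeviceNetwork(
    hostname="laptop-01",
    dns_servers=["10.0.0.53", "8.8.8.8"],
    interfaces=[Interface("lo", True, "127.0.0.1"), Interface("eth0", True, "10.0.0.5"),
                Interface("tun0", True, "10.8.0.2"), Interface("wlan0", True, "192.168.1.7")],
)

if __name__ == "__main__":
    result = audit_device(SAMPLE_DEVICE, SAMPLE_POLICY)
    print(result)
    print(fleet_overview([result]))
```

In the sample the device fails DNS compliance because of the public resolver, passes the VPN check via tun0, and has wlan0 flagged because allowlist mode permits only the named patterns.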

Fleet Network Overview

The fleet-wide view aggregates network data across all devices:

  • DNS server distribution — which DNS servers are being used and how many devices use each
  • DNS compliance rate
  • VPN connection rate and VPN types in use
  • Rogue interface summary — which unapproved interfaces appear and on how many devices

Network Change Detection

When a device's network configuration changes, Kudu Cloud detects the difference and can fire alerts for:

  • Interfaces appearing, disappearing, going up or down, or changing IP
  • DNS servers being added or removed
  • Default gateway changes

This gives you visibility into network configuration drift across your fleet.
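Change detection of this kind is a diff between two successive configuration snapshots. The example below is added for illustration and is not Kudu Cloud's implementation; the snapshot layout, the event names and the sample before/after data are constructed for the example.

```python
def diff_snapshots(old, new):
    """Compare two network snapshots and return the change events the page lists:
    interfaces appearing, disappearing, going up/down or changing IP, DNS servers
    added or removed, and default gateway changes. Order is deterministic."""
    events = []
    old_if = {i["name"]: i for i in old["interfaces"]}
    new_if = {i["name"]: i for i in new["interfaces"]}

    for name in sorted(new_if.keys() - old_if.keys()):
        events.append(("interface_appeared", name))
    for name in sorted(old_if.keys() - new_if.keys()):
        events.append(("interface_disappeared", name))
    for name in sorted(old_if.keys() & new_if.keys()):
        before, after = old_if[name], new_if[name]
        if before["up"] != after["up"]:
            events.append(("interface_up" if after["up"] else "interface_down", name))
        if before.get("ip") != after.get("ip"):
            events.append(("interface_ip_changed", name, before.get("ip"), after.get("ip")))

    for server in sorted(set(new["dns"]) - set(old["dns"])):
        events.append(("dns_added", server))
    for server in sorted(set(old["dns"]) - set(new["dns"])):
        events.append(("dns_removed", server))

    if old.get("gateway") != new.get("gateway"):
        events.append(("gateway_changed", old.get("gateway"), new.get("gateway")))
    return events


# Constructed sample snapshots: the device picked up a new interface, a new
# resolver and a new default gateway between two check-ins.
BEFORE = {
    "interfaces": [{"name": "eth0", "up": True, "ip": "10.0.0.5"},
                   {"name": "wlan0", "up": False, "ip": None}],
    "dns": ["10.0.0.53"],
    "gateway": "10.0.0.1",
}
AFTER = {
    "interfaces": [{"name": "eth0", "up": True, "ip": "10.0.0.9"},
                   {"name": "wlan0", "up": True, "ip": "192.168.1.7"},
                   {"name": "usb0", "up": True, "ip": "192.168.43.12"}],
    "dns": ["10.0.0.53", "8.8.8.8"],
    "gateway": "192.168.43.1",
}

if __name__ == "__main__":
    for event in diff_snapshots(BEFORE, AFTER):
        print(event)
```

Feeding the events into the policy audit is what turns drift into a finding: a new interface and a gateway move together are exactly the pattern the Approved Interfaces rule exists to catch.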


Threat Monitoring

Kudu Cloud provides threat intelligence distribution and real-time network threat detection.

How It Works

  1. Kudu Cloud compiles a threat blacklist daily from multiple public threat intelligence feeds
  2. The blacklist is distributed to all connected devices automatically
  3. Agents monitor network connections and DNS queries in real time, matching against the blacklist
  4. Matches are reported back to the dashboard as threat events

Threat Categories

Threats are categorized by type:

Category                Description
Botnet C2               Command-and-control servers for botnets
Ransomware              Known ransomware infrastructure
Malware                 Malware distribution and communication
Crime Infrastructure    Infrastructure used for cybercrime
Phishing                Phishing domains and servers
Attacks                 Active attack infrastructure
Compromised             Known compromised hosts

Threat Events

Each threat event captures:

  • Whether it was a network connection or DNS query
  • The remote address, port, and process involved
  • The domain (for DNS events)
  • Which blacklist rule matched
  • The threat category
  • When it was detected

Fleet Threat Overview

The threat dashboard shows:

  • Total threat events in the last 24 hours
  • Number of affected devices
  • Breakdown by match type (IP, domain, CIDR range)
  • Breakdown by threat category
  • Most frequently matched rules
  • Per-device threat counts

Threat Alerts

Active threat detections trigger alerts automatically. Critical threats like botnets, ransomware, and malware generate higher-severity alerts than informational categories. Threats also impact the device's health score.
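The matching step of How It Works, the fields of a threat event, the match-type and category breakdowns of the fleet overview, and the severity split described just above can all be shown with one small matcher. This is an added example, not the agent's code: the blacklist rule format, the event dictionaries, the choice to match a DNS query against a listed domain and its parent labels, and the two severity levels are assumptions made for the example. All addresses and domains are constructed sample values from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed blacklist: (kind, value, category). The format is an assumption.
BLACKLIST_RULES = [
    ("ip", "203.0.113.10", "Botnet C2"),
    ("cidr", "198.51.100.0/24", "Attacks"),
    ("domain", "evil.example", "Phishing"),
    ("domain", "update.bad.example", "Malware"),
]

# Assumption: these categories produce higher-severity alerts than the rest.
CRITICAL_CATEGORIES = {"Botnet C2", "Ransomware", "Malware"}


class Blacklist:
    """Index rules by kind so each lookup is cheap: exact IPs in a dict, CIDR
    ranges in a list of networks, domains in a dict keyed by lowercase name."""

    def __init__(self, rules):
        self.ips, self.nets, self.domains = {}, [], {}
        for kind, value, category in rules:
            if kind == "ip":
                self.ips[value] = (value, category)
            elif kind == "cidr":
                self.nets.append((ipaddress.ip_network(value), value, category))
            elif kind == "domain":
                self.domains[value.lower()] = (value, category)

    def match_ip(self, addr):
        if addr in self.ips:
            return ("ip",) + self.ips[addr]
        parsed = ipaddress.ip_address(addr)
        for net, rule, category in self.nets:
            if parsed in net:
                return ("cidr", rule, category)
        return None

    def match_domain(self, domain):
        # Check the queried name and every parent label, so a subdomain of a
        # listed domain is also a hit (assumption about desired behaviour).
        labels = domain.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return ("domain",) + self.domains[candidate]
        return None


def detect(events, blacklist):
    """Turn raw agent observations (connections and DNS queries) into threat
    events carrying the fields listed under Threat Events."""
    threats = []
    for ev in events:
        if ev["kind"] == "connection":
            hit = blacklist.match_ip(ev["remote"])
        else:
            hit = blacklist.match_domain(ev["domain"])
        if hit is None:
            continue
        match_type, rule, category = hit
        threats.append({
            "device": ev["device"], "kind": ev["kind"], "ts": ev["ts"],
            "remote": ev.get("remote"), "port": ev.get("port"),
            "domain": ev.get("domain"), "process": ev["process"],
            "match_type": match_type, "rule": rule, "category": category,
            "severity": "critical" if category in CRITICAL_CATEGORIES else "info",
        })
    return threats


def overview(threats):
    """Fleet threat overview: totals and the breakdowns the dashboard shows."""
    return {
        "total": len(threats),
        "affected_devices": len({t["device"] for t in threats}),
        "by_match_type": dict(Counter(t["match_type"] for t in threats)),
        "by_category": dict(Counter(t["category"] for t in threats)),
        "top_rules": Counter(t["rule"] for t in threats).most_common(3),
        "per_device": dict(Counter(t["device"] for t in threats)),
    }


# Constructed sample observations from three devices.
SAMPLE_EVENTS = [
    {"kind": "connection", "device": "pc-01", "remote": "203.0.113.10", "port": 443,
     "process": "svchost.exe", "ts": "2024-01-01T10:00:00Z"},
    {"kind": "connection", "device": "pc-02", "remote": "198.51.100.77", "port": 22,
     "process": "ssh", "ts": "2024-01-01T10:01:00Z"},
    {"kind": "dns", "device": "pc-01", "domain": "login.evil.example",
     "process": "chrome", "ts": "2024-01-01T10:02:00Z"},
    {"kind": "connection", "device": "pc-03", "remote": "192.0.2.5", "port": 443,
     "process": "curl", "ts": "2024-01-01T10:03:00Z"},
    {"kind": "dns", "device": "pc-03", "domain": "example.org",
     "process": "chrome", "ts": "2024-01-01T10:04:00Z"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, Blacklist(BLACKLIST_RULES))
    print(overview(found))
```

Two of the five observations are benign and produce nothing; the other three show one hit of each match type, and only the Botnet C2 connection is raised at the higher severity.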

Blacklist Updates

  • The blacklist is recompiled daily at 04:00 from public feeds
  • When a device comes online, the system checks if its blacklist is outdated
  • If it is, an update command is sent automatically
  • Agents support ETag-based caching so they only download when the blacklist has actually changed
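The outdated check and the ETag-based download can be modelled end to end. The example below is added for this page and is not Kudu Cloud's agent or server code: it stands in for the HTTP exchange with plain function calls so it runs offline, derives the ETag from a hash of the compiled blacklist body, and uses a constructed rule set. The behaviour shown is the standard conditional-request pattern, where the client sends If-None-Match and receives 304 Not Modified when nothing changed.

```python
import hashlib
import json


class BlacklistServer:
    """Stand-in for the cloud side: holds the currently compiled blacklist
    and the ETag that identifies this exact version of it."""

    def __init__(self, rules):
        self.publish(rules)

    def publish(self, rules):
        # Recompilation (daily in the real system) yields a new body and ETag.
        self.body = json.dumps(sorted(rules)).encode()
        self.etag = '"' + hashlib.sha256(self.body).hexdigest()[:16] + '"'

    def get(self, if_none_match=None):
        """Simulated GET: 304 with no body when the client's ETag is current,
        otherwise 200 with the full blacklist and its ETag."""
        if if_none_match == self.etag:
            return 304, {"ETag": self.etag}, b""
        return 200, {"ETag": self.etag}, self.body


class Agent:
    """Stand-in for the device agent's blacklist cache."""

    def __init__(self):
        self.rules = None
        self.etag = None

    def refresh(self, server):
        """Return True if a new blacklist was downloaded, False if the cached
        copy was still current and only headers were exchanged."""
        status, headers, body = server.get(if_none_match=self.etag)
        if status == 304:
            return False
        self.rules = json.loads(body)
        self.etag = headers["ETag"]
        return True


def is_outdated(agent, server):
    """The check performed when a device comes online: compare the agent's
    ETag with the currently published one. A missing ETag is outdated."""
    return agent.etag != server.etag


# Constructed sample rule sets: the second represents the next daily compile.
RULES_DAY1 = [["ip", "203.0.113.10", "Botnet C2"], ["domain", "evil.example", "Phishing"]]
RULES_DAY2 = RULES_DAY1 + [["cidr", "198.51.100.0/24", "Attacks"]]

if __name__ == "__main__":
    server = BlacklistServer(RULES_DAY1)
    agent = Agent()
    print("first refresh downloaded:", agent.refresh(server))
    print("second refresh downloaded:", agent.refresh(server))
    server.publish(RULES_DAY2)
    print("outdated after recompile:", is_outdated(agent, server))
    print("third refresh downloaded:", agent.refresh(server))
```

The first refresh downloads the blacklist, the second is answered with 304 and no body, and after the server recompiles the agent's ETag no longer matches, so the next refresh fetches the new version.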