Arc overview

Arc is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.


When detecting cyberthreats, identifying vulnerabilities, or analyzing anomalies in your processes, it is critical to have as much detailed network and system information as possible. More accurate and timely access to data leads to better diagnostics and a faster time to repair.

Arc gives you enhanced endpoint data collection and asset visibility for your networks. This enhanced visibility gives you more:
  • Vulnerability assessment capabilities
  • Endpoint protection
  • Traffic analysis capabilities
  • Accurate diagnostics of in-progress threats and anomalies
Arc lets you easily identify compromised hosts that have:
Arc sensors are endpoint executables that run on hosts on these operating systems:
  • Microsoft Windows
  • Linux
  • Apple macOS
The data that is collected can be sent to either Guardian or Vantage.

Use cases and deployment scenarios

Arc lets you:

  • Incorporate air-gapped devices into the analysis and reporting system
  • Gain deeper intelligence or insight on critical endpoint devices
  • Continuously monitor endpoints
  • Automatically deploy sensors across thousands of devices
  • Use a low-impact process to scan air-gapped networks
  • Deploy with mobile device management (MDM) solutions

Continuous monitoring

Because the Arc sensor is on the host, it can monitor traffic continuously, even when the device is not sending or receiving traffic.

User-specific activity monitoring

With more access to endpoint data, Arc lets you connect network traffic and anomalies with specific users. This helps to identify potential insider threats and makes corrective actions both easier and quicker.

Sigma rules

Sigma is a common open-source standard that lets you analyze log files to identify malicious events. They are not necessarily related to network artifacts, and as such, would not be detected without residing on a machine. Nozomi Networks Labs curates all the Sigma rules that are loaded into Arc. A Threat Intelligence (TI) active license is needed to receive curated rules from the upstream Nozomi endpoint.

Temporary deployment

It is not necessary to keep the Arc executable on a host after you have collected information. This means that you can remove it after data has been collected to conserve host resources, and maintain a clean host environment.