Tell a Salesforce call from a data heist.
STACK Cipher fingerprints every outbound flow at the VPC boundary — even encrypted SNI, DNS-over-HTTPS, and agent-driven HTTPS — and tags it with business purpose so you know which egress is yours.
DLP can't see encrypted SNI. Cipher can.
Inline proxies break TLS or miss agent traffic. We're passive, kernel-level, agent-aware — and privacy-preserving by design.
eBPF Kernel Probes
Process-attributed flow capture without TLS interception. Every outbound packet tied to the binary that sent it.
JA4/JA4S Fingerprinting
Identify destinations and clients without decrypting payload. SaaS, LLM API, and CDN signatures built in.
Business-Purpose Tagging
Train tags from your existing SaaS inventory and IT catalog. Flag the unknowns; explain the knowns.
Encrypted SNI / DoH Resolution
Behavioral inference resolves real destinations behind privacy-preserving DNS. No payload required.
Agent Egress Attribution
Specifically catch LLM API calls, MCP server outbound, IDE telemetry, and unsanctioned AI assistants.
Volume + Cadence Anomaly
Statistical outliers on destination, time, byte-count, and burst pattern. Tuned for slow-and-low exfil.
Questions teams ask before deploying
Straightforward answers about scope, integration, data handling, and rollout.
Do you break TLS?
Never. eBPF kernel probes plus JA4 fingerprints plus DNS-context inference. No man-in-the-middle, no certificate dance, no privacy concerns.
What does it run on?
Linux 5.10+ via eBPF, Windows via ETW, Kubernetes as a DaemonSet. macOS via system extension for dev laptops.
How is this different from Zscaler or Netskope?
Inline proxies break TLS or miss agent traffic. We're passive and kernel-level — we see every flow including the ones that bypass the proxy.
What is the privacy and works-council story?
Metadata only. No payload capture, no decryption, no source-code reading. Per-process logs with audit-grade access controls.