Advanced Threat Protection: Intrusion Detection Solution

Next-generation intrusion detection solution that detects Advanced Threat at the delivery stage of the attack chain, with 99% efficiency. Government agencies within the US Intelligence Community originally curated these advanced detection algorithms. BluVector detects zero-day malware threats pre-breach, on premises, and at wire speed.


  • AI Machine-learning powered detection of advanced threats
  • Realtime analysis of all content entering/leaving enterprise
  • Speculative code execution detects emerging file-less malware technique
  • Comprehensive logging of network and applications sessions via Zeek
  • In situ retraining of machine learning algorithms increases cyber resilience
  • Leverages open-source solutions, open API, open logging
  • Integrates with existing customer SIEM and endpoint protections
  • Detection enabled with cloud based sandbox capabilities
  • On premise capability ensures client completely controls detection accuracy
  • Modular processing capability allows rapid scaling of increased throughput requirements


  • Previously unknown zero-day malware is detected prior to breach
  • Malware in all file types are detected, not just executables
  • File-less malware is detected prior to execution
  • Network traffic visibility to detect malicious activity
  • Perimeter-based defence prevents accidental phishing
  • Open API ensures client is not "locked in" to technology
  • Open API allows for immediate integration with pre-existing security stack
  • Provides client with additional malware protection
  • Ever-increasing detection accuracy improves analyst response and decision making
  • Client can scale up detection capacity as their network grows


£27,812 a unit a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michelle.nayee@64teq.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

1 8 0 7 7 7 2 3 3 7 6 3 3 3 2


64TEQ Michelle Nayee
Telephone: 02038580264
Email: michelle.nayee@64teq.com

Service scope

Service constraints
For cloud deployments we require a virtual tap of network data. Additionally, our current hardware infrastructure is based on commodity Dell products. For "non-Dell" deployments we would need to re-configure our software interfaces.
System requirements
  • Tap or span port access
  • ESXi required for VM deployments

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLAs vary with client and the level of responsiveness they require. Level 1 is typically immediately. Level 2 within 4 hours. Technical Support means the service provided to analyse or reproduce an error or bug in the Licensed Software or to determine that the error or bug is not reproducible. Level 3 within 12 hours. However, on weekends, the response time for Level 3 issues is 18 hours. On the weekend, Level 1 response times remains immediate.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
"Call BluVector Radio Button" in the U/I.
Call BluVector allows analysts the ability to interact directly with BluVector staff through a U/I located radio button.
Web chat accessibility testing
We have not yet completed chat testing for assistive technology users.
Onsite support
Support levels
We tailor support levels to the user requirements. Costs vary, detailed in our pricing document. We do assign a technical account manager for each client.
Support available to third parties

Onboarding and offboarding

Getting started
BluVector provides “cradle to grave” onboarding and offboarding of our capabilities; we engage the client early, through multiple media to ensure an issue-free transition of our capabilities. In person training includes validation of client use cases and performance objectives. A baseline is taken of the current, “As Is,” performance standard for a given use case. We then train the client and their staff, in person, with our detection capability. We help the client learn how to “tune” and configure the analytic engines to drive toward the desired performance standard. In person training includes a “sign off” by the client staff on their training. Post deployment, we arrange at least weekly “refresher sessions” and Q&A to reinforce the learning and address any possible issues or questions the team may have. Per client, at least one tech session a quarter is spent validating the set of original use cases, and evaluating potential new use cases. The weekly sessions are typically done online and the quarterly session done in person.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
All data is exportable. Logs created by Zeek can be copied off the service. Event alerts can be forwarded to 3rd party systems via syslog, TCP/UDP pipes, SMTP, or Kafka. Alternatively, the database can be copied as a file.
End-of-contract process
Our off-boarding/end-of-contract process starts with receipt/acknowledgement that the client chooses not to renew their service license. If the license is a subscription, we work the client to return the appliance to BluVector. The end-of-contract process includes the client removing the hard drive. The clients have to attest to the destruction of the hard drive. For a perpetual license, the clients own the hardware. They acknowledge that they will no longer receive maintenance and software upgrades. As part of the end-of-contract process, we conduct exit interviews. Ideally interviewees include the head of cyber security, the SOC manager, and 3-5 analysts.

Using the service

Web browser interface
Using the web interface
All configurations are made through the web interface. Once the BluVector solution is deployed and the network tap configured, all operations and mantenance is via a web interface or, alternatively, via RESTful APIs.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
"Call BluVector Radio Button" in the U/I.
Call BluVector allows analysts the ability to interact directly with BluVector staff through a U/I located radio button.
Web interface accessibility testing
BluVector has self-tested our web interface to be compliant with Web Content Accessibility Guidelines (WCAG) 2.1
What users can and can't do using the API
BluVector’s use of Application Programming Interfaces (API) enables clients to quickly integrate the detection engines in their pre-existing security stack. Security stacks typically include the following functionality: SEIM, Endpoint Detection Response, Indicators of Compromise, Firewalls, Behavior Anomaly Detection, and a variety of threat intel feeds. The use of BluVector’s APIs ensure immediate, “frictionless” integration with pre-existing capabilities in the enterprise. BluVector is not a “rip and replace” capability, but rather a focused capability that quickly offers pre-breach detection of zero day malware to the security stack.
Our reliance on APIs also ensures that BluVector is not a “black box.” RESTful APIs ensure much of the integration with other open-standards based technology can be done automatically. We do not require any proprietary development to integrate into other open standards environments. The delivery of our analytic services is automated and more flexible for a given security environment.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • ODF
  • PDF
  • Other
Command line interface
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface
BluVector enables direct user interaction with our analytic engines and workflow processes in multiple ways. Widgets and graphical images are one way in which the user can represent their desired configuration and display of detection information and analytics. The other is through direct interaction with the capability through access to the command line interface.
BluVector is UNIX-based and offers both a command line interface and a graphical user interface. The BluVector CLI capability is a means of interacting with a computer program where the security analysts and support team issues commands to the program in the form of successive lines of text.
Users access BluVector Shells, which are the outermost layer of the OS. . A shell operates like an application and can be replaced. Because the shell is only one layer above the OS, users can perform operations that are not available in other interface types, such as moving files within system folders and deleting locked files.
Shells require users to know the syntax of a scripting language. Most command line shells save sequences of commands for reuse in a script, which is the foundation of basic systems management automation. This is a key advantage for BluVector users.


Scaling available
Scaling type
  • Automatic
  • Manual
Independence of resources
We support on an aggregated throughput basis. We typically size our appliance as a function of sustained throughput. Our clients typically want 20-25% excess capacity available. If capacity starts approaching 90% of max throughput we would simply add another appliance (and load balancer) in the network. That process (to install another appliance for scaling purposes) typically takes 60 mins or less.
Usage notifications
Usage reporting
  • API
  • Email
  • SMS
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Encryption of all physical media.
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
  • Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
All files and VMs
Backup controls
Users have the ability to tailor back up process per their priorities.
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection within supplier network
All interactions with the web-based GUI are protected by TLS leveraging a FIPS 140-2 compliant encryption engine. All data exports are encrypted by TLS as well.

Availability and resilience

Guaranteed availability
Our SLAs are with the US government and they vary from client to client. We do guarantee 99.999% or "five nines" availability and work with clients individually on their SLA requirements.
Approach to resilience
Available on request.
Outage reporting
Throughout all of the above - a central management function/GUI acts as a public dashboard. In case of outages, or warnings, APIs, emails, SMS are sent the appropriate people.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Through multi factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (providers own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
You control when users can access audit information
How long user audit data is stored for
Access to supplier activity audit information
No audit information available
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
BluVector adheres to the US DoD Instructions and Policy for the governance and maintenance of its information security policies. The confidentiality, integrity and availability of information, in all its forms, are critical to ongoing functioning and good cyber hygiene.
Failure to adequately secure information increases the risk of government information and reputational losses from which it may be difficult to recover. Our information security policy outlines our approach to information security management. It provides the principles and responsibilities necessary to safeguard the security of information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.
BluVector is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined will be applied to all of the physical and electronic information assets. The Head, IT is responsible for overseeing all facets of Information Security. BluVector is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract in accordance with the requirements of data security standard ISO 27001 and DoD Instruction 5200.01.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
BluVector relies on a software-based configuration management process which links all software code upgrades to all hardware component configurations and updates. Our appliance represents, essentially, our code base on a TAA compliant Dell infrastructure. Dell updates changes to its component base to the same software application our software team uses for DEVSECOPS. Testing of all updates to either the HW or SW baseline require a security certification for supply chain integrity. At any given point of time for an appliance, BluVector is able to assess the state of the underlying code-base and HW components, and sub components.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Our vulnerability assessment team performs aperiodic tests of new and potentially new threats to our product and cyber threats to our clients. This assessment includes vulnerability aspects across technology, process, and the staff who uses them. Depending on an assessment of the vulnerability, patches can be deployed (“pushed”) immediately. Otherwise, an improvements in “standard vulnerability practices” are sent in the monthly patch updates. For an assessment of potential threats, we rely on our internal threat intelligence team, standard open source threat intelligence sites, evaluations of trends on the dark web, and feedback from our clients.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
BluVector systems are metered for user and device management, establishing “patterns of life” and setting baselines for the alerting of anomalies. Protective monitoring is conducted 24 x 7 by our systems and staff. Potential compromises are identified as a function of anomalies as well as volume, timing, and classification of any related content/attachments. Upon identification of a security incident, parties are notified of the compromise. In the event of an exfil of data, that data is assessed to determine its sensitivity. The exfil path is isolated and contained. Associate behaviors are also analyzed to determine the extent of the compromise.
Incident management type
Supplier-defined controls
Incident management approach
BluVector is defining its incident response processes. We have an initial set of incident response processes for common events. The first goal of the incident management process is to restore a normal service operation as quickly as possible and to minimize the impact on business operations, thus ensuring that the best possible levels of service quality and availability. Users report incidents via our web-based ticketing system or our “Dial BluVector” feature. Monthly incident reports are shared with all clients and anonymized. Our incident response processes are a service operation within the service-level agreement (SLA).

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
Other virtualisation technology used
Vmware, Hyper-V, Citrix XenServer, Oracle VM, Red Hat Virtualisation, KVM hypervisor
How shared infrastructure is kept separate
Separation is required to support multiple clients and multiple pilots. Depending on the size and complexity of the pilot, different infrastructure separation strategies are employed. Many pilots require limited bandwidth. In these cases, a virtual machine is configured, logically separated from the infrastructure and provisioned with sufficient memory and processing resources. Access to this environment is controlled.
For larger engagements a physical appliance is set up, and isolated with either simulated traffic, or direct tap of the clients own network. In this case, BluVector provisions a dedicate server and processing capacity, separate from the rest of the data center.

Energy efficiency

Energy-efficient datacentres


£27,812 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Up to six months free to test VM or appliance based versions.
Link to free trial

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at michelle.nayee@64teq.com. Tell them what format you need. It will help if you say what assistive technology you use.