How Cato Threat Protection Protects Your Network

Overview

Cato Threat Prevention is a cloud-native security service that inspects WAN and Internet traffic in the Cato Cloud to detect and block malicious files, malware, network-based attacks, and other security threats. Threat Prevention helps secure your traffic by preventing malware, blocking malicious domains and destinations, detecting exploit attempts and other attack activity, and stopping threats before they can impact users or resources. You can extend this protection with Advanced Threat Prevention services such as Remote Browser Isolation (RBI), which isolates web sessions from the user’s device, and Sandbox, which scans suspicious files in an isolated environment for deeper analysis.

Shared Context for Stronger Threat Protection

Cato's security engines work together in a single cloud-native service to deliver more accurate detections, more consistent enforcement, and stronger protection across the full threat lifecycle. Rather than making isolated decisions, the engines inspect the same traffic and build on shared analysis across multiple protection layers. This unified architecture improves coordination between security controls and helps stop threats before they can spread or cause damage.

AI and Machine Learning in Threat Prevention

Cato Threat Prevention also uses AI and machine learning as part of the service infrastructure to improve threat intelligence and strengthen detection quality. This includes AI-based IOC classification, machine learning analysis of traffic metadata, machine learning-based threat protections in IPS, and proactive behavior-based analysis in Dynamic Prevention. Together, these capabilities strengthen detection across protection engines and help Cato identify both known and unknown threats more effectively.

TLS Inspection

Complete threat inspection requires TLS Inspection, so encrypted traffic can also be analyzed.

Cato decrypts, inspects, and re-encrypts traffic in-line so that Threat Prevention and Advanced Threat Prevention services, including Anti-Malware, IPS, and Sandbox, can analyze encrypted traffic. This extends threat inspection to encrypted sessions and allows more traffic to be evaluated by the full set of protection layers. Granular Inspect and Bypass rules help you maintain security coverage while excluding traffic that should not be inspected.

Because TLS Inspection can impact user experience for legitimate sites, Cato provides a TLS Inspection configuration wizard that helps you deploy recommended Inspect and Bypass rules more quickly while customizing the policy for your environment.

Traffic Bypassing the Cato Cloud

Threat Prevention engines run in the PoPs in the Cato Cloud and only inspect traffic that passes through them. Traffic that bypasses the Cato Cloud, such as MPLS traffic or traffic from sites and Clients that egress directly to the public Internet, is not inspected by Threat Prevention or Advanced Threat Prevention services. This traffic is outside the scope of Cato’s inline threat inspection.

Threat Protection Services

These services work together to deliver layered protection, combining signature-based detection, behavioral analysis, and machine learning to identify both known and unknown threats. As they all operate in the Cato Cloud as part of a single security architecture, each layer adds to a broader and more coordinated view of threat activity. Centralized management in the CMA lets you easily configure policies, monitor events, and maintain visibility across all protected traffic.

Intrusion Prevention System (IPS)

Cato IPS inspects inbound, outbound, and WAN traffic to protect applications, devices, and network services against known vulnerabilities, bots, malicious traffic, and other network-based attacks. The service includes multiple protection layers such as reputation analysis, known vulnerability protections, anti-bot detection, network behavioral analysis, protocol validation, geo restriction, and tunneling attack detection.

IPS signatures are continuously updated by Cato security research, and IPS policies are designed to balance security coverage with operational stability. IPS can enforce protections in block mode or monitor traffic without blocking, and it helps prevent exploitation of known vulnerabilities across traffic that passes through the Cato Cloud.

DNS Protection

The IPS service includes DNS Protection to enforce DNS security for traffic in your account. DNS Protection blocks DNS requests to malicious domains before a connection is established to the destination, which helps stop threats such as phishing, malware delivery, and command-and-control communication earlier in the attack flow. By blocking malicious requests at the DNS layer, DNS Protection helps stop attacks before payload delivery and provides visibility that supports broader threat investigation.

You can enable or disable specific DNS protections and define actions such as Allow, Block, or Sinkhole for each protection. The Sinkhole action redirects DNS requests for malicious domains to a sinkhole server instead of the original destination. This also helps identify the originating endpoint for the request, including in environments that use internal DNS proxies, and supports detection of potentially infected devices.
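The following is an added illustrative example, not Cato's code: a small Python model of the Allow, Block and Sinkhole actions described above. It also shows the attribution point made in the last sentence. When clients sit behind an internal DNS proxy, the DNS event only ever records the proxy's address, but a sinkholed answer makes the infected client itself connect to the sinkhole IP, so the connection log reveals the originating endpoint. The domains, addresses, categories and policy are all constructed for the example.

```python
"""Illustrative DNS-protection policy evaluator (added example, not Cato code).

Models Allow / Block / Sinkhole actions and shows why a Sinkhole answer
exposes the originating endpoint behind an internal DNS proxy, whereas a
plain Block only reveals the proxy. All data here is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"
    SINKHOLE = "Sinkhole"


# Constructed threat-intelligence data: malicious domain -> protection category.
MALICIOUS_DOMAINS = {
    "c2.example-bad.test": "Command and Control",
    "login-verify.example-phish.test": "Phishing",
}

# Constructed policy: the action configured for each protection category.
POLICY = {
    "Command and Control": Action.SINKHOLE,
    "Phishing": Action.BLOCK,
}

# Assumed sinkhole address (RFC 5737 documentation range).
SINKHOLE_IP = "192.0.2.53"


@dataclass(frozen=True)
class DnsQuery:
    src_ip: str  # address the resolver sees: the client, or an internal DNS proxy
    qname: str


@dataclass(frozen=True)
class DnsVerdict:
    qname: str
    category: Optional[str]
    action: Action
    answer: Optional[str]  # address handed back to the requester, if any


def evaluate(query: DnsQuery, resolve: Callable[[str], str]) -> DnsVerdict:
    """Apply the policy to one query; `resolve` is the upstream lookup for allowed names."""
    category = MALICIOUS_DOMAINS.get(query.qname.lower().rstrip("."))
    if category is None:
        return DnsVerdict(query.qname, None, Action.ALLOW, resolve(query.qname))
    action = POLICY.get(category, Action.BLOCK)  # unmapped categories default to Block
    if action is Action.BLOCK:
        return DnsVerdict(query.qname, category, action, None)  # no answer, no connection
    if action is Action.SINKHOLE:
        return DnsVerdict(query.qname, category, action, SINKHOLE_IP)
    return DnsVerdict(query.qname, category, Action.ALLOW, resolve(query.qname))


def simulate(client_ip: str, proxy_ip: str, qname: str):
    """Send one client query through an internal DNS proxy.

    Returns (dns_event, connection_events). The proxy forwards the query from
    its own address, so the DNS event cannot identify the client; only an
    answered query produces a follow-on connection from the real client.
    """
    verdict = evaluate(DnsQuery(proxy_ip, qname), resolve=lambda name: "198.51.100.10")
    dns_event = {"src_ip": proxy_ip, "qname": qname, "action": verdict.action.value}
    connections = []
    if verdict.answer is not None:
        # The client uses whatever answer the proxy relayed back to it.
        connections.append({"src_ip": client_ip, "dst_ip": verdict.answer, "dst_port": 443})
    return dns_event, connections


def originating_endpoints(connections) -> list:
    """Client addresses seen connecting to the sinkhole: the likely infected devices."""
    return sorted({c["src_ip"] for c in connections if c["dst_ip"] == SINKHOLE_IP})


if __name__ == "__main__":
    for name in ("c2.example-bad.test", "login-verify.example-phish.test", "docs.example.test"):
        dns_event, conns = simulate("10.0.0.7", "10.0.0.2", name)
        print(dns_event, "->", originating_endpoints(conns) or "no endpoint identified")
```

Run as-is, the command-and-control query is logged with the proxy's address in the DNS event, yet the sinkhole connection log attributes it to `10.0.0.7`; the blocked phishing query yields no connection at all, and the allowed query goes to its real destination.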

Suspicious Activity Monitoring (SAM)

Suspicious Activity Monitoring expands IPS visibility for suspicious network activity that is not monitored by standard IPS signatures. SAM identifies activity that can indicate a compromise or breach, but because the traffic is not definitively malicious, it monitors the traffic without blocking it.

By correlating events over time, SAM reduces noise and gives security teams better visibility into early-stage attack activity. It adds investigative context for activity that does not trigger direct prevention and helps identify threats that signature-based controls alone might miss.
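As an added illustration of the correlation idea above (example code written for this page, not Cato's SAM implementation), the Python below groups monitor-only events per source and surfaces a source only when several distinct suspicious behaviours from it fall inside one time window. The event lines, behaviour names, window length and threshold are constructed for the example.

```python
"""Illustrative time-window event correlation (added example, not Cato code).

A single low-confidence event is monitored, never blocked; a source is only
surfaced for investigation when `min_distinct` different behaviours from it
occur within `window`. Event lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed monitor-only events: "<ISO timestamp> <source> <behaviour>".
SAMPLE_EVENTS = [
    "2024-05-01T09:00:05Z 10.0.0.7 port_scan",
    "2024-05-01T09:03:40Z 10.0.0.7 dns_tunnel_pattern",
    "2024-05-01T09:06:12Z 10.0.0.7 rare_user_agent",
    "2024-05-01T09:01:00Z 10.0.0.9 port_scan",        # one-off, stays below threshold
    "2024-05-01T14:30:00Z 10.0.0.9 rare_user_agent",  # hours later, not correlated
    "2024-05-01T09:02:00Z 10.0.0.7 port_scan",        # repeat of one type counts once
]


def parse_event(line: str):
    """Split one constructed event line into (timestamp, source, behaviour)."""
    ts, src, kind = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, kind


def correlate(lines, window=timedelta(minutes=10), min_distinct=3):
    """Return {source: (window_start, sorted distinct behaviours)} for sources
    that show at least `min_distinct` different behaviours inside `window`.

    Each event is tried as the start of a window, so order of arrival does
    not matter and a repeated behaviour never inflates the count.
    """
    by_src = defaultdict(list)
    for line in lines:
        ts, src, kind = parse_event(line)
        by_src[src].append((ts, kind))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so later events are the window candidates
        for i, (start, _) in enumerate(events):
            kinds = {k for t, k in events[i:] if t - start <= window}
            if len(kinds) >= min_distinct:
                flagged[src] = (start, sorted(kinds))
                break  # first qualifying window is enough to surface the source
    return flagged


if __name__ == "__main__":
    for src, (start, kinds) in correlate(SAMPLE_EVENTS).items():
        print(f"{src}: {len(kinds)} distinct behaviours from {start.isoformat()}: {kinds}")
```

With the sample data only `10.0.0.7` is surfaced: its three different behaviours fall within ten minutes of the first, while `10.0.0.9` generates two isolated events hours apart and stays as plain monitoring context.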

Anti-Malware and NG Anti-Malware

Cato Anti-Malware and NG Anti-Malware provide two layers of protection to prevent malicious files from entering your network. Both layers simultaneously scan files from WAN and Internet traffic.

Anti-Malware uses known file signatures and heuristic analysis to detect malicious files. NG Anti-Malware uses machine learning and predictive models to classify files as benign, suspicious, or malicious and detect unknown and zero-day malware. This layered approach blocks ransomware, trojans, and other commodity malware without impacting user experience.

Advanced Threat Prevention

Advanced Threat Prevention services provide additional protection against sophisticated threats that may bypass standard Threat Prevention controls. These services extend Cato’s protection with isolated browsing, advanced file analysis, and behavior-based prevention to help detect and stop sophisticated attack techniques.

Remote Browser Isolation (RBI)

RBI is part of the Internet Firewall policy and protects users from web and browser-based threats without blocking Internet access. Instead of rendering web content on the user’s device, RBI runs the browsing session in an isolated environment in the Cato Cloud and streams a safe visual representation to the browser. This helps protect against threats such as ransomware, malware, phishing, malicious ads, and cross-site scripting (XSS), while letting users safely access risky or unknown websites. RBI extends protection to risky browsing activity without forcing users to bypass security controls.

Dynamic Prevention

Dynamic Prevention is a behavior-based security engine that preemptively applies adaptive controls in response to detected threats to reduce the attack surface and mitigate threats early, before they can impact your environment. It analyzes activity over time and across a broader context than traditional point detections, which helps identify suspicious behavior that may use legitimate tools or otherwise appear benign in isolation. When abnormal behavior is detected, Dynamic Prevention can automatically apply temporary controls and continuously adjust or remove them as behavior changes.

Sandbox

Sandbox is an isolated and secure environment where potentially malicious or suspicious files are executed and analyzed without risk to your network. This adds in-depth analysis for malware investigation to detect unknown and evasive threats. Files identified by the Anti-Malware policy as malicious or suspicious are automatically scanned in the Sandbox, and you can also upload specific files for analysis.

MITRE ATT&CK® Dashboard

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques that helps security teams classify and investigate attack activity. The Cato MITRE ATT&CK Dashboard provides visibility into attack activity in your network using the MITRE ATT&CK framework. It maps threats detected by Cato security services to ATT&CK tactics and techniques, helping security teams understand how attacks progress across the kill chain. The dashboard includes analytics and visualizations such as tactic summaries, technique breakdowns, event timelines, and affected devices. You can drill down into specific techniques or sources to investigate security events and analyze attack patterns in your environment. This helps connect individual detections to the broader attack story and gives security teams a clearer view of how threats unfold across the environment.
