Strategic Decryption

Detect and Stop the New Breed of Encrypted Attacks

The new class of attack techniques take advantage of recently released exploits. Encryption can be used to mask the exploitation of 60% of the most frequently targeted network vulnerabilities. Can you see them coming?


delivered through encrypted channels

Attackers Living
off the Land

in encrypted traffic on your critical infrastructure


that are leveraging encrypted pathways

How Attackers Use Encryption to Live Off the Land

Advanced attackers use encryption to decrease the likelihood of being caught and reduce the effectiveness of forensic investigation. As the use of encrypted protocols for network traffic inside the enterprise increases, attackers are finding that the stealthy channels they need are ready-made for them inside their target networks.

A new breed of attack technique is rapidly developing to take advantage of these preexisting encrypted channels.

Attackers use these techniques in many ways, including:

  • Privilege escalation and persistence through Kerberos ticket attacks
  • Using commonly encrypted protocols to rapidly and broadly distribute ransomware or other malicious files without detection
  • Data exfiltration from databases, storage clusters, or cloud storage across encrypted protocols

Reveal(x) Detects Threats Other Tools Miss

Other tools use Encrypted Traffic Analysis (ETA), which fails to detect most modern attacks and misses the necessary historical data for rapid response.

Reveal(x) uses targeted decryption to expose the new breed of advanced threats, detect malware in encrypted traffic, and help you take back the advantage from cyberattackers.

Reveal(x) can decrypt TLS 1.3, as well as the most exploited Microsoft protocols, including SMBv3, Kerberos, Active Directory, MSRPC, and more. This means Reveal(x) can catch advanced threats that are invisible to ETA-based solutions.

PrintNightmare and Ransomware

The PrintNightmare vulnerability offers attackers an encrypted channel for lateral movement and distribution of ransomware. The vulnerability affects every version of Windows.


The Microsoft Exchange vulnerabilities known collectively as ProxyLogon enable remote code execution across an encrypted channel. The potential impact is enormous due to the ubiquity of Microsoft Exchange.

Microsoft Protocol

Microsoft authentication protocols such as Kerberos, as well as application protocols such as SMBV3, are commonly abused by attackers to maintain stealth while using encrypted living-off-the-land techniques.

Quote Icon

When our organization was hit by DarkSide ransomware, ExtraHop Reveal(x) alerted us to activity at the very outset of the attack. We were able to use that information to act quickly to stop further exfiltration and encryption.



blind spots

Gain comprehensive visibility into
encrypted channels.

50% faster

threat detection

Catch threats transmitting malware in
encrypted traffic.

84% faster

threat resolution

Gain deeper forensic data to confidently
scope and respond to threats.

Explore the Demo

Stop data exfiltration, insider threats, and more
with the full product demo.

cloud graphic Reveal(x) Product UI