GREYCORTEX became a new member of the non-profit Association, EUCYBSEC (European Cyber Security Excellence Center). Interests of the Association are cybersecurity and protection of SCADA systems. EUCYBSEC is aiming to create a communication space, where commercial, state and academic specialists can freely interact and share their knowledge. Thanks to EUCYBSEC membership, GREYCORTEX gets an opportunity to participate in professional events organized by the Association.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.


GREYCORTEX launched a new 2.3 version MENDEL Analyst. It added standardized support of NetFlow and IPFIX, new ways of data presentation and several performance improvements and more.
New features

  • New tool in GUI “Network Analysis” – user defined aggregated statistics for better analysis of network traffic and security incidents
  • Standardized NetFlow with IPFIX fully supported
  • New user account administration page
  • Changelog page with history and enhanced updating using RPM packaging system


  • Major performance improvements of signature-based detection engine
  • Improved DNS cache with TTL support for better hostname resolution
  • Improved algorithm for matching hosts with Active Directory users
  • Inserted GUI URLs kept after login
  • Improved export of charts
  • Enhanced system log management with filtering by time and a system component



GREYCORTEX MENDEL is a solution for detection, monitoring and analysis of advanced security incidents in network traffic. This solution is based on a combination of various types of detection technologies:

  • Intrusion Detection System (IDS), including Deep Packet Inspection (DPI)
  • Network Behavior Analysis (NBA); the analysis is based on the principles of artificial intelligence
  • Network Performance Monitoring (NPM) and Application Performance Monitoring (APM)
  • A tool for event correlation and risk assessment

During the initial design, the focus was on custom Advanced Security Network Metric (ASNM), large scale data mining based on artificial intelligence, and unique specialized algorithms providing detection of the entire scale of threats and anomalies. Immediate outcomes can be obtained via an intuitive user interface and user-defined reports. GREYCORTEX also brings a whole lot of other interesting options, e.g. for forensic purposes, it provides a complex and detailed overview and history of network traffic, behavior of users, network hosts, applications and services.


The main input is a network data from a mirror port on a backbone switch or a network tap. The NBA detectors are able to accept summarized data in the format of custom ASNM metrics or according to NetFlow v5/9 and IPFIX for IPv4 and IPv6. In addition to the network traffic, the product is able to identify identity context using the company’s LDAP or the Active Directory services. These technologies can also be used for user management and authentication.
Detection signatures dataset containing over 30,000 rules is obtained from external sources. IP address blacklists and their reputation (trustworthiness) are also obtained. These lists are regularly updated on an hourly or on a daily basis. This enables the tool to obtain information about generally known malware and about Command and Control (C&C) attack servers, sources of attack, and known botnets. Moreover, uses a list of known sources of spam, information about Tor[1] networks and about proxy servers as well as information about ownership and geographic position of the communicating hosts and domains.


The ASNM protocol is used to track over 70 attributes of each individual flow in the network. For each flow, it generates information about the source and the target, its duration, size of the data portion and packet counters. MENDEL also retrieves information about frequency spectrum and performance such as Application Response Time (ART), Round Trip Time (RTT), Jitter, and other.
The functions enabling the detection of anomalous and potentially undesirable behavior work similarly in NetFlow protocol; however, thanks to ANSM, they are more detailed and therefore more effective. Another difference consists in the ability to identify consistent bidirectional flows in the network. For application detection, a custom application protocol recognition mechanism similar to NBAR (Network-Based Application Recognition) standard used in Cisco devices is employed; the mechanism can recognize hundreds of protocols. The DPI technology enables extraction of metadata for almost 30 application protocols, even in tunneled traffic.


The incident detection is based on two methods, first based on signatures (IDS) and anomaly detection (NBA) based on machine learning and artificial intelligence. The whole mechanism of learning consists in detailed modelling of the whole network on various levels. From models of the entire network to models of individual services of individual hosts and devices.
The application is continuously learning to distinguish characteristics of anomalous flows from the normal ones based on probability and statistical models without the need for decoding or decrypting the data. After installation into a network, it is necessary to let the application train itself in a new environment for at least a couple of hours. It gains the complete knowledge after approximately one week.
The following algorithms of machine learning are based on the ASNM protocol:

  • Selection of relevant individual metrics
  • Bayesian analysis based on learned probability of events
  • GMM/EM (Gaussian Mixture Models/Expectation-Maximisation) probability models

Probability based (Bayesian) modelling provides almost 1,000 parameters divided for each flow of a host in a network or subnetwork and its services provided locally or remotely. A separate model is created for each service of the host, network device, services aggregated on the network, subnetwork mask, state and ASN (Autonomous System Number).


GREYCORTEX MENDEL enables the user to export the created events in various formats and send them via e-mail or to remote SIEM (Security Information and Event Management) servers for archiving or further processing. This makes it possible to generate alerts based on defined conditions and notifications about the detected anomalies. In this way, it is possible to create user configured reports containing text or graphic visualization of the detected events, network performance or applications and other data in the system. The messages can include a variety of adjustable elements including tables and graphs. The messages can be exported to standard document formats such as DOCX or PDF.
The e-mail system supports connection to standard e-mail servers with SMTP protocol and encrypted communication based on PGP (Pretty Good Privacy). The data exports can also be performed in preset intervals or during detection of a particularly important event. The tool also supports export to SIEM systems using Syslog, CEF format (Common Event Format) or IDEA (Intrusion Detection Extensible Alert). These messages can be previously configured and filtered according to the requirements of system integration.
It is possible to detect:

  • RAT Trojan horses (Remote Access Trojan) including C&C system activities
  • Zero-day type of vulnerabilities and exploitation of services
  • Malware on mobile and embedded devices
  • Long-term APT attacks (Advanced Persistent Threats)
  • Data leaks with DNS, SSH, HTTP(S), etc.
  • Tunneled traffic
  • Protocol anomalies indicating a long-term port scanning and other attacker activities
  • Masquerade attacks (the attacker pretends to be someone else), dictionary attacks and brute force attacks
  • Spam detection
  • Preparation for data theft and exfiltration (e.g. by employees)
  • Automated data harvesting
  • Data theft (e.g. from web applications)
  • Phishing attacks
  • Violation of internal security rules and policies
  • Faulty network settings
  • Network and application performance issues
  • Dos and DDoS attacks
  • New or unknown devices, e.g., of the BYOD type (Bring Your Own Device)

Data fusion and correlation techniques enable the detection of a wide spectrum of threats and activities. These techniques analyze the most interesting information about a particular network obtained through various detection mechanisms. It is possible to find event correlations, eliminate false positives and perform risk estimates. The system is also compatible with systems for risk categorization such as CVSS (Common Vulnerability Scoring System) or NIST Critical Infrastructure Cybersecurity Framework, etc.


The application is supplied as a hardware appliance or as an installation ISO file for a virtual hypervisor. Depending on the mode of deployment, the appliance is supplied with 2, 4 or 8 network interfaces enabling the monitoring of the required number of source lines. The solution can be installed in a probe/collector configuration that enables monitoring geographically remote networks or as a cloud.
We tested the version 2.2.0 of the product at Karel Engliš College (VŠKE). For testing purposes, we selected the virtual deployment on the base of a fully functional 30-day demo. To ensure that the application runs correctly, it is necessary that the server includes a processor with at least 8 virtual cores, 32 GB of RAM, disk capacity of 500 GB and two network interfaces; VM-ESXi virtualization system was used. The installation went smoothly, without any issues.
Tabs for the individual configuration areas are placed well, they enable a quick transition to settings of monitored networks and policies (Policies tab), Detection mechanisms (Detection tab), notifications and exports (Exports tab), and authenticating mechanisms, users and their rights (Users tab). In the Network tab, there is a practical priority setting.


At first glance, working with GREYCORTEX is very pleasant, mainly thanks to the elaborate filtering options and user-configurable overview dashboards. The possibility of a quick display of the communication of each device and all its services was interesting for me. In particular, it is the security visibility and transparency network that the applications brings. The overview of incidents detected at the level of detection patterns is ideally complemented by incidents identified by NBA methods.
In the Detection tab, it is possible to display the defined blacklists and false alarms, set the NBA detection mechanisms and policies for IDS rules, create the necessary correlation rules, also capture and save network traffic on the basis of a defined filter into PCAP format files.
The Export tab allows to define exports; we at VŠKE use SIEM; therefore, the possibility of exporting the data into this system was interesting for us. However, we encountered an issue particularly relevant for schools; instead of one application we now need two: SIEM and GREYCORTEX.


What particularly excites me about this product is the possibility to analyze incidents (we have quite a few of them in the student subnetwork) both from the point of view of their progress in time and in the smallest details. I also appreciate the elaborate elimination of false alarms. The documentation fulfills the basic criteria, but I believe it would be convenient to add some examples of typical settings. The product is still being developed and I am curious about what next the producer will come up with.
Doc. Ing. Jaroslav Dočkal, CSc.
Graduate of VDU Martin and VAAZ, currently the vice-dean of science and creative development at Karel Engliš College. He gives lectures at Masaryk University and University of Defence. He’ is also a lecturer at Cisco Academy, a tutor of HP and a member of DSM magazine editorial board.


Cybercrime is evolving at drammatic speed and at every moment, hackers and attackers are figuring out new strategies to compromise organizations and industries. The cybersecurity sector must not fall behind these attackers.

But the number of technologies claiming to create cybersecurity is vast. Organizational spending and reallocating investments to the right network security sector can help reduce cost of cyber breaches. A recent report produced by Accenture, with an independent survey by the Ponemon Institute indicates that among the higher-valued security technologies per cost; machine learning tools and extensive use of cyber analytics and user behavior analytics, have a high return on investment – in other words, they can bring a greater security benefit for a lower cost. Yet, conversely, Accenture reports that these high value technologies are under-deployed compared to other tools in the marketplace.

MENDEL, from GREYCORTEX makes extensive use of machine learning and behavior analytics to identify cyber threats, protecting the network from attacks which would be unknown and unseen by other security tools.

To find out more about MENDEL’s machine learning technology can help you, or to schedule a demonstration, contact your local GREYCORTEX partner, or GREYCORTEX directly.

With this findings comes opportunity to focus on the right technology to protect a company’s assets.

Study and images are found in the following study:


GREYCORTEX is happy to announce the latest version of GREYCORTEX MENDEL; Version 2.9.0. This version includes several new important features: the first is the Flow Exporter, which gives you the possibility to export flows from MENDEL to your SIEM solution. The second important feature is the ability to execute script commands to other devices e.g. a firewall systems in order to block communications. SCADA network protocols Modbus and DNP3 L7 visibility have also been added, as has the ability to audit commands executed from ssh connections.
New Features

  • Added a Flow Export feature, which allows you to export flows from MENDEL to your favorite SIEM tool. This allows you to have the same data detail of a much more expensive SIEM-specific flow export tool, at a fraction of the cost.
  • Added ability to execute and send scripts, e.g. to a firewall – which means you can identify and stop incoming malware at the firewall, without ever leaving MENDEL.
  • Added integrated Modbus and DNP3 SCADA protocol visibility. Think of it as MENDEL for the industrial control systems. GREYCORTEX takes its next steps into protecting not just “traditional” networks, but also SCADA systems as well with these protocols.
  • Added SSH auditing (turn on the SSH audit signature in status monitor signatures)
  • Added possibility to filter by group of entities (subnet, host, mac, user) to extend filtering options using comma “,”, e.g. src:, & dst: which shows communication between source IPs or and destination IP In a nutshell: much more efficient filtering capabilities are now yours. Identify communication from not just one source and destination, but several hosts to a single destination, so complicated attacks are now clear.
  • MENDEL is powerful and detailed, but now it works just as well for the T1 Security Analyst. New installations and newly created users will see new default dashboards with Overview, Performance, and Security tabs included, for ease of use by everyone.

Several different features of MENDEL were improved. These included improvements to the installation and update process, optimization of flows, and detection features – including the ability to choose your favorite IDS ruleset, or better L7 application service recognition.
Bug Fixes
In general, our development team focused on repairing inconsistencies in user experience and connectivity.


GREYCORTEX is happy to announce that CEO and Co-Owner Petr Chaloupka was named to the New Europe 100 (NE100). The list is made up of individuals selected by the Financial Times, Google, the Visegrad Fund, and Res Publica.

Now in it’s fourth year, the 2017 New Europe 100 “is a list of central and eastern Europe’s brightest and best citizens who are changing the region’s societies, politics, or business environments and displaying fresh approaches to prevailing problems. The aim is to raise the profile of changemakers in emerging Europe and to build connection among those in the vanguard.”

Previous editions of the NE100 have included such well-known business leaders as Vaclav Muchna, CEO of Y Soft.

You can read more about the NE100 here:,5a166ff03228719568984a76


GREYCORTEX is happy to announce that our MENDEL network security tool is now part of the Brno University of Technology (VUT) cybersecurity program. MENDEL is used as part of the compulsory Bachelor’s course called “Information and Communication Technologies Security 2”, offered in the Faculty of Electrical Engineering and Communication specifically the Information Security Program.

The course teaches extended information and communication security knowledge of secure network device configuration, secure configuration testing, and penetration testing. MENDEL is used in laboratory exercises as a visualisation tool for various scans, exploits, and other tests practised by students.

VUT is in the top 5 % of world universities, and offers wide range of education programs. The 30 students in the course as well as the Lecturers are happy that MENDEL’s advanced security tools are available to them. They were especially interested in MENDEL’s intuitive filter and full network visualization. GREYCORTEX is happy to work with the next generation of Security Analysts and to provide the right tools to ready them to participate in the future of network security.

AV-Comparatives Names ESET Endpoint Security Solution as the Lightest on the Market

Today, global IT security vendor ESET has been awarded top marks by AV-ComparativesESET Endpoint Security has been named the lightest endpoint security solution on the market by the world’s leading security software testers AV-Comparatives. Following a series of performance tests on a number of endpoint security solutions, ESET Endpoint Security was commended for its low system impact.

Using one of the largest sample collections in the world, AV-Comparatives provides the most accurate test by creating a real-world environment and replicating the scenarios faced by everyday users.

ESET Endpoint Security provides businesses comprehensive IT security via multiple layers of protection including trademark NOD32® detection technology combined with machine learning. It protects networks from malware and phishing attacks and stops harmful malware from breaching your system. It provides complete data access protection and fully adjustable scanning, including cloud-powered scanning.

“ESET’s business solution made an impressive run in another of our Business performance tests, reaching the lowest impact score of all tested solutions,” commented Andreas Clementi, CEO at AV-Comparatives.

AV-Comparatives rated ESET’s product at an industry high, with a total score of 98.3 in the industry recognized PC Mark tests. The software was praised as ‘very fast’ for browsing websites, launching applications, installing and uninstalling applications, downloading files, as well as archiving and unarchiving files.

“We pride ourselves on developing products that give the most robust protection to enterprises without slowing down their systems,” said Michal Jankech, Business Product Manager. “AV-Comparatives is the most renowned testing organization out there so it’s great to see that ESET Endpoint Security software has scored as the lightest on the market. Business and consumers can rest assured their systems won’t be impacted and will continue to run at high speeds, all while maintaining the highest level of protection.”

You can read more about ESET Endpoint Security and request a free trial here.

Read the whole report by AV-Comparatives here.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

NetJapan releases ActiveImage Protector 2018: NetJapan’s flagship Backup and Recovery solution now includes Virtual Standby Availability (VSA)

Tokyo – NetJapan, Inc. publisher of disk imaging backup, system disaster recovery, and virtualization software, announces the release of ActiveImage Protector™ 2018. NetJapan’s virtual standby availability technology, vStandby™, is now integrated into ActiveImage Protector. Combining both image backup and VSA provides greater value by incorporating the convenience of point-in-time switch-over, and dynamic recovery in a single solution.

NetJapan’s Virtual Standby Availability Technology, creates and maintains dormant point-in-time Virtual Standby Replicas (VSR) of physical or virtual source machines in Hyper-V or VMware environments, and are ready for use; ensuring business continuity. ActiveImage Protector 2018 includes task tools for verifying backup integrity and bootability, and consolidating backup images, via post-backup processing. NetJapan’s BootCheck™ provides confidence that your backup images are bootable, whether restoring or virtualizing.

New features

  • Post-backup processing including BootCheck™ and consolidation
  • Virtual Standby Availability • Updated and improved P2V, V2P, P2P, and V2V processing
  • Enhanced Full-state file recovery retains access rights
  • Supports Windows 10 Fall Creators Update

ActiveImage Protector 2018 will be made available as following platforms: Server, Hyper-V Enterprise, Cluster, Virtual, IT Pro, Desktop, and Linux editions. ActiveImage Protector 5 will be available for home and small office users.


“Threat hunting,” or “cyber threat hunting” is the process of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools and is done by a threat hunter or security analyst. It is essential for network security because it works to identify hidden threats within an existing set of network data.
Threat hunting utilizes manual techniques from the threat hunter and machine-assisted techniques, the combination of which aims to find Tactics, Techniques, and Procedures (TTPs) of advanced adversaries. While this methodology is both time-tested and effective, it is also time consuming, and can sometimes miss important clues in mountains of network data. In the article below, we will discuss not only what threat hunting is, but also how it can be made more efficient through the use of modern tools.
Download the article here.