Real Threats. Real PCAPs.
See exactly what PcapAI catches — and how. Each use case is built around actual attack patterns, real capture files, and the findings your team needs to act on.
DNS Tunneling Detection
The Symptom
High-entropy DNS subdomains spiking in query volume — a classic sign of C2 traffic hiding inside port 53.
AI Discovery
"MITRE T1071.004 confirmed: C2 communication via DNS. DGA-like domain pirate.sea identified with base64-encoded subdomains carrying exfiltration payloads."
Recommendation
Isolate endpoint 10.0.2.30, block the pirate.sea domain and everything beneath it at the resolver (the payload rides in the subdomain labels, so a single-hostname block is not enough), and scan the affected host for persistence mechanisms.
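The check behind this symptom, written out as an added example rather than PcapAI's own code: score the subdomain part of each query for Shannon entropy and base64-like labels, then group by client and registered domain so a domain whose subdomains are mostly encoded payload stands out. The records are constructed in the shape a dissector such as tshark (ip.src, dns.qry.name) would emit; apart from the 10.0.2.30 host and the pirate.sea domain from the case above, every name and address is made up, and the thresholds are illustrative assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed (source IP, queried name) records, as `tshark -T fields -e ip.src
# -e dns.qry.name` would emit them. Not a real capture; only the 10.0.2.30 host
# and the pirate.sea domain come from the case above.
SAMPLE_QUERIES = [
    ("10.0.2.30", "aGVsbG8gd29ybGQgdGhpcyBpcw.pirate.sea"),
    ("10.0.2.30", "ZXhmaWx0cmF0aW9uIGRhdGEgaGVyZQ.pirate.sea"),
    ("10.0.2.30", "dGhpcyBpcyBhIGxvbmcgYmFzZTY0IHBheWxvYWQ.pirate.sea"),
    ("10.0.2.30", "c2VjcmV0IGNvcnBvcmF0ZSBkb2N1bWVudHM.pirate.sea"),
    ("10.0.2.31", "www.example.com"),
    ("10.0.2.31", "mail.example.com"),
    ("10.0.2.31", "cdn.example.net"),
]

# Tunnels pack data into labels drawn from the base64 or base64url alphabets
# (usually unpadded); a legitimate hostname label is rarely 16+ such characters.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def shannon_entropy(text):
    """Bits per character: English words land around 3-4, random base64 near 5-6."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain part, registered domain). Taking the last two labels as
    the registered domain is a shortcut that misfires on suffixes like co.uk;
    a production version should consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious_query(qname, min_entropy=3.5, min_len=20):
    """True when any label looks encoded or the subdomain is long and high-entropy."""
    sub, _ = split_name(qname)
    if any(ENCODED_LABEL.match(label) for label in sub.split(".") if label):
        return True
    return len(sub) >= min_len and shannon_entropy(sub) > min_entropy


def detect_dns_tunnels(queries, min_queries=3, min_share=0.75):
    """Group queries per (client, registered domain) and report domains where most
    subdomains look like payload, the T1071.004 pattern described above.
    Returns a sorted list of (client, domain, query_count)."""
    totals = defaultdict(lambda: [0, 0])  # (client, domain) -> [all, suspicious]
    for src, qname in queries:
        _, domain = split_name(qname)
        stats = totals[(src, domain)]
        stats[0] += 1
        if is_suspicious_query(qname):
            stats[1] += 1
    return sorted(
        (src, domain, total)
        for (src, domain), (total, bad) in totals.items()
        if total >= min_queries and bad / total >= min_share
    )


if __name__ == "__main__":
    for src, domain, n in detect_dns_tunnels(SAMPLE_QUERIES):
        print(f"{src} -> {domain}: {n} encoded-looking queries")
```

Entropy alone is noisy (CDN hostnames and DNSSEC-related names also score high), which is why the grouping step requires a high share of suspicious queries per domain before reporting it.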
Severe TCP Retransmission Storm
The Symptom
Users reporting application timeouts. Internal endpoints showing 61.36% packet retransmission — far above the roughly 1% rate a healthy segment should show.
AI Discovery
"Extreme retransmission storm traced to ARP spoofing activity on the local segment — a compromised host intercepting and corrupting in-transit packets."
Recommendation
Identify and isolate the ARP spoofing source. Separately, rule out physical causes that produce the same symptom: check switch ports for duplex mismatches and failing uplinks that exhaust buffers.
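How a retransmission percentage like the one quoted above is computed, as an added example that is not PcapAI's code: a data segment is a retransmission when its (sequence number, length) pair was already seen on the same flow, and the ratio is taken over data-bearing segments only. The segments are constructed to stand in for fields a dissector such as scapy or tshark would provide; the addresses and the 1%/10% bands are illustrative assumptions.

```python
from collections import defaultdict

# Constructed TCP segments as (src, sport, dst, dport, seq, payload_len).
# Not a real capture; a dissector such as scapy or tshark supplies these fields.
SAMPLE_SEGMENTS = [
    ("10.1.1.10", 51000, "10.1.1.20", 443, 1000, 100),
    ("10.1.1.10", 51000, "10.1.1.20", 443, 1000, 100),  # same seq+len again: retransmission
    ("10.1.1.10", 51000, "10.1.1.20", 443, 1000, 100),  # and again
    ("10.1.1.10", 51000, "10.1.1.20", 443, 1100, 100),
    ("10.1.1.10", 51000, "10.1.1.20", 443, 1100, 100),  # retransmission
    ("10.1.1.20", 443, "10.1.1.10", 51000, 5000, 0),    # pure ACK: no data, not counted
    ("10.1.1.30", 52000, "10.1.1.40", 80, 7000, 50),
    ("10.1.1.30", 52000, "10.1.1.40", 80, 7050, 50),
]


def retransmission_stats(segments):
    """Flag a data segment as a retransmission when the same (seq, len) was
    already seen on the same unidirectional flow. Pure ACKs carry no data and
    are excluded, which is how analysers quote '% retransmissions'.
    Simplification: a real analyser also separates fast and spurious
    retransmissions from out-of-order delivery (Wireshark's
    tcp.analysis.retransmission family of flags does that work)."""
    seen = set()
    per_flow = defaultdict(lambda: [0, 0])  # flow -> [data segments, retransmissions]
    for src, sport, dst, dport, seq, length in segments:
        if length == 0:
            continue
        flow = (src, sport, dst, dport)
        per_flow[flow][0] += 1
        key = flow + (seq, length)
        if key in seen:
            per_flow[flow][1] += 1
        seen.add(key)
    data = sum(d for d, _ in per_flow.values())
    retrans = sum(r for _, r in per_flow.values())
    return {
        "data_segments": data,
        "retransmissions": retrans,
        "ratio": retrans / data if data else 0.0,
        "per_flow": {flow: r / d for flow, (d, r) in per_flow.items()},
    }


def classify_ratio(ratio, healthy=0.01, severe=0.10):
    """Illustrative bands: under 1% is normal, 1-10% is degraded, above 10% is a
    storm that needs a root cause (ARP spoofing, duplex mismatch, failing uplink)."""
    if ratio < healthy:
        return "healthy"
    if ratio < severe:
        return "degraded"
    return "severe"


if __name__ == "__main__":
    stats = retransmission_stats(SAMPLE_SEGMENTS)
    print(f"{stats['retransmissions']}/{stats['data_segments']} data segments retransmitted "
          f"({stats['ratio']:.2%}): {classify_ratio(stats['ratio'])}")
    for flow, ratio in stats["per_flow"].items():
        print(f"  {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {ratio:.1%}")
```

The per-flow breakdown matters for the ARP spoofing diagnosis above: a spoofer on one segment inflates retransmissions on every flow crossing it, whereas a single bad uplink shows up only on flows that traverse that port.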
Critical Cleartext Password Exposure
The Symptom
Internal endpoint transmitting unencrypted traffic to an external US-based server — credentials visible in plaintext on the wire.
AI Discovery
"HTTP Basic Auth decoded: live service account credentials exposed over port 80. Traffic is 100% unencrypted, violating PCI-DSS Requirement 4.2 and SOC2 encryption controls."
Recommendation
Rotate all exposed credentials immediately. Enforce HTTPS/TLS on the offending service and audit other internal apps for unencrypted authentication.
ARP Spoofing & Active Scanning
The Symptom
Gateway IP conflict at 192.168.1.1 combined with systematic TCP SYN sweeps across the /24 subnet — two attack phases in a single capture.
AI Discovery
"MITRE T1557.002 (ARP Cache Poisoning) by host .105 intercepting gateway traffic. MITRE T1595 (Active Scanning) by host .104 mapping the subnet prior to the attack."
Recommendation
Isolate 192.168.1.105 and 192.168.1.104 immediately. Deploy Dynamic ARP Inspection on the switch and monitor for lateral movement to adjacent VLANs.
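Both phases in this case can be pulled out of a capture with two small passes, shown here as an added example (not PcapAI's code): an IP-to-MAC table built from ARP replies exposes a gateway address answered by two different MACs, and a per-source count of distinct SYN-only destinations exposes the sweep. The ARP replies and TCP segments are constructed; the 192.168.1.1 gateway and the .104/.105 hosts come from the case above, while the MAC addresses, ports and the 32-host threshold are assumptions.

```python
from collections import defaultdict

# Constructed ARP replies as (sender IP, sender MAC). Not a real capture; the
# gateway and host addresses match the case above, the MACs are invented.
SAMPLE_ARP = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:01:05"),    # a second MAC claims the gateway IP
    ("192.168.1.105", "de:ad:be:ef:01:05"),  # ...and it is .105's own MAC
    ("192.168.1.50", "aa:bb:cc:00:00:50"),
]

# Constructed TCP segments as (src, dst, dport, flags): .104 SYNs port 445 on
# 59 hosts, .50 completes a normal handshake with the gateway.
SAMPLE_TCP = [("192.168.1.104", f"192.168.1.{h}", 445, "S") for h in range(1, 60)] + [
    ("192.168.1.50", "192.168.1.1", 443, "S"),
    ("192.168.1.50", "192.168.1.1", 443, "PA"),
]


def arp_conflicts(replies):
    """IPs advertised by more than one MAC, the T1557.002 signature: the real
    gateway and the poisoner both answer for 192.168.1.1."""
    macs = defaultdict(set)
    for ip, mac in replies:
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def spoofing_macs(replies):
    """MACs that answered for more than one IP; the poisoner claims the gateway
    while still answering for its own address."""
    ips = defaultdict(set)
    for ip, mac in replies:
        ips[mac].add(ip)
    return {mac: sorted(i) for mac, i in ips.items() if len(i) > 1}


def syn_sweepers(segments, min_targets=32):
    """Sources sending SYN-only segments to many distinct hosts (T1595). The
    threshold is a tuning knob: a /24 sweep hits far more than 32 hosts, while a
    busy client rarely opens fresh connections to that many peers in one capture."""
    targets = defaultdict(set)
    for src, dst, dport, flags in segments:
        if flags == "S":
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("ARP conflicts:", arp_conflicts(SAMPLE_ARP))
    print("Likely spoofer MACs:", spoofing_macs(SAMPLE_ARP))
    print("SYN sweepers:", syn_sweepers(SAMPLE_TCP))
```

Correlating the two outputs is what turns them into a narrative: the MAC that claimed the gateway also answers for 192.168.1.105, and the sweep from .104 precedes it in time, so the isolation list above follows directly from the capture.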
Regulatory Compliance & Network Integrity Failure
The Symptom
Unauthorized MITM infrastructure detected alongside internal reconnaissance activity — two simultaneous compliance violations in one capture.
AI Discovery
"PCI DSS 4.0 Req. 1.2 and NIST 800-53 SC-5 violated by ARP Spoofing (T1557.002). Active Scanning (T1595) by host .104 fails SOC2 CC6.6 and CIS Controls v8 Control 13."
Recommendation
Isolate 192.168.1.105 immediately to contain GDPR/HIPAA breach risk. Implement egress filtering, and preserve the capture together with switch and resolver logs as audit evidence for SOC2 remediation documentation.
Malware Exfiltration & C2 Credential Recovery
The Symptom
Unencrypted outbound FTP session to an unknown external IP — a STOR command uploading a compressed archive with a hostname-based filename.
AI Discovery
"Infostealer confirmed: MITRE T1048.003 exfiltration via FTP port 21. Hardcoded drop-server credentials (USER/PASS) extracted from the unencrypted session — MITRE T1040."
Recommendation
Block the drop-server IP at the perimeter firewall and preserve the recovered USER/PASS pair as evidence rather than using it: logging in to infrastructure you do not own is generally unlawful even when an attacker controls it, and it can alert the adversary to the investigation. Hand the credentials to legal counsel and law enforcement, and scope the stolen data from the STOR payload in the capture and from the compromised host.
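The credential recovery behind this case and the HTTP Basic Auth case above rests on the same step, so one added example covers both (it is not PcapAI's code): decode the Basic header of a reassembled HTTP request, and pull USER/PASS and uploaded filenames out of an FTP control channel. Both streams are constructed, as are the hostnames, usernames and passwords; a real run would feed them the client side of a stream reassembled by tshark's "Follow TCP Stream" or scapy's sessions.

```python
import base64
import re

# Constructed client-side payloads of two reassembled TCP streams. Neither is
# real traffic; hostnames, usernames and passwords are invented.
HTTP_STREAM = (
    b"GET /api/status HTTP/1.1\r\n"
    b"Host: reports.example.com\r\n"
    b"Authorization: Basic c3ZjX3JlcG9ydHM6U3VwM3JTM2NyM3Qh\r\n"
    b"User-Agent: curl/8.0\r\n\r\n"
)
FTP_STREAM = (
    b"USER dropuser\r\n"
    b"PASS Pa55-drop!\r\n"
    b"TYPE I\r\n"
    b"PASV\r\n"
    b"STOR WORKSTATION-07.zip\r\n"   # hostname-based filename, as in the case above
    b"QUIT\r\n"
)

BASIC_HEADER = re.compile(rb"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$")


def http_basic_credentials(stream):
    """Decode every 'Authorization: Basic <base64>' header into (user, password).
    Basic auth is base64(user:password); base64 is encoding, not encryption, so
    anyone holding the capture holds the credential."""
    creds = []
    for match in BASIC_HEADER.finditer(stream):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding/alphabet
            continue
        user, _, password = decoded.decode("utf-8", "replace").partition(":")
        creds.append((user, password))
    return creds


def ftp_session_artifacts(stream):
    """Extract the login and every uploaded filename from an FTP control channel.
    Only the client->server direction is needed; STOR/APPE are the upload verbs."""
    out = {"user": None, "password": None, "uploads": []}
    for line in stream.decode("latin-1").splitlines():
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            out["user"] = arg
        elif verb == "PASS":
            out["password"] = arg
        elif verb in ("STOR", "APPE"):
            out["uploads"].append(arg)
    return out


if __name__ == "__main__":
    for user, password in http_basic_credentials(HTTP_STREAM):
        print(f"HTTP Basic: user={user!r} password={password!r}")
    ftp = ftp_session_artifacts(FTP_STREAM)
    print(f"FTP: user={ftp['user']!r} password={ftp['password']!r} uploads={ftp['uploads']}")
```

The same parser works on the infostealer session because the malware speaks plain FTP; what differs is what you do with the output, which is the point of the recommendation above.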
PhantomStealer C2 Tunnels & Network Anomalies
The Symptom
Periodic HTTP beaconing every 10 seconds from a single host, combined with DNS congestion at 265ms latency and TCP Zero Window events masking the root cause.
AI Discovery
"PhantomStealer confirmed: MITRE T1071.001 C2 tunnel to 185.27.134.154. Secondary SMTP exfiltration on port 587 (T1048.003) identified as a parallel data channel."
Recommendation
Block the C2 IP at the perimeter and isolate the beaconing host. Flushing the DNS cache does not stop an implant that beacons to a hard-coded address such as 185.27.134.154; the host itself has to be remediated. Audit outbound SMTP on port 587 for exfiltration traces, and treat the DNS latency and Zero Window events as effects of the congestion rather than its cause.
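Periodic beaconing is detected from timing, not content, so it survives encryption; as an added example (not PcapAI's code), here is the inter-arrival check: group outbound connections by (source, destination, port), compute the gaps between consecutive connections, and flag pairs whose coefficient of variation is low. The connection records are constructed; the 185.27.134.154 destination and 10-second interval come from the case above, the other addresses, the 10-event minimum and the 0.15 CV cutoff are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed outbound connection records as (timestamp, src, dst, dport). Not a
# real capture: 31 connections to the C2 address from the case above every 10 s
# with +/-0.1 s jitter, plus an irregular browsing session from another host.
SAMPLE_CONNS = [
    (1000.0 + 10 * i + (0.1 if i % 2 else -0.1), "10.0.0.15", "185.27.134.154", 80)
    for i in range(31)
] + [
    (1000.0 + t, "10.0.0.22", "93.184.216.34", 443)
    for t in (0.5, 3.2, 3.9, 15.0, 41.7, 42.0, 90.3, 91.1, 130.4, 131.0, 200.2)
]


def beacon_candidates(conns, min_events=10, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-arrival times are nearly constant.
    CV = population stdev / mean of the gaps. A human-driven session is bursty
    (CV near or above 1); a timer-driven implant is regular (CV near 0), even
    with the few percent of jitter most implants add. Implants with large random
    sleep ranges defeat a plain CV test and need a histogram or autocorrelation."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in conns:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(times), "interval_s": round(mean, 2), "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_CONNS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every {hit['interval_s']} s "
              f"({hit['events']} events, CV {hit['cv']})")
```

Run this over connection logs rather than raw packets where you can (Zeek conn.log, firewall logs): the timing signal is the same and the volume is far lower.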
Seen enough? Try it on your own traffic.
Upload any PCAP or PCAPNG — get the same depth of analysis in under 60 seconds. No installation. Nothing stored after 24 hours.
Every finding above is mapped to the MITRE ATT&CK framework. Explore the full 40+ technique coverage matrix →
No installation required. 100% private.