RoCi is Nantevo's AI-powered threat intelligence engine. She analyzes the DNS telemetry stream to detect behavioral anomalies, identify attack patterns, and automatically update threat rules — across every authenticated client, continuously.
RoCi never touches a live query. All analysis happens asynchronously on the log stream — after responses are delivered. DNS resolution latency is a hard constraint. AI inference is not. This design keeps resolution fast and analysis accurate.
DNS resolution speed is non-negotiable. RoCi's design separates the response path from the analysis path — queries are resolved and returned without waiting for any AI inference. RoCi works on what already happened, not what is happening right now.
Every step in the live query path is a fast lookup, never an inference.
Query metadata is written to the telemetry pipeline after the response is already on its way back to the device.
RoCi consumes the telemetry stream, runs behavioral scoring, detects patterns, and pushes rule updates back into the synchronous threat feed.
When RoCi detects a threat in the telemetry stream, it doesn't just log it. It pushes a rule update back into the synchronous threat intelligence layer — so the next query to that domain is blocked before resolution even begins.
A DNS query is authenticated, resolved, and the response returned to the device. Query metadata is written to the telemetry stream asynchronously. The device has its answer. The analysis begins.
RoCi ingests the metadata from the telemetry pipeline. Behavioral scoring compares the query against the per-client baseline. Entropy analysis runs on the domain string. Pattern matching checks for known attack sequences across the client's recent query history.
When scoring exceeds the configured sensitivity threshold, RoCi classifies the threat and immediately pushes a block rule to Nantevo's threat intelligence API. The rule propagates into the synchronous feed lookup used by the live query path.
Any subsequent query — from any authenticated client — to the flagged domain now hits a block in the synchronous threat feed lookup and never reaches the resolver. The incident is logged, the affected client is notified, and the detection is visible in the dashboard immediately.
This creates a self-reinforcing feedback loop: every detection makes the synchronous threat feed more accurate for every subsequent query across every client. A threat detected on one client's traffic is immediately blocked for all clients — without any manual intervention, without any delay in the query path, and without waiting for a human analyst to review and act.
RoCi's detection capabilities are tuned specifically for DNS-layer threat patterns — the categories of malicious behavior that are invisible to endpoint security but plainly visible in query telemetry.
Malware families use Domain Generation Algorithms to programmatically generate large numbers of domain names. The malware tries each in sequence until it finds one that resolves — connecting to the attacker's command and control infrastructure without relying on a hardcoded domain that can be blocked.
DGA domains have a characteristic signature in their structure: high entropy, unusual character distributions, and subdomain patterns that deviate sharply from human-readable domains. RoCi scores every queried domain for these characteristics.
Subdomain entropy score exceeds 3.5 — character distribution inconsistent with human-readable domain patterns
Sequential pattern — multiple high-entropy domains queried within a short window, consistent with DGA iteration behavior
NXDOMAIN cascade — high volume of non-resolving queries to novel domains, indicating the malware is iterating through its generated list
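As an added illustration of the detection-to-block loop (score the telemetry asynchronously, push a rule into a synchronous lookup) and of the three DGA signals listed above, here is a self-contained Python sketch. It is not Nantevo's code: the 60-second window, the cascade count of three, the TLD-based cut of the "subdomain string" and the telemetry rows are all assumptions or constructed values; only the 3.5 entropy threshold comes from the page.

```python
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 3.5  # from the page: subdomain entropy above 3.5 is a DGA signal
WINDOW_SECONDS = 60      # assumed "short window" for the sequential-pattern check
CASCADE_MIN = 3          # assumed count of high-entropy NXDOMAINs that makes a cascade

# Constructed telemetry rows (not real Nantevo data); each is a query already answered.
TELEMETRY = [
    {"client": "laptop-1", "domain": "www.example.com", "rcode": "NOERROR", "ts": 100},
    {"client": "laptop-2", "domain": "q7xk3jvbz9wpf2.net", "rcode": "NXDOMAIN", "ts": 110},
    {"client": "laptop-2", "domain": "m4hgt8ydsc6rnl.net", "rcode": "NXDOMAIN", "ts": 111},
    {"client": "laptop-2", "domain": "b2vpqz5kxw1jht.net", "rcode": "NXDOMAIN", "ts": 112},
    {"client": "laptop-2", "domain": "e9kwtr3xmpq7zf.net", "rcode": "NOERROR", "ts": 113},
]

def shannon_entropy(text):
    """Bits per character of text (0.0 for an empty string)."""
    freqs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in freqs) if freqs else 0.0

def name_entropy(domain):
    """Entropy of the labels below the TLD (assumption: the page does not define the cut;
    production code would use the public suffix list to find the registrable domain)."""
    labels = domain.lower().rstrip(".").split(".")
    return shannon_entropy("".join(labels[:-1]))

def live_lookup(domain, blocked):
    """The synchronous query path: a set membership test, never an inference."""
    return "blocked" if domain in blocked else "resolve"

def analyze(records, blocked):
    """Async path: score each row, track NXDOMAIN cascades per client, push block rules."""
    recent = defaultdict(deque)  # client -> (ts, domain, rcode) of recent high-entropy names
    incidents = []
    for r in records:
        if name_entropy(r["domain"]) <= ENTROPY_THRESHOLD:
            continue
        window = recent[r["client"]]
        window.append((r["ts"], r["domain"], r["rcode"]))
        while r["ts"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        nxdomains = sum(rc == "NXDOMAIN" for _, _, rc in window)
        if nxdomains >= CASCADE_MIN:
            for _, name, _ in window:
                if name not in blocked:            # one rule push per flagged domain
                    blocked.add(name)
                    incidents.append({"client": r["client"], "domain": name, "class": "dga"})
    return incidents
```

Once the cascade on laptop-2 is confirmed, the resolving domain that follows it is blocked as well, so any client's next query to it fails the set lookup before resolution.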
Compromised devices regularly check in with attacker-controlled infrastructure to receive instructions, exfiltrate data, or report status. These check-ins — called beaconing — often use DNS to locate the C2 server, and produce characteristic timing patterns in query logs.
A device making DNS queries to the same novel domain at regular intervals — every 60 seconds, every 5 minutes — is a reliable signal of beaconing behavior. RoCi detects this by comparing query timing distributions against each client's established patterns.
Periodic queries to the same novel domain at regular intervals — consistent with an automated check-in rather than user-driven browsing
Off-hours query activity — C2 beaconing continues while the device is idle, producing DNS traffic patterns inconsistent with the user's baseline
Domain registered recently, low global query volume, hosting on infrastructure associated with bulletproof providers or known malicious ASNs
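An added Python sketch of the timing analysis behind the beaconing signals above, written for this page rather than taken from Nantevo: it groups queries by client and domain, measures how regular the gaps between them are, and reports the share that falls outside the client's usual hours. The minimum sample count, the coefficient-of-variation cutoff, the UTC active-hour baselines and the query rows are all assumptions or constructed values.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

MIN_QUERIES = 6   # assumed: fewer samples than this yields no timing verdict
MAX_CV = 0.10     # assumed: std/mean of the gaps at or below this reads as machine-driven
# Constructed per-client active hours (UTC) standing in for the learned baseline.
ACTIVE_HOURS = {"laptop-1": set(range(8, 19)), "laptop-2": set(range(8, 19))}

def build_sample():
    """Constructed (client, domain, epoch_seconds) rows, not real telemetry."""
    night, day = 1_700_000_000, 1_700_043_200        # 22:13 UTC and 10:13 UTC
    rows = [("laptop-2", "upd.q7xk3jvbz9wpf2.net", night + 300 * i) for i in range(8)]
    rows += [("laptop-1", "news.example.com", day + dt)
             for dt in (0, 37, 410, 1900, 2005, 7200, 7310, 9000)]
    rows += [("laptop-1", "cdn.example.com", day + 60 * i) for i in range(3)]
    return rows

def interval_stats(timestamps):
    """Mean gap between sorted timestamps and the coefficient of variation of the gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv

def off_hours_share(client, timestamps):
    """Fraction of the queries that fall outside the client's usual active hours."""
    hours = [datetime.fromtimestamp(t, timezone.utc).hour for t in timestamps]
    return sum(h not in ACTIVE_HOURS[client] for h in hours) / len(hours)

def beacon_candidates(rows):
    """Group queries by (client, domain) and flag pairs whose spacing is too regular
    for a human; jittered beacons raise the CV, so MAX_CV is a tuning knob."""
    by_pair = defaultdict(list)
    for client, domain, ts in rows:
        by_pair[(client, domain)].append(ts)
    verdicts = {}
    for (client, domain), stamps in by_pair.items():
        if len(stamps) < MIN_QUERIES:
            verdicts[(client, domain)] = {"beacon": False, "reason": "too few samples"}
            continue
        mean, cv = interval_stats(stamps)
        verdicts[(client, domain)] = {"beacon": cv <= MAX_CV, "period_s": round(mean),
                                      "cv": round(cv, 3),
                                      "off_hours": off_hours_share(client, stamps)}
    return verdicts
```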
DNS tunneling encodes data inside DNS queries themselves — typically using unusually long subdomains or TXT record requests to carry arbitrary payloads. Because DNS traffic is often less scrutinized than HTTP or direct connections, it can be used to exfiltrate data or establish covert communication channels that bypass traditional network controls.
DNS tunneling produces distinctive patterns in query logs: extremely long subdomain strings, high volumes of TXT record requests, and large response payloads inconsistent with normal DNS operation.
Subdomain strings exceeding 63 characters — DNS allows up to 63 characters per label, and tunneling tools pack data into this space
Anomalous TXT record query volume — legitimate applications rarely make frequent TXT lookups, making elevated TXT query rates a reliable indicator
Response payload size anomaly — DNS responses carrying large TXT records or unusually large A/AAAA responses inconsistent with normal resolution
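The three tunneling signals above, turned into an added Python example that aggregates per-client features from a handful of constructed log lines; this is not Nantevo's code. The 63-character limit is the page's; the TXT share cutoff, the 512-byte response size, the minimum query count, the log format and the assumption that the registrable domain is the last two labels are all mine.

```python
from collections import defaultdict

MAX_SUBDOMAIN = 63    # from the page: subdomain strings longer than this are suspicious
TXT_SHARE = 0.25      # assumed: TXT share of a client's queries above this is anomalous
LARGE_RESPONSE = 512  # assumed: replies above the classic UDP payload size are anomalies
MIN_QUERIES = 4       # assumed: no verdict for a client with fewer queries than this

def constructed_log():
    """Constructed log lines (not real telemetry): 'ts client qtype resp_bytes qname'."""
    data = "abcdefghij" * 4            # 40-character filler standing in for an encoded chunk
    lines = ["100 laptop-1 A 60 www.example.com",
             "101 laptop-1 AAAA 72 mail.example.com",
             "102 laptop-1 TXT 120 _dmarc.example.com",
             "103 laptop-1 A 64 cdn.example.com",
             "104 laptop-1 A 64 docs.example.com"]
    lines += [f"{110 + i} host-9 TXT 980 {data}.{i:04d}{data}.t.tunnel-example.net"
              for i in range(3)]
    lines.append("113 host-9 A 64 www.example.com")
    return lines

def subdomain_length(qname):
    """Characters below the registrable domain, which is assumed to be the last two
    labels; production code would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return len(".".join(labels[:-2]))

def tunnel_indicators(lines):
    """Aggregate per-client features and return the tunneling signals each client trips."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "max_sub": 0, "large": 0})
    for line in lines:
        _ts, client, qtype, size, qname = line.split()
        s = stats[client]
        s["total"] += 1
        s["txt"] += int(qtype == "TXT")
        s["large"] += int(int(size) > LARGE_RESPONSE)
        s["max_sub"] = max(s["max_sub"], subdomain_length(qname))
    verdicts = {}
    for client, s in stats.items():
        if s["total"] < MIN_QUERIES:
            continue
        signals = []
        if s["max_sub"] > MAX_SUBDOMAIN:
            signals.append("long-subdomain")
        if s["txt"] / s["total"] > TXT_SHARE:
            signals.append("txt-volume")
        if s["large"]:
            signals.append("large-response")
        verdicts[client] = signals
    return verdicts
```

The single _dmarc TXT lookup on laptop-1 stays under the share cutoff, which is the point of judging TXT volume per client rather than flagging every TXT query.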
Not every threat has a known signature. Behavioral anomaly detection identifies deviations from a client's established baseline that warrant investigation — even when the specific threat type hasn't been seen before.
Because RoCi maintains a per-client baseline rather than a fleet-wide average, it can detect subtle deviations that would be invisible in aggregate data. A device querying 10x its normal volume, suddenly resolving domains in a new geographic region, or generating an unusual query type distribution: each of these is a detectable signal.
Query volume spike — significant deviation from the client's per-day and per-hour baseline, which may indicate malware activity or a compromised process
Novel domain cluster — sudden appearance of many previously unseen domains outside the client's normal resolution pattern, suggesting new software or infection
Per-client baselines mean a device that legitimately queries more — a developer machine, a build server — has a higher normal threshold. No false positives from expected high-volume clients
Fleet-level threat detection averages away the signal. RoCi maintains an independent behavioral baseline for every authenticated client — so anomalies are measured against what that specific device normally does, not what a server farm or endpoint pool looks like.
A developer workstation that queries 10,000 domains a day is normal for a developer. A corporate laptop doing the same thing on a Tuesday at 3am is not normal for that laptop. Fleet-level baselines cannot distinguish between these. Per-client baselines make that distinction automatically.
From the moment a client is enrolled, RoCi begins building its baseline — query volume distributions by hour and day, typical domain categories, normal response patterns, and query type ratios. After a short observation window, behavioral scoring becomes active and thresholds are set to that client's specific normal.
If a client's usage pattern legitimately changes — a new role, new software, a new workflow — the baseline adapts over time rather than generating persistent false positives. Sudden deviations still trigger alerts; gradual legitimate evolution updates the model.
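An added Python sketch of the per-client baseline described in the passages above (observation window, per-hour normal, spike scoring against that client only, gradual adaptation), written for this page rather than taken from Nantevo. The EWMA weight, the 3-spread spike threshold, the 7-day warm-up and the developer and laptop profiles are assumptions or constructed values.

```python
import math
ALPHA = 0.1       # assumed EWMA weight: a persistent change is mostly absorbed within ~30 days
Z_SPIKE = 3.0     # assumed: an hourly count this many spreads above normal is a spike
WARMUP_DAYS = 7   # assumed observation window before scoring activates

class ClientBaseline:
    """Per-client hourly query-volume baseline; no fleet-wide average is consulted."""
    def __init__(self):
        self.mean = [0.0] * 24
        self.var = [0.0] * 24
        self.days_seen = 0

    def observe_day(self, hourly_counts):
        """Fold one day in; a spike day moves the model by ALPHA of its deviation only."""
        if self.days_seen == 0:                      # first day seeds the per-hour means
            self.mean = [float(n) for n in hourly_counts]
        for h, n in enumerate(hourly_counts):
            diff = n - self.mean[h]
            self.mean[h] += ALPHA * diff
            self.var[h] = (1 - ALPHA) * (self.var[h] + ALPHA * diff * diff)
        self.days_seen += 1

    def zscore(self, hour, count):
        """Deviation from this client's own normal for that hour; None during warm-up."""
        if self.days_seen < WARMUP_DAYS:
            return None
        # Floor the spread at sqrt(mean) (Poisson-like counts) and at 1 so a zero-variance hour scores.
        spread = max(math.sqrt(self.var[hour]), math.sqrt(self.mean[hour]), 1.0)
        return (count - self.mean[hour]) / spread

def day_profile(active_hours, per_hour, idle=0):
    """Constructed daily histogram: per_hour queries in each active hour, idle elsewhere."""
    return [per_hour if h in active_hours else idle for h in range(24)]

def demo():
    """Constructed scenario: 1,100 queries in an hour is normal for a developer box,
    abnormal for a laptop at 3am, and normal again once the laptop's new pattern persists."""
    dev, laptop = ClientBaseline(), ClientBaseline()
    for d in range(WARMUP_DAYS):
        dev.observe_day(day_profile(range(8, 18), 1000 + 20 * d, idle=5))
        laptop.observe_day(day_profile(range(9, 18), 100 + 5 * (d % 3)))
    result = {"dev_10h": dev.zscore(10, 1100) > Z_SPIKE,
              "laptop_03h": laptop.zscore(3, 1100) > Z_SPIKE}
    nightly = day_profile(range(9, 18), 100)
    nightly[3] = 1100                                # a persistent new 3am workload
    for _ in range(30):
        laptop.observe_day(nightly)
    result["laptop_03h_after_30d"] = laptop.zscore(3, 1100) > Z_SPIKE
    return result
```

The same 1,100-query hour scores below the threshold for the developer box and far above it for the laptop, and after thirty nights of the new pattern the laptop's own mean has moved close enough that it no longer alerts.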
When RoCi pushes a block rule from a detection on one client, that rule propagates into the shared threat feed immediately. Every other authenticated client across the platform benefits from the detection without their individual queries or baselines being affected.
A complete reference of RoCi's detection and analysis capabilities, all operating asynchronously on the telemetry stream without any impact on query response times.
Shannon entropy scoring on subdomain strings, character distribution analysis, and NXDOMAIN cascade detection. Catches malware iterating through algorithmically generated domain lists in search of live C2 infrastructure.
Timing distribution analysis across query sequences to identify regular, automated intervals inconsistent with user-driven DNS traffic. Off-hours activity detection and newly registered domain correlation.
Long subdomain detection, anomalous TXT record query volume analysis, and response payload size monitoring. Identifies covert channels using DNS as a data transport mechanism to bypass traditional network controls.
Volume spike detection, novel domain cluster identification, and query pattern deviation scoring — all measured against the specific client's established normal, not a fleet-wide average. No false positives from legitimately high-volume clients.
When any detection exceeds threshold, RoCi immediately pushes a block rule to Nantevo's threat intelligence API. The rule propagates to the synchronous feed lookup used by all active clients — turning a detection into a cross-platform block in seconds.
Every detection generates a structured incident record — client identity, domain, classification, confidence score, evidence signals, and rule action taken. Incidents are immediately visible in the dashboard and available via API for SIEM integration.
RoCi's name comes from Rocinante — the van that carried the engineer who built Nantevo across two years and over 40,000 miles of the United States. Throughout that journey, a Raspberry Pi mounted in the dashboard ran continuously, monitoring DNS traffic, logging queries, and building the dataset that became RoCi's foundation.
Two years of production DNS telemetry from real clients across real networks — mobile connections, satellite internet, hotel WiFi, coffee shops, data centers — is an unusually rich and varied dataset for a threat intelligence model. RoCi knows what normal looks like across a wide range of network conditions because she has seen it.
"RoCi doesn't look for threats. She looks for things that don't look like everything else she's seen before."
The first version of RoCi was a Raspberry Pi mounted in the van's dashboard — monitoring DNS traffic across mobile networks, satellite connections, and public WiFi during a two-year nomadic journey across the US.
Continuous collection of DNS query metadata across real networks and real clients. Not a synthetic dataset or a lab environment — actual traffic from production deployments across a wide range of network conditions and use patterns.
The intelligence model built on van-era telemetry is integrated into Nantevo's asynchronous analysis pipeline. Per-client behavioral baselines, DGA scoring, and the detection-to-remediation loop become production capabilities.
Each incident confirmed by an analyst, each rule update pushed, each false positive corrected refines RoCi's model. The platform's telemetry is the training data. Every client enrolled extends the dataset.
The demo includes the full detection pipeline — from enrollment through behavioral baseline establishment to a live anomaly scenario.