91% of malware uses DNS for command-and-control, exfiltration, or redirection — Cisco Annual Security Report. RoCi is Nantevo's AI-powered threat intelligence engine. It analyzes the DNS telemetry stream to sever those C2 channels, identify attack patterns, and automatically update threat rules — across every authenticated client, with 1:1 device attribution, continuously.
RoCi never touches a live query. All analysis happens asynchronously on the log stream — after responses are delivered. DNS resolution latency is a hard constraint. AI inference is not. The ~16ms production average holds regardless of analysis complexity.
DNS resolution speed is non-negotiable. RoCi's design separates the response path from the analysis path entirely — queries resolve and return without waiting for any AI inference. The ~16ms production average is protected by design, not policy.
Every step in the live query path is a fast lookup, never an inference.
Query metadata is written to the telemetry pipeline after the response is already on its way back to the device. Every record is tagged to the authenticated client identity.
RoCi consumes the telemetry stream, runs behavioral scoring, detects patterns, and pushes rule updates back into the synchronous threat feed.
When RoCi detects a threat in the telemetry stream, it doesn't just log it. It immediately pushes a block rule back into the synchronous threat intelligence layer, severs the attacker's DNS communication channel, and generates an incident record with 1:1 device attribution — giving the SOC everything needed to contain the threat without manual investigation.
A DNS query is authenticated, resolved, and the response returned to the device. Query metadata is written to the telemetry stream asynchronously. The device has its answer. The analysis begins.
RoCi ingests the metadata from the telemetry pipeline. Behavioral scoring compares the query against the per-client baseline. Entropy analysis runs on the domain string. Pattern matching checks for known attack sequences across the client's recent query history.
When scoring exceeds the configured sensitivity threshold, RoCi classifies the threat and immediately pushes a block rule to Nantevo's threat intelligence API. The rule propagates into the synchronous feed lookup used by the live query path.
The C2 channel is blocked at the DNS layer. The compromised device can no longer reach attacker infrastructure. The incident record contains the exact device ID, timestamp, domain, and classification — giving the SOC 1:1 attribution without VPN correlation, IP lookups, or manual investigation. MTTR drops to the time it takes to read the alert.
This creates a self-reinforcing Defense in Depth loop: every detection severs a C2 kill chain, makes the synchronous threat feed more accurate for every subsequent query across every client, and gives the SOC immediate 1:1 attribution without manual investigation. A threat detected on one client's traffic is blocked for all clients — and the incident record is ready before an analyst could have begun their first search query.
The visibility gap for remote and hybrid devices has been the primary driver of elevated MTTR in DNS-based incidents. When a device disconnects from VPN, traditional solutions lose the ability to attribute a malicious DNS query to a specific endpoint. RoCi eliminates that gap entirely.
A C2 beacon fires from a remote laptop on hotel WiFi. The SOC sees a suspicious domain in aggregate traffic logs — but the originating IP is the hotel's shared gateway. Correlating that query to a specific device requires VPN connection records, MDM check-ins, and manual cross-referencing across three systems. By the time the device is identified, the malware has had hours to operate.
The same C2 beacon fires. RoCi detects the DGA entropy pattern in the log stream and classifies it within seconds. The incident record contains the exact authenticated Client ID — mapped 1:1 to the device in the MDM registry — along with the timestamp, domain, entropy score, and classification. The SOC reads one alert. The device is identified before the next beacon fires.
IP-based attribution. Fails the moment the device leaves the corporate network. Requires VPN connection logs, DHCP records, and MDM check-in timestamps to reconstruct device identity. Manual correlation process measured in hours.
Every query carries the authenticated Client ID. Attribution is embedded in the transport layer — no VPN required, no IP correlation required. Works identically on hotel WiFi, satellite, coffee shops, or a home network. MTTR is limited by analyst reading speed, not data availability.
Federal guidance confirms that Protective DNS provides "high-confidence indicators of malicious activity" that other security controls often miss — precisely because the overwhelming majority of malware communicates through the DNS layer that endpoint agents and firewalls overlook.
91% of malware uses DNS for C2, exfiltration, or redirection — Cisco. Before Protective DNS, the SOC's visibility gap for remote assets made every incident a reverse-IP guessing game. RoCi's 1:1 attribution changes the entire investigation workflow.
Every blocked query carries a unique DoH Client ID mapped to a specific enrolled device. When RoCi detects a C2 beacon or DGA pattern, the SOC immediately knows the exact device — regardless of its physical location, IP address, or whether it's connected to the VPN. The investigation starts at the device, not at a subnet.
Every DNS query is logged with a timestamp, client ID, response code, threat classification, and latency measurement. When a device is flagged, the SOC can reconstruct the exact query sequence — the frequency of sinkholed queries from a single client ID distinguishes active malware from accidental browsing of a high-risk site.
Block rule propagation is automatic — RoCi doesn't wait for analyst review before pushing to the threat feed. The attacker's DNS communication channel is cut within seconds of detection. The SOC receives a fully-formed incident record with the device identified, the domain blocked, and the threat classified. The investigation begins after the threat is already contained.
When RoCi pushes a block rule from a detection on any client, that rule propagates to the synchronous threat feed serving all enrolled clients. A C2 domain detected on one device is blocked for every other device on the platform — without analyst intervention, without waiting for a threat feed vendor update cycle.
RoCi's detection capabilities are tuned specifically for DNS-layer threat patterns — the categories of malicious behavior that are invisible to endpoint security but plainly visible in query telemetry.
Malware families use Domain Generation Algorithms to programmatically generate large numbers of domain names. The malware tries each in sequence until it finds one that resolves — connecting to the attacker's command and control infrastructure without relying on a hardcoded domain that can be blocked.
DGA domains have a characteristic signature in their structure: high entropy, unusual character distributions, and subdomain patterns that deviate sharply from human-readable domains. RoCi scores every queried domain for these characteristics.
Subdomain entropy score exceeds 3.5 — character distribution inconsistent with human-readable domain patterns
Sequential pattern — multiple high-entropy domains queried within a short window, consistent with DGA iteration behavior
NXDOMAIN cascade — high volume of non-resolving queries to novel domains, indicating the malware is iterating through its generated list
Compromised devices regularly check in with attacker-controlled infrastructure to receive instructions, exfiltrate data, or report status. These check-ins — called beaconing — often use DNS to locate the C2 server, and produce characteristic timing patterns in query logs.
A device making DNS queries to the same novel domain at regular intervals — every 60 seconds, every 5 minutes — is a reliable signal of beaconing behavior. RoCi detects this by comparing query timing distributions against each client's established patterns.
Periodic queries to the same novel domain at regular intervals — consistent with an automated check-in rather than user-driven browsing
Off-hours query activity — C2 beaconing continues while the device is idle, producing DNS traffic patterns inconsistent with the user's baseline
Domain registered recently, low global query volume, hosting on infrastructure associated with bulletproof providers or known malicious ASNs
DNS tunneling encodes data inside DNS queries themselves — typically using unusually long subdomains or TXT record requests to carry arbitrary payloads. Because DNS traffic is often less scrutinized than HTTP or direct connections, it can be used to exfiltrate data or establish covert communication channels that bypass traditional network controls.
DNS tunneling produces distinctive patterns in query logs: extremely long subdomain strings, high volumes of TXT record requests, and large response payloads inconsistent with normal DNS operation.
Subdomain strings exceeding 63 characters — DNS allows up to 63 characters per label, and tunneling tools pack data into this space
Anomalous TXT record query volume — legitimate applications rarely make frequent TXT lookups, making elevated TXT query rates a reliable indicator
Response payload size anomaly — DNS responses carrying large TXT records or unusually large A/AAAA responses inconsistent with normal resolution
Phishing attacks rely on the victim's device successfully resolving a malicious domain — a credential-harvesting page, a malware download site, or a spoofed login portal. DNS-layer blocking prevents the connection from ever being established, regardless of how convincing the phishing content is or whether the user recognizes the threat.
When an employee on an untrusted public network clicks a malicious link in a targeted phishing email, RoCi evaluates the destination domain against threat intelligence feeds in real time. If the domain is flagged, the resolution is denied — the browser never connects, no credentials are entered, no payload is downloaded.
Domain present on active phishing intelligence feeds — known credential harvesting infrastructure, spoofed login pages, or active phishing campaign domains
Newly registered domain with characteristics consistent with phishing infrastructure — typosquatting patterns, lookalike domains targeting known brands or corporate services
Protection is network-agnostic — a device on untrusted hotel WiFi or public coffee shop WiFi receives the same phishing protection as one on the corporate network, without VPN
Not every threat has a known signature. Behavioral anomaly detection identifies deviations from a client's established baseline that warrant investigation — even when the specific threat type hasn't been seen before.
Because RoCi maintains a per-client baseline rather than a fleet-wide average, it can detect subtle deviations that would be invisible in aggregate data. A device querying 10x its normal volume, suddenly resolving domains in a new geographic region, or generating unusual query type distributions are all detectable signals.
Query volume spike — significant deviation from the client's per-day and per-hour baseline, which may indicate malware activity or a compromised process
Novel domain cluster — sudden appearance of many previously-unseen domains outside the client's normal resolution pattern, suggesting new software or infection
Per-client baselines mean a device that legitimately queries more — a developer machine, a build server — has a higher normal threshold. No false positives from expected high-volume clients
Fleet-level threat detection averages away the signal. RoCi maintains an independent behavioral baseline for every authenticated client — so anomalies are measured against what that specific device normally does, not what a server farm or endpoint pool looks like.
A developer workstation that queries 10,000 domains a day is normal for a developer. A corporate laptop doing the same thing on a Tuesday at 3am is not normal for that laptop. Fleet-level baselines cannot distinguish between these. Per-client baselines make that distinction automatically.
From the moment a client is enrolled, RoCi begins building its baseline — query volume distributions by hour and day, typical domain categories, normal response patterns, and query type ratios. After a short observation window, behavioral scoring becomes active and thresholds are set to that client's specific normal.
If a client's usage pattern legitimately changes — a new role, new software, a new workflow — the baseline adapts over time rather than generating persistent false positives. Sudden deviations still trigger alerts; gradual legitimate evolution updates the model.
When RoCi pushes a block rule from a detection on one client, that rule propagates into the shared threat feed immediately. Every other authenticated client across the platform benefits from the detection without their individual queries or baselines being affected.
A complete reference of RoCi's detection and analysis capabilities, all operating asynchronously on the telemetry stream without any impact on query response times.
Shannon entropy scoring on subdomain strings, character distribution analysis, and NXDOMAIN cascade detection. Catches malware iterating through algorithmically-generated domain lists in search of live C2 infrastructure.
Timing distribution analysis across query sequences to identify regular, automated intervals inconsistent with user-driven DNS traffic. Off-hours activity detection and newly-registered domain correlation.
Long subdomain detection, anomalous TXT record query volume analysis, and response payload size monitoring. Identifies covert channels using DNS as a data transport mechanism to bypass traditional network controls.
Volume spike detection, novel domain cluster identification, and query pattern deviation scoring — all measured against the specific client's established normal. When a deviation triggers, the incident record contains the exact device identity. No fleet-wide averaging hides the signal, and no manual correlation is needed to find the affected endpoint.
When any detection exceeds threshold, RoCi immediately pushes a block rule to Nantevo's threat intelligence API. The rule propagates to the synchronous feed lookup used by all active clients — turning a detection into a cross-platform block in seconds.
Every detection generates a structured incident record containing the authenticated Client ID — mapped 1:1 to the specific device, regardless of its network location or IP address. SOC analysts get the exact device, timestamp, domain, classification, and evidence signals in a single record. No VPN logs, no DHCP correlation, no manual reconstruction.
Online advertising and tracker networks are the primary delivery vehicle for malvertising campaigns. RoCi's filtering engine sinkholing ad and tracker domains removes approximately 25% of all DNS queries from the attack surface entirely — a reduction validated across 2.5 years of production telemetry. Global Cyber Alliance research found DNS-layer filtering could prevent roughly a third of data breaches.
RoCi's name comes from Rocinante — the van that carried the engineer who built Nantevo across two and a half years and over 40,000 miles of the United States. Throughout that journey, a Raspberry Pi mounted in the dashboard ran continuously, monitoring DNS traffic, logging queries, and building the dataset that became RoCi's foundation.
Two and a half years of production DNS telemetry from real clients across real networks — mobile connections, satellite internet, hotel WiFi, coffee shops, data centers — is an unusually rich and varied dataset for a threat intelligence model. RoCi knows what normal looks like across a wide range of network conditions because it has seen all of them. That production dataset was the subject of the founder's MS Cybersecurity capstone, validated against NIST SP 800-81r3.
"RoCi doesn't look for threats. It looks for things that don't look like everything else it has seen before."
The first version of RoCi was a Raspberry Pi mounted in the van's dashboard — monitoring DNS traffic across mobile networks, satellite connections, and public WiFi during a nomadic journey across the US. Every query logged became part of the dataset.
Continuous collection of DNS query metadata across real networks and real clients. Not a synthetic dataset or a lab environment — actual traffic from production deployments across a wide range of network conditions, device types, and use patterns.
The production QueryGuard/Nantevo platform was the subject of the founder's MS Cybersecurity capstone at WGU — validating the architecture against NIST SP 800-81r3 and NSA/CISA Protective DNS guidance. The production telemetry was the dataset. The live system was the proof of concept.
The intelligence model built on van-era telemetry is integrated into Nantevo's asynchronous analysis pipeline. Per-client behavioral baselines, DGA scoring, and the detection-to-remediation loop become production capabilities.
Each incident confirmed, each rule update pushed, each false positive corrected refines RoCi's model. The platform's telemetry is the training data. Every client enrolled extends the dataset further.
Demo includes the full detection pipeline — from enrollment through behavioral baseline establishment to a live anomaly scenario.