Introducing ExaScale: The Operating System for Packets

Nov 29, 2025


After 20 years of building packet capture tools, we asked ourselves a simple question: What if network visibility had no limits?

No limits on capture speed. No limits on storage. No limits on scale. No limits on what you could query, analyze, or secure.

The answer is ExaScale.

The Problem We Set Out to Solve

Network traffic is exploding. Organizations capture terabytes daily, petabytes weekly. Traditional tools buckle under the load. You're forced to choose: capture everything and drown in data, or sample and miss critical events.

Packet brokers help, but they're expensive hardware. SIEM tools aggregate, but lose packet-level detail. Open-source solutions work, but don't scale. Cloud solutions scale, but your data leaves your control.

We wanted something different. Something that could:

  • Capture at line rate—800 Gbps and beyond

  • Store petabytes efficiently with intelligent indexing

  • Project any view of your data on demand

  • Integrate existing data sources without copying

  • Keep data on-premises with zero-trust security

  • Work with existing infrastructure, not replace it

So we built it.

What is ExaScale?

ExaScale is a software platform for packet capture, storage, and analysis at any scale. Think of it as SQL + Wireshark + Kubernetes—but for packets.

It's built on three core components:

ExaScale Core is the control plane. It manages nodes, clusters, and global federations from a single dashboard. Create regions, provision thousands of nodes, assign security roles—all through a unified interface. The architecture is designed for scalability: each cluster and node handles heavy lifting locally, while upper layers work in aggregate.

ExaFS is our virtual filesystem. Raw packets are captured to disk with metadata and indexes. ExaFS then projects any view of that data as virtual files and directories. Query for specific traffic, and the result appears as a standard PCAPNG file you can open in Wireshark. Navigate your entire federation like a folder structure.

ExaQL is our query language—and the only interface to ExaScale. There's no separate CLI, no shell commands. Everything—capture control, projections, security, exports, analytics—goes through ExaQL. It's pronounced "ex-ak-will"—the psql of packet exascale.

One Command to Rule Them All: exaql

The exaql binary is the single entry point to ExaScale:

# Start interactive shell
exaql --cluster global

exaql> show clusters
+---------+--------+---------+
| Name    | Nodes  | Status  |
+---------+--------+---------+
| us-east | 1200   | healthy |
| eu-west | 850    | healthy |
+---------+--------+---------+

exaql> use capture-2025-11-15

exaql> create projection offset@1 shard by offset[GB] aggregates on

exaql> create projection temporal@1 shard by time[minute] aggregates on

exaql> cd temporal@1/year=2025/month=11/day=15

exaql> ls
hour=00.pcapng   hour=01.pcapng   ...   hour=23.pcapng

exaql> top
→ realtime dashboard: packets/sec, flows, top IMSIs, anomalies

exaql> export hour=12.pcapng to s3://export/2025-11-15.pcapng security level 18

One language. Capture, store, index, secure, query, navigate, export.

How Capture Works

ExaScale captures all raw packet data to storage. Nothing is lost. During capture, we generate:

  • Raw packet files (PCAPNG format)

  • Metadata (timestamps, flow tuples, protocol info)

  • Sparse indexes (SIX) for fast navigation in massive files

  • Dense indexes (DIX) for O(1) packet access

  • Statistics (per-flow, per-protocol, aggregates)

Indexes can be written inline in the PCAPNG file (they're valid custom block types) or as sidecar files. jNetWorks generates these during capture, or they can be created post-capture.

Sensitive captures can be replicated to redundant nodes for durability and availability.

You can reduce storage with options like truncating payloads, removing tunnel headers, or capturing headers only—but the raw data you choose to keep is always there.

ExaFS: The Virtual Filesystem

ExaFS projects your captured data as a navigable filesystem. Every projection creates a directory structure:


Every directory contains a README.txt—auto-generated, human-readable documentation describing every file, metadata relationships, and how subdirectories connect. In a complex exascale environment, you always know exactly what you're looking at.

Query instances are numbered with @N suffixes. Run the same query multiple times and each result gets its own instance: offset@1, offset@2, etc.

Virtual files are symlinks pointing to their source. The source itself can be another virtual file—projections can chain. Drag any .pcapng into Wireshark and it just works.

SILOs: Integrate Without Copying

ExaScale integrates external data sources through SILOs—third-party adapters that project existing data into ExaFS without copying it.

How it works: Import a SILO and the physical data stays where it is. ExaFS projects it as if it were a physical file, complete with directory structure and README documentation. The data appears alongside your captures, queryable through ExaQL.

Suricata integration: Suricata rules and alerts are fully integrated as a SILO. Query IDS events alongside packet data:

show packets 
    where suricata.alert.signature contains "ET MALWARE"
    during last 24h

Other SILOs: Zeek logs, firewall exports, SIEM data, proprietary formats. If you have packet-adjacent data, ExaScale can integrate it.

You can copy SILO data into ExaScale storage at any time—full or partial—but that's your choice. The integration works either way.

Indexing: SIX and DIX

ExaScale uses two indexing strategies:

Sparse Index (SIX) places beacons every N packets (configurable—10K to 1M). Each beacon enables logarithmic seeks with minimal overhead—less than 0.00005% for 100 EB files. Perfect for archival navigation.

Dense Index (DIX) provides O(1) access to any packet. Higher storage overhead but instant random access. Ideal for hot data and interactive analysis.

Both can be written inline in PCAPNG, stored as sidecars, or virtually injected by ExaFS into projected files.
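
An added example, not ExaScale code: the sparse-beacon and dense-offset lookups described above, sketched in Python over a constructed run of PCAPNG Enhanced Packet Blocks. The index layouts (plain lists of offsets), the function names and the beacon spacing of 100 are assumptions for illustration; the actual SIX/DIX formats are not described on this page.

```python
import bisect
import struct

EPB = 0x00000006  # PCAPNG Enhanced Packet Block type

def epb(ts, payload):
    """Build one little-endian EPB (interface 0, no options)."""
    pad = -len(payload) % 4
    body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF,
                       len(payload), len(payload)) + payload + b"\0" * pad
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", EPB, total) + body + struct.pack("<I", total)

def walk(buf, offset=0):
    """Yield (offset, total_length) per block by following length fields."""
    while offset < len(buf):
        _, total = struct.unpack_from("<II", buf, offset)
        yield offset, total
        offset += total

def build_indexes(buf, beacon_every):
    """Sparse: (packet_no, offset) every N packets. Dense: every offset."""
    sparse, dense = [], []
    for n, (off, _) in enumerate(walk(buf)):
        dense.append(off)
        if n % beacon_every == 0:
            sparse.append((n, off))
    return sparse, dense

def seek_sparse(buf, sparse, n):
    """Binary-search the beacon at or before n, then walk blocks forward."""
    i = bisect.bisect_right(sparse, (n, float("inf"))) - 1
    start_n, off = sparse[i]
    for steps, (off, _) in enumerate(walk(buf, off)):
        if start_n + steps == n:
            return off, steps
    raise IndexError(n)

def packet_at(buf, off):
    """Decode the EPB at off and return (timestamp, payload)."""
    hi, lo, caplen = struct.unpack_from("<III", buf, off + 12)
    return (hi << 32) | lo, buf[off + 28: off + 28 + caplen]

# Constructed sample: 1,000 EPBs only (a real file also has SHB/IDB blocks).
CAPTURE = b"".join(epb(1_000 + i, b"x" * (i % 7 + 1)) for i in range(1000))
SPARSE, DENSE = build_indexes(CAPTURE, beacon_every=100)
```

seek_sparse returns the block offset together with the number of blocks walked past the beacon, which is the cost a dense index avoids at the price of one entry per packet.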

Zero-Trust Security

Security in ExaScale isn't a feature—it's the architecture. Every ExaQL command is parsed and enforced through the security engine. No packet, projection, or export can bypass these controls.

20 configurable security levels (0-20):

create projection "raw-mobile-core" 
    from /captures/global-2025 
    where gtp 
    security level 18 
    decrypt with vault://master-2025

Mandatory PII obfuscation:

capture all traffic obfuscate imsi,msisdn,imei level 10

Export gating with step-down:

export packets 
    where imsi == "311480123456789" 
    to usb://evidence-2025/case-001.pcapng 
    security level 15 
    decrypt with "court-warrant-key-2025"

Immutable audit ledger: Every command is cryptographically logged. Chain-of-custody is built in.

Air-gap support: Works with offline vaults for classified environments.

This makes ExaScale the first packet platform that is truly zero-trust native—from the query language down to the last byte on disk.

Hierarchical Architecture

ExaScale scales from a single laptop to global infrastructure:

Regions define geographic boundaries:

create region "americas" location "US-VA"
create region "europe" location "IE"
create region "classified" location "US-SCIF" security airgap

Clusters group nodes within regions:

create cluster "us-east-prod" in region "americas" nodes 1200
create cluster "eu-west-prod" in region "europe" nodes 850
create cluster "classified-core" in region "classified" security airgap

Federations unify everything under one control plane:

create federation "acme-global" owner "security@acme.corp"

There's no theoretical limit on nodes per cluster. Our tiers support up to 5,000+ nodes for Ultra edition, with unlimited available for custom deployments. The control plane is designed for scalability—local clusters handle their own heavy lifting while upper layers work in aggregate.

The entire federation hierarchy is projected as directories in ExaFS. Navigate clusters like folders. Security levels control visibility automatically.

Hardware Agnostic

ExaScale is software-only. It runs on commodity servers. But it also integrates with specialized hardware:

  • Napatech SmartNICs for hardware-accelerated capture

  • DPDK for kernel-bypass on commodity NICs

  • Endace and other capture appliances as data sources

Already have infrastructure? ExaScale federates it. We enhance—we don't replace.

The ExaNet Capture Engine

At the heart of ExaScale's performance is ExaNet—our jNetWorks SDK integrated directly into the platform:

  • 800 Gbps sustained capture (tested, verified)

  • Zero-copy packet path from NIC to storage

  • Hardware timestamping with nanosecond precision

  • Inline SIX/DIX index generation during capture

  • Multi-port aggregation and load balancing

AI That Stays On-Premises

ExaScale's AI module—ExaInsight—runs entirely on-premises. Your data never leaves.

Natural language queries use the AI: prefix:

AI: Show me all failed SSH login attempts from last week
AI: Find DNS queries to newly registered domains
AI: Which internal hosts communicated with known C2 servers

The AI translates to ExaQL and executes. Beyond queries, ExaInsight provides anomaly detection, threat prediction, and automated response actions.

Who Is ExaScale For?

Security teams hunting threats:

find flows where fraud-pattern
    during last 24h
    group by meta.tuple
    order by count(*) desc
    limit 100

Compliance officers automating reports:

schedule daily at 03:00
    report "gdpr-exposure" 
    where meta.tuple contains "IMSI|IMEI|passport"
    export to "s3://acme-compliance/gdpr-{{date}}.csv"

Telecom providers with carrier-grade requirements. Financial institutions detecting fraud at wire speed. Government and defense needing air-gapped, zero-trust solutions.

Getting Started

ExaScale is available in five editions:

  • Standard: Core platform for smaller deployments

  • Pro: Add ExaNet for high-speed capture

  • Enterprise: Add zero-trust security

  • Secure: Add AI-powered intelligence

  • Ultra: Everything, 5,000+ nodes, unlimited scale

We offer 30-day trials with full functionality. No credit card. No commitment.

Ready to see it in action? Request a demo and we'll walk you through the platform with your use case in mind.

Mark Bednarczyk is the founder and CEO of Sly Technologies, with 30+ years of experience in network architecture and security.

Sly Technologies

The operating system for packets

© 2025 Sly Technologies. All rights reserved.

Tampa, Florida
