In today's complex threat landscape, organizations of all sizes need robust network visibility and detection capabilities. But for many teams, the barrier to entry has been high – sophisticated network detection and response (NDR) solutions often come with enterprise price tags and complexity that put them out of reach for smaller organizations, security researchers, and educational institutions.
That's why we're excited to announce the release of Clear NDR Community 1.0, the production-ready open source version of our open core network detection and response system. This milestone release transforms what began last December as an innovative beta into a complete solution suitable for production environments, all while maintaining our commitment to openness and transparency.
From Beta to Production: The Evolution of Clear NDR Community
When we first introduced Clear NDR Community as the successor to the popular SELKS last year, we set out to simplify access to advanced network security monitoring. The response from the security community was overwhelming, from small businesses running it in production to researchers using it as a platform for security innovation and students learning the fundamentals of network security.
Today, with version 1.0, we're delivering on the promise of a production-grade open source NDR that offers the deep network visibility needed for effective threat detection and response without the enterprise price tag.
This blog details a number of important advances included in this release, but I’d like to point out two that are the first of their kind in a turnkey open source Suricata implementation:
- Suricata 8 – the most recent version of the industry’s most powerful network security engine, making Clear NDR Community an even more powerful and comprehensive network detection and response solution.
- Integrated model context protocol (MCP) – the open standard developed by Anthropic that enables AI assistants to securely connect with external data sources and tools such as Clear NDR Community.
You can read more about each of these below.
Three Ways to Deploy. Unlimited Ways to Protect.
One of the most significant enhancements in Clear NDR Community 1.0 is the flexibility in deployment options. While our previous release was available only as a Docker Compose deployment, version 1.0 introduces:
- Debian ISO with Desktop – Perfect for security analysts who prefer a graphical interface for their monitoring and investigation workflows
- Debian ISO without Desktop – Optimized for headless server deployments where efficiency and minimal resource usage are priorities
- Containerized Version – Continuing support for containerized deployments in any Linux environment
Whether you're deploying on bare metal hardware or virtual machines, Clear NDR Community now adapts to your environment rather than the other way around.
The minimum requirements for running Clear NDR Community in simple small office/home office (SOHO), training, teaching, offline analysis, and PCAP investigation use cases are listed below.
- 2 CPU cores (x86)
- 9 GB RAM
- 50 GB of disk space
- 2 network interfaces
Because both Suricata and OpenSearch are multithreaded, performance will improve with additional cores. Likewise, by allocating additional memory, Clear NDR Community will more easily support additional traffic loads. Finally, more disk space is required to support higher traffic rates and longer data retention.
What Makes Version 1.0 Production-Ready?
Clear NDR Community 1.0 introduces several critical enhancements that elevate it to production status:
1. Solid Foundation with OpenSearch 2.0
At the core of any security monitoring system is its data platform. Clear NDR Community now leverages OpenSearch 2.0 as its data lake, delivering improved performance, scalability, and reliability for security teams who need to trust their detection platform.
2. Streamlined Threat Intelligence
Staying ahead of threats requires current intelligence. Version 1.0 introduces native capability to ingest threat intelligence feeds (IoCs) without the complexity of writing custom Suricata rules. This simplifies access to threat intelligence, making it accessible even to teams with limited resources.
3. Data Management Made Simple
As monitoring systems collect data, managing storage becomes critical. Clear NDR Community 1.0 provides new facilities and configuration options to help users manage their data retention needs – balancing security requirements with infrastructure constraints.
4. From Alert to Evidence in Two Clicks
Investigation speed matters when facing potential threats. Our new "Two-Click to Evidence" workflow allows analysts to quickly navigate from alert to detailed evidence, dramatically accelerating the incident investigation process and reducing time to resolution. With just two clicks in the UI, users can access the evidentiary artifacts associated with each alert. These include protocol logs, flow records, file transactions, the detection logic, PCAPs, and more.
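What makes that pivot possible in Suricata-based systems is the flow_id that every EVE JSON record for the same connection carries, whether it is an alert, a protocol log, a file record or the flow summary. The following is an added illustration, not code from Clear NDR Community or Stamus Networks: it groups a handful of constructed EVE lines by flow_id and assembles the evidence bundle for an alert.

```python
"""Pivot from a Suricata alert to its evidence via flow_id (added example).

Suricata writes one EVE JSON record per event and tags every record belonging
to the same connection with the same flow_id. Grouping on that key is what
lets an analyst jump from an alert to its HTTP transaction, file record and
flow record. The EVE lines below are constructed for illustration; the field
names follow the EVE schema but the traffic is made up.
"""
import json
from collections import defaultdict

# Constructed EVE JSON lines: one alert, its http/fileinfo/flow records, and an
# unrelated dns record on a different flow that must not end up in the bundle.
EVE_LINES = [
    '{"timestamp":"2025-09-10T10:00:01.000000+0000","flow_id":1234567890,"event_type":"alert","src_ip":"10.7.5.20","dest_ip":"203.0.113.9","dest_port":80,"alert":{"signature_id":9000001,"signature":"EXAMPLE Suspicious executable download","severity":1}}',
    '{"timestamp":"2025-09-10T10:00:01.000000+0000","flow_id":1234567890,"event_type":"http","http":{"hostname":"files.example","url":"/update.exe","http_method":"GET","status":200}}',
    '{"timestamp":"2025-09-10T10:00:01.100000+0000","flow_id":1234567890,"event_type":"fileinfo","fileinfo":{"filename":"/update.exe","size":51200,"stored":true}}',
    '{"timestamp":"2025-09-10T10:00:05.000000+0000","flow_id":1234567890,"event_type":"flow","flow":{"bytes_toserver":410,"bytes_toclient":52331,"state":"closed"}}',
    '{"timestamp":"2025-09-10T10:00:02.000000+0000","flow_id":555,"event_type":"dns","dns":{"rrname":"dc.corp.example","rrtype":"A"}}',
]


def index_by_flow(lines):
    """Parse EVE lines and group the records by their flow_id."""
    by_flow = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        by_flow[rec["flow_id"]].append(rec)
    return by_flow


def alerts(by_flow):
    """Return every alert record across all flows."""
    return [r for recs in by_flow.values() for r in recs if r["event_type"] == "alert"]


def evidence_for_alert(alert, by_flow):
    """Return the non-alert records that share the alert's flow_id, keyed by event_type."""
    bundle = defaultdict(list)
    for rec in by_flow[alert["flow_id"]]:
        if rec["event_type"] != "alert":
            bundle[rec["event_type"]].append(rec)
    return dict(bundle)


if __name__ == "__main__":
    idx = index_by_flow(EVE_LINES)
    for a in alerts(idx):
        ev = evidence_for_alert(a, idx)
        print(a["alert"]["signature"], {k: len(v) for k, v in ev.items()})
```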
5. Connected Security Ecosystem
Security tools shouldn't exist in isolation. Version 1.0 implements UI integrations with other systems via configurable Deep Linking in the investigation and threat hunting interface, creating a more cohesive security ecosystem.
6. Easy and Flexible Docker Deployment with StamusCtl
StamusCtl is an open-source command-line tool from Stamus Networks, written in Go, that serves as the all-in-one controller for spinning up and managing Suricata-powered Clear NDR stacks — sensors, Scirius UI, OpenSearch dashboards and more — on any Docker-capable Linux host.
With a couple of stamusctl stack up commands you can install, configure, upgrade, or tear down complete network-detection environments, replay PCAPs, and even juggle multiple instances, all without hand-editing YAML or poking at REST APIs.
That radical ease of deployment makes enterprise-grade visibility and threat-hunting capabilities accessible to students, researchers, and busy blue teams alike — which is why stamusctl isn’t just another installer script, it’s a genuine productivity super-power for anyone exploring or defending their networks.
7. Built on a foundation of Suricata 8.0
Clear NDR Community 1.0 is built on the foundation of Suricata 8.0 – the most recent version of the industry’s most powerful network security engine, making it an even more powerful and comprehensive network detection and response solution. With Suricata 8.0, Clear NDR Community can offer better threat detection accuracy, improved performance at scale, and expanded protocol coverage to address modern network security challenges.
Suricata 8.0 delivers significant performance improvements, enhanced detection capabilities, and groundbreaking new features that will substantially benefit Clear NDR Community users.
The release brings substantial performance enhancements across the detection engine, PCAP processing, and initialization phases, while introducing support for new protocols including DNS over HTTPS (DoH), LDAP, multicast DNS, and WebSocket traffic. Key detection improvements include transactional rules that can express both directions of network communication in a single rule, per-transaction "txbits" support, and the ability to match on the absence of specific buffers using the new "absent" keyword.
A particularly powerful new feature is the "JSON Data for Datasets" capability, which allows threat intelligence IOCs to be enriched with contextual information directly in alert records, including MITRE ATT&CK framework mappings and threat actor attribution, eliminating the need for external correlation and enabling security analysts to quickly identify threat techniques and actors within their OpenSearch database.
The integration of Suricata 8.0 into Clear NDR Community will provide users with enhanced security through more protocol conversions to Rust (including LibHTP, FTP, and MIME parsing), experimental firewall capabilities for intrusion prevention, and improved Lua support with sandboxed execution for safer rule deployment.
8. Model Context Protocol (MCP) for AI Native Integrations
With this release, Clear NDR Community 1.0 becomes the first open source Suricata NDR that can interface natively with third party AI applications. These include open source implementations as well as the most advanced commercial solutions such as ChatGPT, Claude, Gemini, Grok, and MS Copilot. Using the built-in MCP endpoints in Clear NDR Community, security practitioners can extract network intelligence to empower agentic AI and large language models, providing automation, enhanced threat analysis, natural language threat hunting, and AI-powered investigation assistance.
The screenshots below illustrate how a user might query Clear NDR Community data to answer the question, “Has there been any unusual traffic seen to my domain controller at 10.7.5.5?”
Who Benefits from Clear NDR Community edition?
Small and Medium Organizations
For many small-to-medium sized organizations, Clear NDR Community 1.0 represents a complete production-grade network security monitoring (NSM) and intrusion detection (IDS) solution. It delivers the visibility needed to detect threats that evade other controls, without the enterprise price tag.
Security Researchers and Practitioners
Because all data available in Clear NDR Community is generated by the Suricata engine, it continues to be a valuable platform for network security practitioners and researchers exploring what's possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.
Educators and Students
Clear NDR Community provides an accessible platform for teaching and learning network security fundamentals, offering students hands-on experience with professional-grade tools and workflows.
Security Enthusiasts
For hobbyists and home lab enthusiasts, Clear NDR Community 1.0 offers an opportunity to implement enterprise-class security monitoring without enterprise costs.
How to Get Clear NDR Community
- ISO image with Desktop – Complete image built on Debian OS that includes a desktop. This is designed for security analysts who prefer a graphical interface for their monitoring and investigation workflows. Download it here >>
- ISO image without Desktop – Complete image built on Debian OS, optimized for headless server deployments where efficiency and minimal resource usage are priorities. Download it here >>
- Install on your Linux – A Docker-based containerized deployment for any Linux environment. We’ve streamlined the process by developing StamusCtl – an open-source command-line tool from Stamus Networks that serves as the all-in-one controller for spinning up and managing the Clear NDR stacks — Suricata sensor, Scirius UI, OpenSearch dashboards and more — on any Docker-capable Linux host. Get StamusCtl here >>
- Source Code – Access the developer environment, including the source code and all components. StamusCtl GitHub repository here >>
Enterprise Needs? We've Got You Covered
While Clear NDR Community 1.0 is suitable for small production environments, organizations with enterprise-scale requirements should consider our commercial solution, Clear NDR Enterprise. It builds upon the Community edition with many additional capabilities for large-scale environments, advanced threat hunting, and automated response workflows. Here’s a compact table that illustrates some of the differences.
| Capability area | Basic capabilities offered by Clear NDR® Community | Additional capabilities in Clear NDR® Enterprise |
|---|---|---|
| Primary Use Cases | • Single site IDS/IPS replacement • Single site open source NDR • Suricata education and threat research | • Multi-site hybrid enterprise attack surface (cloud, branch office, data center, etc.) • Enabler of the AI-powered Autonomous SOC • Enterprise network detection and response • Regulatory or directive compliance |
| Best Fit Organizations | • Small organizations • Students • Threat researchers | • Medium-to-extra large enterprises with a dedicated security operations team • Highly-targeted entities, including critical infrastructure • Managed security service providers (MSSP or MDR) |
| Detection mechanisms | • Signatures • IoC matching | • AI and machine learning • Statistical algorithms • Other heuristics |
| Event types | • IDS Alerts | • Suspicious events – such as C2 beacons, host outliers, SMB insights • Sightings – host and user anomalies • Declarations of Compromise™ (DoC) – ultra high-confidence threat events • Declarations of Policy Violations™ (DoPV) – high-confidence events triggered by organization-specific policy violations • Rich source of structured network metadata – ideal for use in AI models for the autonomous SOC |
| Evidentiary artifacts | • Network protocol transactions • Flow records • Conditional PCAP • File extraction | • Incident timeline • Cyber killchain mapping • Optional conditional logging • File extraction |
| Event workflow and triage | • Manual | • Users are presented high-fidelity threat incidents (DoC) and policy violation (DoPV) events, and incident investigation is aided by an attack timeline, detailed evidence collection and review, and reporting • Experienced users may tag events as “Informational” or “Relevant”, and events are automatically classified by the system for easy prioritization by less experienced users |
| Response Automations | • Not included • Can be built using API calls into the event data | • Triggered based on high-fidelity detection events – DoC and DoPV • Simple notifications such as email or messaging • Sophisticated responses, including policy changes, quarantine actions, or playbook initiations in third party systems such as XDR, EDR, SOAR, IR, or Firewall systems |
| Other Integrations | • Third party threat intelligence and rulesets • API-based query and control • User interface contextual deep linking into other systems • Model context protocol (MCP) with basic endpoints | • Pre-built integrations into various third-party systems to support the response automations described above, including XDR, EDR, SOAR, IR, Firewall, DDI, and more • Straightforward integrations into other systems via API, Webhook, custom deep-linking, and email • Model context protocol (MCP) endpoints provide access to advanced network intelligence for DoC, DoPV, Host Insights, and more |
| Host attributes | • May be collected via periodic queries into the database and correlated using third party analytics | • Hosts are auto-classified into device types (roles), such as domain controllers, printers, proxy servers, etc. • Host Insights – collects and maintains 60+ attributes for every host seen on the network (up to millions) • Attack surface inventory – identifies all hosts seen communicating on the network |
| Organizational context | • Usernames are extracted and presented | • Associates host names, usernames, and organization-specific network names for rapid assessment and identification during triage and incident response |
| Support | • Support is through the open-source user community via Discord • Issues and feature requests reported via GitHub | • Enterprise-class onboarding, training, and technical support • Dedicated customer success manager • Quarterly business reviews • Issues and feature requests logged and tracked through a ticketing system |
Request a demo of Clear NDR Enterprise here >>
Join the Clear NDR Community
As of September 10, 2025, Clear NDR Community 1.0 will be available for download. As the only open core NDR on the market, we're proud to offer security teams the opportunity to experience deep network visibility before considering an upgrade to our Enterprise edition.
We invite you to join us in building a more secure digital world, where network visibility is not a luxury but a fundamental right for all security teams. Because when defenders have the right tools, we all benefit from a safer connected world.
Collaborate with other users on our Discord Server here >>
Visit www.stamus-networks.com/clear-ndr-community to learn more.