
Introducing Clear NDR Community 1.0: Advanced Suricata Network Security for Everyone

In today's complex threat landscape, organizations of all sizes need robust network visibility and detection capabilities. But for many teams, the barrier to entry has been high – sophisticated network detection and response (NDR) solutions often come with enterprise price tags and complexity that put them out of reach for smaller organizations, security researchers, and educational institutions.

That's why we're excited to announce the release of Clear NDR Community 1.0, the production-ready open source version of our open core network detection and response system. This milestone release transforms what began last December as an innovative beta into a complete solution suitable for production environments, all while maintaining our commitment to openness and transparency.

From Beta to Production: The Evolution of Clear NDR Community

When we first introduced Clear NDR Community as the successor to the popular SELKS last year, we set out to simplify access to advanced network security monitoring. The response from the security community was overwhelming, from small businesses running it in production to researchers using it as a platform for security innovation and students learning the fundamentals of network security.

Today, with version 1.0, we're delivering on the promise of a production-grade open source NDR that offers the deep network visibility needed for effective threat detection and response without the enterprise price tag.

This blog details a number of important advances included in this release, but I’d like to point out two that are the first-of-their-kind in a turnkey open source Suricata implementation: 

  • Suricata 8 – the most recent version of the industry’s most powerful network security engine, making Clear NDR Community an even more powerful and comprehensive network detection and response solution.
  • Integrated model context protocol (MCP) – the open standard originated by Anthropic that lets AI assistants connect to external data sources and tools, such as Clear NDR Community.

You can read more about each of these below.

Three Ways to Deploy. Unlimited Ways to Protect.

One of the most significant enhancements in Clear NDR Community 1.0 is the flexibility in deployment options. While our previous release was available only as a Docker Compose deployment, version 1.0 introduces:

  • Debian ISO with Desktop – Perfect for security analysts who prefer a graphical interface for their monitoring and investigation workflows
  • Debian ISO without Desktop – Optimized for headless server deployments where efficiency and minimal resource usage are priorities
  • Containerized Version – Continuing support for containerized deployments in any Linux environment

Whether you're deploying on bare metal hardware or virtual machines, Clear NDR Community now adapts to your environment rather than the other way around.

The minimum requirements for running Clear NDR Community in small office/home office (SOHO), training, teaching, offline analysis, and PCAP investigation use cases are listed below.

  • 2 CPU cores (x86)
  • 9 GB RAM 
  • 50 GB of disk space
  • 2 network interfaces

Because both Suricata and OpenSearch are multithreaded, performance will improve with additional cores. Likewise, by allocating additional memory, Clear NDR Community will more easily support additional traffic loads. Finally, more disk space is required to support higher traffic rates and longer data retention.

What Makes Version 1.0 Production-Ready?

Clear NDR Community 1.0 introduces several critical enhancements that elevate it to production status:

1. Solid Foundation with OpenSearch 2.0

At the core of any security monitoring system is its data platform. Clear NDR Community now leverages OpenSearch 2.0 as its data lake, delivering improved performance, scalability, and reliability for security teams who need to trust their detection platform.

2. Streamlined Threat Intelligence

Staying ahead of threats requires current intelligence. Version 1.0 introduces a native capability to ingest threat intelligence feeds (IoCs) without the complexity of writing custom Suricata rules. This simplifies access to threat intelligence, making it accessible even to teams with limited resources.


3. Data Management Made Simple

As monitoring systems collect data, managing storage becomes critical. Clear NDR Community 1.0 provides new facilities and configuration options to help users manage their data retention needs – balancing security requirements with infrastructure constraints.


4. From Alert to Evidence in Two Clicks

Investigation speed matters when facing potential threats. Our new "Two-Click to Evidence" workflow allows analysts to quickly navigate from alert to detailed evidence, dramatically accelerating the incident investigation process and reducing time to resolution. With just two clicks in the UI, users can access the evidentiary artifacts associated with each alert. These include protocol logs, flow records, file transactions, the detection logic, PCAPs, and more.
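The "two clicks" work because every EVE JSON record Suricata writes for a connection carries the same flow_id, so an alert can be joined to the flow record, protocol transactions and file events of that connection without a separate correlation step. The following is added example code, written for this post rather than taken from Clear NDR Community or Suricata; the EVE lines, the signature (sid 9000001) and the file hash are constructed for the demo.

```python
"""Pivot from a Suricata alert to the evidence logged for the same flow.

Added example, not part of Clear NDR Community or Suricata. The EVE
records, signature and sha256 below are constructed for the demo.
"""
import json
from collections import defaultdict

# Constructed EVE records: two flows from one workstation. flow_id 2002
# downloads an executable over cleartext HTTP and raises an alert;
# flow_id 1001 is an unrelated DNS lookup to the domain controller.
SAMPLE_EVE = """
{"timestamp": "2025-09-10T10:00:01.000000+0000", "flow_id": 1001, "event_type": "dns", "src_ip": "10.7.5.20", "src_port": 50211, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "dns": {"type": "query", "rrname": "files.example.test", "rrtype": "A"}}
{"timestamp": "2025-09-10T10:00:02.000000+0000", "flow_id": 2002, "event_type": "http", "src_ip": "10.7.5.20", "src_port": 51544, "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP", "http": {"hostname": "files.example.test", "url": "/update.exe", "http_user_agent": "curl/8.0.1", "status": 200, "length": 4096}}
{"timestamp": "2025-09-10T10:00:02.100000+0000", "flow_id": 2002, "event_type": "fileinfo", "src_ip": "203.0.113.9", "src_port": 80, "dest_ip": "10.7.5.20", "dest_port": 51544, "proto": "TCP", "fileinfo": {"filename": "/update.exe", "magic": "PE32 executable", "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "size": 4096, "stored": true}}
{"timestamp": "2025-09-10T10:00:02.200000+0000", "flow_id": 2002, "event_type": "alert", "src_ip": "10.7.5.20", "src_port": 51544, "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP", "alert": {"action": "allowed", "signature_id": 9000001, "rev": 1, "signature": "EXAMPLE Executable downloaded over cleartext HTTP", "category": "Potentially Bad Traffic", "severity": 2}}
{"timestamp": "2025-09-10T10:00:05.000000+0000", "flow_id": 2002, "event_type": "flow", "src_ip": "10.7.5.20", "src_port": 51544, "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP", "app_proto": "http", "flow": {"pkts_toserver": 6, "pkts_toclient": 8, "bytes_toserver": 900, "bytes_toclient": 5400, "state": "closed"}}
{"timestamp": "2025-09-10T10:00:06.000000+0000", "flow_id": 1001, "event_type": "flow", "src_ip": "10.7.5.20", "src_port": 50211, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "app_proto": "dns", "flow": {"pkts_toserver": 1, "pkts_toclient": 1, "bytes_toserver": 80, "bytes_toclient": 96, "state": "closed"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_by_flow(events):
    """Group EVE records by flow_id, the join key Suricata gives every record of a flow."""
    by_flow = defaultdict(list)
    for ev in events:
        if "flow_id" in ev:
            by_flow[ev["flow_id"]].append(ev)
    return by_flow


def evidence_for_alert(events, alert):
    """Return the records sharing the alert's flow_id, keyed by event_type.

    The alert itself is excluded from the evidence; its signature metadata
    (sid, rev, name, category, severity) is returned under 'detection' so the
    detection logic sits next to the artifacts it fired on.
    """
    evidence = defaultdict(list)
    for ev in index_by_flow(events).get(alert["flow_id"], []):
        if ev == alert:
            continue
        evidence[ev["event_type"]].append(ev)
    for records in evidence.values():          # keep each type in time order
        records.sort(key=lambda r: r["timestamp"])
    return {"detection": alert["alert"], **evidence}


def summarize(alert, evidence):
    """One-line, analyst-facing summary of an alert and what backs it up."""
    det = evidence["detection"]
    parts = [
        f"sid {det['signature_id']}: {det['signature']}",
        f"{alert['src_ip']}:{alert['src_port']} -> {alert['dest_ip']}:{alert['dest_port']}/{alert['proto']}",
    ]
    for event_type in ("http", "dns", "fileinfo", "flow"):
        if event_type in evidence:
            parts.append(f"{len(evidence[event_type])} {event_type} record(s)")
    return "; ".join(parts)


if __name__ == "__main__":
    events = parse_eve(SAMPLE_EVE)
    for alert in (e for e in events if e["event_type"] == "alert"):
        ev = evidence_for_alert(events, alert)
        print(summarize(alert, ev))
        for rec in ev.get("fileinfo", []):
            print("  file:", rec["fileinfo"]["filename"], rec["fileinfo"]["sha256"])
```

Running it prints the alert's signature, the 5-tuple, and the counts of http, fileinfo and flow records on that flow; the DNS lookup on flow_id 1001 is correctly left out because it belongs to a different connection. A PCAP pivot works the same way in a deployment that keeps full or conditional packet capture: the flow's 5-tuple and timestamps select the packets.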


5. Connected Security Ecosystem

Security tools shouldn't exist in isolation. Version 1.0 implements UI integrations with other systems via configurable Deep Linking in the investigation and threat hunting interface, creating a more cohesive security ecosystem.


6. Easy and Flexible Docker Deployment with StamusCtl

StamusCtl is an open-source command-line tool from Stamus Networks, written in Go, that serves as the all-in-one controller for spinning up and managing Suricata-powered Clear NDR stacks — sensors, Scirius UI, OpenSearch dashboards and more — on any Docker-capable Linux host.

With a couple of stamusctl stack up commands you can install, configure, upgrade, or tear down complete network-detection environments, replay PCAPs, and even juggle multiple instances, all without hand-editing YAML or poking at REST APIs.

That radical ease of deployment makes enterprise-grade visibility and threat-hunting capabilities accessible to students, researchers, and busy blue-teams alike — which is why stamusctl isn’t just another installer script, it’s a genuine productivity super-power for anyone exploring or defending their networks.

7. Built on a foundation of Suricata 8.0

Clear NDR Community 1.0 is built on Suricata 8.0, the most recent version of the industry’s most powerful network security engine. With Suricata 8.0, Clear NDR Community offers better threat detection accuracy, improved performance at scale, and expanded protocol coverage to address modern network security challenges.

Suricata 8.0 delivers significant performance improvements, enhanced detection capabilities, and groundbreaking new features that will substantially benefit Clear NDR Community users. 

The release brings substantial performance enhancements across the detection engine, PCAP processing, and initialization phases, while introducing support for new protocols including DNS over HTTPS (DoH), LDAP, multicast DNS, and WebSocket traffic. Key detection improvements include transactional rules that can express both directions of network communication in a single rule, per-transaction "txbits" support, and the ability to match on the absence of specific buffers using the new "absent" keyword. 

A particularly powerful new feature is the "JSON Data for Datasets" capability, which allows threat intelligence IOCs to be enriched with contextual information directly in alert records, including MITRE ATT&CK framework mappings and threat actor attribution, eliminating the need for external correlation and enabling security analysts to quickly identify threat techniques and actors within their OpenSearch database.

The integration of Suricata 8.0 into Clear NDR Community will provide users with enhanced security through more protocol conversions to Rust (including LibHTP, FTP, and MIME parsing), experimental firewall capabilities for intrusion prevention, and improved Lua support with sandboxed execution for safer rule deployment. 

8. Model Context Protocol (MCP) for AI Native Integrations

With this release, Clear NDR Community 1.0 becomes the first open source Suricata NDR that can interface natively with third-party AI applications. These include open source implementations as well as commercial assistants such as ChatGPT, Claude, Gemini, Grok, and Microsoft Copilot. Using the built-in MCP endpoints in Clear NDR Community, security practitioners can expose network intelligence to agentic AI and large language models for automation, enhanced threat analysis, natural language threat hunting, and AI-assisted investigation.


The screenshot below illustrates how a user might query Clear NDR Community data to answer the question, “Has there been any unusual traffic seen to my domain controller at 10.7.5.5?”

Screenshot: an AI assistant querying Clear NDR Community over MCP for unusual traffic to the domain controller at 10.7.5.5.
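Whatever the assistant does over MCP, the question above has to be answered from Suricata's flow records: which (transport, port, application protocol) combinations reached the domain controller, and which of them fall outside what a domain controller should be serving. The block below is an added illustration in plain Python of that query, written for this post and not taken from Clear NDR Community or its MCP endpoints; the expected-service table for the domain controller and the flow records are constructed assumptions.

```python
"""Find unusual traffic to a domain controller in Suricata EVE flow records.

Added example, not code from Clear NDR Community. DC_EXPECTED is an assumed
baseline and SAMPLE_FLOWS is constructed for the demo.
"""
import json

DC = "10.7.5.5"   # the domain controller from the question in the post

# Assumed baseline: services a domain controller is expected to serve, keyed
# by (transport, port), with the Suricata app_proto values that belong on
# each. A flow to the DC on any other port, or carrying a different
# application protocol on a known port, is reported.
DC_EXPECTED = {
    ("UDP", 53): {"dns"}, ("TCP", 53): {"dns"},
    ("TCP", 88): {"krb5"}, ("UDP", 88): {"krb5"},
    ("TCP", 135): {"dcerpc"},
    ("TCP", 389): {"ldap"}, ("TCP", 636): {"tls"}, ("TCP", 3268): {"ldap"},
    ("TCP", 445): {"smb"},
    ("UDP", 123): {"ntp"},
}

# Constructed EVE records. Three flows are normal DC traffic, one is RDP to
# the DC from an unexpected workstation, one is SSH hidden on TCP/53, one
# goes to a different host, and one is a dns record rather than a flow.
SAMPLE_FLOWS = """
{"timestamp": "2025-09-10T09:00:00.000000+0000", "flow_id": 11, "event_type": "flow", "src_ip": "10.7.5.20", "src_port": 49711, "dest_ip": "10.7.5.5", "dest_port": 445, "proto": "TCP", "app_proto": "smb", "flow": {"bytes_toserver": 3200, "bytes_toclient": 8800}}
{"timestamp": "2025-09-10T09:00:01.000000+0000", "flow_id": 12, "event_type": "flow", "src_ip": "10.7.5.21", "src_port": 49712, "dest_ip": "10.7.5.5", "dest_port": 88, "proto": "TCP", "app_proto": "krb5", "flow": {"bytes_toserver": 1500, "bytes_toclient": 1700}}
{"timestamp": "2025-09-10T09:00:02.000000+0000", "flow_id": 13, "event_type": "flow", "src_ip": "10.7.5.22", "src_port": 53011, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "app_proto": "dns", "flow": {"bytes_toserver": 80, "bytes_toclient": 96}}
{"timestamp": "2025-09-10T09:00:03.000000+0000", "flow_id": 14, "event_type": "flow", "src_ip": "10.7.5.99", "src_port": 50020, "dest_ip": "10.7.5.5", "dest_port": 3389, "proto": "TCP", "app_proto": "rdp", "flow": {"bytes_toserver": 41000, "bytes_toclient": 910000}}
{"timestamp": "2025-09-10T09:00:04.000000+0000", "flow_id": 15, "event_type": "flow", "src_ip": "10.7.5.20", "src_port": 50021, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "TCP", "app_proto": "ssh", "flow": {"bytes_toserver": 22000, "bytes_toclient": 18000}}
{"timestamp": "2025-09-10T09:00:05.000000+0000", "flow_id": 16, "event_type": "flow", "src_ip": "10.7.5.20", "src_port": 50022, "dest_ip": "10.7.5.6", "dest_port": 445, "proto": "TCP", "app_proto": "smb", "flow": {"bytes_toserver": 500, "bytes_toclient": 700}}
{"timestamp": "2025-09-10T09:00:06.000000+0000", "flow_id": 13, "event_type": "dns", "src_ip": "10.7.5.22", "src_port": 53011, "dest_ip": "10.7.5.5", "dest_port": 53, "proto": "UDP", "dns": {"type": "query", "rrname": "corp.example.test", "rrtype": "A"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unusual_traffic_to(events, host, expected=DC_EXPECTED):
    """Return flows to `host` whose port or application protocol is outside the baseline."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "flow" or ev.get("dest_ip") != host:
            continue
        key = (ev["proto"], ev["dest_port"])
        app = ev.get("app_proto", "unknown")
        if key not in expected:
            reason = f"unexpected service {ev['proto']}/{ev['dest_port']} ({app})"
        elif app not in expected[key]:
            reason = (f"{ev['proto']}/{ev['dest_port']} carried {app}, "
                      f"expected {'/'.join(sorted(expected[key]))}")
        else:
            continue
        findings.append({
            "src_ip": ev["src_ip"], "proto": ev["proto"], "dest_port": ev["dest_port"],
            "app_proto": app, "flow_id": ev["flow_id"],
            "bytes": ev["flow"]["bytes_toserver"] + ev["flow"]["bytes_toclient"],
            "reason": reason,
        })
    findings.sort(key=lambda f: f["bytes"], reverse=True)   # biggest transfers first
    return findings


def report(findings, host):
    """Plain-language answer of the kind an assistant would hand back to the analyst."""
    if not findings:
        return f"No traffic outside the expected service baseline was seen to {host}."
    lines = [f"{len(findings)} unusual flow(s) to {host}:"]
    for f in findings:
        lines.append(f"  {f['src_ip']} -> {host}: {f['reason']}, {f['bytes']} bytes, flow_id {f['flow_id']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(unusual_traffic_to(parse_eve(SAMPLE_FLOWS), DC), DC))
```

The baseline is the part to get right in practice: Suricata's app_proto is decided from packet content, not the port, which is what lets the SSH-on-TCP/53 flow stand out even though port 53 is on the allow list. Each finding carries its flow_id, so the same pivot used for alerts applies to these flows.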

Who Benefits from Clear NDR Community edition?

Small and Medium Organizations

For many small-to-medium sized organizations, Clear NDR Community 1.0 represents a complete production-grade network security monitoring (NSM) and intrusion detection (IDS) solution. It delivers the visibility needed to detect threats that evade other controls, without the enterprise price tag.

Security Researchers and Practitioners

Because all data available in Clear NDR Community is generated by the Suricata engine, it continues to be a valuable platform for network security practitioners and researchers exploring what's possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces.

Educators and Students

Clear NDR Community provides an accessible platform for teaching and learning network security fundamentals, offering students hands-on experience with professional-grade tools and workflows.

Security Enthusiasts

For hobbyists and home lab enthusiasts, Clear NDR Community 1.0 offers an opportunity to implement enterprise-class security monitoring without enterprise costs.

How to Get Clear NDR Community

  • ISO image with Desktop – Complete image built on Debian OS that includes a desktop. This is designed for security analysts who prefer a graphical interface for their monitoring and investigation workflows. Download it here >>
  • ISO image without Desktop – Complete image built on Debian OS, optimized for headless server deployments where efficiency and minimal resource usage are priorities.  Download it here >>
  • Install on your Linux – A Docker-based containerized deployment for any Linux environment. We’ve streamlined the process by developing StamusCtl – an open-source command-line tool from Stamus Networks, that serves as the all-in-one controller for spinning up and managing the Clear NDR stacks — Suricata sensor, Scirius UI, OpenSearch dashboards and more — on any Docker-capable Linux host. Get StamusCtl here >>
  • Source Code – Access the developer environment, including the source code and all components:
    Clear NDR Community GitHub repository here >>
    StamusCtl GitHub repository here >>

 

Enterprise Needs? We've Got You Covered

While Clear NDR Community 1.0 is suitable for small production environments, organizations with enterprise-scale requirements should consider our commercial solution, Clear NDR Enterprise. It builds upon the Community edition with many additional capabilities for large-scale environments, advanced threat hunting, and automated response workflows. Here’s a compact table that illustrates some of the differences.

 

Each row lists the basic capabilities offered by Clear NDR® Community and the additional capabilities in Clear NDR® Enterprise.

Primary Use Cases
  • Community: single-site IDS/IPS replacement; single-site open source NDR; Suricata education and threat research
  • Enterprise: multi-site hybrid enterprise attack surface (cloud, branch office, data center, etc.); enabler of the AI-powered Autonomous SOC; enterprise network detection and response; regulatory or directive compliance

Best Fit Organizations
  • Community: small organizations; students; threat researchers
  • Enterprise: medium-to-extra-large enterprises with a dedicated security operations team; highly targeted entities, including critical infrastructure; managed security service providers (MSSP or MDR)

Detection mechanisms
  • Community: signatures; IoC matching
  • Enterprise: AI and machine learning; statistical algorithms; other heuristics

Event types
  • Community: IDS alerts
  • Enterprise: suspicious events, such as C2 beacons, host outliers, and SMB insights; Sightings (host and user anomalies); Declarations of Compromise™ (DoC), ultra-high-confidence threat events; Declarations of Policy Violations™ (DoPV), high-confidence events triggered by organization-specific policy violations; a rich source of structured network metadata, ideal for use in AI models for the autonomous SOC

Evidentiary artifacts
  • Community: network protocol transactions; flow records; conditional PCAP; file extraction
  • Enterprise: incident timeline; cyber kill chain mapping; optional conditional logging; file extraction

Event workflow and triage
  • Community: manual
  • Enterprise: users are presented with high-fidelity threat incidents (DoC) and policy violation (DoPV) events, and incident investigation is aided by an attack timeline, detailed evidence collection and review, and reporting; experienced users may tag events as “Informational” or “Relevant”, and tagged events are automatically classified by the system for easy prioritization by less experienced users

Response Automations
  • Community: not included; can be built using API calls into the event data
  • Enterprise: triggered by high-fidelity detection events (DoC and DoPV); simple notifications such as email or messaging; sophisticated responses, including policy changes, quarantine actions, or playbook initiation in third-party systems such as XDR, EDR, SOAR, IR, or firewall systems

Other Integrations
  • Community: third-party threat intelligence and rulesets; API-based query and control; user interface contextual deep linking into other systems; model context protocol (MCP) with basic endpoints
  • Enterprise: pre-built integrations into third-party systems (XDR, EDR, SOAR, IR, firewall, DDI, and more) to support the response automations described above; straightforward integrations into other systems via API, webhook, custom deep linking, and email; MCP endpoints providing access to advanced network intelligence for DoC, DoPV, Host Insights, and more

Host attributes
  • Community: may be collected via periodic queries into the database and correlated using third-party analytics
  • Enterprise: hosts are auto-classified into device types (roles), such as domain controllers, printers, and proxy servers; Host Insights collects and maintains 60+ attributes for every host seen on the network (up to millions); attack surface inventory identifies all hosts seen communicating on the network

Organizational context
  • Community: usernames are extracted and presented
  • Enterprise: associates host names, usernames, and organization-specific network names for rapid assessment and identification during triage and incident response

Support
  • Community: support through the open-source user community via Discord; issues and feature requests reported via GitHub
  • Enterprise: enterprise-class onboarding, training, and technical support; dedicated customer success manager; quarterly business reviews; issues and feature requests logged and tracked through a ticketing system

 

Request a demo of Clear NDR Enterprise here >>

Join the Clear NDR Community

As of September 10, 2025, Clear NDR Community 1.0 will be available for download. As the only open core NDR on the market, we're proud to offer security teams the opportunity to experience deep network visibility before considering an upgrade to our Enterprise edition.

We invite you to join us in building a more secure digital world, where network visibility is not a luxury but a fundamental right for all security teams. Because when defenders have the right tools, we all benefit from a safer connected world.

Collaborate with other users on our Discord Server here >> 

Visit www.stamus-networks.com/clear-ndr-community to learn more.

 

Valentin Vivier

Valentin Vivier is a passionate Staff Software Engineer at Stamus Networks with over 8 years of experience in designing, building, and scaling robust web and software systems. Specializing in backend architecture, DevOps, and cloud infrastructure, he brings deep expertise in technologies like Go, TypeScript, C++, C#, React.js, and Kubernetes. Valentin is dedicated to crafting high-quality, maintainable solutions through clean code and continuous learning, having applied his skills across diverse environments, from co-founding a startup as CTO to contributing to large organizations like Société Générale. Valentin resides near Nantes, France.
