Mission control for your firewall infrastructure.
Real-time telemetry, threat intelligence and compliance evidence across 18 firewall vendors — from a single self-hosted platform. No cloud. No per-device fees.
Live attack origins
last 60 min · global
Live event stream
all firewalls
Events by severity
last 24h
Connected firewalls
8 vendors · 16 devices
Firewall vendors
auto-detected
Compliance frameworks
built-in PDFs
API endpoints
full REST
Time to first dashboard
from install
> market_reality
The firewall analytics market is broken.
Every existing tool forces you to pick a poison: expensive, cloud-locked, or single-vendor. We built ShieldLens because that tradeoff shouldn't exist.
> the_competition
What everyone else makes you accept
Cost $395+ per device per year
ManageEngine Firewall Analyzer
Lock you into the cloud
Cisco Umbrella, Cato Networks
Only support one vendor's firewall
FortiAnalyzer, Panorama
Take days of setup and tuning
Splunk, Graylog
> shieldlens_pro
How we do it differently
$99–$1,200 per year — not per device
Runs 100% offline on your own server
Auto-detects 18 different firewall brands
Live dashboard within 60 seconds of pointing syslog at it
> capabilities
Six capabilities. Each one a category killer.
No 47-tab dashboard. No bloated suite. Every screen earns its place by answering a question a network or security engineer actually asks.
One platform. 18 firewall vendors. Auto-detected from the first packet.
Mix FortiGate, Palo Alto, Cisco ASA/FTD, Sophos, SonicWall, Check Point, Juniper, MikroTik, WatchGuard, Barracuda, Huawei, Zyxel, F5 — and 5 more — on one syslog port. ShieldLens fingerprints the wire format and reshapes the dashboard to that vendor's capabilities.
- Auto-detect on the first log line — no per-vendor collector
- Per-device dashboards adapt to vendor capability
- Mixed-vendor MSSP / multi-tenant rollup
- Single UDP/TCP port (1514) for everything
Raw policy IDs become readable names. Across every panel.
Upload your running config and watch cryptic IDs — policy 8847, port12, addr_grp_44 — turn into 'Ecom team internet', 'WAN-PrimaryISP', 'Branch VLANs' on every chart, report and log line in the platform.
- Resolves policy IDs, interface aliases, NAT pools, address objects
- Reload-on-change · no service restart
- Built-in parsers for FortiGate, PAN-OS, IOS, Sophos
- One-click context drawer on every event
Discover every NAT, VIP and DNAT your perimeter exposes.
Continuously inventories every inbound rule across every connected firewall. See which IPs are scanning your exposed services, from where, and how often — without writing a single query.
- Auto-discovered services list — across all firewalls
- Per-service geo-attack heatmap
- Suspicious-country / suspicious-port correlations
- Zero configuration — finds them all
Risk-scored attackers. One-click block-list export.
Aggregates every attack source into a deduplicated, risk-scored list. Acknowledge a threat once and it stops screaming — delta tracking surfaces only new attackers since your last login.
- Risk score combines volume, severity, geo and target
- One-click export to FortiGate / PAN / ASA block-lists
- Acknowledge + comment trail for SOC handoff
- Delta view — only NEW threats since last shift
PCI, ISO, SOC 2, HIPAA, GDPR, NIST, CIS, NIS 2 — built-in.
Audit-ready PDFs in a single click. Every finding ships with vendor-specific hardening steps so your team has a remediation playbook the moment your auditor flags an issue.
- PCI-DSS 4.0 firewall control mapping (Req 1, 10, 11)
- ISO 27001:2022 Annex A.13 evidence pack
- SOC 2 CC6.6 + CC7.2 monitoring artifacts
- Branded cover page with your logo + auditor name
Air-gap deployable. No telemetry. No license phone-home.
Every component runs inside your perimeter. License keys are validated locally. Updates ship as offline-signed bundles. Verify the no-outbound-calls promise with tcpdump — we encourage it.
- No outbound network calls of any kind
- Offline-signed license validation
- Updates delivered as signed .pkg / .exe bundles
- Verified by tcpdump — we publish the command
root@host:~# tcpdump -i any host shieldlens.local
tcpdump: verbose output suppressed, listening on any, link-type LINUX_SLL
14:01:00.123 IP 10.20.3.1.51422 > shieldlens.1514: UDP, length 412
14:01:00.215 IP 10.20.4.1.51422 > shieldlens.1514: UDP, length 388
14:01:00.302 IP 10.20.3.4.51422 > shieldlens.1514: UDP, length 504
^C 0 outbound packets · 0 connections initiated by shieldlens
VERIFIED · no telemetry · no phone-home · no surprises
> deployment
Four commands. One minute. No agents.
No collectors. No vendor SDKs. No services to provision. Just syslog — the protocol every firewall already speaks.
Install
shieldlens.exe on Windows, pip wheel on Linux, or our Docker image.
Point syslog
Send every firewall's syslog to <your-ip>:1514 — one port for all.
Auto-detect
ShieldLens fingerprints the vendor in under a second.
Operate
Open your browser. The console is already populated.
$ shieldlens start
[15:42:01] listening on UDP/TCP 1514 · web on :8080
[15:42:08] packet from 10.20.3.1 → FortiGate-200F detected
[15:42:09] packet from 10.20.3.4 → Palo Alto PA-440 detected
[15:42:10] packet from 10.20.3.7 → Sophos XGS 3100 detected
[15:42:11] packet from 10.20.4.1 → Huawei USG6610E detected
[15:42:12] packet from 10.20.4.5 → Cisco FTD FPR-2110 detected
[15:42:14] packet from 10.20.5.1 → Check Point Quantum 6200 detected
[15:42:15] packet from 10.20.5.8 → F5 BIG-IP i4800 detected
[15:42:17] packet from 10.20.6.1 → MikroTik CCR2004 detected
[15:42:58] dashboard live → http://localhost:8080 ✓
> adaptive_console
One platform. Reshapes itself per vendor.
ShieldLens reads each vendor's capability matrix and rebuilds the console accordingly — so you always see meaningful telemetry, never a "no data" tile. Pick a vendor below to see exactly which fields ShieldLens surfaces.
Top users (FSSO)
ahmed.r · sales-laptop-04 · fatima.k
UTM events
1,284 IPS · 412 AV · 88 web filter
App-ID hits
youtube · github · sap.s4hana · zoom
Bandwidth
782 Mbps avg · 1.2 Gbps peak
Active sessions
14,210 · 2.1M today
Health (logid 40704)
CPU 28% · Mem 41% · Disk 22%
> vendor_matrix
All 18 vendors. Every capability. One parser stack.
ShieldLens ingests syslog from every major firewall on the market — and tells you exactly which fields it gets from each one. No marketing fluff. Hover any cell to see the parse rule.
| vendor | tier | format | APP | USER | BYTES | VPN | DHCP | RULE | HEALTH |
|---|---|---|---|---|---|---|---|---|---|
| Fortinet FortiGate FortiGate-200F | T1 | key=value · CEF | | | | | | | |
| Palo Alto Networks PA-440 | T1 | CSV · CEF · LEEF | | | | | | | |
| Sophos XG / XGS XGS 3100 | T1 | key=value | | | | | | | |
| Cisco Firepower / FTD FPR-2110 | T1 | Cisco · key=value | | | | | | | |
| Juniper SRX SRX340 | T1 | BSD · RFC 5424 structured | | | | | | | |
| Check Point Quantum 6200 | T2 | Syslog · CEF · LEEF · JSON | | | | | | | |
| SonicWall TZ670 | T2 | Enhanced k=v · CEF | | | | | | | |
| Huawei USG USG6610E | T2 | Custom key=value | | | | | | | |
| Barracuda CloudGen F800 | T2 | BSD syslog | | | | | | | |
| Cisco ASA ASA 5520 | T2 | Cisco proprietary | | | | | | | |
| WatchGuard Firebox Firebox M390 | T3 | Custom · LEEF | | | | | | | |
| F5 BIG-IP BIG-IP i4800 | T3 | BSD · HSL k=v · CEF | | | | | | | |
| Zyxel USG / ATP USG FLEX 500 | T3 | VRPT · CEF | | | | | | | |
| MikroTik RouterOS CCR2004 | T3 | BSD · CEF (7.18+) | | | | | | | |
| Cisco Meraki MX MX85 | T4 | Custom space-delim | | | | | | | |
| pfSense pfSense+ on Netgate 6100 | T4 | filterlog CSV · BSD | | | | | | | |
| OPNsense OPNsense 24.x | T4 | filterlog CSV · BSD | | | | | | | |
| Ubiquiti EdgeRouter / UniFi UniFi UDM-Pro | T4 | BSD · CEF (UniFi 9+) | | | | | | | |
> pricing
One annual fee. Not per device.
Pick a tier by device count. All tiers ship with every feature. Cancel any time — your install keeps working forever.
Trial
Unlimited features
Evaluation
- All Enterprise features unlocked
- 30 days, no credit card needed
- Local data — never uploaded
- Convert to a paid tier any time
Essentials
Up to 2 devices
Single-site offices
- All 6 core features
- Email alerts
- 9 compliance reports
- Community support
Standard
Up to 5 devices
Small business
- Everything in Essentials
- Push alerts (Pushover/Telegram)
- Smart Context Engine
- Published Services Intelligence
- Email support
Professional
Up to 10 devices
Multi-site business
- Everything in Standard
- LDAP / Active Directory
- Full REST API (240+ endpoints)
- Multi-site rollup dashboard
- Branded PDF reports
Enterprise
Up to 25 devices
Large organisations
- Everything in Professional
- MSSP multi-tenant mode
- Priority email + WhatsApp support
- Custom report templates
- Hardening consultation included
All prices in USD. Local taxes may apply. Larger fleets? Talk to sales.
> benchmark
Stack ranked against the alternatives
Real prices. Real feature scope. Real platform limits. Every cell below is verifiable on the vendor's own site.
| Feature | ShieldLens Pro | ManageEngine | Splunk | FortiAnalyzer | Graylog | SolarWinds |
|---|---|---|---|---|---|---|
| Price per year (10 devices) | $500 | $3,950+ | $15,000+ | $2,400+ | $0 (free) / $9,000 ent. | $3,495+ |
| Multi-vendor support | 18 vendors | 10 vendors | Many (paid apps) | FortiGate only | Generic syslog | 12 vendors |
| Runs 100% offline | Yes | Yes | Yes (enterprise) | Yes | Yes | Yes |
| Per-device licensing | No (tier-based) | $395/device | By data volume | By device | By data volume | By node |
| Time to first dashboard | 60 seconds | 1–2 days | 1+ week | 2–4 hours | 1–2 days | 3–5 hours |
| Smart Context Engine | Yes | No | Custom build | Partial | No | No |
| Published Services discovery | Auto | Manual | Custom | Manual | No | Manual |
| PCI-DSS 4.0 reports | Built-in | Built-in | Paid app | Partial | Custom build | Built-in |
| ISO 27001:2022 evidence | Built-in | Generic | Paid app | No | Custom | Partial |
| Smart Block List export | 1-click | No | Custom | Manual | No | No |
| REST API | 240+ endpoints | Limited | Full | Limited | Full | Yes |
| Air-gap deployable | Yes | Yes | Yes | Yes | Yes | Yes |
| Hardware footprint | 2 vCPU / 4 GB | 8 vCPU / 16 GB | 12 vCPU / 32 GB | Appliance | 8 vCPU / 16 GB | 8 vCPU / 16 GB |
| MSSP multi-tenant | Enterprise tier | Add-on | Enterprise | Limited | Operations | Add-on |
| Zero telemetry | Verified | No | No | Mixed | No | No |
> compliance
Audit-ready evidence, on demand.
Generate auditor-grade PDFs for nine frameworks in one click. Every finding ships with vendor-specific hardening steps, so your team has a remediation playbook the moment something gets flagged.
global
PCI-DSS 4.0
Payment Card Industry Data Security Standard v4.0
global
ISO 27001:2022
ISO/IEC Information Security Management
US
SOC 2
Service Organization Control 2 — Type II
US
HIPAA
Health Insurance Portability and Accountability Act
EU
GDPR Art. 32
EU General Data Protection Regulation
global
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
global
CIS Controls v8
Center for Internet Security Controls v8
EU
NIS 2
EU Network and Information Security Directive 2
any
Security Audit
Generic security audit report template
Air-gap deployable
Verified zero outbound calls. License keys signed locally. Run on isolated networks.
Zero telemetry
We have no idea how you use the product. There is no usage data to leak — we never collected any.
Your data, your server
SQLite or PostgreSQL — your choice. Backups are just files. No vendor lock-in. Ever.
> questions
Operator questions
Twelve questions network and security engineers ask before they install. If there's a thirteenth we haven't answered, the contact page is at the bottom.
> the_company
ShieldLens is an Elevian.io product.
Elevian.io ships self-hosted SaaS for network, security and ops engineers. ShieldLens Pro is the first of 11 products — every one of them follows the same three rules.
- Self-hosted by default
- Zero telemetry — verified
- Per-tier pricing, not per-device
- Built for engineers, by engineers
> deploy_when_ready
Stop paying per device.
Start seeing everything.
30-day trial. No credit card. Self-hosted. Convert to a paid tier any time — your data, dashboards and reports stay exactly where you left them.
ShieldLens Pro · an Elevian.io product · self-hosted · zero telemetry · v2.4.0