How it Works

Detect new and advanced threats missed by legacy cybersecurity systems

Deployment Options: Cloud or On-Premise

Deploying Outlier via cloud-based software-as-a-service is easy and fast. New customers are provided a user account into the Outlier Portal and within minutes are fully operational for enterprise-wide endpoint visibility, threat detection and incident response.

An on-premise option is available for customers who require all data to reside within the enterprise.

Endpoint Scanning

The Outlier system uses agentless scanning technology to collect digital forensic evidence from endpoints to be used in Outlier’s advanced security analytics. Scans are agentless and take between 30 and 60 seconds, and have no impact on users.

There are two methods for agentless endpoint scans: Data Vault and Collection Service.

The Data Vault is used for Windows computers managed in a domain. Scans occur when the Data Vault makes a credentialed connection to endpoints. A single Data Vault can support tens of thousands of endpoints.

The Collection Service provides support for non-domain Windows computers, Mac and Linux systems. The Collection Service initiates connection from each endpoint to the Portal for scans to occur.

Collection includes hashes, suspicious binaries and endpoint metadata such as processes, memory modules, files, registry, autoruns, user accounts, logon events, prefetch, binary files and strings. Collection can be expanded to include other metadata types.

Knowledge Maps

Outlier security analytics use a new technology called “Knowledge Maps” that codify and replicate the complex, multi-step best practices of human security analysts at massive scale. Knowledge Maps query, collect and examine metadata and file artifacts from multiple sources within an enterprise.

Outlier examines your endpoints from a macro viewpoint as a big data set. Cyber adversaries and malware don’t belong on your network, so their behaviors stand out from your baseline as outliers, discrepancies and anomalies.

Your team will become more productive to uncover suspicious behaviors, unknown threats, lateral movement and policy violations, as well as malware.

eScribe Endpoint Recorder

eScribe is an endpoint recorder used by incident responders to monitor endpoints in real-time. Machines suspected of being infected or exhibiting rogue user behaviors can be examined more deeply for root cause and kill chain analysis. eScribe is integrated with the Outlier Agentless Endpoint Security Analytics platform for enhanced threat detection and response.


The entire Outlier system has been built on top of a RESTful API that supports all features and data in the system. User can drive the API from a command line or any scripting or programming language.

The API automates many use cases such as

  • Run recurring queries
  • Scan endpoints flagged by another sensor
  • Deliver endpoint alerts and metadata to the SIEM
  • Operationalize your threat intelligence across the enterprise in a touchless fashion