Agentic NDR integrates natively with cloud products such as Web Application Firewall (WAF) to obtain TLS session keys, enabling inspection and threat detection of encrypted HTTPS traffic.
Background
Public cloud application traffic is now almost entirely encrypted. Over 90% of inbound web traffic uses HTTPS (TLS 1.2/1.3), and internal microservices and API gateways commonly enforce mutual TLS (mTLS). Attack traffic uses the same channels: webshells, exploit payloads, ransomware command-and-control (C2) communication, and data exfiltration are all carried over TLS. This leaves NDR systems that depend on raw packet inspection with significant blind spots: they cannot identify web attack payloads such as SQL injection and command injection, cannot analyze webshell traffic or lateral movement, and struggle to reconstruct attack chains after a breach.
Agentic NDR addresses this by integrating with Alibaba Cloud products such as Web Application Firewall, which already terminate TLS for the protected application. It securely obtains the TLS session keys from these products and feeds them to the NDR detection engine, so encrypted traffic can be inspected without additional decryption appliances or business-side proxies.
- Eliminate encrypted traffic blind spots: Gain visibility into encrypted flows without adding another TLS termination point in the application path, overcoming the HTTPS detection limitations of traditional passthrough-mirror NDR.
- Reduce operational overhead: No application code changes and no decryption proxies in the network path. You enable the feature directly in the console.
- Avoid business impact: Decryption happens only on the mirror side, through the passthrough traffic mirroring mechanism; the production path is untouched. No additional agents, plugins, or certificates are required, so the link instability and business risk of inserting a dedicated decryption appliance are avoided.
How it works
Encrypted traffic detection is built on one architecture: keys are collected from multiple sources, analyzed by a single unified detection engine, and presented in one place. It has four stages:
- Collection: Uses cloud products such as Web Application Firewall that already perform SSL/TLS offloading as the key source. After you grant authorization, the system automatically collects the TLS session keys from the product; no new decryption point is introduced in the business traffic path.
- Transmission: Session keys are sent to the NDR encrypted traffic detection engine over an Alibaba Cloud internal channel with mutual authentication and transport encryption. A session key yields the plaintext of that session, so the authorization that releases keys is a privileged control and should be granted deliberately.
- Detection: The Agentic NDR detection engine runs multiple engines in parallel over the decrypted session content, covering four core capabilities:
  - Attack detection: Identifies web attack payloads such as SQL injection, command injection, remote code execution (RCE), deserialization attacks, and malicious file uploads.
  - Sensitive data identification: Detects sensitive data leaving through encrypted channels, including credentials, keys, and personal information.
  - Risk detection: Identifies business security risks such as weak-password logins, risky operations, and exposure of high-risk services.
  - Behavioral profiling: Profiles and models suspicious behaviors such as webshell communication, encrypted C2 callbacks, tunneling tools, and internal lateral movement.
  Detection results are correlated with raw packets, network logs, and risk behaviors to produce a unified attack chain analysis and incident conclusion.
- Presentation and response: Encrypted traffic detection findings are displayed in the Detection, Risk, Investigation, and Logs modules. The system retains raw packets from before and after decryption, together with protocol logs, for traceability and analysis. Because the post-decryption packets hold the same plaintext the engine inspected, access to them should be restricted like access to the keys themselves.
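The collection-to-detection path described above, as an added example that is not part of the original page and not Agentic NDR or Alibaba Cloud code: a passive engine indexes out-of-band session keys by client_random, matches a mirrored ClientHello to its keys, and derives the per-record AEAD key, IV, and nonce with the TLS 1.3 key schedule (RFC 8446 section 7.1). A session for which no key was delivered returns None, which is exactly the blind spot the page describes. It assumes the NSS key log format (the SSLKEYLOGFILE format, "LABEL client_random_hex secret_hex") as the delivery format, the TLS_AES_128_GCM_SHA256 cipher suite, and a hand-built ClientHello; none of these are stated on the page, and the key log lines and randoms are constructed.

```python
"""Added example (not Agentic NDR code): turning out-of-band TLS session
keys into the per-record keys a passive engine needs.  Assumes NSS key
log format and TLS_AES_128_GCM_SHA256; standard library only."""
import hmac
import struct

KEY_LOG_LABELS = ("CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0")


def parse_key_log(text):
    """Index NSS key log lines as (label, client_random) -> secret bytes."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, client_random, secret = line.split()
        index[(label, bytes.fromhex(client_random))] = bytes.fromhex(secret)
    return index


def client_random_from_hello(record):
    """Extract the 32-byte client random from a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + body_len]
    if len(body) < 38 or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    return body[6:38]  # skip 4-byte handshake header and 2-byte legacy_version


def hkdf_expand(prk, info, length, digest="sha256"):
    """RFC 5869 HKDF-Expand (HMAC-based)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), digest).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """RFC 8446 section 7.1 HKDF-Expand-Label."""
    full_label = b"tls13 " + label
    info = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def record_keys(traffic_secret):
    """AEAD key and static IV for one direction (AES-128-GCM: 16-byte key, 12-byte IV)."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", 16),
            hkdf_expand_label(traffic_secret, b"iv", b"", 12))


def record_nonce(iv, sequence_number):
    """Per-record nonce: static IV XOR the 64-bit sequence number, left-padded."""
    padded = sequence_number.to_bytes(len(iv), "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def keys_for_session(client_hello_record, key_index):
    """Return {"client": (key, iv), "server": (key, iv)} for a mirrored session,
    or None when the key source delivered nothing for it (session stays opaque)."""
    client_random = client_random_from_hello(client_hello_record)
    result = {}
    for label, direction in zip(KEY_LOG_LABELS, ("client", "server")):
        secret = key_index.get((label, client_random))
        if secret is None:
            return None
        result[direction] = record_keys(secret)
    return result


def build_client_hello(client_random):
    """Constructed minimal ClientHello record offering TLS_AES_128_GCM_SHA256."""
    hello = (b"\x03\x03" + client_random + b"\x00"  # legacy_version, random, empty session id
             + b"\x00\x02\x13\x01"                   # one cipher suite
             + b"\x01\x00" + b"\x00\x00")            # null compression, no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample input: one session whose keys arrived, one whose did not.
KNOWN_RANDOM = bytes(range(32))
UNKNOWN_RANDOM = bytes(range(32, 64))
SAMPLE_KEY_LOG = (
    "# constructed key log, NSS format\n"
    f"CLIENT_TRAFFIC_SECRET_0 {KNOWN_RANDOM.hex()} {bytes([0x11] * 32).hex()}\n"
    f"SERVER_TRAFFIC_SECRET_0 {KNOWN_RANDOM.hex()} {bytes([0x22] * 32).hex()}\n"
)

if __name__ == "__main__":
    index = parse_key_log(SAMPLE_KEY_LOG)
    print(keys_for_session(build_client_hello(KNOWN_RANDOM), index))
    print(keys_for_session(build_client_hello(UNKNOWN_RANDOM), index))  # None: blind spot
```

The lookup key is the ClientHello random because that is the only value both the key source and the mirrored capture see; the engine never needs the certificate private key, which is why the feature works for TLS 1.3 and forward-secret TLS 1.2 suites where passive RSA decryption would fail. To validate the derivation against published data, feed the client_application_traffic_secret_0 from RFC 8448 into record_keys and compare with the key and IV listed there.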
Scope
- This feature currently supports only assets onboarded to Agentic NDR through the WAF CNAME access method. For assets that use the WAF cloud product access method, contact your account manager for support.
- The asset must be added to Agentic NDR before you enable HTTPS traffic decryption.
Procedure
- Sign in to the Agentic NDR Console.
- In the upper-right corner of the Traffic Ingestion page, click Traffic Decryption Settings.
- Follow the on-screen prompts to turn on the Authorize Agentic NDR to Fetch TLS Session Keys toggle.
- After authorization completes, turn on the WAF Auto-Decryption toggle.
- After configuration completes, view encrypted traffic detection results in the Detection, Risks, Investigate, and Logs modules.