
Aviz Deep Network Observability Details Packet-Level Pipeline for Salt Typhoon Visibility

Vendor analysis of the Salt Typhoon campaign argues that the key gap was visibility rather than detection: activity across authentication, administrative sessions, C2, and exfiltration left traces that monitoring teams never received. The argument matters because security tooling is only as good as the telemetry it is fed, and enterprises increasingly run hybrid and unmanaged environments where that coverage is thin.

Research Overview

The blog describes Salt Typhoon as a state-backed actor that conducted a prolonged intrusion into telecommunications network infrastructure, reported by security organizations in late 2024. It outlines tactics including edge infrastructure exploitation, password harvesting, command-and-control communications, lateral movement through administrative sessions, and cloud-based exfiltration.

The post notes that the operation was not financially motivated and sought no ransom. It attributes the prolonged undetected activity to monitoring teams missing traces for months, even though the intrusion left signs at multiple stages.

Key Findings

The blog’s main lesson is that the difficulty lay in visibility and access to traffic data, not in the ability of security tools to recognize the activity once they saw it. It states that evidence appeared across credential theft, lateral movement, administrative operations, C2 traffic, and exfiltration, while the monitoring gap persisted throughout.

It argues the issue extends beyond telecoms, describing similar tactics across banks, hospitals, government departments, manufacturing firms, and critical infrastructure operators. The post frames the wider problem as a mismatch between where threats occur and what existing security products can observe.

Technical Breakdown

The blog describes modern security stacks as including firewalls, endpoint security, IDS, NDR, SIEM, and security analytics. It states these tools can detect sophisticated attacks when they receive the right traffic and context, and it characterizes the central limitation as insufficient telemetry from distributed environments.

It asserts that environments such as data centers, hybrid clouds, branch offices, remote edges, IT/OT systems, and unmanaged devices may lack endpoint agents and produce limited telemetry. It then describes traffic capture and processing as a way to create packet-level evidence for downstream detection and investigation workflows.

Product Update

The post positions Aviz Deep Network Observability as an add-on visibility layer that collects, optimizes, enriches, and distributes packet-level data to existing security tools. It describes a five-stage pipeline: Aggregate, Optimize, Enrich, Accelerate, and Distribute.

According to the blog, traffic is collected from TAPs, SPAN ports, cloud traffic mirroring, packet brokers, and distributed deployments. The system then normalizes, filters, de-duplicates, and enriches that traffic using deep packet inspection (a step that, for encrypted sessions, can yield only metadata such as TLS server names rather than payload content), and delivers the optimized packet stream and enriched metadata to security systems in open formats and over open transports such as JSON and Kafka.
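To show what a de-duplicate, filter, enrich and emit stage actually does to packets, here is an added example in Python. It is not Aviz code and does not describe their implementation; the capture-point names, the dedup window, the noise filter list, the addresses and the packets themselves are constructed for the demonstration. The same ClientHello and HTTP request are fed in twice, as a TAP and a SPAN port would each deliver them, and only one enriched JSON record per wire packet comes out.

```python
"""Illustrative packet-evidence pipeline: aggregate, de-duplicate, filter, enrich, emit JSON.
Added example, not Aviz code; capture points, packets, window and filter list are constructed."""
import hashlib
import json
from dataclasses import dataclass

@dataclass
class Packet:
    tap: str        # capture point (TAP, SPAN, cloud mirror); names are constructed
    ts: float       # capture timestamp; differs per capture point for the same wire packet
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

DEDUP_WINDOW = 0.5   # seconds; assumed bound on skew between two capture points seeing one packet
NOISE_PORTS = {123}  # assumed filter list (NTP) dropped before forwarding to NDR/IDS

def packet_key(p):
    """Identity of the packet on the wire, independent of where or when it was captured."""
    hdr = f"{p.proto} {p.src}:{p.sport}>{p.dst}:{p.dport}".encode()
    return hashlib.sha256(hdr + p.payload).hexdigest()

def deduplicate(packets):
    """Drop copies of one packet that a second capture point delivers within the window."""
    last_seen, kept = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        k = packet_key(p)
        if k in last_seen and p.ts - last_seen[k] <= DEDUP_WINDOW:
            continue
        last_seen[k] = p.ts
        kept.append(p)
    return kept

def filter_noise(packets):
    return [p for p in packets if p.sport not in NOISE_PORTS and p.dport not in NOISE_PORTS]

def tls_sni(payload):
    """server_name from a TLS ClientHello, or None. Metadata only: the payload stays encrypted."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    i = 43                                            # record(5)+handshake(4)+version(2)+random(32)
    i += 1 + payload[i]                               # session id
    i += 2 + int.from_bytes(payload[i:i + 2], "big")  # cipher suites
    i += 1 + payload[i]                               # compression methods
    ext_end = i + 2 + int.from_bytes(payload[i:i + 2], "big")
    i += 2
    while i + 4 <= ext_end:
        etype = int.from_bytes(payload[i:i + 2], "big")
        elen = int.from_bytes(payload[i + 2:i + 4], "big")
        if etype == 0:                                # list len(2), name type(1), name len(2), name
            name_len = int.from_bytes(payload[i + 7:i + 9], "big")
            return payload[i + 9:i + 9 + name_len].decode("ascii", "replace")
        i += 4 + elen
    return None

def http_host(payload):
    if not payload.startswith((b"GET ", b"POST ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line[5:].strip().decode("ascii", "replace")
    return None

def enrich(p):
    rec = {"ts": p.ts, "src": p.src, "dst": p.dst, "sport": p.sport,
           "dport": p.dport, "proto": p.proto, "bytes": len(p.payload)}
    if (sni := tls_sni(p.payload)):
        rec.update(app="tls", tls_sni=sni)
    elif (host := http_host(p.payload)):
        rec.update(app="http", http_host=host)
    return rec

def run_pipeline(packets):
    """Aggregate -> de-duplicate -> filter -> enrich; output is ready for JSON/Kafka delivery."""
    return [enrich(p) for p in filter_noise(deduplicate(packets))]

def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed test input)."""
    name = server_name.encode()
    sni = (b"\x00\x00" + (len(name) + 5).to_bytes(2, "big") + (len(name) + 3).to_bytes(2, "big")
           + b"\x00" + len(name).to_bytes(2, "big") + name)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(sni).to_bytes(2, "big") + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed capture: a ClientHello and an HTTP request each seen by two capture points, plus NTP.
HELLO = build_client_hello("update.example.net")
HTTP = b"GET /s HTTP/1.1\r\nHost: files.example.org\r\n\r\n"
SAMPLE = [
    Packet("dc-tap", 1.000, "10.0.2.15", "203.0.113.10", 51000, 443, "tcp", HELLO),
    Packet("edge-span", 1.002, "10.0.2.15", "203.0.113.10", 51000, 443, "tcp", HELLO),
    Packet("dc-tap", 1.100, "10.0.2.15", "10.0.0.9", 40000, 123, "udp", b"\x23" + b"\x00" * 47),
    Packet("dc-tap", 2.000, "10.0.2.15", "198.51.100.7", 51001, 80, "tcp", HTTP),
    Packet("cloud-mirror", 2.003, "10.0.2.15", "198.51.100.7", 51001, 80, "tcp", HTTP),
]

if __name__ == "__main__":
    for rec in run_pipeline(SAMPLE):
        print(json.dumps(rec, sort_keys=True))
```

Two design points matter in practice. De-duplication keys on wire content, not on capture timestamp, because the same packet reaches a broker from each tap with its own clock skew; a genuine retransmission outside the window is still kept as evidence. Enrichment of TLS stops at the ClientHello SNI, which is the realistic ceiling for DPI on encrypted sessions unless the deployment terminates or decrypts TLS elsewhere.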

Operational Impact

The blog claims vendor-agnostic compatibility, listing NDR platforms such as ExtraHop, Darktrace, and Vectra AI, IDS engines such as Suricata, and security products from Palo Alto Networks, Fortinet, and Trend Micro. It also says the enriched metadata can feed observability and analytics platforms and security data lakes, including Splunk, Elastic, Datadog, Microsoft Sentinel, Google Chronicle, Dynatrace, Kentik, and others.

As an example use case, the post describes Security Onion detecting Salt Typhoon-inspired activity after receiving optimized packet traffic from the Aviz observability stack. It lists detections of Cobalt Strike beaconing, SMB lateral movement, DCSync activity, Kerberos attacks, WinRM remote execution, and cloud exfiltration techniques, and attributes them to traffic collected from hybrid clouds, data centers, remote edge sites, and IT/OT networks.
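To make the detection side concrete, here is an added example (not Security Onion's, Suricata's or Aviz's code) of heuristics for four of the behaviours the post lists, run over constructed connection and RPC records in the shape of Zeek's conn.log and dce_rpc.log, which is the kind of metadata a packet pipeline feeds to an NDR or SIEM. The subnet assignments, the domain controller set, the thresholds and every record are assumptions for the demonstration; Kerberos and cloud exfiltration detections are not shown.

```python
"""Detection logic over network metadata shaped like Zeek conn.log and dce_rpc.log records.
Added example, not Security Onion's or Aviz's code; records, subnets and thresholds are constructed."""
import statistics
from collections import defaultdict

DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}  # assumed: the only hosts allowed to replicate AD
WORKSTATION_PREFIX = "10.0.2."                 # assumed client subnet

def detect_beaconing(conns, min_connections=6, max_jitter_ratio=0.15):
    """Flag (src, dst, dport) whose inter-connection gaps are nearly constant, as a C2 beacon is."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    hits = []
    for pair, ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= max_jitter_ratio:
            hits.append({"rule": "periodic_beacon", "pair": pair,
                         "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return hits

def detect_smb_fanout(conns, window_s=300, min_targets=5):
    """One workstation opening SMB to many distinct hosts inside a short window."""
    by_src = defaultdict(list)
    for c in conns:
        if c["dport"] == 445 and c["src"].startswith(WORKSTATION_PREFIX):
            by_src[c["src"]].append((c["ts"], c["dst"]))
    hits = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(targets) >= min_targets:
                hits.append({"rule": "smb_lateral_fanout", "src": src, "targets": len(targets)})
                break
    return hits

def detect_winrm(conns):
    """WinRM (5985/5986) initiated from a workstation rather than an admin jump host."""
    return [{"rule": "winrm_remote_exec", "src": c["src"], "dst": c["dst"]}
            for c in conns if c["dport"] in (5985, 5986) and c["src"].startswith(WORKSTATION_PREFIX)]

def detect_dcsync(rpc):
    """DRSUAPI replication request from anything that is not a domain controller."""
    return [{"rule": "dcsync", "src": r["src"], "dst": r["dst"]}
            for r in rpc if r["endpoint"] == "drsuapi" and r["operation"] == "DRSGetNCChanges"
            and r["src"] not in DOMAIN_CONTROLLERS]

def run_all(conns, rpc):
    return detect_beaconing(conns) + detect_smb_fanout(conns) + detect_winrm(conns) + detect_dcsync(rpc)

def conn(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}

# Constructed records: a 60 s beacon with +/-1 s jitter, three irregular web sessions,
# SMB to six hosts in one minute, one WinRM session, and a replication request from a workstation.
CONNS = (
    [conn(t, "10.0.2.15", "203.0.113.50", 443) for t in (0, 61, 120, 181, 240, 299, 361, 420)]
    + [conn(t, "10.0.2.15", "198.51.100.20", 443) for t in (5, 700, 730)]
    + [conn(500 + i * 10, "10.0.2.15", f"10.0.1.{10 + i}", 445) for i in range(6)]
    + [conn(600, "10.0.2.15", "10.0.1.20", 5985)]
)
RPC = [
    {"ts": 650, "src": "10.0.0.6", "dst": "10.0.0.5", "endpoint": "drsuapi", "operation": "DRSGetNCChanges"},
    {"ts": 660, "src": "10.0.2.15", "dst": "10.0.0.5", "endpoint": "drsuapi", "operation": "DRSGetNCChanges"},
]

if __name__ == "__main__":
    for hit in run_all(CONNS, RPC):
        print(hit)
```

The point the post makes is visible in the data shapes: none of these rules needs decrypted payload, but every one of them needs the connection or RPC metadata from the segment where the activity happened. A beacon from a branch office, or SMB fan-out inside an OT network, produces no hit if that traffic never reaches the sensor, whatever the quality of the rules. The DCSync check also depends on DPI deep enough to label the DRSUAPI operation, which is exactly the enrichment step a capture pipeline has to supply.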

Across Salt Typhoon’s intrusion path, the blog reports that traces were present while monitoring teams lacked visibility into the right traffic and context, leaving activity undetected for months. It argues that distributed environments and limited telemetry access restrict what security tools can identify, and it presents Aviz Deep Network Observability as a packet-evidence layer that supplies optimized traffic to existing security and observability systems.

This Blog Signals brief is a fact-based summary of the vendor blog.