Frontier Forensics: Network Visibility, Segmentation and Forensics for ARMOR
In this blog
- Why network forensics needs a new architecture
- The visibility problem at AI scale
- From point tools to a Federated Data Fabric
- The integrated architecture
- What AMI actually does
- How the integration actually works
- The DPU horizon: Where the fabric is heading
- Why this matters now
- A note on forward-looking statements
- Download
Why network forensics needs a new architecture
Between us, we have spent more than thirty years looking at the world through a network security lens. Careers built on network engineering, security operations, and trustworthy AI. The discipline is fascinating at its core because networking is about connecting people across distance. It lets us share ideas, move data, and conduct business at speeds that would have seemed impossible a generation ago.
What is most compelling is how network security architectures have kept pace with shifting demands. We have moved from the centralized castle-and-moat perimeter to a distributed DMZ model, and more recently to the highly distributed, centrally managed SASE approach. Yet despite that evolution, the fundamental mechanics have not changed much in a decade: look at the packets, in real time or out-of-band, and render a verdict.
AI changes that calculus. The packets still do not lie, but the volume, velocity, and topology of where they travel have outrun every assumption that traditional network forensics was built on. Visibility tools designed for north-south enterprise traffic do not translate to 1.6 Tbps east-west AI fabrics. Legacy PCAP appliances start dropping frames once traffic approaches line rate. And the analyst experience is buckling. Three consoles. Two retention silos. One alert queue. That model was fragile in 2020. It is unworkable now.
This piece is about how the network forensics stack is being rearchitected for AI-scale environments. Visibility, detection, and enforcement are all in scope. So is how that architecture maps to the Infrastructure Security domain of WWT's ARMOR framework. ARMOR is WWT's AI Readiness Model for Operational Resilience, developed with NVIDIA and validated at Texas A&M. Its Infrastructure Security domain owns the controls that keep the systems, hardware, and environments supporting AI stable, resilient, and secure. Network traffic visibility, segmentation, boundary protection, and resilience planning all live here. So does this blog.
The visibility problem at AI scale
Executives report a 90 percent number when asked whether they can see their AI footprint; the security teams under them observe 59 percent on the wire. That gap is where breaches live. Two narratives, one network. And the network is the only one that does not get a vote.
Why this matters to the business: shadow AI is not a curiosity. It is unsanctioned data flowing to public LLMs without DLP review, agentic workflows running with the privileges of a human and the common sense of a printer, and audit logs that cannot tell the difference between an employee submitting a prompt and an autonomous agent doing the same. Each of those is a regulatory exposure, an IP-exfiltration vector, and a forensic blind spot. A CASB can flag traffic to a public LLM, but it cannot tell you which agent issued the prompt, what privileges that agent borrowed, or what data the model returned. Closing that gap takes network-layer evidence.
Inside the data center, the problem changes shape. AI training and inference workloads live in the back end, and the network traffic there looks nothing like what a CASB or traditional NGFW is built to handle. These are primarily UDP flows carrying Remote Direct Memory Access (RDMA) over Ethernet (RoCEv2, which encapsulates the InfiniBand transport in UDP). We are talking elephant flows: massive, sustained transfers that can saturate links from 400 Gbps all the way to 1.6 Tbps. Thousands of GPUs synchronizing simultaneously create microbursts that standard network tooling was never designed to absorb. To keep these fabrics lossless, operators lean on Priority Flow Control (PFC, IEEE 802.1Qbb) and Explicit Congestion Notification (ECN, RFC 3168): standard Ethernet and IP mechanisms, not AI-specific protocols, tuned for the high-throughput, low-loss demands of RoCE fabrics.
East-west traffic inside AI clusters is where a growing number of blind spots live, and those blind spots are where threats hide. The visibility layer has to climb with the fabric. That means rethinking how taps, brokers, and analytics pipelines are architected from the ground up.
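Seeing this traffic starts with being able to tell a RoCEv2 elephant flow apart from everything else on the wire and to read the congestion marks the fabric's ECN tuning leaves on it. The following is an added example written for this post, not code from the original article or from any vendor named in it. It constructs a few Ethernet/IPv4/UDP frames inline as sample data (the frame builder and the addresses are assumptions for the demo), then parses them to flag RoCEv2 by its IANA-assigned UDP destination port 4791, count Congestion Experienced (CE) marks per flow from the IP TOS byte, and rank flows by bytes to surface the elephants. Standard library only.

```python
"""Classify east-west AI-fabric traffic from raw Ethernet frames.

Added example for this post; not code from the original article or from any
vendor named in it. A handful of Ethernet/IPv4/UDP frames are constructed
inline as sample data, then parsed to:
  * identify RoCEv2 flows (RDMA over Converged Ethernet v2 rides in UDP with
    destination port 4791, the IANA-assigned port),
  * read the ECN codepoint from the IP TOS byte, so Congestion Experienced
    (CE) marks set by the fabric's ECN tuning are counted per flow,
  * rank flows by bytes to surface the elephant flows.
Standard library only; build_frame() exists purely to make sample input.
"""
import socket
import struct
from collections import defaultdict

ROCEV2_UDP_PORT = 4791   # RoCEv2 (UDP-encapsulated InfiniBand transport)
ECN_CE = 0b11            # Congestion Experienced codepoint, RFC 3168
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17


def build_frame(src_ip, dst_ip, sport, dport, payload_len, ecn=0):
    """Construct one Ethernet/IPv4/UDP frame (sample data, checksums left zero)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + ETHERTYPE_IPV4
    udp_len = 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                # version 4, IHL 5 (20-byte header)
                     ecn & 0x03,          # DSCP 0, ECN in the low two TOS bits
                     20 + udp_len,        # total length
                     0, 0,                # id, flags/fragment offset
                     64, IPPROTO_UDP, 0,  # ttl, protocol, checksum
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + bytes(payload_len)


def parse_frame(frame):
    """Return ((src, dst, sport, dport), ecn, ip_total_len) for IPv4/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ecn = frame[15] & 0x03
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != IPPROTO_UDP:
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return (src, dst, sport, dport), ecn, total_len


def summarize_flows(frames):
    """Aggregate frames into per-flow records annotated with RoCEv2 and CE-mark counts."""
    flows = defaultdict(lambda: {"bytes": 0, "packets": 0, "ce_marks": 0, "rocev2": False})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue  # non-IPv4 or non-UDP: not fabric traffic for this demo
        key, ecn, total_len = parsed
        rec = flows[key]
        rec["bytes"] += total_len
        rec["packets"] += 1
        rec["ce_marks"] += int(ecn == ECN_CE)
        rec["rocev2"] = key[3] == ROCEV2_UDP_PORT
    return dict(flows)


def elephant_flows(flows, share=0.25):
    """Flows that each carry at least `share` of all observed bytes, largest first."""
    total = sum(r["bytes"] for r in flows.values()) or 1
    ranked = sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [(k, r) for k, r in ranked if r["bytes"] / total >= share]


# Constructed sample: two RoCEv2 transfers (one seeing congestion marks) and a DNS lookup.
SAMPLE_FRAMES = (
    [build_frame("10.0.1.11", "10.0.1.12", 49152, ROCEV2_UDP_PORT, 4000,
                 ecn=ECN_CE if i < 2 else 0) for i in range(8)]
    + [build_frame("10.0.1.13", "10.0.1.14", 49153, ROCEV2_UDP_PORT, 4000) for _ in range(5)]
    + [build_frame("10.0.1.11", "10.0.0.53", 40000, 53, 60) for _ in range(3)]
)

if __name__ == "__main__":
    for key, rec in elephant_flows(summarize_flows(SAMPLE_FRAMES)):
        print(key, rec)
```

A real tap would hand this classifier frames by the hundreds of millions per second, so the point of the exercise is the shape of the output, not the loop: per-flow byte counts plus CE-mark counts are exactly the small, structured record a broker can forward while the packets themselves stay in the capture tier. A flow with a rising CE ratio is the early sign that PFC pause storms are next.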
From point tools to a Federated Data Fabric
There is a conversation that does not get enough airtime: what do you do with the packet capture infrastructure you have been running for the last decade? Many organizations carry legacy full packet capture (PCAP) tools deployed years ago to satisfy regulatory requirements. PCI-DSS, HIPAA, NERC CIP, and financial sector mandates have long required the ability to retain and produce network traffic records for audits, legal proceedings, and breach investigations. Those tools did the job they were asked to do. But they were built for a different era of network scale, and they are showing their age.
The problem is not just storage cost, though that is real. At modern traffic volumes, legacy PCAP appliances struggle to capture at line rate without dropping packets, lack meaningful integration with the rest of the security stack, and require analysts to jump between separate tools for capture, storage, and analysis. The result is tool sprawl: one system retaining packets for compliance, another doing detection, a third handling investigation workflows. Each transition between them costs time that defenders cannot afford to spend, especially when adversary breakout times are now measured in seconds rather than hours.
The way out is not another point tool, and it is not a single-vendor pitch either. It is a federated data fabric: a vendor-diverse pipeline where best-of-breed tools tap once, index once, and surface packets, flows, detections, correlations, and enforcement signals across whichever console the analyst is using. Visibility, forensics, enforcement, and operations stop being four procurement cycles and become one operating model. Vendor diversity is the point, not the bug. Customers do not rip-and-replace; they augment. The fabric is what makes augmentation work without sprawl. That is the architecture this piece argues for, and it is the architecture that maps cleanly into ARMOR's Infrastructure Security domain.
The integrated architecture
Four planes, federated. Each plane is a real engineering job. Each maps to specific control areas inside ARMOR's Infrastructure Security domain. Each has a vendor that has been doing this long enough to be trusted with the work. The integration is what makes the whole more than the sum of the parts.
Of the four planes, Visibility is load-bearing. The fabric only works if the tap layer is correct, complete, and at line rate. That is why Gigamon's positioning sits underneath the other three. Without a clean source of network truth, ExtraHop has nothing to detect on, Splunk has nothing reliable to correlate against, and Forescout has nothing trustworthy to act on. The rest of this architecture is a discussion of consumers. This is a discussion of the producer.
We have identified four key vendor solutions in this space, but the federated data fabric is designed to extend. CrowdStrike Federated Search, for example, reaches directly into ExtraHop so Falcon Next-Gen SIEM analysts can query RevealX network data where it lives rather than duplicating it into another store. For organizations already running CrowdStrike, that integration closes the endpoint-to-network visibility gap without standing up a parallel pipeline. The same federated principle invites other tools (endpoint, identity, cloud) to participate at the seams of the architecture rather than from the outside.
| Plane | Function | Primary vendor | ARMOR control area |
|---|---|---|---|
| Visibility | Lossless tap and AI traffic intelligence at 400G to 1.6T east-west. | Gigamon Deep Observability + AI Traffic Intelligence | Network Traffic Visibility; Boundary Protection |
| Forensics | NDR, always-on PCAP, and AI infrastructure auto-discovery, including MCP and agent-to-agent. | ExtraHop RevealX | Network Traffic Visibility (NDR); Resilience Planning |
| Enforcement | Identity-aware segmentation, device profiling, NAC, and risk-driven zoning. | Forescout 4D Platform | Segmentation; Device Profiling & NAC |
| Operations | Cross-source correlation, SOAR-driven response, and agentic-SOC orchestration. | Splunk Enterprise Security + SOAR | Resilience Planning; cross-domain into Secure AI Operations |
Visibility plane: Gigamon Deep Observability
Gigamon holds 51 percent of the deep observability market. That share matters, but what matters more is what the company has been doing with its install base over the last 18 months. AI Traffic Intelligence delivers visibility into generative AI and LLM traffic across more than 40 engines, enriching visibility for the complementary tooling to fully address the shadow AI problem at the network layer rather than relying on endpoint or proxy telemetry alone. Insights, Gigamon's agentic AI application, builds investigations and operational response on top of network-derived telemetry. The core architectural pitch is the one Kurt Roemer at Gigamon framed cleanly:
On the ARMOR map, Gigamon owns Network Traffic Visibility and most of Boundary Protection inside the Infrastructure Security domain. Its job in this architecture is to tap once and feed everything downstream. No duplicated data. No second forensics pipeline soaking up budget. No dropped frames at AI fabric speeds.
Forensics plane: ExtraHop RevealX
ExtraHop's RevealX platform is the direct answer to the rationalization argument above. It combines continuous always-on full packet capture with NDR, network performance management, and IDS in a single integrated console. It replaces the multi-tool patchwork that most organizations have accumulated over years of point-solution procurement. The PCAP repository scales modularly up to petabytes, designed specifically to meet long-term regulatory retention requirements without standing up a separate storage stack.
The piece that matters for AI: RevealX automatically discovers and maps AI infrastructure across the environment. That includes LLM usage on cloud and on-prem, MCP servers and API endpoints, and agent-to-agent communication patterns. The same platform meeting your PCI or HIPAA packet retention requirements can build a continuous inventory of your agentic footprint and flag unsanctioned AI activity the moment it appears on the wire.
On the ARMOR map, ExtraHop sits squarely on Network Traffic Visibility (NDR) and Resilience Planning. The latter qualifies because evidentiary retention is a resilience function, not a storage function. When the post-incident question is "what did this agent actually send to that LLM, and when," RevealX is the system of record.
Enforcement plane: Forescout 4D Platform
Forescout shipped agentless, cloud-native network segmentation in the 4D Platform that lets organizations model and enforce zones based on device identity, function, behavior, and risk. The 2026 Riskiest Connected Devices Report carried a finding worth pausing on: network infrastructure now surpasses traditional endpoints in overall risk ranking. For teams securing AI workloads, that is a significant data point. The fabric connecting your GPUs is now your highest-risk surface, and the device profile of an AI training node is different enough from a general-purpose VM that legacy NAC policies will not catch the drift on their own.
What makes Forescout interesting in this stack is not segmentation as a feature. That is table stakes. What matters is its ability to consume risk and AI-asset signals from upstream platforms (ExtraHop's auto-discovery, Gigamon's traffic intelligence) and turn those into policy automatically. The result is enforcement that adapts as the environment changes, rather than a static zoning model that ages out the moment a new model gets deployed.
On the ARMOR map, Forescout owns Segmentation and Device Profiling & NAC, with meaningful contribution to Boundary Protection. It is the plane that turns visibility and forensics into action.
Operations plane: Splunk
If Gigamon is the tap and ExtraHop is the system of record, Splunk is the system of synthesis. Splunk Enterprise Security correlates the network telemetry coming out of the fabric with identity events, endpoint signals, application logs, and cloud audit trails. Splunk SOAR turns those correlations into action. A Forescout segmentation change. A CrowdStrike isolation. A ServiceNow ticket. An ExtraHop drill-down. The point is not that Splunk owns any one of those moves. The point is that operating across them is what an analyst's day actually looks like, and the operations plane is where that orchestration belongs.
Cross-pollination is where this plane earns its keep. Gigamon's Application Metadata Intelligence (AMI) extracts thousands of application and protocol attributes from network traffic and forwards them as structured metadata, not raw packets, into Splunk Enterprise Security. That distinction matters operationally and financially. Splunk analysts get high-fidelity, indexed records of what is happening on the wire without paying the ingestion cost of streaming full packets. Gigamon publishes a tool-cost reduction of 50 percent or more for customers running this pattern, backed by ESG economic validation, and anonymized public references push the upper bound to 75 percent. Different data shapes for different consumers. Full packets to ExtraHop for forensics. Metadata to Splunk for correlation. Risk signals to Forescout for enforcement. One tap, three appropriately shaped feeds.
The Splunk Agentic SOC build-out adds a layer that is harder to ignore. AI agents triaging alerts, correlating across the same federated stack, and surfacing investigations with full network and endpoint context attached. AMI's normalized metadata is exactly the input format those agentic reasoners want. For organizations already running Splunk, there is no architectural rip-and-replace required to participate in this fabric. The integrations exist.
On the ARMOR map, Splunk's primary contribution to Infrastructure Security is correlation and orchestration, with reach into Resilience Planning through audit-grade retention and into Secure AI Operations through SOAR. It does not enforce segmentation, but it can trigger Forescout to. It does not capture packets, but it can pivot to ExtraHop when an investigation needs them. That is the cross-pollination the federated data fabric is designed to enable.
When Splunk ingest cost becomes the conversation
Organizations that raise Splunk license cost as a blocker have a direct answer in the Gigamon-Splunk federated-search integration. It reduces ingest while keeping full visibility by turning raw network traffic into actionable, indexed telemetry that analysts can query where it resides. High-value Gigamon metadata (AMI) lands in Splunk's hot tier for real-time detection and dashboards. The full JSON telemetry stream goes to AWS S3 as a lower-cost long-term retention tier. Splunk Federated Search queries both, so analysts pivot from a real-time alert to historical evidence in S3 without paying full ingestion cost for petabytes of audit data.
PCI, HIPAA, and other regulated-retention scenarios are the key use cases here, and the tiered model is a direct example of the AMI cost-curve argument that follows. This is one example of how a federated data fabric built on Gigamon and Splunk creates a smarter way to maximize data value, improve visibility, and simplify analytics.
Sources: Splunk Community — Unlocking Unified Insights: New Gigamon Federated Search App for Splunk · Gigamon Deep Observability App for Federated Search on Splunkbase.
What AMI actually does
Application Metadata Intelligence is the GigaSMART application that turns deep packet inspection into structured records. It examines traffic flowing through the Gigamon broker, extracts roughly 7,000 protocol and application attributes (HTTP, DNS, TLS, SMB, Kerberos, SQL, and LLM and agent traffic among others), normalizes them into consistent record formats, and ships them via CEF, Syslog, Kafka, or native Splunk HEC. The SIEM never sees the raw packets. It sees the answers.
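What "the SIEM sees the answers" looks like in practice is a small structured record per session instead of megabytes of packets. The following is an added example written for this post, not Gigamon's AMI or Splunk's own code. It takes one constructed metadata record (roughly what an application-metadata engine would emit for a single HTTPS session to an LLM API) and renders it two ways: as an ArcSight CEF line for a syslog consumer, with the escaping the CEF header and extension fields require, and as a Splunk HTTP Event Collector (HEC) JSON payload. It then compares the event's size with the packet bytes it summarizes. The vendor and product strings, the hostname, and field names without a CEF equivalent are assumptions for the demo, not a vendor schema.

```python
"""Render a flow-metadata record as SIEM-ready events instead of shipping packets.

Added example for this post, not Gigamon's AMI or Splunk's own code. A single
constructed metadata record (what a metadata engine might emit for one HTTPS
session to an LLM API) is rendered as an ArcSight CEF line and as a Splunk HEC
JSON payload, then sized against the packet bytes it summarizes. Field names
follow CEF extension conventions where one exists (src, dst, dpt, in, out) and
are otherwise assumptions for the demo. Standard library only.
"""
import json

# Constructed sample record: one TLS session; the model streamed back ~1.8 MB.
SAMPLE_RECORD = {
    "ts": 1700000000.0,
    "event_id": "llm-session",
    "name": "LLM API session",
    "severity": 3,
    "fields": {
        "src": "10.20.30.40",
        "dst": "203.0.113.10",              # documentation range, placeholder
        "dpt": 443,
        "app": "TLS",
        "tlsVersion": "1.3",
        "tlsSni": "api.llm-provider.example",   # assumed hostname for the demo
        "requestPath": "/v1/chat/completions?stream=true",
        "out": 12288,                       # bytes client -> server
        "in": 1843200,                      # bytes server -> client
    },
}


def _cef_header(value):
    """CEF header fields may not contain a raw '|' or '\\'; backslash goes first."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_extension(value):
    """CEF extension values escape '\\', '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec, vendor="ExampleVendor", product="MetadataEngine", version="1.0"):
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(_cef_header(v) for v in
                      (vendor, product, version, rec["event_id"], rec["name"], rec["severity"]))
    extension = " ".join(f"{k}={_cef_extension(v)}" for k, v in rec["fields"].items())
    return f"CEF:0|{header}|{extension}"


def to_hec(rec, index="network", sourcetype="flow:metadata"):
    """One HEC event: the metadata is the indexed body; no packet bytes ride along."""
    payload = {"time": rec["ts"], "index": index, "sourcetype": sourcetype,
               "source": "metadata-broker", "event": rec["fields"]}
    return json.dumps(payload, separators=(",", ":"))


def footprint(rec):
    """Return (packet_bytes, event_bytes, reduction_factor) for the record."""
    packet_bytes = rec["fields"]["in"] + rec["fields"]["out"]
    event_bytes = len(to_hec(rec).encode("utf-8"))
    return packet_bytes, event_bytes, packet_bytes / event_bytes


if __name__ == "__main__":
    print(to_cef(SAMPLE_RECORD))
    print(to_hec(SAMPLE_RECORD))
    print("packet bytes %d, event bytes %d, %.0fx smaller" % footprint(SAMPLE_RECORD))
```

The escaping is not cosmetic: the `=` inside the query string would otherwise split `requestPath` into two bogus keys on the SIEM side, and an unescaped `|` in a product or event name shifts every header column after it. The size ratio is the whole cost argument in one number, and it only holds because the full packets still exist in the capture tier for the cases where an investigation needs them.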
Where AMI is heading: Shrinking the SIEM data-feed footprint
AMI represents an architectural shift that is still early but accelerating. Three patterns to watch.
- Metadata-first ingestion. Forwarding structured application metadata instead of raw logs or full packets reduces the SIEM data-feed footprint without losing fidelity for correlation. As Splunk ingestion costs continue to grow with AI workload telemetry, this becomes less a cost-optimization exercise and more an operating requirement.
- ML and AI baselining over normalized metadata. AMI records are structured, attribute-rich, and consistently shaped across protocols. That is exactly the input format that ML-driven baselining engines and agentic SOC reasoners want. The same metadata stream that cuts ingestion cost becomes the substrate for behavioral analytics on AI-fabric flows that legacy log-centric pipelines cannot afford to keep, much less analyze.
- Protocol coverage expanding into the AI stack. AMI's roadmap is moving toward decoding the protocols AI workloads actually use. MCP, model APIs, agent-to-agent messaging. AI traffic becomes inspectable as structured metadata rather than opaque flows. When that decoding matures, the federated data fabric will have a way to see what AI agents are doing without retaining the petabytes of PCAP that would otherwise be required.
This is the emerging architecture worth watching. The SIEM data-feed footprint shrinks while the depth of visibility into AI traffic expands. Those two trends usually run in opposite directions. AMI is one of the few patterns that runs them in the same direction at the same time.
How the integration actually works
The handoffs are where this architecture earns its keep. None of these vendors is new. What is new is the discipline of operating them as a federated data fabric instead of as three separate procurement cycles.
Telemetry path
Gigamon taps east-west AI fabric traffic at line rate and brokers it three ways from a single source of network truth. Full packets to ExtraHop for NDR, AI infrastructure auto-discovery, and PCAP retention. AMI metadata to Splunk Enterprise Security for correlation against identity, endpoint, application, and cloud audit logs, with SOAR playbooks that can pivot back into RevealX for packet evidence or trigger Forescout for segmentation action. Risk and AI-asset signals to Forescout, which adjusts segmentation policy in response. CrowdStrike Federated Search reaches into RevealX for joint endpoint-and-network investigations. Same tap. Three data shapes. Three appropriately sized feeds.
On the ARMOR map, this single pipeline addresses Network Traffic Visibility, Segmentation, Device Profiling & NAC, Boundary Protection, and Resilience Planning. That is five of the ten Network/Host/DPU control areas inside Infrastructure Security, and it does so without running five separate operating models. That is the rationalization argument made concrete. Less licensing overhead. Fewer analyst context-switches. No retention gaps from legacy appliances falling behind on ingestion.
The DPU horizon: Where the fabric is heading
The architecture above describes what is shippable today. The architecture coming next puts the same functions on a different substrate, and that substrate is the DPU.
A Data Processing Unit is purpose-built infrastructure that offloads networking, security, and storage functions from the CPU. In AI cluster environments, every CPU cycle is committed to inference and training. Adding a traditional security agent on top of that host competes directly with the workload you are trying to protect. At 400 Gbps to 1.6 Tbps, it simply cannot keep up. The DPU sits between the network and the host, running microsegmentation, zero trust enforcement, encryption, deep packet inspection, and telemetry collection independently of the CPU. NVIDIA's BlueField is the most visible example. BlueField-3 is already positioned as the telemetry and NDR sensor for NVIDIA's Morpheus AI security platform. BlueField-4, launching in 2026, scales to 800 Gbps per device.
Where the integrated stack is heading on the DPU
Each vendor in this architecture is moving functions toward the DPU. The substrate is the same. The consumers shift. What follows is what to expect.
Vendor convergence on the DPU
- Gigamon: Tap and traffic-intelligence functions integrating with BlueField, so the broker lives at the host edge instead of behind a separate appliance.
- ExtraHop: NDR sensor footprint shrinking onto the DPU, enabling inter-pod forensics and agent-to-agent visibility that never has to leave the host.
- Splunk: Edge correlation closer to the source, with summarized telemetry and high-fidelity events shipped upstream instead of raw logs at line rate.
- Forescout: Microsegmentation policy enforced at the DPU, applied per pod rather than per VLAN, with risk signals from upstream platforms driving the policy in real time.
Three use cases sharpen what this enables.
- Inter-pod forensics: capturing traffic between GPU pods without instrumenting the host operating system or stealing CPU cycles from the workload.
- Telemetry pull-down: replay-grade packet records collected at line rate, eligible to feed network digital twins for testing, simulation, and post-incident reconstruction.
- Traffic inspection: deep packet inspection and policy enforcement on east-west AI fabric flows that no perimeter device will ever see.
Network digital twins are the longer arc. A high-fidelity, replay-grade copy of the production fabric, fed by DPU-resident telemetry, lets defenders test segmentation changes, rehearse incident response, and reproduce attacker activity without touching the live environment. The fabric is the source of truth. The DPU is what makes capturing it at AI scale practical. The vendors above are the ones writing the consumer side of that pipeline.
Why this matters now
AI cluster speeds are climbing toward 1.6 Tbps. The visibility layer has to climb with them, and it is not a minor upgrade. East-west blind spots in AI clusters are where the next class of breaches hides. Adversary breakout times are already inside human reaction windows, and they will not slow down to wait for the analyst to log into the right console. Regulatory PCAP retention, traditionally the boring justification for legacy appliances, is being collapsed into NDR consoles that can actually feed the rest of the security stack. The customers who get ahead of this consolidation will spend less and see more. The ones who do not will pay the legacy tax in two places: licensing and detection.
WWT, NVIDIA, Gigamon, and ExtraHop are formalizing a joint AI visibility initiative that anchors to ARMOR. Gigamon is engaged with the ARMOR team directly on Infrastructure Security alignment. Splunk's Enterprise Security and SOAR sit at the operations end of that pipeline today, and the Agentic SOC build-out promises deeper automation tomorrow. Forescout's 4D Platform is the segmentation layer most likely to enforce the policy these other systems generate. And on the horizon, the same vendors are already moving functions onto the DPU substrate that AI infrastructure will demand at scale. The architecture in this piece is not a forecast. It is what these companies are already building together, mapped to a framework customers can adopt.
Network security is not standing still. Neither should you.
Whether your priority is collapsing legacy PCAP infrastructure, operationalizing AI workload visibility, or aligning your network security stack to ARMOR, WWT can help you move forward with confidence. Contact us to continue the conversation.
A note on forward-looking statements
Portions of this piece describe vendor roadmaps, emerging integration patterns, and architectural direction. Examples include AMI's expanding protocol coverage, vendor function convergence on the DPU substrate, network digital twins, the Splunk Agentic SOC build-out, and the WWT, NVIDIA, Gigamon, and ExtraHop joint AI visibility initiative. These statements reflect our current read of industry direction at time of publication. They are not commitments by Gigamon, ExtraHop, Forescout, Splunk, NVIDIA, or WWT, and vendor roadmaps move. Verify against each vendor's official roadmap communications before making purchase decisions.