Every endpoint in the enterprise, remote or on-premises, is a potential entry point for a security threat. Cybercriminals know that if they can control an endpoint, they can move laterally within an organization and access critical systems and data. If they are careful, their activity may go undiscovered for months.


Our Check Point Threat Forensics solution identifies and mitigates threats before significant damage happens. A Threat Forensics agent monitors files, processes, and network activity on managed endpoints. When our threat prevention technologies detect an attack, either on the endpoint or on the network, the agent automatically begins an analysis of the attack and uploads details of the event to the security management server. There, endpoint and network security events are correlated to establish what happened, when it happened, and how. This knowledge helps prevent similar breaches from occurring in the future.



Endpoint Security Threat Forensics adds detailed intelligence to show the entire story of the attack, from the moment the bot is detected back to the spear-phishing mail that was the entry point for the initial compromise:

  • Monitors and records all endpoint events
  • Collects attack details and analyzes the incident
  • Sends incident report and logs to management
  • Follows the attack timeline, containing the threat


By monitoring and recording all endpoint events (including files affected, processes launched, system registry changes, and network activity), the solution can trace and report on the steps taken by any malware, including zero-day threats.
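The following is an added illustration, not Check Point code, of how recorded endpoint events can be turned into the attack story described above. It assumes a sensor that logs process starts (with parent PID), file writes, registry changes, and outbound connections, and a gateway alert that names the source host and destination. The telemetry, the hostnames, the IP addresses, and the event schema are constructed for the example. Starting from the gateway's bot detection, it finds the endpoint process that made the connection, walks the parent chain back to the mail client, and lists every recorded action of those processes in time order, which is the kill-chain timeline a forensics report presents.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed event schema (hypothetical, not the product's own format):
# ts = UTC timestamp, host = endpoint name, kind = sensor event type,
# pid/ppid = process and parent process IDs, image = executable, detail = object touched
Event = namedtuple("Event", "ts host kind pid ppid image detail")


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry from one workstation. PIDs, paths and IPs are made up.
EVENTS = [
    Event(_t("2024-03-01T09:00:02"), "ws-17", "process_start", 2100, 800,  "outlook.exe", ""),
    Event(_t("2024-03-01T09:05:10"), "ws-17", "file_write",    2100, 800,  "outlook.exe",
          r"C:\Users\jdoe\Downloads\invoice.docm"),
    Event(_t("2024-03-01T09:05:30"), "ws-17", "process_start", 3302, 2100, "winword.exe", "invoice.docm"),
    Event(_t("2024-03-01T09:05:41"), "ws-17", "process_start", 3410, 3302, "powershell.exe", "-nop -w hidden"),
    Event(_t("2024-03-01T09:05:45"), "ws-17", "file_write",    3410, 3302, "powershell.exe",
          r"C:\Users\jdoe\AppData\Roaming\svc.exe"),
    Event(_t("2024-03-01T09:05:46"), "ws-17", "registry_set",  3410, 3302, "powershell.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(_t("2024-03-01T09:05:50"), "ws-17", "process_start", 3520, 3410, "svc.exe", ""),
    Event(_t("2024-03-01T09:06:05"), "ws-17", "net_connect",   3520, 3410, "svc.exe", "198.51.100.23:443"),
    # Unrelated benign activity on the same host that must not end up in the report.
    Event(_t("2024-03-01T09:06:07"), "ws-17", "process_start", 3600, 800,  "chrome.exe", ""),
    Event(_t("2024-03-01T09:06:09"), "ws-17", "net_connect",   3600, 800,  "chrome.exe", "203.0.113.5:443"),
]

# Constructed gateway detection: the network side saw a bot beacon from ws-17.
ALERT = {"ts": _t("2024-03-01T09:06:06"), "src_host": "ws-17",
         "dst": "198.51.100.23:443", "signature": "Bot C2 beacon"}


def match_gateway_alert(events, alert, window=timedelta(seconds=30)):
    """Map a gateway detection to the endpoint process that opened the connection."""
    for e in events:
        if (e.kind == "net_connect" and e.host == alert["src_host"]
                and e.detail == alert["dst"]
                and abs(e.ts - alert["ts"]) <= window):
            return e.pid
    return None


def process_ancestry(events, pid):
    """Walk parent links from pid back to the earliest process the sensor recorded."""
    starts = {e.pid: e for e in events if e.kind == "process_start"}
    chain, seen = [], set()
    while pid in starts and pid not in seen:  # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(starts[pid])
        pid = starts[pid].ppid
    chain.reverse()  # earliest ancestor first
    return chain


def attack_timeline(events, pid):
    """Every recorded action of the processes in the ancestry chain, in time order."""
    pids = {e.pid for e in process_ancestry(events, pid)}
    return sorted((e for e in events if e.pid in pids), key=lambda e: e.ts)


def kill_chain_report(events, alert):
    """Text lines for an incident report: the trigger, then the reconstructed timeline."""
    pid = match_gateway_alert(events, alert)
    if pid is None:
        return ["no endpoint process matched the gateway alert"]
    lines = [f"gateway: {alert['signature']} from {alert['src_host']} to {alert['dst']}"]
    for e in attack_timeline(events, pid):
        lines.append(f"{e.ts.isoformat()} {e.image}[{e.pid}] {e.kind} {e.detail}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(kill_chain_report(EVENTS, ALERT)))
```

The report runs from outlook.exe writing the attachment, through winword.exe spawning powershell.exe, to the dropped svc.exe and its beacon; chrome.exe, which connected to a different address at nearly the same time, is excluded because it is not in the ancestry chain. The time window on the gateway match matters: clock skew between gateway and endpoint is the usual reason a network detection fails to resolve to a process.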

All of the endpoint sensor data is stored on the endpoint itself, eliminating the need for additional appliances. Even with thousands of endpoints, this distributed storage of endpoint events keeps traffic down and does not overload the network, because data is uploaded to management only when an incident triggers analysis.

Our kernel-level sensors are secure and cannot be disabled by malicious processes.


Our Threat Forensics solution allows you to view event reports from a central location such as the endpoint security management server. The events that trigger creation of an Incident Report may come from the endpoint itself or from the gateway. Users can also generate reports on demand for known malicious events, providing a detailed cyber kill chain analysis.


The sheer number of security events can be overwhelming. Check Point SmartEvent helps security teams by prioritizing events, letting them focus on the ones that matter most.

SmartEvent aggregates and correlates network and endpoint events from our Next Generation Threat Prevention Appliances and Endpoint Security Suite. With the additional intelligence from Endpoint Threat Forensics, security teams gain a better understanding of the attack and can mitigate security incidents more efficiently.