{"version":"https:\/\/jsonfeed.org\/version\/1","title":"kentik Kentik Product Updates","home_page_url":"https:\/\/new.kentik.com","icon":"https:\/\/announcekit.app\/images\/empty-avatar.jpg","items":[{"id":"439169","content_html":"<p>\"Portal won't even load for me,\" said the SRE manager, Jim-bob, frantically looking at a series of alerts cascading through his observability tool. In the Slack war room, the pressure was mounting.\u00a0<\/p><blockquote><p><em>\"Is this a synth issue or a network issue?\"<\/em> he asked\u2014the classic question that marks the beginning of every high-stakes triage.<\/p><\/blockquote><p>Across the virtual table, Ally, the network architect, was digging into the charts. \"Why so many that say Tokyo?\" she muttered, staring at a sea of overlapping lines. The team was drowning in raw data, but they were missing the story.<\/p><hr class=\"read-more-break\" \/><h2>What's New?<\/h2><p>To solve these high-pressure moments, we\u2019re thrilled to announce the enhanced <strong>Investigative Capabilities of AI Advisor (AIA)<\/strong>. AI Advisor now has the power to act as your primary on-call investigator, correlating <strong>Synthetics monitoring<\/strong> with <strong>real-time BGP telemetry<\/strong>. Instead of you manually hunting for common denominators across different ephemeral queries or consoles, AIA looks at your global agent network, analyzes the routing paths, and builds a definitive root-cause report and complete with path visualizations, directly in the chat.<\/p><h2>Why It Matters<\/h2><p>This update turns AIA into a collaborative partner that solves the \"unknown network change\" by following the evidence:<\/p><ul><li><strong>AI Assisted Triangulation<\/strong>: During the triage, Ally and Jim-bob were overwhelmed by \"Tokyo\" alerts. AIA cut through the noise by identifying that geographically diverse agents (Cloud-A\/Chicago, Cloud-B\/Tokyo, Cloud-C\/London) all shared one thing in common: their traffic routed through a <strong>specific upstream transit path<\/strong>. AIA can now build these path-dependency diagrams on the fly, helping describe transit-layer issues in a context that is easier for NOC and network engineers to understand and act upon.<\/li><li><strong>Exposing the \"Connected Route\" Trap<\/strong>: One of the most dangerous false signals is a healthy P2P link. AI Advisor identified that while an upstream p2p interface remained reachable with 0% packet loss, it was a \"false friend.\" Because that subnet was a <strong>connected route<\/strong>, the link stayed up even as the provider\u2019s backbone lost the ability to route traffic to Kentik's actual service prefixes (193.177.*.*\/24). AIA accurately identified that the physical wire was fine, but the routing was broken.<\/li><\/ul><p style=\"text-align:center;\"><img src=\"https:\/\/img.announcekit.app\/fcf469252c2b982484d92b4aa209c557?s=b9382f3fe8f2f0fbc4346498dce1970d\" style=\"width:79.66%;\" \/><em>*note this image is an anonymized recreation based on the original<\/em><\/p><ul><li><strong>Correlating BGP Churn in Real-Time<\/strong>: AI Advisor doesn't just look at pings; it looks across the data you\u2019ve collected with Kentik. In our case, it identified a <strong>massive BGP UPDATE storm of 158k messages<\/strong>, roughly <strong>148x the normal churn rate<\/strong>, detected on a specific transit path. By linking this routing instability directly to the Synthetics packet loss, AI Advisor (AIA) gives you the data-driven evidence you need to coordinate with partners and resolve path-specific issues.<\/li><\/ul><p><img src=\"https:\/\/img.announcekit.app\/025e2462333aa96515d2fd0be262c149?s=a21fad187c6f5ed52f06d62a02cb2af6\" style=\"width:73.3%;\" \/><\/p><p style=\"text-align:center;\"><em>*note this image is an anonymized recreation based on the original<\/em><\/p><ul><li><strong>Depth Without the Drama<\/strong>: No more fighting with your dashboard while on the move. The updated <strong>UDE Table Renderers<\/strong> ensure that whether you're at a dual-monitor workstation or triaging on the go like <span style=\"text-align:left;\">Jim-Bob<\/span>, the critical path data and cloud provider info are front and center.<\/li><\/ul><p>Get Started! Ready to find your Mean Time to Innocence? Head to the <strong>Synthetics<\/strong> section in the Kentik portal to explore the new trace tool, or ask <strong>AI Advisor<\/strong> to \"analyze the latest packet loss spike\" to see the triangulation diagram in action. For a deep dive into the technical specs, visit our <a href=\"https:\/\/kb.kentik.com\" target=\"_blank\">Knowledge Base<\/a>.<\/p>","url":"https:\/\/new.kentik.com\/from-is-it-just-me-to-mean-time-to-innocence-an-ai-advisor-triage-story-2ngfgQ","title":"From \"Is it just me?\" to Mean Time to Innocence: An AI Advisor Triage Story","summary":"\"Portal won't even load for me,\" said the SRE manager, Jim-bob, frantically looking at a series of alerts cascading through his observabilit...","date_modified":"2026-05-06T00:43:17.913Z","tags":["Synthetics"]},{"id":"439081","content_html":"<p><strong>On May 8, 2026<\/strong>, during a scheduled maintenance window at <strong>2AM UTC<\/strong>, Kentik will introduce an <a href=\"https:\/\/www.f5.com\/products\/distributed-cloud-services\/distributed-cloud-waf\" target=\"_blank\">F5 Distributed Cloud Web Application Firewall (WAF)<\/a> in front of our US SaaS platform (<a href=\"https:\/\/portal.kentik.com\" target=\"_blank\">portal.kentik.com<\/a> \/ <a href=\"https:\/\/api.kentik.com\" target=\"_blank\">api.kentik.com<\/a>). \u00a0This is part of our commitment to continual improvement and defense in depth strategy to secure our systems in the face of novel, AI-assisted attack chains. <em>(<strong>Note<\/strong> - As part of our initial deployment, this change took effect in EU SaaS on April 22, 2026)<\/em><\/p><h2><strong>What's changing<\/strong><\/h2><p>All HTTPS traffic to <a href=\"https:\/\/portal.kentik.com\" target=\"_blank\">portal.kentik.com<\/a>, \u00a0<a href=\"https:\/\/api.kentik.com\" target=\"_blank\">api.kentik.com<\/a> <em>(including *.my.kentik.com, beta.kentik.com &amp; next.kentik.com)<\/em>, and the corresponding .<em>eu<\/em> domains, now routes through the F5 WAF at <strong>159.60.158.89<\/strong> before reaching Kentik infrastructure. This provides enhanced protection against malicious web application traffic and attacks with no change to the portal or API functionality.<\/p><h2><strong>What's not changing<\/strong><\/h2><ul><li>Our SaaS platform remains hosted with its data stored in our co-location facility in Ashburn, Virginia for our US and Frankfurt, Germany for EU.<\/li><li>Flow ingest data (NetFlow\/IPFIX\/sFlow packets) sent to collector IPs is unaffected. <br \/><em>(<strong>Note:<\/strong> However, some kproxy management\/health calls, ksynth result uploads and, any customer scripts calling our API \u00a0\u2014 now routes through the WAF)<\/em><\/li><\/ul><h2><strong>Action required<\/strong><\/h2><p>Action only required if you have outbound IP allowlists. If your proxies, firewalls or other routing policies restrict outbound HTTPS (port 443) to Kentik by IP, you must add <strong>159.60.158.89<\/strong> alongside the existing Kentik VIPs. Without this, portal and API access may be blocked from your network.<\/p><h2>Data Processing Notes<\/h2><p><strong>F5 Data Processing<\/strong><\/p><ul><li>Requests will be processed by <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000146743\" target=\"_blank\">F5\u2019s regional endpoints<\/a> based on where they originate.<\/li><li>F5 is a member of the US DPF program &amp; shares our overall GDPR commitment, so this change should not introduce novel data locality concerns.\u00a0<\/li><li>WAF performs transient analysis of user requests hitting the SaaS website only and is not used to process network telemetry data (such as NetFlow) sent to our servers. Furthermore, F5 does not store any user request data post-processing. As a result, we determined that this does not meet our criteria for declaring F5 as a full subprocessor working with customer personal data.<\/li><\/ul><p><strong>Private Network Interconnect (PNI)<\/strong><\/p><ul><li>If you have a private network interconnect (PNI) configured to Kentik with the portal\/API being accessed via the PNI. Then with the WAF in place, portal and API access will be routed via F5\u2019s regional edges over the internet. (Note: This is only for web traffic and, Flow\/ingest data will still continue to go over the PNI)<\/li><\/ul><h2>Additional F5 information<\/h2><ul><li>F5 Data Protection: \u00a0<a href=\"https:\/\/www.f5.com\/company\/trust-center\/general-data-protection-regulation-and-data-protection-framework\" target=\"_blank\">https:\/\/www.f5.com\/company\/trust-center\/general-data-protection-regulation-and-data-protection-framework<\/a><\/li><li>F5 Regional Edge Locations: <a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000146743\" target=\"_blank\">https:\/\/my.f5.com\/manage\/s\/article\/K000146743<\/a>\u00a0<\/li><li>F5 Regional Edge IP ranges: <a href=\"https:\/\/docs.cloud.f5.com\/docs-v2\/downloads\/platform\/reference\/network-cloud-ref\/ips-domains.txt\" target=\"_blank\">https:\/\/docs.cloud.f5.com\/docs-v2\/downloads\/platform\/reference\/network-cloud-ref\/ips-domains.txt<\/a>\u00a0<\/li><\/ul><p>If you have any questions regarding this, please reach out to Kentik support or your customer success advisor.<\/p>","url":"https:\/\/new.kentik.com\/web-application-firewall-waf-protection-for-kentik-saas-portal-and-api-Llru8","title":"Web Application Firewall (WAF) protection for Kentik SaaS Portal and API","summary":"On May 8, 2026, during a scheduled maintenance window at 2AM UTC, Kentik will introduce an F5 Distributed Cloud Web Application Firewall (WA...","date_modified":"2026-05-04T19:06:13.098Z","tags":[]},{"id":"438954","content_html":"<p>Network problems happen all the time, but the hardest part isn't detection. It's getting to the <strong><em>why<\/em><\/strong>. Detection is easy, but diagnosis is not. Observability has gotten incredibly good at detecting issues and narrowing down the problem space. But actually diagnosing the network and finding the root cause? That is still painfully manual.<\/p><p>Engineers often need to look at multiple tools, dashboards and CLIs to get to root cause. Introducing, Kentik's new AI diagnostics for faster root-cause analsys! By bringing diagnostic tools-of-the-trade directly into your telemetry and alerting workflows, you can stop the swivel-chair investigation and confirm root causes faster.<\/p><p>Here are three new capabilities launching today to help you streamline troubleshooting:<\/p><h2><strong>On-Demand Connectivity Tests<\/strong><\/h2><p>Need to confirm an issue from a specific vantage point? You can now use AI Advisor to validate reachability and path behavior from Universal Agents. This allows you to test and confirm network issues exactly where they matter most to your end-users.<\/p><p><img src=\"https:\/\/img.announcekit.app\/773a24ffd396b23cfc8a731446d3b625?s=f199aeb705fc022d19eabd7f6cbf5a7c\" \/><\/p><h2><strong>\ud83d\udcdd Config Context (Backups + Diffs)<\/strong><\/h2><p>Configuration changes are a leading cause of network incidents. Kentik NMS now periodically captures running configs over SSH, securely stores them as secret-redacted backups, and surfaces diffs between revisions. Even better: AI Advisor can instantly analyze these backups and diffs to answer questions about configuration states and identify if a recent change is the culprit behind your current issue.<\/p><p><img src=\"https:\/\/img.announcekit.app\/7b090f9152f79f43f290a6f99f351f7f?s=dc2bbedb5e80e6df92bbc746a11873cc\" \/><\/p><p><img src=\"https:\/\/img.announcekit.app\/9b4307d48d27a5a47db2826b7fa6b65c?s=e92b24d43b5f85165da01611b762ff00\" \/><\/p><p><img src=\"https:\/\/img.announcekit.app\/4ca883f047e866de9010486f6a6da441?s=c3818da0500b1cc084a0411216941a12\" \/><\/p><h2><br \/><strong>\ud83d\udcbb SSH Command Access<\/strong> <\/h2><p>When an investigation requires live device data, the usual answer is to pull up a CLI and start digging. Now, you can do it right from AI Advisor. AI Advisor can propose, run, and analyze read-only <code>show<\/code> commands directly inside your investigation thread.<\/p><p><img src=\"https:\/\/img.announcekit.app\/56621bd286b46058963341b281c523bc?s=1cc26eaa34462d02d5d9492f0cfcaf01\" \/><\/p><ul><li><strong>No memorizing vendor syntax:<\/strong> AI Advisor handles the complex commands.<\/li><li><strong>No context switching:<\/strong> Keep your CLI output and your telemetry in the same window.<\/li><li><strong>Empower your team:<\/strong> Junior or less specialized staff can safely troubleshoot complex issues and correlate live device truth with ease.<\/li><\/ul><h1><strong>Ready to see it in action?<\/strong><\/h1><p>Monitor your devices with NMS, configure SSH access and start solving problems faster today. There's no \"upcharge\" for this new feature. It's included with an NMS device license. Need more details? Check out our <a href=\"https:\/\/kb.kentik.com\/docs\/ai-assisted-netops\" rel=\"noopener noreferrer\" target=\"_blank\">knowledge base article<\/a> and <a href=\"https:\/\/www.kentik.com\/blog\/accelerating-mttr-faster-root-cause-diagnosis-ai-advisor\/\" rel=\"noopener noreferrer\" target=\"_blank\">release blog<\/a>.<\/p><p><br \/><br \/><\/p>","url":"https:\/\/new.kentik.com\/accelerate-network-diagnostics-with-command-access-config-diffs-and-on-demand-tests-37Obyo","title":"Accelerate Network Diagnostics with Command Access, Config Diffs and On-Demand Tests","summary":"Network problems happen all the time, but the hardest part isn't detection. It's getting to the why. Detection is easy, but diagnosis is not...","date_modified":"2026-05-04T15:00:00.000Z","tags":["UI\/UX","Synthetics","New feature","NMS","AI"]},{"id":"438668","content_html":"<p>Observation Deck was initially built as a flexible landing page that adapts to users' interest. It includes a library of widgets that aren't available as Data\/Metrics Explorer views, but also allows our users to embed views from these two key Infrastructure Analytics query applications. In its initial design, there was only one Observation Deck per user, and no ability for a group of users to share the same.<\/p><p>Discussions with our user base led to these requirements:<\/p><ul><li>the ability to build and then share Observation Decks across users;<\/li><li>the ability to share an Observation Deck with users based on their assigned role, serving as a role-specific landing page for the tasks &amp; checks that their roles demand<\/li><li>the ability to centrally manage <span style=\"text-align:left;\">Observation Decks<\/span> assignments as landing pages for different user groups<\/li><\/ul><p>So... that's what this update is about! Read on! At the end of the article, we'll also share our vision of how Observation Decks and Dashboards will evolve in the short\/mid\/long term future, so make sure you review the last section.<\/p><hr class=\"read-more-break\" \/><h2>Introducing the new observation decks<\/h2><h3>Observation Decks are now their own Library objects<\/h3><p>If you go to the Library (<code>[shift]+[s]<\/code> from any screen in Kentik Portal, one of those magic shortcuts you want to know about) you will notice that the left-side filter panel now offers an additional choice for <code>Type<\/code>:<\/p><p><img src=\"https:\/\/img.announcekit.app\/5ad745b61c393432406045991fd677ff?s=9599e8d9ccd6885ae396c154ef0d2a39\" class=\"image-align-left\" \/><\/p><p>This means that you can now create multiple Observation Decks. Here's a few things about how it works:<\/p><ul><li>These Observation Decks are bound to the same RBAC rules as Dashboards: Shared vs Private settings supersede any RBAC permissions - a new RBAC section allows you to configure permissions for Observation Decks the same way that exists with Dashboards, including per-label permissions<\/li><\/ul><p><img src=\"https:\/\/img.announcekit.app\/aadb0aab5570dab3cfc14ce5f0ef4747?s=b8656b2c64fafc728da2b88b0be0fa7d\" class=\"image-align-left\" \/><\/p><ul><li><strong>Important note<\/strong>: This doesn't replace or delete your existing Observation Deck; it has been simply been migrated to a Library object for you so you won't need to re-create it<ul><li>The migrated Observation Decks are <code>Private<\/code> meaning you only will see them if you had one<\/li><li>You can change their share settings and they will then appear to other users in the Library (barring RBAC permissions) - ideally you should change their names before sharing them so you don't end up with multiple titled <code>Observation Deck<\/code>, each with a different owner<\/li><\/ul><\/li><\/ul><p><img src=\"https:\/\/img.announcekit.app\/dd0ddde21b1af97d38b96d1b0c16919e?s=05cfe9dfbae3390ba3fb5e5256268438\" class=\"image-align-left\" \/><\/p><ul><li>If your Kentik Portal Landing page was an Observation Deck, the record has been updated in your settings, pointing to the <strong>same, migrated library object, which should result in no change to your experience upon login<\/strong> - see section in this article about Observation Deck assignments<\/li><\/ul><h2>A complete overhaul of Observation Deck editing capabilities<\/h2><p>With this update, you'll find the previous ability to add widgets from a selection of existing ones with in the <code>+ Add Panel<\/code> dropdown at the top:<\/p><p><img src=\"https:\/\/img.announcekit.app\/a221ab9da6e193a7a3033aebef897266?s=2e8b91fa08c7226f8fbbc71d90ab8d8c\" class=\"image-align-left\" \/><\/p><p>We have now made editing Observation Deck simpler - let's go through a few useful changes that we've added:<\/p><p><strong>Edit in place<\/strong><\/p><p>All Observation Deck panel titles, as well as the main title are now editable in place: hovering on these titles highlights them, clicking loads an inline edit field.<\/p><p><img src=\"https:\/\/img.announcekit.app\/940d047734adc63c555a25ee619efe42?s=c6768e04c09fa028ea46e91b3c643f71\" class=\"image-align-left\" alt=\"Hover highlights the title\" style=\"width:26.99%;\" \/><img src=\"https:\/\/img.announcekit.app\/e0c1331ad1ea5908add8bf2da178423f?s=f294d3feab31a41fc417587c86099452\" class=\"image-align-left\" alt=\"Click enters title edit mode, validate your changes with [enter]\" style=\"width:27.21%;\" \/><\/p><p><strong>New top level widget types<\/strong><\/p><p>New widgets have been released that have long been asked by our users:<\/p><ul><li>Section widget<\/li><li>Markdown text panel widget<\/li><\/ul><p>The Section Widget lets you create sections to group panels in and make long Observation Decks easier for the users to consume - see below:<\/p><p><img src=\"https:\/\/img.announcekit.app\/a144f462f1418790c62ee23556d744fb?s=fac9975e0fddeea1097f7fb85c17e67d\" class=\"image-align-left\" style=\"width:89.58%;\" \/><\/p><p>Conveniently, sections are also collapsible\/expandable, as shown below:<\/p><p><img src=\"https:\/\/img.announcekit.app\/c5ed0a74ed1131a6c935f77a0c601b57?s=356fdeec6c1f4b012bcb13cbe833e4c9\" class=\"image-align-left\" \/><\/p><p>Markdown Text panels are another addition making this Observation Deck update exciting, look for yourself in the screenshot below.<\/p><p>A couple tricks that we've found very useful when using markdown panels:<\/p><ul><li>use emojis to display clear do's and don'ts type of instructions<\/li><li>use arrow characters in the titles to point at a nearby panel if you want to provide an inline explanation to them<\/li><li>don't hesitate to abuse URL embedding, even if these don't point to wiki documentation: non-public URLs are OK as long as the consuming user has access to the resource the URL points to (private wikis are fine)<\/li><li>a full <a href=\"https:\/\/gist.github.com\/allysonsilva\/85fff14a22bbdf55485be947566cc09e\" rel=\"noopener noreferrer\" target=\"_blank\">library of markdown examples is available here<\/a>, don't hesitate to steal ideas from it to make your Observation Decks more lively<\/li><\/ul><p><img src=\"https:\/\/img.announcekit.app\/171b466a50c2a87a51d6194a906febd8?s=fc428e2fc860436bf60366d61c6bf11c\" class=\"image-align-left\" style=\"width:99.96%;\" \/><\/p><p><br \/><\/p><h2>Central management of Observation Decks as Landing Page experiences<\/h2><p>To further Observation Deck's usefulness and make them more manageable at scale in the case of user groups with different demands in Kentik Portal, we've extended management capabilities throughout the Settings experience.<\/p><h3>Per user assignment of Observation Deck as a Landing Page<\/h3><p>If your user permissions allows it, you can now assign Landing Pages to users yourself (it used to be a user private setting).<\/p><p>In the Company Settings &gt; Users &gt; Edit User workflow, you'll now be able to set a specific Observation Deck as a landing page for any user:<\/p><p><img src=\"https:\/\/img.announcekit.app\/233cc99d02efa484d0df05954a97c8b0?s=2df75bb16d17d61992d3adca95976af8\" class=\"image-align-left\" \/><\/p><p>Beyond that, you'll also be able to leverage Bulk Edit capabilities from the same Users management page to assign the same Observation Deck to multiple users at the same time in one fell swoop!<\/p><p><img src=\"https:\/\/img.announcekit.app\/1d7b81aead70876db400e55d43fbe3ac?s=54d253e75c4ce167101525b4e5bb0fd4\" class=\"image-align-left\" \/><\/p><h3>SSO Role-Sets and the associated Landing Page<\/h3><p>Some of our users use SSO RBAC Automated Attribute Mapping via Role Sets (<a href=\"https:\/\/new.kentik.com\/sso-to-rbac-attribute-mapping-30lFi8\" rel=\"noopener noreferrer\" target=\"_blank\">see the announcement here<\/a>): this feature allows Kentik Administrator to set RBAC permissions and enforce them at login based on users' SAML2 attributes, including User Groups.<br \/><br \/>In that context, a Role-Set is a collection of roles assigned by SSO at login, and it now contains a setting to assign a specific landing page: each who has been assigned a Role-Set containing a Landing Page setting will now default to the selected Landing Page, where a named Observation Deck can be configured, as shown below.<\/p><p><img src=\"https:\/\/img.announcekit.app\/d9667b102ebcd60690b585d69d279bbd?s=42418c734377d36eb91116e0a34c7768\" class=\"image-align-left\" \/><\/p><h3>User API extensions for Observation Decks as a Landing Page<\/h3><p>Some users prefer relying on programmatic capabilities to set up users using our API - for those we've also extended the User API endpoints to include setting an Observation Deck as a landing page programmatically<\/p><p><img src=\"https:\/\/img.announcekit.app\/a0a22369c131a770a49753278571e8ec?s=528bcb5cd9fac2b79b85008810aa24ac\" class=\"image-align-left\" \/><\/p><h2>What is the future of Dashboards and Observation Decks ?<\/h2><p>As a lot of you have already pointed out, Observation Decks and Dashboards are very similar. For example, a lot of our users have asked for an ability to add Observation Deck widgets to Dashboards.<\/p><p>Additionally, we have determined that Dashboards have a high barrier to entry for our newer users, and are too involved to Create or Edit.<\/p><p>For both these reasons, we will merge Observation Decks and Dashboards together in the near future. Here's a (non-exhaustive) list of what you can expect:<\/p><ul><li>All existing Observation Decks will be migrated to dashboards<\/li><li>The new Dashboards experience will inherit the newer, simplified Edit\/Create User Experience of Observation Deck (ex: Edit Mode is permanent, no need to toggle View\/Edit mode to make layout changes etc...)<\/li><li>Existing Observation Deck widgets will by default be available in the new Dashboards experience<\/li><li><span style=\"text-align:left;\">The new Dashboards <span style=\"text-align:left;\">experience\u00a0<\/span><\/span>will include all the data-sets that you can add to Kentik: Traffic(Flow), NMS(Metrics), Synthetics, Events...<\/li><li><span style=\"text-align:left;\">The new Dashboards<\/span> <span style=\"text-align:left;\">experience\u00a0<\/span>will see its Guided Mode powers significantly overhauled and improved to make interactive dashboards a point of focus for creators<\/li><\/ul><p>Last but not least, we have a long term project to sprinkle AI magic over these new dashboards getting dashboard creation a step closer to true Generative AI!<\/p><p>Tell us what you'd like to see in these future dashboards, it's never to late to get involved in the future of Kentik Portal and we love sourcing our future improvements from our users themselves!<\/p>","url":"https:\/\/new.kentik.com\/observation-deck-upgrade-and-the-future-of-dashboards-2zK2TC","title":"Observation Deck upgrade, and the future of Dashboards","summary":"Observation Deck was initially built as a flexible landing page that adapts to users' interest. It includes a library of widgets that aren't...","date_modified":"2026-04-30T15:00:00.000Z","tags":["Improvement","Core","UI\/UX"]},{"id":"438762","content_html":"<p>Managing cloud security shouldn't be a guessing game, especially when you need to know exactly why traffic is being blocked or allowed across your AWS environment. We understand how frustrating and time-consuming it can be to troubleshoot these visibility gaps. And that's why we are thrilled to announce that Kentik Cloud now supports the ingestion of <a href=\"https:\/\/kb.kentik.com\/docs\/flow-firewall-log-collection-configuration#enable-network-firewall-logs\" rel=\"noopener noreferrer\" target=\"_blank\">AWS Network Firewall (ANF) logs<\/a>.\u00a0<\/p><p>By integrating this service-based firewall data, Kentik provides you with deep observability into traffic moving into, out of, and across your AWS environment, including critical metadata not found in standard VPC flow logs. This integration empowers your team for proactive network security management by bringing enriched ANF flow logs, alert logs, and firewall metrics all into a single view with the most relevant network context from your AWS environment.<\/p><ul><li><strong>Pinpoint Blocked Traffic:<\/strong> Quickly identify exactly what traffic is being blocked and why, allowing you to make informed decisions to either whitelist legitimate traffic or address unauthorized attempts immediately.<\/li><li><strong>Add Context to your Security Policies:<\/strong> Gain comprehensive visibility into specific firewalls, policies, and rules. You can now easily see and audit which traffic is traversing specific firewall rulesets to ensure your security posture aligns with your intended policy.<\/li><li><strong>Streamline Connectivity Analysis:<\/strong> Visualize the network paths across your AWS environment, ensuring that you have clarity on firewalls, security groups, and network ACLs that are all contributing to a potential connectivity blockage.<\/li><\/ul><hr class=\"read-more-break\" \/><h2>What's new?<\/h2><p>Network firewalls are a critical part of your cloud network architecture, so it was important that we first provide the relevant context about those ANF connections in the Kentik Map. This also provides important metadata about the Firewall Attachments, Firewall Rule Groups, and all of the connections from VPCs, subnets, Transit Gateways, and more.\u00a0<\/p><p><img src=\"https:\/\/img.announcekit.app\/a3e1bb318b2013685b01bc9445387377?s=5f1c4b68d5433e0a4080508e60419d5c\" \/><\/p><p>For troubleshooting, it was also important that this firewall metadata was also used for path analysis across your AWS network. We added AWS Network Firewall details to Kentik Cloud Pathfinder, including direct links into the AWS Console for firewall rule configuration.<\/p><p><img src=\"https:\/\/img.announcekit.app\/79d8ad443e2cb2b065ec3ec14df2a105?s=dbb421e1c28fbc1ca249da9d74930476\" \/><\/p><p>Finally, we wanted to surface the enriched ANF flow and alert log data to ensure that <span style=\"text-align:left;\">traffic analysis had a first-class experience in\u00a0<\/span>Kentik Data Explorer. Now you can use ANF-provided log dimensions along with Kentik's enrichment engine to make it easy to look at specific dropped flows and which VPC, region, and application they come from.\u00a0<\/p><p><img src=\"https:\/\/img.announcekit.app\/61ac651e55db14b4bbab2fe864ec66cd?s=2a93955c32051cbc687bebd641c1ff95\" \/><\/p><h2>How do I get started?<\/h2><p>Ready to get more out of your AWS Network Firewall visibility? Log in to the Kentik Portal today to enable AWS Network Firewall log ingestion as part of your Kentik Cloud Export. For step-by-step configuration details, check out our <a href=\"https:\/\/kb.kentik.com\/docs\/flow-firewall-log-collection-configuration#enable-network-firewall-logs\" rel=\"noopener noreferrer\" target=\"_blank\">Knowledge Base article on integrating AWS Network Firewall logs<\/a>.<\/p><p><img src=\"https:\/\/img.announcekit.app\/5300a60a55d646da2cb3b9da074d78ae?s=ac24296ea3f6576835ccb2dd7fe9183b\" class=\"image-align-left\" style=\"width:49.45%;\" \/><\/p><p><br \/><\/p>","url":"https:\/\/new.kentik.com\/gain-full-visibility-into-your-aws-network-firewall-traffic-4itdNS","title":"Gain Full Visibility into Your AWS Network Firewall Traffic","summary":"Managing cloud security shouldn't be a guessing game, especially when you need to know exactly why traffic is being blocked or allowed acros...","date_modified":"2026-04-28T19:31:03.626Z","tags":["Hybrid Cloud","Kentik Map"]},{"id":"438695","content_html":"<p>KProxy has long been a trusted ally in maintaining network visibility across complex and restricted environments. As we look toward the future of network intelligence, we are excited to help you scale even further by integrating these proven capabilities into a more unified and automated platform experience.<\/p><h3>See What\u2019s New<\/h3><p>With last week\u2019s release of <strong>Flow Proxy<\/strong> as a native capability within the <strong>Kentik Universal Agent<\/strong>, we are now officially setting a sunset date for the standalone KProxy binary: <strong>May 1, 2027<\/strong>.<\/p><hr class=\"read-more-break\" \/><p>We\u2019re sharing this roadmap a full year in advance to ensure your team has a clear and supported path to the next generation of flow collection. This transition moves the robust traffic forwarding you've relied on into a \"set-it-and-forget-it\" capability model. By consolidating into the Universal Agent, you\u2019re moving toward a more streamlined, single-agent architecture that simplifies your entire telemetry stack.<\/p><h3>Why It Matters<\/h3><p>Transitioning to Flow Proxy allows you to leverage a modern, high-performance architecture while building on the reliable foundation KProxy established.<\/p><ul><li><strong>Unified Agent Management:<\/strong> Instead of managing KProxy as a separate standalone service, you can now handle everything through the Universal Agent. This means one binary to maintain, one service to monitor, and a much cleaner operational footprint.<\/li><li><strong>UI-Driven Control &amp; Visibility:<\/strong> We\u2019ve moved configuration out of local text files and into the cloud. You can now deploy, tune, and scale your Flow Proxy settings directly from the Kentik Portal, giving you faster response times and better oversight.<\/li><li><strong>Enhanced Security Standards:<\/strong> The integrated Flow Proxy brings <strong>FIPS support<\/strong> to your traffic forwarding. This ensures your telemetry meets the highest security and compliance standards required for modern regulated environments without any additional configuration complexity.<\/li><\/ul><h3>Get Started!<\/h3><p>The future of network intelligence is unified, and the path forward is simple. We recommend all users begin migrating their KProxy instances to the Universal Agent Flow Proxy capability to start taking advantage of these integrated features today.<\/p><p>Dive into the <a href=\"https:\/\/kb.kentik.com\/docs\/migrate-from-kproxy-to-universal-agent\" rel=\"noopener noreferrer\" target=\"_blank\"><strong>KProxy Migration Guide<\/strong><\/a> to map out your move, or jump into the <a href=\"https:\/\/portal.kentik.com\/v4\/settings\/universal-agents\" rel=\"noopener noreferrer\" target=\"_blank\"><strong>Kentik Portal<\/strong><\/a> to enable Flow Proxy on your existing Universal Agents. Let\u2019s get your network ready for 2027.<\/p>","url":"https:\/\/new.kentik.com\/sunset-for-standalone-kproxy-transitioning-to-flow-proxy-and-2027-34oIWA","title":"Sunset for Standalone KProxy: Transitioning to Flow Proxy and 2027","summary":"KProxy has long been a trusted ally in maintaining network visibility across complex and restricted environments. As we look toward the futu...","date_modified":"2026-04-28T05:58:58.687Z","tags":["Agents & Binaries","Flow"]},{"id":"433452","content_html":"<p><img src=\"https:\/\/img.announcekit.app\/3a0b6205c6fac3f07de06963210cf598?s=a38d3fe2643410071203e5e60201033a\" \/><\/p><p>Onboarding network devices shouldn't require a complex flowchart to determine which agent polls for what data. We understand that juggling \"NMS devices\" versus \"Flow devices\"\u2014and facing the performance penalty of \"double polling\" where multiple agents hit the same device\u2014has been a source of friction and unnecessary complexity.\u00a0<\/p><h3>What\u2019s New?<\/h3><p>We\u2019re thrilled to announce a major evolution in how the Kentik Universal Agent (UA) collects device telemetry. Instead of a product-focused \"NMS\" capability, all SNMP and Streaming Telemetry (ST) collection will be handed by a <strong>Unified SNMP\/ST capability.<\/strong><\/p><p>Previously, the Universal Agent\u2019s \"NMS\" capability focused on full monitoring (as well as ICMP-only devices), while a separate Kproxy agent (outside of the UA) handled SNMP polling for flow enrichment (as well as flow ingest). This often led to redundant polling and confusing configurations when polling devices for both flow enrichment and device monitoring.<\/p><p>The \"NMS\" capability has evolved into the <strong>SNMP\/ST capability<\/strong>. This single, powerful capability now handles <strong>both<\/strong> Full Monitoring (NMS) and Flow Enrichment. For more details on these distinctions, check out the <a href=\"https:\/\/kb.kentik.com\/docs\/kproxy-migration-scenarios\" rel=\"noopener noreferrer\" target=\"_blank\">Detailed Migration Scenarios<\/a> section of the <a href=\"https:\/\/kb.kentik.com\/docs\/migrate-from-kproxy-to-universal-agent?highlight=Full%20Monitoring\" rel=\"noopener noreferrer\" target=\"_blank\">KProxy Migration Guide<\/a>. This update works hand-in-hand with our new<a href=\"https:\/\/new.kentik.com\/streamline-your-flow-collection-with-the-new-universal-agent-flow-proxy-2zDILS\" rel=\"noopener noreferrer\" target=\"_blank\">\u00a0UA Flow Proxy capability<\/a>, allowing you to consolidate everything under the Universal Agent framework, eliminating the need for standalone Kproxy installations and streamlining your \"Kentik devices\" onboarding process.<\/p><h3><br \/><\/h3><h3>Why It Matters<\/h3><p>This unification isn't just a rename; it is a fundamental architectural improvement designed to reduce overhead and simplify your workflow.<\/p><ul><li><strong>Eliminate \"Double Polling\":<\/strong> By consolidating monitoring and enrichment into a single capability, we stop the inefficient practice of having both Kproxy and the Universal Agent poll the same device. This significantly reduces CPU load on your network gear and improves overall performance.<\/li><li><strong>Simplified Onboarding &amp; Management:<\/strong> We're eroding the need to decide between an \"NMS device\" or a \"Flow device.\" You simply configure the SNMP\/ST capability based on your collection needs. Whether you just need <strong>Flow Enrichment<\/strong> (requires Flow license) or <strong>Full Monitoring<\/strong> (requires NMS license), it is now handled by a single, logical agent configuration.<\/li><li><strong>Faster Time to Value:<\/strong> Deploying new devices is faster and less prone to configuration errors. You get immediate visibility without the \"support tax\" of maintaining disparate agent binaries.<\/li><\/ul><h3><img src=\"https:\/\/img.announcekit.app\/2931d34680f9607bbf58e96b5cbf4204?s=35167fc70a8f806cffa8d59ef1d0143d\" \/><\/h3><h3>Get Started!<\/h3><p>Ready to streamline your device telemetry? For a detailed breakdown of the migration paths and new configuration options\u2014including Flow Enrichment vs. Full Monitoring\u2014check out the <a href=\"https:\/\/kb.kentik.com\/docs\/migrate-from-kproxy-to-universal-agent?highlight=Full%20Monitoring\" rel=\"noopener noreferrer\" target=\"_blank\">KProxy Migration Guide<\/a> in the Kentik Knowledge Base.<\/p>","url":"https:\/\/new.kentik.com\/unify-your-collection-pipeline-with-the-new-snmp-st-capability-OEzYc","title":"Unify Your Collection Pipeline with the New SNMP\/ST Capability","summary":" Onboarding network devices shouldn't require a complex flowchart to determine which agent polls for what data. We understand that juggling ...","date_modified":"2026-04-22T04:25:54.000Z","tags":["Improvement","UI\/UX","Agents & Binaries","Flow","SNMP","NMS"]},{"id":"432780","content_html":"<p>Managing disparate agent binaries across your network shouldn't be a manual chore that slows down or complicates your visibility. We know that deploying agents in remote sites or restricted environments often feels like a balancing act between security requirements and operational simplicity.<\/p><h3>What\u2019s New?<\/h3><p><strong>We\u2019re thrilled to announce that the power of KProxy is now natively integrated into the Kentik Universal Agent!<\/strong> This update brings the trusted secure traffic forwarding agent you rely on directly into our <a href=\"https:\/\/kb.kentik.com\/docs\/universal-agents?highlight=Universal%20Agnet\" rel=\"noopener noreferrer\" target=\"_blank\">Universal Agent<\/a>. Instead of managing standalone KProxy installations via command line, you can now deploy, manage, and scale your flow collection as a simple \"capability\" within the Universal Agent. This integration allows the agent to receive, process, and forward NetFlow, sFlow, and IPFIX telemetry to the Kentik platform with more control and less friction than ever before.<\/p><p><br \/><\/p><hr class=\"read-more-break\" \/><h3><img src=\"https:\/\/img.announcekit.app\/3075e45143a9ca2aa677f3a5bf9d2ceb?s=fbe3c0cd4463c33986c862ace8526d34\" style=\"width:46.82%;\" \/><\/h3><h3>Why It Matters<\/h3><p>This evolution of the Flow Proxy capability isn't just about consolidation; it's about making your life easier and your network more secure.<\/p><ul><li><strong>Centralized UI Configuration:<\/strong> Say goodbye to manual configuration files. You can now deploy and tune your Flow Proxy settings like listening ports directly from the Kentik Portal.<\/li><\/ul><p><img src=\"https:\/\/img.announcekit.app\/16bfa0011eed476a8fe9b9c40b401037?s=c6751f6076b834d6dbaec87dc913a4a3\" style=\"width:46.36%;\" \/><\/p><ul><li><strong>FIPS Support for Regulated Environments:<\/strong> For our customers in highly regulated industries, this update introduces FIPS support, ensuring your traffic forwarding meets the stringent security standards required for compliant implementations.<\/li><li><strong>Simplified Enrichment:<\/strong> Easily associate all flow data with specific Kentik Sites during setup, ensuring your data is organized and actionable the moment it hits the platform.<\/li><\/ul><h3>Get Started!<\/h3><p><span style=\"text-align:start;\">Ready to streamline your device telemetry? For a detailed breakdown of the migration paths and new Flow Proxy configuration options check out the\u00a0<\/span><a href=\"https:\/\/kb.kentik.com\/docs\/migrate-from-kproxy-to-universal-agent?highlight=Full%20Monitoring\" rel=\"noopener noreferrer\" target=\"_blank\">KProxy Migration Guide<\/a><span style=\"text-align:start;\">\u00a0in the Kentik Knowledge Base.<\/span><\/p><p><br \/><\/p>","url":"https:\/\/new.kentik.com\/streamline-your-flow-collection-with-the-new-universal-agent-flow-proxy-2zDILS","title":"Streamline Your Flow Collection with the New Universal Agent Flow Proxy","summary":"Managing disparate agent binaries across your network shouldn't be a manual chore that slows down or complicates your visibility. We know th...","date_modified":"2026-04-21T22:15:43.000Z","tags":["Improvement","Service Provider","UI\/UX","Agents & Binaries","Flow"]},{"id":"437490","content_html":"<p>Data Explorer has always been the crown jewel of Kentik Portal: by any measure this Observability Analytics workbench is our users' most beloved application. As its grown over time, we've kept adding new functionality to it over the years.<br \/><br \/>As a byproduct, we've heard feedback from our newer users that this Data Explorer beast could be hard to tame as you're making your first steps in Kentik Portal.<\/p><p>As we were ramping up Kentik's AI capabilities, we discovered very early that AI Advisor does an excellent job as a Natural Language Processor that turns human prompts into fully fledged Data Explorer queries - <a href=\"https:\/\/new.kentik.com\/kentik-ai-advisor-is-now-generally-available-ga-vgDcc\" rel=\"noopener noreferrer\" target=\"_blank\"><em>AI Advisor Announcement here<\/em><\/a><\/p><p>So to facilitate faster queries in Data Explorer, we've added small, buy highly useful feature to AI Advisor when using AI Advisor on the Data Explorer page:<strong>\u00a0Send to Data Explorer.<\/strong><\/p><h2>Learning to use Data Explorer with AI Advisor<\/h2><p>When it comes to users new to Data Explorer, we believe there's nothing more efficient than learning its ropes by example.<br \/><br \/>Starting today, you'll notice that when AI Advisor writes an answer to the chat window on a Data Explorer page that contains a query it has used for analysis, it will now present a <strong>Send to Data Explorer\u00a0<\/strong>button next to it.<\/p><p><img src=\"https:\/\/img.announcekit.app\/f895c0cbbd405113b01c6ed1c24c8d62?s=48febb66cebd0039f62388171f2aa8b5\" \/><\/p><p>When clicked, the <strong>Send to Data Explorer\u00a0<\/strong>button will replace the current query in the main window with an updated one from this step of the prompt response.<br \/>The beauty of it is that users can keep iterating over the same query without ever having to set all the query parameters themselves in the Data Explorer query panel. The additional benefit is that after each iteration, a learning user can precisely look at what parameters AI Advisor changed in the query to respond to their prompt, therefore getting a personalized tutorial on setting up their own query!<\/p><p>Here's a sample follow-up to the previous prompt, which will present the results in a table, but also offer the <strong>Send to Data Explorer<\/strong> button<\/p><p><img src=\"https:\/\/img.announcekit.app\/29e195182e03fa4c02892c4684497aca?s=00528688306c79a146e2f3367a5e9c9a\" \/><\/p><p>... and the result in the main Data Explorer window when clicking the button<\/p><p><img src=\"https:\/\/img.announcekit.app\/d401a9486d056ba234e2ef43cbe327b8?s=d5d7d9f94684b8744c0bc3e7f8f20dbb\" \/><\/p><h2>But wait... enter Cause Analysis<\/h2><p>While piloting Data Explorer via prompt is already a major improvement in itself, we also linked it to Cause Analysis. If you don't remember this incredible AI feature of Data Explorer, take a minute to read the <a href=\"https:\/\/new.kentik.com\/new-kentik-ai-cause-analysis-speeds-network-traffic-investigation-IytIQ\" rel=\"noopener noreferrer\" target=\"_blank\">Cause Analysis feature announcement here<\/a>.<\/p><p>With Cause Analysis, you can ask Kentik AI to inspect a traffic chart and ask it to identify anomalies and analyze them for you: one of the ways to do so was to drag and highlight a visual anomaly and summon the feature as shown in the screenshot below<\/p><p><img src=\"https:\/\/img.announcekit.app\/f14768f9ba3a7c1683d885ba3d450270?s=a632eedc47866046a9a2acfca09b8e62\" \/><\/p><p>With this new feature on display today, you can simply ask AI Advisor <em>\"What happened on 04\/3 around 15:00\"<\/em>, and AI Advisor will spontaneously summon <strong>Cause Analysis\u00a0<\/strong>and give you a <strong>Send to Data Explorer<\/strong> button for you to access the result of its reasoning as to what may have caused this peak:<\/p><p><img src=\"https:\/\/img.announcekit.app\/4fcf37571c1b846f02325598fe83b238?s=b1576696dd3771a4443cf9be590b708e\" \/><\/p><p><br \/><\/p>","url":"https:\/\/new.kentik.com\/query-data-explorer-with-ai-advisors-new-send-to-data-explorer-capability-4rx0IM","title":"Query Data Explorer with AI Advisor's new \"Send to Data Explorer\" capability","summary":"Data Explorer has always been the crown jewel of Kentik Portal: by any measure this Observability Analytics workbench is our users' most bel...","date_modified":"2026-04-06T19:08:42.187Z","tags":["Improvement","AI"]},{"id":"435983","content_html":"<p><span style=\"text-align:start;\">Many enterprises and businesses are looking to integrate AI agents together to standardize workflows and front ends. To help customers achieve that goal and make Kentik data more accessible to other workflows, Kentik AI Advisor now supports the\u00a0<\/span><strong>Model Context Protocol (MCP)<\/strong><span style=\"text-align:start;\">, enabling seamless integration with AI agents and development frameworks like Claude Desktop, GitHub Copilot, and others.<\/span><\/p><h2>What is MCP?<\/h2><p>The Model Context Protocol is an emerging industry standard for AI agent access to data and interaction with external systems. It's supported by all major AI agents and development frameworks, making it easy to extend AI capabilities with specialized tools and data sources.<\/p><h2>Key Benefits<\/h2><ul><li><strong>Standardized Integration<\/strong> - MCP is becoming the industry standard for AI agent integrations, ensuring broad compatibility and future-proofing your workflows<\/li><li><strong>Plug &amp; Play Simplicity<\/strong> - Integrate AI Advisor into your existing AI agents and workflows without complex API implementations<\/li><li><strong>Multi-turn Conversations<\/strong> - Full support for contextual follow-up questions and session management, enabling natural back-and-forth interactions<\/li><li><strong>Real-time Progress<\/strong> - See AI Advisor's reasoning process in real-time as it analyzes your network<\/li><\/ul><h2>How It Works<\/h2><p>The Kentik-hosted MCP server provides tools that enable AI assistants to:<\/p><ul><li>Ask natural language questions about your network<\/li><li>Maintain conversation context across multiple questions<\/li><li>Review full conversation history from any session<\/li><\/ul><p>Simply configure your MCP-compatible AI agent with your Kentik API credentials and the MCP endpoint:<\/p><p><strong>US Cluster<\/strong>: <code>https:\/\/api.kentik.com\/mcp<\/code><br \/><strong>EU Cluster<\/strong>: <code><a href=\"https:\/\/api.kentik.eu\/mcp\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/api.kentik.eu\/mcp<\/a><\/code><\/p><p>Required HTTP Headers:<\/p><ul><li><strong>X-CH-Auth-Email<\/strong>: email@company.com<\/li><li><strong>X-CH-Auth-API-Token<\/strong>: api-token<\/li><\/ul><h2>Available Tools<\/h2><p>The MCP server exposes three core tools:<\/p><ol><li><strong>ask_question<\/strong> - Submit a new question to AI Advisor<\/li><li><strong>ask_followup<\/strong> - Continue a conversation with follow-up questions<\/li><li><strong>get_session_history<\/strong> - Retrieve full conversation history<\/li><\/ol><h2>Example Use Cases<\/h2><p>Network questions show up everywhere: incident channels, postmortems, capacity reviews, security investigations. Here are some common ways AI Advisor MCP can help you integrate network intelligence into other places:<\/p><ul><li><strong>Network Operations<\/strong> - Integrate AI Advisor into your NOC workflows and automation tools<\/li><li><strong>Custom Dashboards<\/strong> - Build custom interfaces that leverage AI Advisor's intelligence<\/li><li><strong>Development Workflows<\/strong> - Use AI Advisor directly from your IDE with Claude Code or GitHub Copilot<\/li><li><strong>Slack Bots<\/strong> - Create custom Slack integrations for team collaboration<\/li><\/ul><h2>Getting Started<\/h2><p>Check out our <a href=\"https:\/\/kb.kentik.com\/docs\/ai-advisor-mcp-server\" rel=\"noopener noreferrer\" target=\"_blank\">Knowledge Base documentation<\/a> for detailed setup instructions, including:<\/p><ul><li>Configuration examples for Claude Desktop, GitHub Copilot, and other MCP clients<\/li><li>Authentication setup<\/li><li>Best practices and troubleshooting tips<\/li><\/ul><hr \/><p><em>Questions or feedback? Reach out to your Kentik account team or contact support.<\/em><\/p>","url":"https:\/\/new.kentik.com\/ai-advisor-mcp-server-available-for-ai-agent-integrations-hLRn2","title":"AI Advisor MCP Server Available for AI agent integrations","summary":"Many enterprises and businesses are looking to integrate AI agents together to standardize workflows and front ends. To help customers achie...","date_modified":"2026-03-31T13:10:00.000Z","tags":["AI"]},{"id":"434393","content_html":"<p>One of the most common steps in investigating a network issue is validating connectivity from the right vantage point\u2014checking whether a destination is reachable, measuring latency or packet loss, and identifying where traffic may be breaking down along the path. Traditionally, that means switching tools to run ping or traceroute, then manually bringing those results back into the troubleshooting process.<\/p><p>With On-demand Connectivity Test, AI Advisor can perform that step for you directly from a Kentik Universal Agent. This keeps the investigation in one place, reduces context switching, and adds another source of real-time diagnostic data that AI Advisor can use alongside other telemetry as it reasons through the problem.<\/p><hr class=\"read-more-break\" \/><h2><strong>What It Does<\/strong><\/h2><p>The Connectivity Test tool provides <strong>Ping<\/strong> and <strong>Traceroute<\/strong> diagnostics directly from your private Universal Agents through AI Advisor's conversational interface:<\/p><ul><li><strong>Ping<\/strong>: Test device connectivity, measure latency, and detect packet loss<\/li><li><strong>Traceroute<\/strong>: Identify network bottlenecks, points of failure, or routing loops<\/li><li><strong>Private vantage points<\/strong>: Run tests from your own network locations where Universal Agents are deployed<\/li><\/ul><h2><strong>How to Get Started<\/strong><\/h2><p><strong>Prerequisites:<\/strong><\/p><ol><li>Deploy at least one Universal Agent (Settings \u00bb Universal Agents)<\/li><li>Install the <strong>Connectivity Test\u00a0<\/strong>capability on the agent:<ul><li>Open the Agent Details drawer<\/li><li>Under Capabilities \u00bb Available, click <strong>Install<\/strong> next to Connectivity Test<\/li><\/ul><\/li><\/ol><p>Once installed, AI Advisor automatically detects available agents and includes them in its system context (agent names, site locations, etc.).<\/p><h2><strong>How to Use It<\/strong><\/h2><p>Simply ask AI Advisor in natural language to test the connectivity to the destinations of interest.<\/p><p>Here are example prompts:<\/p><ul><li>Test the connectivity to device ABC1<\/li><li>Ping 8.8.8.8 with 5 packets<\/li><li>Traceroute to 147.91.1.120<\/li><li>Check if we can reach our DNS server from the Boston office<\/li><li>Run a traceroute from our London agent to 1.1.1.1<\/li><\/ul><p>AI Advisor will:<\/p><ol><li>Select the appropriate Universal Agent(s)<\/li><li>Execute the ping or traceroute test<\/li><li>Display results with success\/failure indicators<\/li><li>Interpret ICMP responses and provide actionable insights<\/li><\/ol><h2><strong>Key Benefits<\/strong><\/h2><p>On-Demand Connectivity Tests help teams investigate issues more efficiently by combining real-time diagnostics with the broader network context already available in AI Advisor. Because these diagnostics run inside AI Advisor and remain part of the investigation, they can improve both the speed and quality of troubleshooting in several ways:<strong><br \/><\/strong><\/p><ul><li><strong>Context-aware<\/strong>: AI Advisor knows your agent locations and can suggest the best vantage point<\/li><li><strong>Conversational troubleshooting<\/strong>: No need to SSH into servers or use separate tools<\/li><li><strong>Multi-agent support<\/strong>: Can run tests from multiple agents simultaneously for comparison<\/li><li><strong>Integrated analysis<\/strong>: Correlate connectivity results with flow data, metrics, alerts, and other telemetry<\/li><li><strong>Faster MTTR<\/strong>: Quickly validate reachability during incident investigations<\/li><\/ul><p><strong>Ready to try it?<\/strong> Quickly install <span style=\"text-align:left;\">Universal Agent's Connectivity Test and\u00a0<\/span>start testing with AI Advisor!<\/p>","url":"https:\/\/new.kentik.com\/new-ai-advisor-tool-on-demand-connectivity-test-3Z5P7W","title":"New AI Advisor Tool: On-demand Connectivity Test","summary":"One of the most common steps in investigating a network issue is validating connectivity from the right vantage point\u2014checking whether a des...","date_modified":"2026-03-12T15:00:00.000Z","tags":["New feature","AI"]},{"id":"434874","content_html":"<p>Not so long ago, we released <a href=\"https:\/\/new.kentik.com\/ai-week-kentik-portal-search-gets-an-ai-assist-16IRdC\" rel=\"noopener noreferrer\" target=\"_blank\">an update to Kentik Portal's Search Engine<\/a> that gave it AI Superpowers. Since then, the Search Engine has been able to point users to any screen in Kentik Portal based on any question pertaining to a task they want to perform, such as <em>\"Where can I track my IP Transit spend?\"<\/em> or <em>\"How can I monitor my backbone link capacity?\".\u00a0<\/em>In order to deliver this feature we've built an AI module that feeds off a complete SiteMap of the Portal and knows what each module on any URL does, and what its entry pointer in the <a href=\"https:\/\/kb.kentik.com\" rel=\"noopener noreferrer\" target=\"_blank\">Knowledge Base<\/a> is.<\/p><p>We've extended this feature to our beloved AI Advisor for it to gain new abilities, read on.<\/p><hr class=\"read-more-break\" \/><h2>\"AI Advisor, please help!\"<\/h2><p>Given our ever-increasing product surface, we wanted to make it easier for new users to hit the ground running. Often, someone will make a note of certain portal functionalities during a trial period that they will want to implement later in their deployment of the product, but forget where in the Kentik Portal it exists or how to implement them. This usually results in getting to the outcomes you want slower.<\/p><p>Sometimes, a user will need to dig into how a certain computation is made, or why Kentik Portal is making specific determinations.<\/p><p>This is where this feature shines: on any screen in Kentik Portal, you can now ask AI Advisor to explain to you how a certain screen works, just as how you would ask your Customer Success advisor.<br \/>AI Advisor will then fetch the relevant data from the SiteMap, link it to relevant Knowledge Base article and give you a crash course on how the screen you're currently looking at works. Basically, you can ask Kentik to explain how it works. We believe that this will significantly help with the timeliness to answer to our user's question about the product, and more durably unblock them in the pursuit of operating their infrastructure with our platform.<\/p><blockquote><p>As you will discover in the examples that follow, contrary to a lot of AI Assistants, AI Advisor just does not dump help links on the user. It answers in precise, summarized terms to questions related to functionality and how it works under the hood.<\/p><\/blockquote><h2>A simple example with Connectivity Costs<\/h2><p>As you can see in the <span style=\"text-align:left;\">screenshot below, AI Advisor now includes the additional step in its reasoning to summon the SiteMap tool<\/span><img src=\"https:\/\/img.announcekit.app\/16fc53c42142978d9493f78cb8d8cfef?s=76ac31f06c98d6243e9caae3c91931df\" class=\"image-align-left\" style=\"width:68.23%;\" \/><\/p><p>Landing on a screen and asking what it does and how it works is now a trivial operation, for instance on the <strong>Connectivity Costs\u00a0<\/strong>workflow screen:<\/p><p><img src=\"https:\/\/img.announcekit.app\/177e325f110dce71ddbbcdbbac227123?s=3469512bd7ef95d6613a99b550694dc1\" class=\"image-align-left\" \/><\/p><p>...leading to a follow-up conversation of how it works:<\/p><p><img src=\"https:\/\/img.announcekit.app\/ac4926f7a0792a56631ba9a9188dec56?s=9b3b306a17ba5c51d4156d81fcbbbbf8\" class=\"image-align-left\" \/><\/p><h2>Another example, this time with Kentik Market Intelligence<\/h2><p>Another example, directly taken from the <strong>Kentik Market Intelligence\u00a0<\/strong>page, as it is one of our more niche products - expectedly not all users are fully aware of what marvels it performs<\/p><p><img src=\"https:\/\/img.announcekit.app\/247266bb893c64d7a94a6bbb66ed7fe6?s=374ccc18605026c7f8e57d1ca45b8ed2\" class=\"image-align-left\" \/><\/p><p>... where a follow-up interaction would most likely be around \"How do we establish a score to rank networks against each others\", again successfully clarified by AI Advisor<\/p><p><img src=\"https:\/\/img.announcekit.app\/7f4a349ceca92706be589f423b1bdd85?s=e1538a3526fd20ae4e3001e0ba3ea016\" class=\"image-align-left\" \/><\/p><p>...which begs the follow-up question around the different Retail, Wholesale and Backbone types of scores, for which AI Advisor will even compose an explanatory diagram on the fly:<\/p><p><img src=\"https:\/\/img.announcekit.app\/cca940d786b130ab6576e376565174e0?s=92a0cf7af669f6ef8a42cc9f351705cd\" class=\"image-align-left\" \/><\/p><h2>AI Advisor gets smarter every day, so don't be shy, ask it anything !<\/h2><p>These examples are all but a tiny fraction of how AI Advisor can supercharge your life of managing infrastructure -- and we're adding new capabilities to it every day.<br \/>This is the simplest, most straightforward way for you to start on the journey to faster results and outcomes from Kentik: next time, right before you contact our amazing Customer Success team of advisors, give AI Advisor a prompt and see what it answers, you may be surprised ;)<br \/><br \/><\/p>","url":"https:\/\/new.kentik.com\/ai-advisor-is-your-new-kentik-portal-instructor-3pU760","title":"AI Advisor is your new Kentik Portal instructor!","summary":"Not so long ago, we released an update to Kentik Portal's Search Engine that gave it AI Superpowers. Since then, the Search Engine has been ...","date_modified":"2026-03-04T17:00:00.000Z","tags":["Improvement","Core","AI"]},{"id":"434875","content_html":"<p>As we've noticed, almost every time a table with data inside is displayed within Kentik Portal, it invariably takes no time before our users ask for it to be downloadable in a CSV format.<br \/>Additionally, AI Advisor very often displays results in a table format, because it is one of the most legible ways for our users to efficiently parse that data.<\/p><p>Hence, we've taught AI Advisor to display a <code>Download CSV<\/code> action button with any and every data table it displays.<br \/>This could be the end of the product announcement, but read on, it gets even more interesting.<\/p><hr class=\"read-more-break\" \/><h2>Spreadsheets, day in to day out<\/h2><p>If you work in the computer or networking industry, you can certainly confirm first hand that one of the most routine tasks we all end up performing every day is some variant of this sequence of actions:<\/p><ol><li>Get some data from a SaaS tool<\/li><li>Download said data<ol><li>If you're lucky and the tool has the capability, export to CSV\/XLSX<\/li><li>If you're not copy it from the browser into a spreadsheet (comes with the customary prayer that it will format fine through pasting)<\/li><\/ol><\/li><li>Massage the data to make it presentable to an audience<\/li><\/ol><p>Rinse and repeat, all day every day including weekends.<\/p><h2>Enter AI Advisor<\/h2><p>As we are all making more and more room for AI Advisor to boost productivity, the aforementioned loop gets less taxing, thanks to this new <code>Download CSV<\/code> button mentioned earlier. Just take a look at the example below where I'm asking AI Advisor to give me a list of the top inbound ASN to my network by traffic:<\/p><p><img src=\"https:\/\/img.announcekit.app\/90ef29442f3f285e132cb34a71aae2eb?s=45dc8d16d9bc495d1da6cb78b8abc10e\" class=\"image-align-left\" style=\"width:99.95%;\" \/><\/p><p>We could call it a day and close the product announcement here, but I really wanted to make it worth your read here, so bear with for another paragraph, will you?<\/p><h2><strong>Cranking it up a notch<\/strong><\/h2><p>As mentioned earlier, there's always some amount of massaging you'll want to do on tabular data before presenting it to someone else.<br \/>The previous example is no exception. Right now I'm getting a table with the following columns 1) rank 2) AS Name, &lt;country_code&gt; 3) Avg Traffic.<br \/><br \/>What if I wanted to:<\/p><ul><li>display the ASN registration country in its own column for further filtering, and in a way that's human readable<\/li><li>add a link on each row to the peeringDB record for each network (arcane knowledge, you can reach the PeeringDB page of any ASN via this URL format: <a href=\"https:\/\/peeringdb.com\/asn\/&lt;AS_Number&gt;\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/peeringdb.com\/asn\/&lt;AS_Number&gt;<\/a> )<\/li><\/ul><p>Let's go.<\/p><p><img src=\"https:\/\/img.announcekit.app\/45667d8927195ab7795f050dce62930d?s=647eaf219861ca73f12c5524f21dde7d\" class=\"image-align-left\" style=\"width:98.92%;\" \/><\/p><p>I know, you're welcome \ud83d\ude09<\/p><p><br \/><\/p>","url":"https:\/\/new.kentik.com\/csv-download-for-ai-advisor-displayed-tables-3r2vCg","title":"CSV download for AI Advisor displayed tables","summary":"As we've noticed, almost every time a table with data inside is displayed within Kentik Portal, it invariably takes no time before our users...","date_modified":"2026-03-04T17:00:00.000Z","tags":["Improvement","Core","AI"]},{"id":"435128","content_html":"<p>As a network intelligence platform, one of the areas that we often try to help customers understand is their <a href=\"https:\/\/kb.kentik.com\/docs\/flow-overview\" rel=\"noopener noreferrer\" target=\"_blank\">flow volume<\/a>. Sampling is a critical part of that calculation, as it affects your data resolution and how confidently you can slice and dice the data to make decisions. Our flow-based pricing model is setup to protect you, the customer, from getting penalized for traffic spikes that might take you over your plan's Max FPS. After speaking with many users, we found that Kentik needed to provide more transparency when sampling was happening, so that you can adjust device sampling, pak size, and maintain the level of data accuracy that you expect in Kentik.\u00a0<\/p><hr class=\"read-more-break\" \/><p>As we made changes to the product, primarily as part of the <a href=\"https:\/\/kb.kentik.com\/docs\/licenses\" rel=\"noopener noreferrer\" target=\"_blank\">Licenses<\/a> page where your plans are laid out, we also included some updates to:<\/p><p>a) <a href=\"https:\/\/kb.kentik.com\/docs\/licenses\" rel=\"noopener noreferrer\" target=\"_blank\">Flow Licenses<\/a> - to show you which plans (FlowPak, CloudPak, DevicePak) have significant downsampling, potentially due to device configuration or under-licensing<\/p><p>b) <a href=\"https:\/\/kb.kentik.com\/docs\/licenses#nms\" rel=\"noopener noreferrer\" target=\"_blank\">NMS Licenses<\/a> - to more clearly reflect your device counts and limits<\/p><p>c) <a href=\"https:\/\/kb.kentik.com\/docs\/network-devices#device-list\" rel=\"noopener noreferrer\" target=\"_blank\">Device Flow and Downsampling indicators<\/a> - to allow you to filter and view devices that may be sending more flow than you expect, or to use AI Advisor to identify and suggest remediations<\/p><p>d) <a href=\"https:\/\/kb.kentik.com\/docs\/public-clouds\" rel=\"noopener noreferrer\" target=\"_blank\">Cloud FPS and Sampling configuration<\/a> - to allow you to view raw FPS in your cloud environment before Kentik-configured sampling<\/p><h2>Understanding your Licenses<\/h2><p>You'll notice a few changes to your Licenses page for Traffic plans (FlowPak, DevicePak), CloudPak plans, and NMS (NPak). Firstly, we wanted to provide more visibility to downsampled devices. This includes links to the Devices page with the relevant devices highlighted.<\/p><p><img src=\"https:\/\/img.announcekit.app\/d81d34114b777e63d399861656c479a6?s=a74a3c0ad36740162ea2637a04fc0016\" \/><\/p><p><br \/><\/p><p>Secondly, we wanted to provide a better understanding of sampling ratios and FPS measures, especially for AWS &amp; Azure cloud exports that support an additional export-configured sampling. We included similar graphs for Traffic FlowPaks as below, to show the trend of received FPS and stored FPS over time. These underlying metrics are also available in <a href=\"https:\/\/kb.kentik.com\/docs\/metrics-explorer\" rel=\"noopener noreferrer\" target=\"_blank\">Metrics Explorer<\/a> under \/kentik\/licensing\/flow measurements.<\/p><p><img src=\"https:\/\/img.announcekit.app\/2466be488ef6f637868998e20cbd3d3e?s=7439574df33186f666720ea371a46527\" \/><\/p><p><br \/><\/p><p>Finally, we wanted to clearly show which NMS devices were onboarded as Full-monitor Devices vs. ICMP-only, so that you can clearly track your device counts as you onboard and grow your network.\u00a0<\/p><p><img src=\"https:\/\/img.announcekit.app\/b39258e039cd5c560e3b6b1b094f72f1?s=513b14dce3c61d33c986507fe9114298\" \/><\/p><h2>Don't double-downsample Devices<\/h2><p>We also wanted to extend this transparency within the Licenses page to other parts of the Kentik product by surfacing the same FPS indicators and flow telemetry. We added additional filters to the Devices table and Flow status indicators, in addition to also supporting this same context in AI Advisor.<\/p><p><img \/><img src=\"https:\/\/img.announcekit.app\/ad8d63d3bffc54c16ab332dbc7417a9a?s=59a4af9ef31d75d206af26138104580c\" \/><\/p><p>We also added more of this data in the Telemetry tab for the device, including a historical view of received FPS and stored FPS for the past 30 days.<\/p><p><img src=\"https:\/\/img.announcekit.app\/ec37986c454f696a4ac87f576d023318?s=03eb730e76f7c156d436864f45779c55\" \/><\/p><h2>That's a lot of Cloud flow<\/h2><p>Understanding flow volume in your Cloud environment is a consistent pain point, so we wanted to add additional visibility there, too. Now, as part of your Public Clouds settings, you can see a breakdown of flow volumes across the various cloud exports that you have configured. Kentik supports customizable sampling ratios for AWS &amp; Azure cloud exports, allowing you to adjust the number of flows that you send to Kentik for storage. (While GCP &amp; OCI support sampling natively, we also surface your configured sampling ratios in the export table.)<\/p><p><img src=\"https:\/\/img.announcekit.app\/6dde97763476edd8c89a4b416e81639f?s=728c8bc57c16a9a27a052c616803fed0\" \/><\/p><p>We hope that this added visibility enables you to maintain the level of data accuracy that you desire in Kentik as your network traffic grows! As always, please don't hesitate to reach out to us to provide feedback anytime.<\/p>","url":"https:\/\/new.kentik.com\/enhancing-flow-and-plan-visibility-in-kentik-licenses-devices-and-public-clouds-3nDB6w","title":"Enhancing flow and plan visibility in Kentik Licenses, Devices, and Public Clouds","summary":"As a network intelligence platform, one of the areas that we often try to help customers understand is their flow volume. Sampling is a crit...","date_modified":"2026-02-26T20:21:22.426Z","tags":[]},{"id":"434427","content_html":"<p>To create a more seamless Kentik experience and more tightly integrate Kentik into your network operations workflows, <strong>we are pleased to announce Kentik's<\/strong> <strong>AI Advisor REST API<\/strong> is now available. This provides programmatic access to AI Advisor investigations, allowing you to integrate AI Advisor directly into your enterprise AI Agents, chatbots, and other automation workflows. <\/p><hr class=\"read-more-break\" \/><p>The AI Advisor REST API provides programmatic access to the same advanced network analysis capabilities available in the Kentik portal, allowing you to ask natural language questions and receive AI Advisor's insights through a simple, asynchronous REST interface<\/p><h2>What is AI Advisor REST API?<\/h2><p><strong>AI Advisor REST API<\/strong> gives you programmatic access to Kentik's network intelligence agent, enabling you to:<\/p><ul><li><strong>Ask questions in natural language<\/strong> about your network operations, device health, traffic patterns, and performance<\/li><li><strong>Maintain conversational context<\/strong> across multi-turn chat sessions for deeper analysis<\/li><li><strong>Receive markdown-formatted responses<\/strong> with transparent reasoning and actionable insights<\/li><\/ul><h3>Common Use Cases<\/h3><ul><li><strong>ITSM Integration<\/strong>: Connect AI Advisor to ServiceNow, Jira, or other ticketing systems for automated network analysis<\/li><li><strong>Automated Workflows<\/strong>: Trigger network analysis from alerting systems or scheduled jobs for reporting<\/li><li><strong>Chatbot Integration<\/strong>: Interact with AI Advisor in your favorite chat application<\/li><li><strong>AI Agents Integration<\/strong>: Extend your enterprise AI agent with AI Advisor's capabilities<\/li><\/ul><h3>API Endpoints<\/h3><ul><li><code>POST \/ai_advisor\/v202511\/chat<\/code> - Create new session with initial prompt<\/li><li><code>GET \/ai_advisor\/v202511\/chat\/{id}<\/code> - Retrieve session status and results<\/li><li><code>PUT \/ai_advisor\/v202511\/chat<\/code> - Add follow-up questions to existing session<\/li><\/ul><h3>Authentication &amp; Access<\/h3><p>The AI Advisor REST API uses standard Kentik API authentication with email and API token headers. All Admin and Member users with AI Advisor access can use the API.<\/p><h2>Get Started Today<\/h2><p>Ready to integrate AI-powered network intelligence into your workflows? Check out our comprehensive documentation:<\/p><ul><li><strong><a href=\"https:\/\/kb.kentik.com\/docs\/ai-advisor-api\" target=\"_blank\">AI Advisor REST API Documentation<\/a><\/strong> - Complete API guide with examples<\/li><li><strong><a href=\"https:\/\/github.com\/kentik\/api-schema-public\/blob\/master\/gen\/openapiv3\/kentik\/ai_advisor\/v202511\/ai_advisor.swagger.json\" target=\"_blank\">OpenAPI Specification<\/a><\/strong> - Full API schema<\/li><li><strong><a href=\"https:\/\/kb.kentik.com\/docs\/ai-advisor\" target=\"_blank\">AI Advisor Overview<\/a><\/strong> - Learn about AI Advisor capabilities<\/li><\/ul><p>Have questions? Contact your Kentik account team or reach out to <a href=\"mailto:support@kentik.com\" target=\"_blank\">support@kentik.com<\/a>.<\/p>","url":"https:\/\/new.kentik.com\/kentik-ai-advisor-rest-api-is-now-available-4BHgOI","title":"Kentik AI Advisor REST API is Now Available!","summary":"To create a more seamless Kentik experience and more tightly integrate Kentik into your network operations workflows, we are pleased to anno...","date_modified":"2026-02-17T09:16:47.037Z","tags":["AI"]},{"id":"432212","content_html":"<p><strong>CDN Analytics<\/strong> is one of the most valued features in our platform, and for good reason. With 75% to 85% of a broadband ISP\u2019s inbound traffic routinely being carried by just five major CDNs, understanding CDN-originated traffic is critical for managing subscriber performance and network capacity.<\/p><p>However, CDNs vary widely in how they operate. They range from massive commercial entities to single-purpose networks built exclusively for content providers (like Netflix\u2019s Open Connect, Facebook's Network Appliances, or Google Global Caches). Because of this complexity, automatically enriching traffic data based on its true CDN origin is both an art and a science. It requires a smart detection engine \u2013 the core of our <b>True Origin<\/b> technology \u2013 that keeps evolving.<\/p><p>Additionally, the relationship between a broadband ISP and a CDN often extends beyond standard interconnection agreements, particularly when CDNs offer Cache Embedding programs. When caching appliances are co-located in the ISP's last mile, the ISP needs to verify the ROI: measuring the efficiency of that last-mile caching against the real-world costs of hosting, cooling, and powering the hardware.<\/p><p>Today, our detection engine grows again to help support these use cases. We are adding detection for <b>Edgevana<\/b> and <b>Valve<\/b> to our CDN Analytics, bringing our list of detected commercial and purpose-built CDNs to <b>65!<\/b><\/p><p>Let\u2019s double-click into what this means for your network.<\/p><hr class=\"read-more-break\" \/><h2>How does Kentik's True Origin CDN detection engine work?<\/h2><p>The theoretical bits are somewhat trivial: flow telemetry comes in with source and destination IPs, which we map in real time to source or destination CDNs to enrich flow records we ingest. For this to be possible, our CDN Detection Engine constantly maintains a list of CDN-to-IP mappings behind the scenes. This list leverages a number of datasets:<\/p><ul><li>Multiple passive DNS datasets<\/li><li>Our customer's real-time DNS data feeds\u00a0<\/li><li>Routing registry data for prefixes originated by CDN ASNs<\/li><li>Interface classification-based detection of 'Embedded Cache' type interfaces<\/li><li>Configuration inputs from our customers declaratively adding Embedded Caches<\/li><\/ul><p>This data is parsed every day using a set of heuristics, and allows Kentik to generate a unique and very accurate data set of IP-to-CDN mappings that include 1) IPs for servers in each CDN's infrastructure, and 2) last-mile-embedded servers in the broadband ISPs of both customers and non-customers.\u00a0<\/p><p>Leveraging Passive DNS data feeds and Interface Classification, setup for our customers is kept minimal as most of the embedded caches in their network will be automatically detected. In case they are not (one example is when these servers are behind a 3rd party router that's not registered with Kentik), a config interface allows them to statically declare them.\u00a0<\/p><h2>What happens when we add a new CDN to our detection engine?<\/h2><h3>Train the detection engine on CNAMEs<\/h3><p>This basically means that we feed it with patterns to look for in terms of unique CNAMEs to be crawled in our set of passive DNS data-feeds. We're talking about the *.akamaized.net or `*.fastly.net` well-known CNAME patterns that CDN customers use to link their own domain names in order for these CDNs to serve.<br \/><em>This data is further fed to the engine via our OTT DNS Taps, since it taps the DNS queries upstream of your subscribers.<\/em><\/p><h3>Wire the ASN-to-CDN mappings using Routing Registries<\/h3><p>The other trivial source of data is the ASNs that a given CDN uses to run their infrastructure on: all prefixes originated by these ASNs is turned in to CDN-to-IP mappings. For instance <code>Akamai<\/code> is well known to operate <code>AS20940<\/code>, but they have successively acquired other companies such as <code>Prolexic<\/code>, <code>Instart Logic<\/code>, <code>Linode<\/code> ...and not all of their associated ASNs are used to deliver CDN traffic to users. In the same vein, <code>Netflix<\/code> is <a href=\"https:\/\/openconnect.netflix.com\/en\/?utm_referrer=https:\/\/www.google.com\/\" rel=\"noopener noreferrer\" target=\"_blank\">publicly known<\/a> to operate the Open Connect cache network both at IXes on their own servers via <code>AS2906,<\/code> but also via embedded caches on <code>AS40027<\/code>. This updated list gets parsed every day and adds to the IP-to-CDN mappings from the day before.<\/p><p>We also add metadata to all CDN entries in the engine's directory service, so that we can present users with added context for a given CDN \u2013 such as:<\/p><ul><li>The public logo of the CDN to embellish the CDN's detail page<\/li><li>CDN type \u2013 are they a Commercial CDN, a purpose-build content CDN, or a Cloud Provider<\/li><li>What their associated ASNs are and <a href=\"https:\/\/peeringdb.com\" rel=\"noopener noreferrer\" target=\"_blank\">PeeringDB<\/a> entries are<\/li><li>Do they run an Embedded Cache Program (such as Netflix's OCA, Facebook's FNA, Google's GGC, Akamai's AANP, Apple's AEC...) and store the link to these individual initiatives web pages<\/li><\/ul><p>Here's what the <code>\/service-provider\/cdn\/Valve<\/code> details page looks like:<\/p><p><img src=\"https:\/\/img.announcekit.app\/567a1640f2ddcc385536c8bab33a8596?s=1c3904daba322776155b498417361db9\" class=\"image-align-left\" style=\"width:98.86%;\" \/><img src=\"https:\/\/img.announcekit.app\/3d57e1ffeb4a417921bc59f3f7d63817?s=b4af57e08bf25c79ed5cddc3cc04ec05\" class=\"image-align-left\" \/><\/p><p><br \/><\/p><h3>Wire the detection engine to Interface Classification<\/h3><p>For the CDNs running an Embedded Cache Program, we built our engine to be able to detect as many of the IPs corresponding to these cache servers, even when they are in your own last-mile network and not directly hosted in the CDNs ASNs.<\/p><p>One of the ways our engine detects this is it looks at SNMP interface data from your Network Devices and inspects those with an <code>Embedded Cache<\/code> <code>Connectivity Type<\/code>. For those, the engine takes the IP subnet the interface is on, and if able to match a CDN from the interface description or the <code>Provider<\/code> Interface Classification field, assigns an additional IP-to-CDN Mapping.<\/p><p>In the <code>CDN Analytics &gt; Config<\/code> section of the portal, you can see which ones are automatically detected (updates once a day) as depicted below:<img src=\"https:\/\/img.announcekit.app\/ab816b62b9b9f2fec3e2c6523a946b09?s=ffc696d9b3dd8a2dfc39f5a4a4b6f0fb\" class=\"image-align-left\" style=\"width:99.86%;\" \/><\/p><h3>Add means for users to self-declare IP CIDRs to CDN Mappings<\/h3><p>Some Content CDNs (aka purpose-built) that run a last-mile Cache Embedding program have been known to provide a router to the broadband ISP in addition to the caches. The CDN in this case retains admin control over this router, which in turn cannot be registered with Kentik.<\/p><p>The consequence is that Embedded Cache interfaces cannot be auto detected since they're located on a device not registered in Kentik. In this case, users from the ISP will want to declare the CIDR space used to number the caches manually, which they can do in the Additional Embedded Caches tab of the CDN configuration workflow.<\/p><p>When adding a new CDN with a last-mile Embedded Cache program, we ensure that it is added to the manual addition config screen for users to start entering their static mappings. \u00a0<\/p><p>The following Cache Embedding CDNs are currently covered: <em>Akamai, Amazon, Apple, Azion (Brazil), Baishan Cloud, ByteDance (tiktok), CDN77, Cloudflare, Edgevana, Facebook, G-Core, Globo, Google, i3D, Izzi, Limelight, Lumen\/Level(3), Azure, Netflix, Netskrt, Quantil\/China NetCenter, Qwilt, Valve<\/em>.<\/p><p><img src=\"https:\/\/img.announcekit.app\/722bf72edf9444747644c2c6b87ca9d7?s=4ac0eb02604aa6496ee85b544bfdf985\" class=\"image-align-left\" style=\"width:99.86%;\" \/><\/p><p><br \/><\/p><p>As a result, the IP-to-CDN mappings resulting from this configuration form will be added to the daily mechanism that generates the global CDN-to-IP mappings.<\/p><h3>Adding a CDN Offload widget to the landing page<\/h3><p>While last-mile Cache Embedding provides many benefits to the broadband ISP, they also come with an operational cost around rack space, power, and cooling. Because of this, the embedding broadband ISP will often want to be able to measure the benefits for each embedding CDN to continuously justify the decision to embed.<\/p><p>The key metric for the main benefit is called offload: <strong>offload is a ratio between how much traffic is delivered to the subscribers from the cache vs. how much traffic is delivered to the subscribers in total \u2013 from a cache or from outside of the network<\/strong>. This Offload Ratio is commonly measured as a percentage. Traditionally, CDNs that transport a constantly growing long tail of user-generated content tend to have lower Offload Ratios (as popular content is competing for the discreet storage space offered by the embedded appliances). Conversely, CDNs with a fixed catalog (Netflix being a prime example, as the size of their catalog being somewhat fixed at all times) can achieve very high offload for a little cache footprint.<\/p><blockquote><p><em>Note: there are subtleties between CDNs as to how we compute the Offload ratio. While we usually run these computations at peak time, because offload makes the most sense when traffic is at its highest, cases like Netflix Open Connect are different because the peak for inbound traffic happens when the caches fill themselves at night instead of during the delivery peak.<\/em><\/p><\/blockquote><p>Users can enable\/disable any Embedding CDN widget on the CDN Analytics landing page via the config screen, here's what it looks like:<\/p><p><img src=\"https:\/\/img.announcekit.app\/2b909382318ed6620f457c987d2cfbfd?s=f3b6046582aabb39c52030e29f9851f6\" class=\"image-align-left\" style=\"width:99.57%;\" \/><\/p><p>And here's what a fully furnished landing page with offload widgets can look like:<\/p><p><img src=\"https:\/\/img.announcekit.app\/93423b7d296a80570061561ba68442e1?s=27cde4376ac62a903f6f2293becb9240\" class=\"image-align-left\" style=\"width:99.17%;\" \/><\/p><p>Even better, all those independent widgets lead to a dashboard that will precisely let users figure out what the traffic patterns are for the caches when it comes to offload and will display all the following types of cache traffic:<\/p><ul><li>OffNet to Subscribers (aka longtail)<\/li><li>OnNet to Subscribers (aka last-mile delivery)<\/li><li>Cache to Cache Fill Traffic<\/li><li>OffNet Cache Fill traffic<\/li><\/ul><p>We hope you enjoyed this walk through on the internals of our CDN detection system. If you have any questions about it, please let Kentik's Product Team know, as we heavily count on your inputs to add new CDNs or new capabilities to the workflow as our CDN detection engine gets smarter and smarter!<\/p>","url":"https:\/\/new.kentik.com\/adding-detection-for-two-new-cdns-edgevana-and-valve-1y31xm","title":"Adding detection for two new CDNs: Edgevana and Valve","summary":"CDN Analytics is one of the most valued features in our platform, and for good reason. With 75% to 85% of a broadband ISP\u2019s inbound traffic ...","date_modified":"2026-01-20T17:00:00.000Z","tags":["Improvement","Service Provider"]},{"id":"432613","content_html":"<p>For several years, <strong>kprobe<\/strong> has served as a flexible bridge for our community, providing deep host-level visibility and DNS insights. However, the requirements for modern network observability are changing. To ensure our customers are equipped with our latest innovations and highest-performance capabilities, we have officially sunset kprobe as we consolidate our engineering focus onto the <strong>Kentik Universal Agent<\/strong>.<\/p><p>This transition is about more than just a tool change; it is about providing you with a unified, high-performance foundation for the next decade of networking. We recommend all users begin transitioning to these supported alternatives to stay aligned with Kentik\u2019s innovation roadmap.<\/p><hr class=\"read-more-break\" \/><h3>Unlocking the Next Generation of Innovation<\/h3><p>Maintaining disparate legacy agents limits the speed at which we can deliver value. By centralizing our development on the Universal Agent, we are creating a streamlined control plane that enables us to roll out new capabilities from advanced metadata enrichment to UI-driven orchestration, at a much faster cadence. This move ensures you are always running on our most secure, platform-agnostic, and performant code base.<\/p><h3>The Path to Modern Observability<\/h3><p><img src=\"https:\/\/img.announcekit.app\/919e3530f19fbd69ca34ca8c4e3ec3d9?s=cc7b4a92e68b00131020a0b68de9be19\" class=\"image-align-left\" style=\"width:99.3%;\" \/><\/p><h4>1. High-Performance DNS &amp; OTT Insights<\/h4><p>For those utilizing kprobe for DNS performance or OTT traffic mapping, the <strong>Kentik Universal Agent<\/strong> is your direct path forward. Our recently released <a href=\"https:\/\/new.kentik.com\/new-universal-agent-capability-ott-dns-tap-0uNSo\" rel=\"noopener noreferrer\" target=\"_blank\"><strong>DNS Tap<\/strong><\/a> capability is now live, purpose-built to replace kprobe\u2019s DNS-tapping functions with higher throughput. By mapping DNS queries directly to hostnames, it provides the deep service context required for modern OTT visibility without the CPU overhead of legacy packet processing.<\/p><h4>2. Standardized Host Flow &amp; System Visibility<\/h4><p>For general host-flow export and system-mode visibility, we recommend the industry-standard <strong><a href=\"https:\/\/sflow.net\/\" target=\"_blank\">hsflowd<\/a><\/strong>. As a mature, widely adopted open-source project, hsflowd provides excellent cross-platform support and is the ideal choice for users who prioritize open-source consistency for general host metrics.<\/p><hr \/><p><strong>A Strategic Shift in Application Visibility<\/strong><br \/>As the industry moves toward pervasive encryption (TLS 1.3), traditional application-layer packet decoding such as kprobe\u2019s legacy HTTP decodes has become less effective for modern, secure environments. Kentik\u2019s strategy is evolving to focus on high-scale transport-layer visibility and cloud-native insights. For specialized use cases requiring deep, unencrypted HTTP packet analysis, we recommend leveraging dedicated APM or specialized DPI tools that complement Kentik\u2019s network-wide observability.<\/p><hr \/><h3>Timeline &amp; Support<\/h3><ul><li><strong>Status:<\/strong> kprobe is officially deprecated as of today.<\/li><li><strong>Repositories:<\/strong> The GitHub repository has been moved to an \"Archived\" state.<\/li><li><strong>Support:<\/strong> While traffic processing and query results will remain working without any intended interruption standalone agents deprecated such as kprobe will receive limited to no new software updates. Plan your migration today.\u00a0<\/li><\/ul><p style=\"text-align:center;\"><strong>Ready to access the latest Kentik innovations?<\/strong><br \/>Contact your Kentik account team or visit our <strong><a href=\"https:\/\/kb.kentik.com\/docs\/universal-agents\" rel=\"noopener noreferrer\" target=\"_blank\">Knowledge Base<\/a><\/strong> for detailed migration guides.<\/p><p>We are incredibly grateful to the developers and customers who helped kprobe grow, and we look forward to building the future of network observability together.<\/p><p><strong>The Kentik Product Team<\/strong><\/p>","url":"https:\/\/new.kentik.com\/sunsetting-kprobe-transitioning-to-the-kentik-universal-agent-4cGE1O","title":"Sunsetting kprobe: Transitioning to the Kentik Universal Agent","summary":"For several years, kprobe has served as a flexible bridge for our community, providing deep host-level visibility and DNS insights. However,...","date_modified":"2026-01-16T20:22:23.833Z","tags":[]},{"id":"431809","content_html":"<p>Our users and readers probably noticed a few months back that we <a href=\"https:\/\/new.kentik.com\/nms-device-centric-alerting-now-supports-snmp-trap-and-syslog-OhKUw\" rel=\"noopener noreferrer\" target=\"_blank\">added the ingestion of SNMP Syslogs and Traps<\/a> to our platform via NMS.<br \/>Today we are bringing new enhancements to that Syslog functionality. But before we dig into those, let's do a quick recap of what was already available.<\/p><hr class=\"read-more-break\" \/><h2>Setting up Syslog on a Network Device<\/h2><p>First order of business when you want to add Syslog observability to your Kentik setup is to deploy our Universal Agent and enable the syslog capability on it. <a href=\"https:\/\/kb.kentik.com\/docs\/universal-agents#deploy-a-universal-agent\" rel=\"noopener noreferrer\" target=\"_blank\">Deploying Universal Agent is trivial<\/a> and all that's needed is to enable the <strong>Syslog Server\u00a0<\/strong>capability during the final steps of the deployment process, as pictured below:<\/p><p><img src=\"https:\/\/img.announcekit.app\/2053c308fd2ec10ad897a387a240b659?s=0678b8134883309204b7fa3ed1b37101\" class=\"image-align-left\" style=\"width:22%;\" \/><\/p><p>For an already deployed agent, the capability can be installed\/enabled on the fly as depicted below from the <strong>Settings &gt; Universal Agent\u00a0<\/strong>agent list.<\/p><p><img src=\"https:\/\/img.announcekit.app\/f12d256e9ff14f7b222043a4890a8fba?s=049859c913cd9b5a78d273c44d142615\" class=\"image-align-left\" \/><\/p><p>Once this is done, all you need to do is configure your network devices to send Syslog records to this agent. If necessary, you can also configure the listening IP and ports on the syslog capability.<br \/>Provided your device is NMS enabled, the Kentik cluster will ingest Syslog records from the device via the Universal Agent's syslog capability.<\/p><h2>How can I access Syslog data for analysis? (part 1)<\/h2><p>All ingested syslog data is enriched with a sum of attributes and immediately stored in our universal telemetry datastore, making it ready for analysis.<br \/>Syslogs (as well as SNMP Traps) correspond to a new broad type of Telemetry available in our platform called <strong>Events<\/strong>.<strong>\u00a0<\/strong>We intend to add additional event types in the near future, so stay tuned!<\/p><p>Once ingested, new Metrics and Dimensions choices (both Group By and Filter) will be available in Data Explorer, as depicted below - allowing for very granular event type queries.<\/p><p><img src=\"https:\/\/img.announcekit.app\/a7eebd1c9b7b5af28b91b4c0315aeae3?s=d1bbc5f7e39d1b387cf0074973236bf3\" class=\"image-align-left\" style=\"width:34.25%;\" \/><\/p><p><img src=\"https:\/\/img.announcekit.app\/6cbfcc834fe93814a24a508b8f83da5c?s=877b6c8a933f41632b57a881313e4691\" class=\"image-align-left\" style=\"width:33.03%;\" \/><\/p><p>Here's an example of a Data Explorer query displaying syslog volumes per device and per severity over time.<\/p><p><img src=\"https:\/\/img.announcekit.app\/5853517a9196d251772f081e7aed3275?s=8ca87ab1600b534105a14a9d16184f40\" class=\"image-align-left\" \/><\/p><p>Additionally, the new <strong>Events View<\/strong> tab on the data table will appear for users to display a complete list (unaggregated) of all the Syslog messages captured in this time window for filter defined in the query.<img src=\"https:\/\/img.announcekit.app\/b3dec150e5a5db21ee2c5852f7d12e84?s=85cad8b21cb5361473033b80a876f149\" class=\"image-align-left\" \/><\/p><p>Of course, all of these visualizations are available to a bunch of extra useful capabilities such as<\/p><ul><li>Saved Views<\/li><li>Dashboards<\/li><li>Filter Based Dimensions<\/li><li>Generate One Chart per Series<\/li><\/ul><h2>So what's new with Syslog? (part 2)<\/h2><p>As of today, we're adding a few niceties, this is where it all becomes interesting. The keen eye will have noticed that the <strong>Infrastructure &gt; Devices\u00a0<\/strong>inventory screen includes a new filter in the <strong>NMS Status<\/strong> section - this filter now allows users to narrow the device list down to those that we are seeing Syslog entries for.<\/p><p><img src=\"https:\/\/img.announcekit.app\/a9027686e6820d26881faa160f2df066?s=228fba4e0df448c3c51ae107b23fd4aa\" class=\"image-align-left\" \/><\/p><p>...but the real deal is that starting today a new <strong>Syslogs<\/strong> tab appears on the <strong>Infrastructure &gt; Device &gt; &lt;device_instance&gt;<\/strong> device details screen: let's say you are doing your rounds on a device, eyeballing it's metrics in the overview tab - you see a spike on CPU on the overview spark line and want to check if error reported by syslog has happened that may explain it, here's what it looks like when you click on the Syslog tab. Now users can easily search for specific syslog entries on this device of any Severity within any Time Range.<\/p><p><img src=\"https:\/\/img.announcekit.app\/4e38b21d9073fead6037d9a56d7349b6?s=de5642aeed191cc3c965d17db3bc59bb\" class=\"image-align-left\" \/><\/p><h2>What does the future hold?<\/h2><p>As mentioned earlier, we are just getting started on <strong>Events<\/strong>. They will soon play an important role in our unified observability stack, being additionally available to our recently released <a href=\"https:\/\/new.kentik.com\/kentik-ai-advisor-is-now-generally-available-ga-vgDcc\" rel=\"noopener noreferrer\" target=\"_blank\">AI Advisor<\/a>: when clicking on the top right <strong>Ask\u00a0<\/strong>button on a Device Details page to summon the agent, it will already have the recently Syslogs for the device as part of its context.<br \/><br \/>As a fast follow-up, we will be soon adding SNMP Traps as a similar additional tab in the <strong>Device Details\u00a0<\/strong>screen.<\/p><p>Later this year, we will be opening up amazing possibilities to query together Traffic (Flow), NMS (SNMP\/ST), Events (syslogs, traps &amp; more) and Performance (Synthetics) together in a cohesive set of visualizations - so stay tuned as things are just about to become interesting!<\/p>","url":"https:\/\/new.kentik.com\/syslog-additions-are-here-3xNA9q","title":"Syslog additions are here!","summary":"Our users and readers probably noticed a few months back that we added the ingestion of SNMP Syslogs and Traps to our platform via NMS. Toda...","date_modified":"2026-01-07T20:23:20.000Z","tags":["Improvement","Core","NMS"]},{"id":"431808","content_html":"<h2>Low Resolution login screen<\/h2><p>More often than not, our users may have to access Kentik Portal from a web browser running via Terminal Server or some equivalent VNC variant.<br \/>Some of our users have reported that the animated gradient on the new Login Screen resulted in a very laggy experience in such remote setups.<\/p><p>To solve this issue, we have introduced a QueryArg in the login URL that these users can now bookmark, which instead of an animated gradient displays a static one, therefore solving this issue:<\/p><p><a href=\"https:\/\/portal.kentik.com\/login?lowres=true\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/portal.kentik.com\/login?lowres=true<\/a> if you are a US Platform user, or <a href=\"https:\/\/portal.kentik.eu\/login?lowres=true\" rel=\"noopener noreferrer noopener noreferrer noopener noreferrer\" target=\"_blank\">https:\/\/portal.kentik.eu\/login?lowres=true<\/a> if you are an EU Platform user.<\/p><h2>Kentik Next for SSO users<\/h2><p><a href=\"https:\/\/next.kentik.com\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/next.kentik.com<\/a> (alternatively <a href=\"https:\/\/next.kentik.eu\" rel=\"noopener noreferrer\" target=\"_blank\">https:\/\/next.kentik.eu<\/a> to our EU users) is a public version of Kentik Portal which is always ahead of our production systems - it is the equivalent of OSes' Nightly Builds, a public pendant to our <a href=\"\/\/portal.kentik.com\" rel=\"noopener noreferrer noopener noreferrer\" target=\"_blank\">portal.kentik.com<\/a> main instance. \"Next\" as we call it, exists for our customers to experience the next features to hit our production systems. <em>(Disclaimer: as paint may constantly be wet on it, we advise users to stick to the product systems to perform production work).\u00a0<\/em><\/p><p>Up until now <em>Next<\/em> was not available to our SSO users - but it is now, so give it a try !<\/p>","url":"https:\/\/new.kentik.com\/low-resolution-login-screen-kentik-next-available-to-sso-users-3wFbDa","title":"Low-Resolution login screen, Kentik Next available to SSO users","summary":"Low Resolution login screenMore often than not, our users may have to access Kentik Portal from a web browser running via Terminal Server or...","date_modified":"2026-01-05T20:22:25.000Z","tags":["Improvement","Core"]},{"id":"424127","content_html":"<p>In our everlasting quest to strengthen security around the Kentik Platform, we're happy to introduce WebAuthN today \u2013 a growing web browser native Web Authentication standard with many benefits over prior ones.<br \/>Until today, we offered Multi-Factor Authentication (MFA) to our users via these 2-Factor (2FA) methods: Time-based One-Time Password (TOTP, also known as Authenticator App-based Tokens) and hardware keys such as YubiKeys from the FIDO Alliance.<br \/>While these methods offer a better security level than plain user\/password authentication and we strongly encourage our users to adopt 2FA, the standards have evolved to new, more secure methods that we are now proud to offer to our user base.<\/p><p>Let's see what this is all about!<\/p><hr class=\"read-more-break\" \/><h2>Authentication security concepts<\/h2><p>Let\u2019s take a look at modern improvements recently achieved in the domain of Web Authentication.<\/p><h3>\"Something you are\"<\/h3><p>In authentication, there are three categories of credentials (or factors) used to verify a user's identity. They are: <strong><em>something you know<\/em><\/strong><em>\u00a0<\/em>(like a password), <strong><em>something you have<\/em><\/strong> (such as a security token), and <strong><em>something you are<\/em><\/strong> (like a fingerprint). Using a combination of two or more of these factors is known as multi-factor authentication (MFA).\u00a0<\/p><p>Modern Authentication favors <strong><em>something you are<\/em><\/strong> with the use of Biometric Methods: Fingerprint Recognition (known as Touch ID for Apple users, or Hello for Microsoft users), or camera-based Face Recognition (known as Face ID for Apple users, Face Unlock for Android users). While a malevolent actor can <strong><em>phish something you know<\/em><\/strong>, <strong><em>steal something you own<\/em><\/strong>, it is much <strong><em>harder to spoof something you are<\/em><\/strong> when it is based on your unique biometric markers.<\/p><h3>Public\/Private keys<\/h3><p>Another recent security improvement on the web is the adoption of browser-based Public-key credentials extensions (WebAuthN, which we\u2019ll talk about in a minute, uses this scheme).<\/p><p>In a public-key based Authentication model, a pair of keys (public key and private key) are used in authentication. The remote authenticating system stores a user's public key (visible to anyone) and a credential ID, not a password. The private key, which is the secret half of the key pair, is stored securely on the user's device, not on the server.\u00a0<\/p><p>This design offers significant security benefits compared to traditional passwords:\u00a0<\/p><ul><li><strong>Security by design<\/strong>: The server has no shared secret with the user that could be compromised. The public key is useless to an attacker on its own.<\/li><li><strong>Phishing resistance<\/strong>: The private key is cryptographically bound to a specific website domain, so it cannot be used on a fake phishing site to trick the user.<\/li><li><strong>Data breach protection:<\/strong> If a server's database is breached, the attacker can only steal public keys and credential IDs, which cannot be used to impersonate a user.<\/li><\/ul><h3>What is WebAuthN ?<\/h3><p>WebAuthN is the latest version of the FIDO Alliance\u2019s open authentication standard (FIDO2). It is an effort to bring strong 2FA to the web and is based on the W3C\u2019s Web Authentication API, which is supported by many, if not most, common web browsers.<br \/>In a nutshell, WebAuthN brings these attractive improvements to prior 2FA technologies:<\/p><ul><li>it is the leading <u>open<\/u> authentication standard on the web: it is widely adopted, can be audited, and comes natively in most recent browsers<\/li><li>it adds public-key cryptography to most existing 2FA methods, securing them further (with the exception of TOTP, which becomes the least secure 2FA method)<\/li><li>because most recent browsers are tightly integrated with the hardware and OS they run on, it brings Biometrics (aka \"something you are\") to web authentication, alleviating the need to procure physical keys<\/li><\/ul><h2>What does it look like in Kentik Portal ?\u00a0<\/h2><p>To enable WebAuthN we've made changes to the <a href=\"https:\/\/kb.kentik.com\/docs\/user-profile#authentication-settings\" rel=\"noopener noreferrer\" target=\"_blank\">User Profile section's Authentication tab<\/a>, surfacing these new 2-Factor capabilities now offered to users -\u00a0<\/p><p>but before we dive into these changes, let's summarize the levels of security now offered by Kentik Portal per Authentication method and outline their respective security levels:<\/p><p><img src=\"https:\/\/img.announcekit.app\/c6eea1372441e7b8bae98b7d3f82c2a0?s=52ffd13de133cc77a47812aaa7c8a73d\" class=\"image-align-left\" style=\"width:100%;\" \/><\/p><h3>Multiple 2-Factor Methods per user<\/h3><p>Kentik still offers each user to configure multiple 2-Factor Authentication methods in their User Profile \u2013 this allows users to configure backups or configure alternatives between when they're at home and on the go. A user can configure and name as many of these as they desire.<\/p><p>These Authentication methods are now split in 3 separate tables (click the button on the top right of each table to add one):<\/p><p><img src=\"https:\/\/img.announcekit.app\/1c1e09a52be94d32de745785e6fadedd?s=e66ec4595283ff329b0f899bec50ddf0\" class=\"image-align-left\" \/><\/p><ul><li><strong>(1) Legacy Methods:\u00a0<\/strong><br \/>Least secure 2-Factor - will include your Legacy Hardware Keys such as YubiKeys, and your TOTP.<br \/>You can re-create a new entry for your YubiKey in the <strong>Security Keys<\/strong> table, which will make them WebAuthN compliant (more secure): <strong><em>we strongly encourage you to do so !<\/em><\/strong><br \/>Because Time-Based One-Time Passwords aren't compatible with the WebAuthN standard, they will stay in this \"Legacy Methods\" section, we advise to move away from them.<br \/><em>That being said, they're still a better alternative than no 2-Factor.<\/em><br \/><br \/><\/li><li><strong>(2) Device Authenticators:<\/strong><br \/>These are Hardware\/OS level biometrics such as <a href=\"https:\/\/support.apple.com\/en-us\/105095\" rel=\"noopener noreferrer\" target=\"_blank\">Apple's Touch ID<\/a> and <a href=\"https:\/\/support.microsoft.com\/en-us\/windows\/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0\" rel=\"noopener noreferrer\" target=\"_blank\">Microsoft Hello<\/a> - they are considered to currently be the most secure methods, because they correspond to the \"<em>Something you are<\/em>\" principle.<br \/>Registration of these via the <code>Enroll Device<\/code> button is natively supported by most recent browsers using a common UI.<br \/><br \/><\/li><li><strong>(3) Security Keys:<\/strong><br \/>These authentication factors include both Hardware USB Security Keys (such as <a href=\"https:\/\/yubico.com\" rel=\"noopener noreferrer\" target=\"_blank\">Yubikey<\/a>, or <a href=\"https:\/\/store.google.com\/product\/titan_security_key\" rel=\"noopener noreferrer\" target=\"_blank\">Google's Titan<\/a>- both FIDO and FIDO2), both natively WebAuthN compliant -with FIDO2, they come with a PIN code.<br \/>In addition to these keys, you can also configure a mobile based (both iPhone or Android) WebAuthN compliant methods in this section. In this clever method, a QR code is presented to the user at login time, triggering the device's biometric native UI to proceed with a Face ID \/ Face Unlock verification.<\/li><\/ul><p>When multiple methods are available, authentication will always prioritize the <code>Device Authenticators<\/code> first, via a native browser prompt. If other WebAuthN methods have been configured by the user such as a YubiKey or an iPhone\/Android Mobile Authentication - these will be available as part of the same prompt by choosing <code>Other Methods<\/code>. (<em>see screengrab below)<\/em><\/p><p><img src=\"https:\/\/img.announcekit.app\/bfcff7ba1ebdc15ca318613186085ef5?s=f7168eee2f274d16c792a7bca67689a4\" class=\"image-align-left\" style=\"width:33.18%;\" alt=\"Biometrics authentication is always prioritized in the Native browser integration\" \/><\/p><h3><img src=\"https:\/\/img.announcekit.app\/53b15b7c0625e08c40701e754ecd82f1?s=0585370fcd78b42e159c7d9a36e72e4c\" class=\"image-align-left\" \/>As a user, what should I do ?<\/h3><p>This choice depends a lot on the Security policy dictated by your company, which you should always conform to.<br \/>With that said, as outlined by the previous diagram in this article comparing the security level of the various available methods, Kentik highly suggests that you always opt for the most secure one possible, which is encompassed in the following recommendations:<\/p><ul><li>Always use 2-Factor \u2013 plain password authentication is unsafe.<\/li><li>If your current 2-Factor is TOTP, you should consider adding a WebAuthN compatible one now \u2013 in this case HW based biometrics are your best choice since they\u2019re available on any recent laptop or mobile device.<\/li><li><p>If your current 2-Factor is a YubiKey, you should consider<\/p><ul><li>re-registering it in the Security Keys section to add WebAuthN to it<\/li><li>adding a biometrics-based Device Authenticator if your computer allows it, it will be prioritized over the YubiKey<\/li><\/ul><\/li><li>Try to have at least two methods configured, in case you lose one of them or if it happens to get compromised \u2013 so that you won't lose access to Kentik portal.<\/li><\/ul><h3>As someone who is responsible for Kentik App Security, what should I do ?<\/h3><p>As a security focused Kentik Administrator, \u00a0you want to increase Authentication Security for all your SaaS Applications, Kentik being no exception. To make your job easier of migrating users from a weaker 2FA to a stronger, WebAuthN 2FA, we added a filter in the <code>Company Settings &gt; Users<\/code> screen to identify users based on their 2FA settings:<\/p><p><img src=\"https:\/\/img.announcekit.app\/3e2e9b9500378f9c9295e25c7939edea?s=f911f7aed0d74480aa9e7a61dd34cf63\" class=\"image-align-left\" \/>...where Strong points to WebAuthN 2FA methods and Weak (Legacy) all the other, least preferred ones. Note that the <strong>Only Weak<\/strong> option will let you identify those of your users that haven't yet migrated to a stronger, WebAuthN based 2FA method.<\/p><p>Additionally, a new <strong>Custom<\/strong> button appeared at the top right of the Users table, which will let you add two new columns in - to help Kentik admins track 2 Factor adoption within their company:<\/p><ul><li>Strong Authenticators: number of WebAuthN 2Factor Authenticators configured<\/li><li>Weak Authenticators: number of non-WebAuthN 2Factor Authenticators configured<\/li><\/ul><h2>What's next for Kentik Portal Authentication ?<\/h2><h3>Making 2-Factor authentication mandatory<\/h3><p>At this juncture, we're seriously considering this further step as the next one. There are a couple ways we could go about doing so:\u00a0<\/p><ul><li>In a first step, we could expose a company-wide setting where your security staff could set it as mandatory for your tenant to respect your company's security stance, with a disabled default to make for a smooth and easy transition.<\/li><li>In a second step, we could make it mandatory by default and bake it in the user registration\/onboarding process.<\/li><\/ul><p>One of the reasons we haven't made a call about it yet is that a lot of customers have a centralized AAA strategy to access their SaaS apps that goes through centrally managing it via SSO, with the implication that the underlying SSO should take care of the multi-factor strategy.<\/p><p>Do let us know what your preference would be on the matter!<\/p><p><strong>Do let us know what your preference would be on the matter !<\/strong><\/p><h3>A note on Password-less authentication<\/h3><p>One of the eventual benefits of WebAuthN is password-less authentication such as PassKeys: this standard converges towards allowing users to register to a web application without providing the proverbial insecure password and exclusively replace it in our user profiles data store with the generated Public Key from the initial WebAuthN challenge.<br \/><strong><em>While this is one of our long term goals, password-less is not part of this release, as it requires us to completely overhaul the user registration process.<\/em><\/strong><\/p><p>Still, do let us know if password-less authentication is something you'd like to see in the product in the future.<\/p>","url":"https:\/\/new.kentik.com\/webauthn-authentication-in-kentik-portal-is-here-3voxDW","title":"WebAuthN Authentication in Kentik Portal is here!","summary":"In our everlasting quest to strengthen security around the Kentik Platform, we're happy to introduce WebAuthN today \u2013 a growing web browser ...","date_modified":"2025-12-09T19:15:00.000Z","tags":["Improvement","Core","New feature"]}]}