0x01 · KESTREL SECURITY STACK · 2 SHIPPING / 2 IN DEVELOPMENT

Packet capture analysis for iPhone and iPad.

The Kestrel Security Stack is one analysis engine spanning iOS and iPadOS — and soon, macOS. Lite and Sight ship on iPhone and iPad today. Pro is in active development, and Talon brings the same engine to the Mac — also in development. Processed on device. No accounts, no cloud uploads, no analytics, no third-party dependencies.

PLATFORMS
iOS 18 · iPadOS 18 · macOS (Talon, in development)
EDITIONS
Lite & Sight (shipping) · Pro & Talon (building)
FORMATS
PCAP · PCAPNG
NETWORK
None outbound
PRIVACY
Entirely on device
────── THE STACK ──────
00000100 · EDITIONS

One engine. Multiple editions.

On iOS and iPadOS, Kestrel is a progression of three editions — free field triage, professional analysis with bookmarks and raw search, and detailed reports with audit log. Lite and Sight are shipping today; Pro is in active development. On macOS, Talon adds live capture from any interface.

I. ● LITE

Kestrel Lite

Free · Up to 50,000 packets · Always free

Packet capture analysis for iPhone and iPad, capped at the first 50,000 packets per file. Dashboard, packets, flows, hosts, DNS, streams, timeline, and audit log with SHA-256 evidence hashing. TCP stream reassembly for files under 1 GB. Ideal for field triage, quick inspections, and learning the app.

II. ● SIGHT

Kestrel Sight

Unlimited packets · Raw data search · Analyst bookmarks

Everything in Lite, with no 50,000-packet cap. Adds analyst bookmarks (flag any packet, flow, host, DNS query, or stream with a note — included in PDF export), raw data search across arbitrary byte sequences, enhanced IPv6 with canonical RFC 5952 display, and refined PDF reports with paginated bookmarks and properly sized columns. TCP stream reassembly is automatic for captures under 1 GB.

III. ● PRO · BUILDING

Kestrel Pro

In development · Advanced detection · Audit · Findings Mode

Everything in Sight, with advanced detection and reporting. Sensitive Data Scanner reports credentials and API keys as salted SHA-256 fingerprints — raw values never touch disk. Anomaly detection covers beaconing, DGA domains, exfiltration, NXDOMAIN bursts, port scans, and reconnaissance tooling patterns. File carving extracts JPEG, PNG, GIF, PDF, ZIP, HTML, JavaScript, JSON, and XML with dual SHA-256/MD5 fingerprints. Session events are linked into a cryptographic hash chain following Schneier–Kelsey 1999 — the chain is verifiable from any exported PDF.

────── COMPARISON ──────
00000110 · CAPABILITIES

What each edition includes.

The core analysis engine is identical across all three. Each tier adds capabilities on top.

Dashboard & protocols
Lite · Sight · Pro
Packets & filtering
Lite (50,000-packet cap) · Sight · Pro
Flows · hosts · DNS
Lite · Sight · Pro
TCP stream reassembly
Lite & Sight (automatic under 1 GB) · Pro adds disk-backed streaming reassembly for multi-GB captures
Timeline & audit log
Lite · Sight · Pro
Analyst bookmarks
Sight · Pro
Raw data search
Sight · Pro
Enhanced IPv6 (RFC 5952)
Sight · Pro
Refined PDF reports
Sight · Pro
Sensitive data scanner
Pro only
Advanced anomaly detection
Pro only (beaconing, DGA, NXDOMAIN, exfiltration, recon UAs)
File carving & media extraction
Pro only
Cryptographic audit chain
Pro only
Findings Mode (any file size)
Pro only
────── CAPACITY ──────
00000120 · LIMITS

What it handles.

Honest, published limits. What happens at each file size and when features degrade.

00

Up to 1 GB

Full feature set across all three editions. Automatic TCP reassembly, complete analysis, optimized in-memory access.

Mode: Full in-memory
Reassembly: Automatic
01

1 GB to ~3 GB · Pro only

Pro uses streaming TCP reassembly that spills large streams to protected disk storage with bounded RAM per segment. On Lite and Sight, TCP reassembly automatically disables above 1 GB to protect device memory — packets, flows, hosts, DNS, and timeline remain fully functional.

Protection: NSFileProtectionComplete
RAM: Bounded (Pro)
02

Beyond device memory budget · Pro only

Pro’s Findings Mode opens larger captures with explicit user consent. When a file exceeds what the device can safely analyze in memory, you choose how to proceed — Kestrel Pro then analyzes the agreed portion and discloses exactly what was and wasn’t covered in both the audit log and a full-page PDF disclaimer.

Pro only · Honest coverage disclosure
────── WHO IT'S FOR ──────
00000130 · AUDIENCE

Built for the field.

If your work involves opening PCAPs anywhere other than a secure workstation, Kestrel is built for you.

SOC analysts
Quick triage when you’re away from the workstation
Incident responders
Analysis on the road
Threat hunters
Reviewing suspicious captures in the field
Security consultants
On-site assessments without cloud tool access
Penetration testers
Field reports for client engagements
Network administrators
Troubleshooting connectivity without a laptop
Educators & students
Learning protocol behavior on mobile
────── ON THE MAC ──────
00000140 · MACOS

The Kestrel stack on macOS.

Live capture belongs on a desktop. Kestrel Talon brings the same analysis engines to the Mac, with native packet capture from any interface.

IV. ● BUILDING

Kestrel Talon

macOS · In development

Live packet capture on macOS, with the same analysis engines that will power Kestrel on iOS — from protocol parsing through TCP reassembly. Native export to Wireshark-ready PCAPNG. Future integration with Kestrel Link (in development) will let you start a capture on your Mac and view it live on your iPhone.

────── PRIVACY ──────
PRIVACY

100% offline — Every byte processed on-device. No outbound connections. No analytics.

For the full policy, read the privacy policy. For questions, reach out directly.

NOTES

Kestrel analyzes pre-captured PCAP files only — live network capture is not permitted within iOS by the platform itself. Screenshots may combine demo and real data for illustration. Large captures may extend load times. Devices with 6 GB RAM or more are recommended for full-speed multi-gigabyte analysis — Pro’s Findings Mode adapts to the available memory budget and works on smaller devices with a proportionally smaller coverage budget. The demo section uses fabricated sample packets.

Kestrel is designed as an analytical and educational starting point. Detection features — including the Pro sensitive-data scanner and anomaly detection — use heuristic techniques and may produce false positives or miss findings. Always verify results independently before acting on them. Kestrel is not a substitute for a qualified analyst or a dedicated forensic workstation, and should not be used alone where evidentiary admissibility matters.

While Kestrel has been designed with security as a core priority, no software can guarantee absolute security. Users handling sensitive captures should follow their organization’s evidence-handling procedures.