By Mark Evans, VP Marketing, Endace
A growing ecosystem, driven by increased demand
Endace’s Fusion Partner Program is expanding rapidly, with new partners, including Microsoft Sentinel, Google SecOps, Sumo Logic and Exabeam (and more coming), and updated integrations to solutions from Cisco, Splunk, Palo Alto Networks, Elastic, Sumo Logic, Fortinet, and others.
On the surface, this looks like steady ecosystem growth. In reality, it reflects a clear shift in what customers are asking for.
Organizations are rethinking how their security and network operations stacks work together and, more importantly, where reliable data comes from. As that conversation evolves, one thing is becoming clear. Full packet capture is no longer a niche requirement, but rather a foundational need.
The growth of the Fusion Partner ecosystem is a direct response to that shift. More vendors are integrating with Endace because their customers want immediate access to packet-level evidence inside the tools they already use. When something happens on the network, teams need to be able to go straight from alerts to the ground truth. And quickly!
Integration first: from tools to a unified evidence layer
One of the biggest changes happening in security operations is how tools work together. Detection platforms are no longer enough on their own. They need access to reliable, underlying data to more accurately detect complex threats and malicious behaviour, and link together attacker activities to create an accurate picture for security teams.
Full packet capture strengthens existing platforms by acting as a shared evidence layer across the SOC and NOC stack. Instead of operating in silos, systems such as SIEM, SOAR, XDR, and NDR can all draw from the same packet-level data to enable SOC and NOC teams to investigate incidents quickly and make confident, evidence-backed decisions.
Through the Fusion Partner Program, this capability is embedded directly into existing tools and workflows, enabling analysts to move seamlessly from detection to deep investigation without leaving their primary tools.
From alerts to evidence
Rather than replacing existing platforms, packet capture strengthens them by acting as a common evidence layer across the SOC and NOC stack. Whether an alert originates in a SIEM, an XDR platform, or a performance monitoring tool, analysts can pivot directly to packet-level data to see exactly what happened.
This is what the Fusion Partner Program is designed to enable. It integrates packet data directly into platforms like Microsoft Sentinel, Google SecOps, and Splunk, so analysts have definitive forensic evidence at their fingertips when they need it most. It is a simple idea, but it changes everything about how investigations are conducted.
AI is raising the bar for evidence
The rise of AI in security operations is accelerating this shift. AI can identify patterns, surface potential threats, and recommend actions, but those outputs still need validation. Without access to underlying network data, teams are relying on probability rather than proof.
Packet capture provides the validation layer that AI requires. It enables teams to confirm whether alerts are real, supports more accurate automated responses, and helps ensure that investigations are grounded in evidence.
At the same time, AI is making packet data more accessible. As AI-assisted investigation improves, teams no longer need arcane packet-wrangling skills to extract value from pcap data. AI-enabled investigation and automation tools can put relevant pcap evidence right at their fingertips. This accelerates investigations, removes a potential barrier to packet capture adoption, and broadens its relevance.
Compliance is making packet capture unavoidable
Regulation is another major force driving packet capture adoption. Across global frameworks and industry standards, organizations are being asked to collect more detailed telemetry, respond to incidents more quickly, and provide stronger evidence when required. Increasingly, these expectations point directly to full packet capture.
Research shows that regulatory bodies are either explicitly requiring packet capture or setting requirements that cannot realistically be met without it. For example, in the SANS whitepaper "Full Packet Capture as Strategic and Regulatory Imperative", author Matt Bromiley explains that some frameworks now mandate short retention windows for full packet data, while others emphasize comprehensive logging, forensic evidence preservation, and rapid incident reporting, requirements that implicitly depend on packet capture to be met.
Mandated packet capture requirements are already in place at the U.S. federal level. The U.S. government's OMB M-21-31 requires U.S. federal agencies to implement at least 72 hours of full packet capture (FPC) as part of baseline cybersecurity logging.
Many regulatory reporting timelines now also depend on forensic-grade network evidence. For example, under the EU’s NIS2 Directive, organizations must issue 24-hour early incident notifications and 72-hour full incident reports with detailed forensic evidence. These deadlines are nearly impossible to meet without full packet-level visibility, reinforcing full packet capture as a compliance enabler.
At the same time, best-practice cybersecurity standards such as NIST CSF and ISO 27001 are placing greater emphasis on continuous monitoring and the ability to reconstruct complete network activity, rather than relying on logs or sampled data alone. In practice, this means organizations need access to full packet data to meet both compliance and operational requirements.
This is being reinforced across major frameworks. Requirements for continuous monitoring, detailed logging, and rapid incident reporting all point toward the same conclusion: logs and sampled data are not enough on their own. Organizations need complete visibility into network activity to meet both operational and compliance expectations.
The result is a shift in mindset. Packet capture is no longer a nice-to-have. It is becoming table stakes for both security architecture and compliance strategy. Packet capture provides a single, authoritative source of network truth to support detection, investigation, response, reporting, and auditing, while also strengthening overall security posture.
The shift to evidence-based network security and performance ecosystems
The expansion of the Endace Fusion Partner Program is a clear signal of where the market is heading. As demand for packet-level visibility grows, more vendors are looking to integrate it into their platforms to enhance incident detection, investigation, and response.
2026 may well be remembered as the year organizations recognized the limits of detection without evidence. As that realization spreads, packet capture is becoming a foundational component of modern security operations architecture.
As we move forward, we’ll continue to see real operational impact and faster, more confident responses. Most importantly, decisions are based on what actually happened on the network, rather than assumptions or partial visibility. And increasingly, the ecosystem forming around packet capture will define how security operations evolve next.