Advanced Search


Fingerbank is a suite of tools for the identification of networking devices based on their network fingerprints.


FingerBank uses a database of millions of DHCP, TCP, DNS, and other traffic fingerprints to identify nearly 35,000 classes of devices and provide anomaly detection based on observed device behavior, such as IoT device network visits, which can be useful in the development of Zero Trust infrastructures. Fingerbank Profiling encompasses the following:

  • Client change detection (specifies when to trigger a device class change alert)
  • Combinations of fingerprint specifications
  • Device types
  • DHCP fingerprints
  • DHCP vendors and versions.
  • DHCPv6 fingerprints
  • DHCPv6 enterprises
  • MAC vendors
  • User agents
Device identification

A device fingerprint can be used for various applications. For instance, it can be used by Network Access Control (NAC) solutions to grant specific network access authorization, based on device type. This means that networks systems can be taught to differentiate between, for example, gaming consoles and laptops, and adjust their access rights based on which device group they belong to.

Anomaly detection

Fingerbank can distinguish between normal and anomalous behavior of devices in the network. Through continuous data mining, the Fingerbank technology can extract common patterns from networking devices and raise alerts when it encounters abnormalities in their functioning.

Network layers
Multi-layer fingerprinting

When a device connects to a network, it exposes data on different layers of the networking stack. The Fingerbank Collector can construct a precise fingerprint of the device and use the Fingerbank Cloud API to identify the device.

Fingerbank Cloud API

The Fingerbank Cloud API (Application Programming Interface) is a closed-source, licensable SaaS device identification solution capable of tracking network device behavior patterns and detecting anomalies. The Fingerbank Cloud API can be integrated in any solutions requiring device identification or anomaly detection services.

It provides a RESTful API for device identification, tracking of network behavior patterns, and user management with authentication, authorization, and accounting services. Registered users can perform up to 300 requests per hour for free, and 1 million API requests per month are available for purchase via subscription at $250 monthly.


The Fingerbank Cloud API is based on the Kubernetes (also known as K8s) technology. The official version is hosted on the Google Compute Engine in multiple data centers in order to achieve low latency across various geographical locations.

Fingerbank Processor

The Fingerbank Processor is a device identification technology that powers the Fingerbank Cloud API. It is a rule-based engine that can be queried using a simple RESTful API. In contrast to the Fingerbank Cloud API, the Fingerbank Processor does not require Internet access and provides low latency response times.

It is suitable for integration in firewalls, WiFi controllers, L2/L3 switches, IPS/IDS and other solutions. Following integration, these systems can query a self-contained local service for any device identification needs and perform their own anomaly detection based on the network behavior patterns provided by the Fingerbank Processor.


The Fingerbank Processor is a self-contained software solution. It does not have any dependencies and has a low memory and CPU footprint. It can run on various architectures, including x86, amd64, ARM, MIPS, etc., and operating systems, including Linux, BSD, Windows, Mac OS X, Solaris, and more. Upon launch, the Fingerbank Processor loads all the device identification rules from the filesystem.

The Fingerbank Processor also provides a small HTTP service exposing its RESTful API for device identification and anomaly detection. The provided API is a subset of the Fingerbank Cloud API.


The Fingerbank Processor is a self-contained binary with no dependency, meaning that it can be embedded into third-party security and network solutions. It is a more basic version of the Fingerbank Cloud API with response times under 20 ms, making it suitable for carrier grade usage.

Fingerbank Collector

The Fingerbank Collector allows network and security vendors to integrate device fingerprinting and profiling technologies within their products. Firewalls, access points, WiFi controllers, switches, proxies, and other solutions can use the Fingerbank Collector to identify endpoints on networks.

These solutions can then apply network and security policies based on the device type. In addition, the Fingerbank Collector can detect anomalies by utilizing the Fingerbank Cloud API's network behavior patterns.


Like the Fingerbank Processor, the Fingerbank Collector is a self-contained software solution that has a low memory and CPU footprint and can operate in various architectures. The Fingerbank Collector captures multiple protocols upon launch. The Collector retains part of the data it deems significant (akin to MAC vendors, DHCP v4 fingerprint, TCP fingerprint, DNS OS update lists, etc.) in-memory.

After it is set up, the Fingerbank Collector can be queried over HTTP using a RESTful API in order to obtain endpoint details based on the IP or MAC address. During this process the Collector interacts with the public Fingerbank Cloud hosted by Inverse.

The Collector automizes data discovery and collection processes. It has access to the latest data from the public Fingerbank Cloud, which is continuously updated by thousands of PacketFence (an open-source network access control system) deployments worldwide.

Fingerbank SQLite3 Database

The Fingerbank SQLite3 database contains DHCP v4/v6 fingerprints, User-Agents, MAC vendors, combinations and derivations of devices. It is a few gigabytes in size and not suitable for embedding on routers, access points, or small equipment.

Combinations produced by the SQLite3 database are the result of the rules evaluation from the Fingerbank Cloud API; this database does not include its own identification rules. Moreover, unlike the Fingerbank Processor engine, the SQLite3 Database does not contain other identification attributes such as mDNS, uPNP, TCP signatures, and more.


The Fingerbank SQLite3 database is a self-contained database file based on the SQLite3 format.


The Fingerbank SQLite3 database has been developed for offline usage where performance is not prioritized (e.g. for reporting purposes).

Enterprise customers

Nokia, Adtran, Cisco, Mojo Networks, Meraki, Kaspersky, and Aruba Networks/HP are among Fingerbank's enterprise customers.




Further reading


Documentaries, videos and podcasts





Golden logo
Text is available under the Creative Commons Attribution-ShareAlike 4.0; additional terms apply. By using this site, you agree to our Terms & Conditions.