Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term AMP for Networks

Training Camp • Cybersecurity Glossary

What is AMP for Networks?

AMP for Networks is Cisco's network-based Advanced Malware Protection using sandboxing, file reputation, trajectory, and retrospective detection to catch threats over time.

Glossary > Threats, Malware & Attacks > AMP for Networks

AMP for Networks — AMP for Networks is Cisco's network-based Advanced Malware Protection using sandboxing

Understanding AMP for Networks

AMP for Networks (Advanced Malware Protection for Networks) is Cisco's network-based malware defense that inspects traffic crossing the network to detect, block, and continuously track malicious files. It targets advanced threats such as zero-day malware and targeted attacks that evade traditional signature-only defenses, and it is deployed on Cisco Firepower/Secure Firewall sensors. Cisco's broader AMP technology is now branded Cisco Secure Endpoint and Secure Malware Analytics.

It combines several detection methods. File reputation checks the cryptographic hash of files against Cisco Talos threat intelligence to block known-bad files instantly. Unknown files are sent to a sandbox for dynamic file analysis, where they are detonated to observe malicious behavior. File trajectory maps which hosts a file touched and how it spread across the network. Its hallmark capability is retrospective security: AMP keeps analyzing files after they pass, so if a file later proves malicious as new intelligence arrives, it retroactively alerts on every system that received it, closing the gap left by point-in-time scanning.

For security, this continuous model addresses a core weakness of conventional gateways, which make an allow/deny decision once at the moment a file crosses the perimeter and never reconsider. Because sophisticated malware can be unknown at first contact, retrospection and trajectory let defenders find and contain threats that initially slipped through, dramatically speeding detection and scoping during incident response. As a network control it complements endpoint protection, giving visibility into lateral movement and into devices that lack an agent.

For example, a user downloads an attachment that was clean against all known signatures, so AMP for Networks lets it through but records its hash and trajectory. Hours later Talos classifies that file's hash as malicious. AMP's retrospective alert fires, identifying the original user's host and three other machines the file later reached. The security team isolates those endpoints and remediates before the malware can establish persistence, catching an attack that a one-time gateway scan would have permanently missed.

Learn More About AMP for Networks:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →