The previous four papers covered the problem, the technology, the market, and the mechanics. This one is about the reality of using Ignix day-to-day: what you'll see in the first two weeks, what patterns tend to emerge, how ROI actually materialises, and what the ongoing experience looks like. No sales language — just what we've seen in practice.
The first two weeks are the behavioural baseline period. Ignix is building its model of your network — learning what "normal" looks like before it can reliably identify what isn't. During this period, you'll typically receive early insights but the AI will be more cautious about flagging anomalies until it has sufficient data to calibrate.
Your firewall is configured to export NetFlow to Ignix. First flow data arrives within minutes. You'll receive a confirmation that data is flowing and an initial count of flow records received.
Within 48 hours, Ignix can begin producing its first inventory: which external services your network communicates with, how many distinct internal devices are active, and what the rough traffic volume profile looks like. You'll often see services you didn't know were in use.
After a full week of data, the AI has a working model of your normal weekday traffic. The first weekly summary report gives you a picture of your network's "normal" that most businesses have never seen before.
Two full weeks includes a complete weekday/weekend cycle and enough variation to distinguish normal fluctuations from genuine anomalies. Anomaly detection becomes significantly more precise from this point. Real-time alerting is now calibrated to your specific environment.
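To make the baseline period concrete, here is an added illustration (not Ignix's model or code) of why a detector stays quiet until each time slot has enough history. The weekday/weekend hourly slots, `MIN_SAMPLES`, `THRESHOLD`, the device address and the flow records are all assumptions constructed for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

MIN_SAMPLES = 4   # assumed: days of history a slot needs before it may alert
THRESHOLD = 6.0   # assumed: robust z-score above which a volume is flagged

def slot(device, ts):
    # Weekdays and weekends are baselined separately, per hour of day.
    return (device, ts.weekday() >= 5, ts.hour)

def build_baseline(flows):
    """flows: iterable of (timestamp, device_ip, bytes_out) records."""
    hourly = defaultdict(int)
    for ts, device, nbytes in flows:
        hourly[(device, ts.date(), ts.hour)] += nbytes
    baseline = defaultdict(list)
    for (device, day, hour), total in hourly.items():
        baseline[(device, day.weekday() >= 5, hour)].append(total)
    return baseline

def assess(baseline, device, ts, nbytes):
    history = baseline.get(slot(device, ts), [])
    if len(history) < MIN_SAMPLES:
        return "learning"          # too little data: stay cautious, do not alert
    med = median(history)
    mad = median([abs(v - med) for v in history])
    # Floor the spread so a perfectly flat history cannot divide by zero.
    spread = max(1.4826 * mad, 0.05 * med, 1.0)
    return "anomaly" if (nbytes - med) / spread > THRESHOLD else "normal"

def sample_flows(days, device="10.0.0.20"):
    """Constructed data: ~50 MB leaves the device at 02:00 every day."""
    start = datetime(2024, 1, 1, 2, 0)   # a Monday
    for d in range(days):
        half = 25_000_000 + (d % 3) * 500_000
        yield (start + timedelta(days=d), device, half)
        yield (start + timedelta(days=d, minutes=20), device, half)

if __name__ == "__main__":
    saturday = datetime(2024, 1, 20, 2, 30)
    for days in (7, 14):
        base = build_baseline(sample_flows(days))
        print(days, "days:", assess(base, "10.0.0.20", saturday, 2_000_000_000))
```

With one week of data the Saturday 02:00 slot has only two samples, so a 2 GB transfer is reported as still learning; with two weeks the same transfer is flagged.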
Across clients, certain categories of findings come up consistently. These aren't rare edge cases — they're typical for most business networks that haven't been monitored at this level before.
Every client we've onboarded has had cloud services in use that the business wasn't formally aware of. File-sharing platforms, AI tools, personal cloud storage, project management apps. In most cases these are benign — staff finding tools to do their jobs. But some carry data protection implications, and all carry risk if they're not part of your security policy.
Unusual volumes of data moving to or from legitimate services — Microsoft 365, accounting platforms, CRM systems — often at unexpected times. Usually benign (automated backups, batch processes), but occasionally pointing to something worth investigating.
CCTV cameras, smart printers, network switches, and access control systems that are generating traffic their owners didn't expect — often connecting to manufacturer cloud services for telemetry or updates, occasionally something more concerning.
Queries to newly registered domains, connections to domains that have changed ownership recently, or unusually high query volumes from specific devices. DNS is a common attack channel precisely because it's rarely monitored.
VPN connections or internal access outside normal working hours. Often legitimate — staff working late, automated processes. Sometimes worth a conversation. Occasionally something that needs immediate action.
The hours IT managers spend trying to understand "is this normal?" are replaced by a report that answers the question directly. Five minutes reading a weekly summary versus hours of log digging.
The most direct ROI: detecting a slow data exfiltration, a compromised device, or a shadow IT data leak before it becomes an incident. One avoided breach pays for years of monitoring.
Cyber Essentials, GDPR accountability, NIS2 — all require evidence of monitoring. Ignix reports double as compliance documentation, reducing audit overhead.
Harder to quantify, but consistently cited. Knowing that someone is watching — and that you'll hear about it within minutes if something looks wrong — changes how confidently you can operate.
The ROI calculation for most SMBs is straightforward. The average cost of a data breach for a small business in the UK is estimated at £8,000–£30,000 once you account for incident response, regulatory notification, customer communication, and operational disruption. Cyber insurance premiums are rising — and insurers are asking harder questions about what monitoring is in place. Ignix pays for itself if it catches one significant incident, or helps you avoid one premium increase.
Once the baseline period is complete, your ongoing experience with Ignix has two components: a regular summary report, and real-time alerts when something warrants immediate attention.
That's the typical weekly experience for a business where everything is broadly normal — two low-to-medium items worth a quick look, and clear confirmation that the things you'd most worry about are behaving as expected. It takes five minutes to read. Most weeks, that's all it takes.
Real-time alerts fire within minutes of a suspicious pattern being detected — not the next morning. The alert includes a plain-English description of what was seen, why it's unusual, what it might indicate, and what to do about it. You don't need to log into a dashboard or interpret raw data. The AI has already done that work.
In the vast majority of cases, Ignix requires no new hardware at all. You simply configure your existing firewall to export its NetFlow data to the Ignix collection platform. That's a settings change — not a purchase, not an installation, not a site visit.
We support all major business firewall platforms: Fortinet FortiGate, SonicWall, Palo Alto Networks, WatchGuard, MikroTik, Cisco, and others. If your firewall supports NetFlow, IPFIX, or sFlow export — which the vast majority of business-grade firewalls do — you're ready to go.
However, a small number of very old or entry-level firewalls don't support NetFlow export at all. If that's the case, we'll tell you straight away during the free assessment. We won't leave you hanging — we'll advise on the most cost-effective path forward. A popular option we often recommend is the MikroTik RB5009, a capable, reliable business router that costs a few hundred pounds and supports IPFIX natively. In most cases a firewall upgrade makes sense for reasons beyond Ignix anyway, but we'll only recommend it if it's genuinely necessary.
Across the five papers in this series, we've covered a lot of ground. The problem: most businesses are running blind, with tools that only catch known threats and no visibility into what's actually happening on their network. The solution: AI-powered NetFlow analysis that watches continuously, explains clearly, and alerts immediately when something warrants attention.
What we haven't talked about is risk. Because Ignix is designed so that there isn't any — at least not in trying it. Every new customer starts with a completely free 14-day assessment. We connect to your existing firewall (or advise on a simple upgrade if needed), run the exact same analysis described across this series, and deliver your first personalised reports within 48 hours. No commitment. No disruption. No cost.
You'll see exactly what your network is really doing — and whether any of the patterns we've described across these papers are present in your business. Most of the time the answer is "broadly fine, with a few things worth knowing about." Sometimes it's more significant. Either way, you'll know.
The question isn't whether your network is worth monitoring. Every business network is. The question is how long you're comfortable not knowing what's happening on it.