Performance Benchmarks
Real numbers. Real conditions. Full security stack active. No features turned off to hit a headline number.
501K
Peak CPS
Synthetic stress test
Full stack active
Synthetic stress test
Full stack active
34K
Production CPS
Real adversarial traffic
46% CPU still idle
Real adversarial traffic
46% CPU still idle
503K
Peak EPS
Events per second
Enriched + stored
Events per second
Enriched + stored
171B
Events stored
26.94 GiB compressed
Sub-second queries
26.94 GiB compressed
Sub-second queries
2M
Concurrent sessions
Kernel conntrack
48% table utilization
Kernel conntrack
48% table utilization
0
Kernel packet drops
At 500K CPS
Zero loss threshold
At 500K CPS
Zero loss threshold
Why We Publish Two Numbers
Most vendors publish one number. We publish two — and explain the difference.
Vendor Datasheets
- Maximum rated capacity
- Synthetic lab traffic (clean, predictable)
- Advanced features often disabled to hit the headline
- The ceiling — what the appliance can do when pushed to its limit
PacketViper Production Benchmark
- 34,622 CPS measured under real adversarial traffic
- 294 source IPs across 91 countries
- Full security stack active throughout
- 46% CPU idle — this is the platform cruising, not its ceiling
When Palo Alto publishes 39,000 CPS for the PA-5250, that is the appliance at its limit — tested with most advanced features disabled. PacketViper’s 34,622 CPS is measured under full production load with deception, AMTD, geo-IP enrichment, and 2,301 threat intelligence ipsets all active. With 46% CPU idle, the platform has not been pushed to its ceiling. Estimated maximum capacity: 60,000+ CPS.
Connection Rate Comparison
PacketViper vs. published vendor datasheets. Conditions matter — read the footnotes.
| Platform | CPS | Conditions | Est. Price |
|---|---|---|---|
| PacketViper v2631 Production load | 34,622 | Real adversarial traffic, full stack active, 46% CPU idle | Commodity server |
| PacketViper v2631 Stress test | 501,496 | Synthetic SYN-flood, full stack active, zero drops | Commodity server |
| Palo Alto PA-5250 Vendor ceiling | 39,000 | Datasheet max, App-ID enabled. No deception, no AMTD. | $60K–$100K |
| Palo Alto PA-5260 Vendor ceiling | 68,000 | Datasheet max, App-ID enabled. No deception, no AMTD. | $100K–$150K |
| Palo Alto PA-7050 Vendor ceiling | 720,000 | Datasheet max, 4–6 NPC cards required. Chassis system. | $200K–$350K |
| Fortinet FG-600E Vendor ceiling | 90,000 | Datasheet max, hardware ASIC. No deception capability. | $30K+ |
| Fortinet FG-3700F Vendor ceiling | 280,000 | Datasheet max, NP7/CP9 ASIC. No deception capability. | $150K+ |
| Check Point Quantum 16200 Vendor ceiling | 435,000 | Datasheet max, RFC 3511 lab conditions. No AMTD. | $50K+ |
| Cisco Firepower 4115 Vendor ceiling | 848,000 | Datasheet max. With AVC enabled: 350,000 CPS. | $40K+ |
| Cisco Firepower 4145 Vendor ceiling | 1,500,000 | Datasheet max. With AVC enabled: 350,000 CPS. | $80K+ |
Reading this table correctly: Vendor numbers represent maximum rated capacity under lab conditions, typically with a subset of security features active. PacketViper’s production number (34,622 CPS) was measured under real adversarial internet traffic with the full security stack active. PacketViper’s stress test number (501,496 CPS) was measured with a synthetic SYN-flood generator on a 10 GbE link, full stack active, zero drops. Neither is a vendor-rated ceiling — both are measured results.
Sources:
• Palo Alto PA-5250 / PA-5260 / PA-7050: Palo Alto Networks PA-Series Datasheet
• Fortinet FG-600E / FG-3700F: Fortinet FortiGate Datasheets (FG-3700F PDF)
• Check Point Quantum 16200: Check Point Quantum 16200 Datasheet
• Cisco Firepower 4115 / 4145: Cisco Firepower 4100 Series Datasheet
• PacketViper v2631: PacketViper Engineering Benchmark Reports, March 2026 (v1.0 and v2.1)
Sources:
• Palo Alto PA-5250 / PA-5260 / PA-7050: Palo Alto Networks PA-Series Datasheet
• Fortinet FG-600E / FG-3700F: Fortinet FortiGate Datasheets (FG-3700F PDF)
• Check Point Quantum 16200: Check Point Quantum 16200 Datasheet
• Cisco Firepower 4115 / 4145: Cisco Firepower 4100 Series Datasheet
• PacketViper v2631: PacketViper Engineering Benchmark Reports, March 2026 (v1.0 and v2.1)
What Was Running During the Test
Every capability below was active and processing traffic during both benchmark measurements.
| Capability | PacketViper | PA-5250 | FG-3700F | CP Quantum 16200 | Cisco FPR-4145 |
|---|---|---|---|---|---|
| Stateful Firewall | Yes | Yes | Yes | Yes | Yes |
| Native Deception Technology | Yes — 44 profiles active | No | No | No | No |
| Automated Moving Target Defense | Yes — active rotation | No | No | No | No |
| Real-time Geo-IP (every packet) | Yes — 2,301 ipsets | Add-on | Add-on | Add-on | Add-on |
| Embedded Long-term Analytics | Yes — 171B events on-box | Requires Panorama/CDL | Requires FortiAnalyzer | Requires SmartEvent | Requires Stealthwatch |
| Passive Asset Discovery | Yes — agentless | No | No | No | No |
| Threat Intel Ipsets (included) | 2,301 active | Subscription required | Subscription required | Subscription required | Subscription required |
| Application-Layer Inspection | No | Yes — App-ID | Yes — IPS/IDS | Yes — APCL | Yes — AVC/Snort |
| SSL/TLS Decryption | No | Yes | Yes | Yes | Yes |
| Runs on commodity hardware | Yes | Dedicated appliance | Dedicated appliance | Dedicated appliance | Dedicated appliance |
PacketViper does not replace an NGFW for application-layer inspection or SSL decryption — those are different security problems. PacketViper excels at network-level deception, moving target defense, contextual enforcement, and OT environments where agentless visibility and automated inline response matter more than deep packet inspection. The two approaches are complementary, not interchangeable.
Storage and Analytics Performance
171 billion events. On-box. Sub-second queries. No separate analytics appliance required.
| Metric | Value |
|---|---|
| Total events stored | 171 billion rows |
| Compressed disk usage | 26.94 GiB |
| COUNT query across 171B rows | < 0.1 seconds |
| Country aggregation across 171B rows | < 3 seconds |
| Real-time ingest rate (peak) | 503,427 events/second |
| Storage engine | PacketViper embedded analytics engine (on-appliance) |
Benchmark Methodology
Production Benchmark (March 6, 2026)
- Real internet traffic, 294 source IPs, 91 countries
- Adversarial traffic mix: TCP scans, UDP probes, ICMP
- Full security stack active throughout
- Measured via PacketViper analytics engine uniqExact 5-tuple counting
- RFC 9411 compliant methodology
- 34,622 CPS peak — 46% CPU idle
Stress Test Benchmark (March 18, 2026)
- Synthetic SYN-flood, 10 GbE, fully randomized 5-tuples
- Worst-case scenario: every packet is a new connection
- Full security stack active throughout
- Three consecutive 10-second intervals above 498K CPS
- Zero kernel packet drops at 500K CPS
- 501,496 CPS peak
Hardware: Intel Xeon Silver 4215R (8 cores / 16 threads @ 3.2 GHz), 62 GB DDR4, 10 GbE NIC, PacketViper v2631. Security stack during both tests: 341 mangle rules, 51 chains, 44 deception profiles, AMTD rotation active, 2,301 threat intelligence ipsets, real-time geo-IP enrichment on every event, embedded analytics engine active. Competitive note: Vendor CPS numbers sourced from published datasheets. Vendor numbers represent maximum rated capacity under lab conditions; PacketViper numbers represent measured results under full production security stack.
Datasheet sources (accessed March 2026): Palo Alto PA-Series • Fortinet FG-3700F • Check Point Quantum 16200 • Cisco Firepower 4100 Series
Datasheet sources (accessed March 2026): Palo Alto PA-Series • Fortinet FG-3700F • Check Point Quantum 16200 • Cisco Firepower 4100 Series
See It Live on Your Network
We run demos against real traffic. No synthetic slides. No marketing numbers.
Book a Demo