WaveNews
Product updates, technology insights, and news from Wavecrest Computing — the team behind Cyfin employee web use monitoring software.
Why Your Firewall Logs Don’t Actually Show What Employees Are Doing
If your IT team is pulling reports directly from your firewall logs and sending them to HR, there is something important you need to understand: those reports are almost certainly not showing you what you think they…
If your IT team is pulling reports directly from your firewall logs and sending them to HR, there is something important you need to understand: those reports are almost certainly not showing you what you think they are.
This is not a criticism of your IT team. It is a structural problem that goes all the way back to how the internet was built. Understanding it explains why investigating employee web activity is so much harder than it looks, and why the tools you choose to do it matter enormously.
A Quick History Lesson That Changes Everything
In the early days of the internet, before the web browser as we know it existed, every service on the internet had its own dedicated channel. Each was clearly separated and easy to identify:
- Web browsing used one channel
- Email used another
- File transfers used another
- Remote access used another
If you monitored network traffic in those days, you knew exactly what kind of activity generated it. The separation was clean.
Then the browser arrived and transformed everything. As internet use exploded, there was an urgent push to secure web communications. A single encrypted channel became the universal standard. Suddenly the vast majority of all internet communication was flowing through one pipe.
That shift created the foundation of the problem we are dealing with today.
When Everything Moved Into One Channel
As web-based applications took off, they naturally adopted the same communication structure built for websites. Online banking, cloud storage, collaboration tools, SaaS platforms all followed the same path. Why build something new when the existing infrastructure was already everywhere and already trusted?
The result is that today, a single channel carries an enormous mix of traffic: the websites your employees deliberately visit, the web applications your business relies on, and a long list of activity that has nothing to do with human behavior at all.
That last category is where the real problem lives.
The Traffic Nobody Talks About
Here is what is actually flowing through your network alongside your employees’ web activity, and what ends up recorded in your firewall logs:
- Operating system and software updates. Microsoft checks for Windows updates. Adobe verifies software licenses. Your endpoint security platform downloads new threat definitions. Every one of those actions generates network connections that get logged alongside everything else.
- Website trackers. Modern websites are embedded with dozens of third-party tracking scripts that continuously send usage data back to analytics platforms, advertising networks, and content delivery services. A single visit to a news website can silently generate hundreds of outbound connections in the background, none of which represent a deliberate action by your employee.
- Application background activity. Cloud applications, collaboration platforms, and business software regularly check in with their servers for updates, license validation, and performance data. This happens automatically, continuously, and invisibly throughout the workday.
None of this traffic reflects what an employee chose to do. But it all shows up in the firewall log, recorded exactly the same way as an intentional website visit.
The core problem in plain terms:
Your firewall has no way to distinguish between a connection your employee deliberately made and a connection their computer made automatically in the background. It logs them all the same way. A raw firewall report treats them all the same way. And that means any analysis built on raw firewall data is working with fundamentally flawed information.The Second Problem: How Firewalls Actually Log Web Activity
Even setting aside all of the background noise, there is a second fundamental issue with reading firewall logs directly.
Firewalls record network connections, not website visits. Those are not the same thing.
When one of your employees opens their browser and navigates to a single website, their computer may establish dozens or even hundreds of separate network connections to fully load that page. The text, images, stylesheets, fonts, and interactive elements of a modern website often come from multiple different servers and domain names. Each connection is logged individually.
So what HR sees when someone forwards them a raw firewall report is not a clean record showing that an employee visited ESPN. It is potentially 100 separate log entries with different domain names, different connection times, and different data volumes that together represent one single website visit. Without something to reconstruct those connections into a coherent browsing session, the data is essentially unreadable to anyone without deep technical expertise.
Asking a non-technical person in HR to draw conclusions from that is not just unhelpful. It creates a genuine liability risk. Disciplinary action taken on the basis of misread or misunderstood firewall data is exactly the kind of situation that leads to serious HR and legal complications.
Why Not Just Use a Screen Recording or Keystroke Tool?
It is a fair question. If the goal is to know what employees are doing online, why not use something that captures everything directly? Screen recordings and keystroke logging tools sound more thorough on the surface. And from a pure marketing standpoint, they often look impressive in a product demo.
The answer comes down to legal reality, and it is significant.
In U.S. case law, infrastructure logs including firewall logs are an accepted and well-established legal basis for businesses to monitor activity on company-owned networks and equipment. Employers have a recognized right to monitor how their infrastructure is being used, and properly generated firewall-based reports have consistently held up in workplace investigations, disciplinary proceedings, and litigation.
Screen capture and keystroke logging tools occupy very different legal territory. Depending on your state, your industry, and how those tools are deployed, using them can expose your organization to meaningful legal liability including privacy violation claims from employees. The requirements around disclosure and consent are considerably more complex, and any disciplinary action based on that type of monitoring is far more vulnerable to a legal challenge.
There is also a practical reality that rarely gets discussed openly: who is actually going to review the output? Consider what it means to capture screen recordings for an entire workforce. An hour of video per employee per day. Thousands of keystrokes to read through per person. The volume of data these tools produce is completely unmanageable at any realistic scale. They make for compelling product demonstrations. They do not make for workable investigation workflows.
The bottom line on alternative tools:
Firewall-based reporting done correctly gives HR exactly what they need: a clear, accurate, legally defensible record of what an employee did online, in a format anyone can read, generated in minutes rather than hours. The alternatives that appear to offer more actually deliver less, and at a substantially higher legal and operational cost.Why This Takes More Than a Report Template
Solving the firewall noise problem is not a matter of formatting the log data differently or applying a filter. It requires sophisticated software that can do several things simultaneously:
- Strip out all non-human background traffic before any analysis begins
- Reconstruct individual user browsing sessions from potentially hundreds of separate connection records
- Translate ambiguous technical domain names into recognizable website names that anyone can understand
- Present the results in a format that a non-technical person in HR or management can read, interpret, and act on
This is precisely what Cyfin was built to do, and why it required a dedicated team of developers to build it. The problem it solves is genuinely complex, even if the output looks simple. That simplicity is the entire point.
What This Means for HR and Management
If your organization is trying to investigate employee web activity using raw firewall reports, or any tool that has not specifically solved the noise and session reconstruction problem, you are working with data you cannot trust.
Reports that mix human activity with background noise will overstate what employees are actually doing online. Sessions that span dozens of log entries will be impossible to interpret without proper reconstruction. Any investigation built on that foundation, however well-intentioned, is built on information that will not hold up to scrutiny.
Accurate employee web investigations start with accurate data. Accurate data starts with understanding what firewall logs actually contain. And making that data usable for HR starts with a tool that was specifically designed for that purpose.
About Cyfin
Cyfin by Wavecrest Computing has been purpose-built for employee web use reporting and investigations since 1996. Our noise-filtering engine and session reconstruction technology transform raw firewall log data into clear, human-only reports that HR and management can read, understand, and act on independently, without needing IT to interpret the results.
https://www.wavecrest.net • 321-953-5351Monitoring Employee AI Usage: Reporting for AI Policy Compliance
Generative AI tools like ChatGPT, Copilot, Gemini, and Grok are now part of daily work. That creates a governance gap. HR and management set the AI policy, but without a clear view of how AI tools are actually being…
Generative AI tools like ChatGPT, Copilot, Gemini, and Grok are now part of daily work. That creates a governance gap. HR and management set the AI policy, but without a clear view of how AI tools are actually being used, there is no reliable way to know whether that policy is being followed. Cyfin by Wavecrest Computing gives HR and management that visibility from your existing firewall logs, with no software installed on employee devices.
Why employee AI usage needs oversight
Most organizations have written an AI acceptable use policy, or are about to. The harder part is enforcement. A policy you cannot measure is just a document. Common questions HR and management want answered include:
- Which AI tools are employees actually using, and are any of them outside policy?
- Is AI being used for personal tasks during work hours?
- Which departments rely on AI most, and where might training help?
- Are usage patterns creating risk that should be reviewed?
Without visibility into real usage, these stay guesses. Cyfin turns them into reportable facts.
What Cyfin shows you about employee AI use
Cyfin reads your existing firewall logs and produces noise-free, human-only reports focused on employee-initiated activity. For AI specifically, every Cyfin customer can see:
- Which AI tools are being used, identified by name through Cyfin’s Artificial Intelligence category
- Who is using them, across the organization by user and department
- How often each tool is used and how long sessions last
- Historical trends, so you can see whether usage is rising and where
This is usage reporting that HR and management can read and act on independently, without asking IT to interpret raw log data.
Can Cyfin see what employees type into AI tools?
It depends on your firewall. Cyfin’s standard reporting shows which AI tools employees use, how often, and for how long, but not the text they enter. Seeing what an employee actually submitted to an AI tool requires two things: a firewall that exposes AI-specific log fields, such as Palo Alto Networks with its AI visibility add-on, and SSL inspection enabled on that traffic. Where your firewall supports it, Cyfin can surface that deeper detail. Where it does not, you still get complete usage visibility.
Being straight about this matters. Usage-level reporting is what every customer gets and is enough to enforce most AI policies. Content-level visibility is an advanced capability that depends on your infrastructure.
How this helps HR and management
Cyfin is built for HR and management to run their own reviews:
- Enforce your AI policy. Compare actual usage against your acceptable use guidelines and follow up where needed.
- Support workplace investigations. Produce clear, dated records of AI tool use for a specific user or department.
- Target training. See which teams lean on AI and where guidance would help them use it well.
- Keep audit-ready records. Independent, readable reports that support policy decisions and reviews.
Because the reports filter out non-human background traffic, what you see reflects employee-initiated activity, not automated noise.
Works with the firewall you already have
Cyfin is agentless. There is nothing to install on employee devices, because it works from the log data your firewall already produces. It supports the major firewalls in use today, including Palo Alto Networks, Cisco, Fortinet, Check Point, and SonicWall, so it extends the investment you have already made rather than adding another endpoint tool to manage.
Get a clear view of AI use in your organization
You cannot enforce an AI policy you cannot measure. Cyfin gives HR and management the usage visibility to do it, from your existing firewall, without agents.
Learn more on our employee AI usage page, or request a sample AI usage report to see the format before you commit.
Cyfin by Wavecrest Computing has been purpose-built for employee web use reporting and investigations since 1996. Its noise-filtering engine turns raw firewall log data into clear, human-only reports that HR and management can read, understand, and act on independently. https://www.wavecrest.net • 321-953-5351
Cyfin: Employee Web Use Reporting and Investigations from Your Firewall Logs
Cyfin by Wavecrest Computing turns raw firewall log data into clear, human-only reports on employee web activity. HR and management can read those reports and act on them independently, without asking IT to interpret…
Cyfin by Wavecrest Computing turns raw firewall log data into clear, human-only reports on employee web activity. HR and management can read those reports and act on them independently, without asking IT to interpret the data. Cyfin is agentless, so it works from the log data your existing firewall already produces.
That is the whole product in three sentences. The rest of this post explains why it takes purpose-built software to do it, and what it means for the people who actually need the answers.
Why raw firewall reports do not answer HR’s questions
Every organization with a firewall already has web activity data. The problem is that the data was never built to answer the question HR is asking.
Firewalls log network connections. They do not log website visits, and the two are not the same thing. When an employee opens a single web page, their computer may make dozens or hundreds of separate connections to load it. Each one is recorded individually. On top of that, a large share of what a firewall logs was never a human decision at all. Software updates, license checks, security definition downloads, embedded trackers, and background application activity all flow through the same channel and get logged the same way as a deliberate visit.
So a raw firewall report handed to HR is not a record of what someone did. It is a mix of human activity and machine noise, spread across entries that require technical expertise to reassemble. Drawing conclusions from it is difficult at best. Taking disciplinary action based on it is a real liability risk.
What Cyfin does with that data
Cyfin was built specifically to solve that problem. It does several things before you ever see a report:
- Filters out non-human traffic. Background connections are removed before analysis begins, so the report reflects employee-initiated activity.
- Reconstructs browsing sessions. Individual connection records are assembled back into coherent sessions with real start times and durations.
- Translates domains into recognizable names. Ambiguous technical domain names become site names anyone can read.
- Categorizes activity. Web use is grouped into meaningful categories, including social media, streaming, shopping, news, and AI tools, so patterns are visible without reading individual URLs.
The output is a report a non-technical person can open, understand, and act on. That simplicity is the point, and it is what required a dedicated engineering effort to achieve.
Who this is for
HR. When a concern comes up about an employee’s web use, HR needs an accurate, readable, dated record. Cyfin produces reports HR can run and interpret without IT involvement, which keeps investigations moving and keeps them defensible.
Management. Managers need to know whether acceptable use policy is being followed and where patterns are shifting. Scheduled reports go directly to the managers responsible for those groups, restricted to the groups they are authorized to see.
IT. IT stops being the bottleneck. Instead of fielding ad-hoc report requests and explaining log data, IT configures Cyfin once against the existing firewall and grants managers reporting-only access. Cyfin supports the major firewalls in use today, including Palo Alto Networks, Cisco, Fortinet, Check Point, and SonicWall, so it extends infrastructure you already have.
Investigations and ongoing visibility
Cyfin supports two different workflows, and most organizations need both.
Ongoing visibility means scheduled reports and dashboards that show how web use trends over time across groups and departments. This is what makes an acceptable use policy meaningful rather than a document nobody verifies.
Investigations are targeted. When a specific concern arises, Cyfin can produce a detailed record for a single user over a defined period, with drill-down from a summary to the individual sessions and URLs behind it. Because the underlying data has already been filtered and reconstructed, what HR reviews reflects deliberate activity rather than background noise.
Generative AI tool usage
Employee use of generative AI is now part of the same conversation. Cyfin’s Artificial Intelligence category identifies AI platforms by name in reports, so you can see which tools are being used, by whom, how often, and for how long, and how that usage trends over time. That is the visibility most organizations need to enforce an AI acceptable use policy.
Seeing the actual text an employee submitted to an AI tool is a separate capability. It requires a firewall that exposes AI-specific log fields, such as Palo Alto Networks with its AI visibility add-on, and SSL inspection enabled. Where your environment supports it, Cyfin can surface that detail. Where it does not, you still get complete usage visibility. See our employee AI usage page for what applies to your firewall.
No agents on employee devices
Cyfin does not install software on endpoints. It reads the log data your firewall already generates. That means nothing to deploy or maintain on employee machines, no coverage gaps when someone uses a different device, and a monitoring approach that stays proportionate to the question being asked.
It is also worth noting why firewall-based reporting holds up. Infrastructure logs are a well-established basis for an employer to review activity on company-owned networks and equipment. Screen recording and keystroke capture tools sit in more complicated legal territory and generate volumes of data that no one realistically reviews. Accurate firewall-based reporting gives HR what it actually needs in a form it can use.
Getting an accurate picture
If your organization is reviewing employee web activity using raw firewall reports, you are working with data that overstates activity and obscures what actually happened. Accurate investigations start with accurate data, and accurate data starts with filtering out everything a human did not do.
See what Cyfin reports look like with your own firewall data. Start a free trial or request a sample report, no credit card required.
Cyfin by Wavecrest Computing has been purpose-built for employee web use reporting and investigations since 1996. Its noise-filtering engine and session reconstruction turn raw firewall log data into clear, human-only reports that HR and management can read, understand, and act on independently. https://www.wavecrest.net • 321-953-5351
Cyfin v9.7.1 – Powering Scalable Enterprise Web Monitoring
At Wavecrest, we empower enterprises to monitor user activity with speed and precision, no matter how complex their network. We’re excited to introduce Cyfin v9.7.1, a release that boosts our platform’s ability…
At Wavecrest, we empower enterprises to monitor user activity with speed and precision, no matter how complex their network. We’re excited to introduce Cyfin v9.7.1, a release that boosts our platform’s ability to process massive datasets from today’s firewalls and gateways. With enhanced performance and trusted accuracy, Cyfin v9.7.1 delivers scalable web monitoring for businesses of all sizes.
Scalability for Expanding Networks
As network data surges, enterprises need monitoring solutions that keep up. Cyfin v9.7.1 delivers powerful performance upgrades, building on our expertise in supporting global organizations. These improvements ensure fast, reliable insights, even in data-heavy environments.
Key enhancements include:
- Rapid Data Imports: Threading bulk inserts into our metric server accelerates processing of large log files, enabling seamless handling of enterprise-scale data.
- Streamlined Parsing: An optimized parser with pre-configured patterns and efficient visit analysis processes complex logs quickly while preserving accuracy.
- Faster Session Analysis: Threaded app lookups and a new timeout configuration speed up user activity reporting across your network.
These updates position Cyfin to tackle growing data demands with ease.
Precision You Can Rely On
Cyfin excels at delivering accurate user activity insights. With v9.7.1, refinements like improved doc ID handling and removal of outdated domain checks ensure your reports are dependable for productivity, security, and compliance.
Why Cyfin Leads the Way
Cyfin v9.7.1 is built to manage the rising tide of firewall and gateway data with efficiency and precision. Features like syslog SSL cert configuration by port add flexibility for enterprise needs. This release solidifies Cyfin’s place as a top solution for web monitoring.
Scale Without Limits
From small businesses to global enterprises, Cyfin v9.7.1 adapts to your network’s demands. Discover how Cyfin can elevate your monitoring—contact our team (mailto:support@wavecrest.net) or view the v9.7.1 release notes for more.
Thank you for choosing Wavecrest. Let’s drive your monitoring forward!
The Wavecrest Team
Introducing Our Latest Update: Artificial Intelligence Category for Cyfin and CyBlock
At Wavecrest Computing, we are committed to continually improving our products to keep pace with the ever-evolving digital landscape. Today, we are excited to announce a significant enhancement to our Cyfin and…
At Wavecrest Computing, we are committed to continually improving our products to keep pace with the ever-evolving digital landscape. Today, we are excited to announce a significant enhancement to our Cyfin and CyBlock products – the introduction of a new category: Artificial Intelligence.
What is the Artificial Intelligence Category?
As AI technologies become increasingly integral to various aspects of business and daily life, we recognized the need to provide our users with more precise and relevant categorization. Our new Artificial Intelligence category encompasses websites that employ AI technologies such as machine learning and deep learning to deliver human-like services.
This category includes platforms offering:
- Chatbots: Interactive AI-driven customer service tools.
- Productivity Tools: Applications designed to streamline workflow and boost efficiency using AI.
- Summarizers: Services that condense information into digestible summaries.
- Transcription Services: Tools that convert audio or video content into written text.
- No-Code Solutions: Platforms enabling users to build applications without programming knowledge, powered by AI.
- Multimedia Editing: Advanced AI-driven tools for editing images, videos, and audio.
Why This Update Matters
AI technologies are not just a trend; they are reshaping industries and transforming how we interact with digital content. By introducing this category, we aim to:
- Enhance Visibility: Provide detailed insights into how and when AI technologies are being utilized within your organization.
- Improve Management: Help IT administrators and management teams better understand and control the use of AI-based tools and services.
- Stay Current: Ensure that our product offerings are aligned with the latest technological advancements, offering you the most up-to-date solutions.
How It Works
The Artificial Intelligence category is meticulously designed to target sites that are actively hosting AI functionalities, rather than those merely providing information about AI. This distinction is crucial for organizations looking to manage and monitor the practical use of AI tools in their operations.
By leveraging our advanced categorization technology, Cyfin and CyBlock can now identify and report on AI-driven activities more accurately, providing you with a clear view of how AI technologies are impacting your network.
Continuous Improvement
This update is part of our ongoing commitment to enhance our products and provide our customers with the best possible tools for managing and understanding their web traffic. We are dedicated to adapting to the dynamic digital environment and ensuring that our solutions remain relevant and effective.
Stay tuned for more updates as we continue to innovate and expand our product capabilities. If you have any questions or need assistance with the new Artificial Intelligence category, our U.S.-based expert technical support team is always here to help.
Experience the Future of Web Filtering and Reporting with Wavecrest Computing
To learn more about our Cyfin and CyBlock products and how the new Artificial Intelligence category can benefit your organization, visit our website or contact our support team today.