Exports and reports

Whatever you find in Beacon, you usually need to get it out of Beacon and into a ticket, an email, a SIEM, or a board presentation. This page walks through the three export types and when to use each one.

Quick picker: CSV when a machine is going to read it. Executive PDF when a non-technical person is going to read it. IR Handoff PDF when another analyst is picking up the work.

CSV exports

A CSV is a comma-separated spreadsheet file that opens in Excel, Google Sheets, or anything that reads tables. It's also what most SIEMs, ticketing systems, and automation scripts want when you need to move data into them.

From the Detections view, click Export. You'll see two options:

  • All pairs. Every source/destination pair in the upload, scored or not. Useful for diffing against another tool's view of the same traffic.
  • All flagged pairs only. Just the rows that made Beacon's flagged list. Smaller and focused.

Both CSVs include these columns:

  • Source and destination IPs, ports, byte totals, session counts
  • Behavior score and severity
  • JA3, JA4, JA4H, and JA4X fingerprints, plus any known-bad matches
  • Destination ASN, organization name, country, reverse DNS
  • Threat-intel result for each feed (one column per provider)
  • Every severity modifier that applied, with direction (+ or −)
  • Your verdict (Malicious, Benign, or empty)
  • Any notes you've attached

Column names are lowercase with underscores (e.g. src_ip, ja4_hash) so they're safe to import into SQL or any automation pipeline without quoting.
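The following is an added example, not Beacon's own code: it loads an export into SQLite, checks the header against the lowercase-with-underscores convention before using the names as unquoted identifiers, and binds every cell value as a parameter. Only src_ip and ja4_hash are column names from this page; the other column names, the table name, and all sample rows are constructed assumptions.

```python
import csv
import io
import re
import sqlite3

# Constructed sample export. Only src_ip and ja4_hash are column names taken
# from this page; dst_ip, severity, verdict and notes are assumed names, and
# every value below is made up.
SAMPLE_CSV = (
    "src_ip,dst_ip,ja4_hash,severity,verdict,notes\n"
    '10.0.0.5,203.0.113.7,t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb,high,Malicious,"it\'s periodic, ~60s"\n'
    "10.0.0.9,198.51.100.4,t13d1516h2_cccccccccccc_dddddddddddd,low,,\n"
    "10.0.0.5,192.0.2.44,t13d1715h2_eeeeeeeeeeee_ffffffffffff,medium,Benign,known CDN\n"
)

TABLE = "pairs"  # hypothetical table name
# Lowercase letters, digits and underscores only: usable as a bare identifier.
IDENT = re.compile(r"[a-z][a-z0-9_]*\Z")


def load_export(csv_text, conn):
    """Create TABLE from the CSV header and insert every row; return row count."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    header = next(reader)
    # Identifiers cannot be bound as parameters, so verify them before they
    # are interpolated into the DDL. Anything unexpected aborts the import.
    if len(set(header)) != len(header) or not all(IDENT.match(h) for h in header):
        raise ValueError(f"unexpected column names in {header!r}")
    rows = list(reader)
    if any(len(r) != len(header) for r in rows):
        raise ValueError("row width does not match header")
    conn.execute(f"CREATE TABLE {TABLE} ({', '.join(h + ' TEXT' for h in header)})")
    # Cell values (notes, reverse DNS, ...) are free text: always bind them.
    marks = ", ".join("?" * len(header))
    conn.executemany(f"INSERT INTO {TABLE} VALUES ({marks})", rows)
    return len(rows)


def confirmed_malicious(conn):
    """Return (src_ip, dst_ip, ja4_hash) for rows the analyst marked Malicious."""
    sql = f"SELECT src_ip, dst_ip, ja4_hash FROM {TABLE} WHERE verdict = ?"
    return conn.execute(sql, ("Malicious",)).fetchall()


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load_export(SAMPLE_CSV, db), confirmed_malicious(db))
```

The unquoted-identifier guarantee covers column names only; values such as notes can contain commas and apostrophes, which is why they go through placeholders.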

Executive PDF

A short summary intended for someone who wasn't in the investigation with you, such as a director, a CISO, or a client sponsor. Runs one to three pages. Structure:

  • Summary. Upload window, total pairs scored, total flagged, count of confirmed-malicious pairs.
  • Key findings. Up to five of your confirmed-malicious pairs, each explained in plain English (no jargon; this page is written for a non-analyst).
  • Recommended actions. Suggestions derived from what was found: which IPs to block at the firewall, which endpoints to quarantine, what to hand off to IR.
  • Appendix. Full list of flagged pairs with severity, in case the reader wants depth.

Generated from the Reports page. Tier-gated at Hunter and above.

IR Handoff PDF

IR stands for incident response: the team or person who takes over after something is confirmed to be a real attack. This report is built for them. Technical, dense, everything needed to keep the investigation going without losing context.

Includes:

  • Confirmed-malicious pairs with all their evidence: fingerprints, intel, pattern summary, the full Explain-Why breakdown, your notes, and timestamps.
  • Indicators of compromise (IoCs). A clean list of the IPs, domains, JA3/JA4/JA4H/JA4X hashes, and certificate fingerprints involved, formatted so an IR platform or SIEM can ingest them directly.
  • Timeline. First-seen and last-seen timestamps for every pair.

Generated from the Reports page. Tier-gated at Hunter and above.

White-label reports (Partner tier)

If you're an MSSP (a security firm delivering services to other companies), you can replace the StryxlLabs branding on both PDFs with your own logo, colors, and firm name. Clients see your report, not ours.

Set this up once per workspace: Settings → Reports → White-label. Available on Partner plans only.

API access

Pulling reports and pair data programmatically (instead of clicking Export every time) is a Partner-plan feature. REST API documentation is coming. If you need it before then, email info@stryxllabs.com.