Antiy Labs Persistent Threat Detection System (PTD) is a network threat detection appliance deployed out-of-path via switch mirroring ports. It performs full-traffic capture and real-time analysis across multiple levels including packets, flows, sessions, files, protocol metadata, network behaviors, and file behaviors. PTD uses Antiy's AVL SDK antivirus engine, which includes a local virus database of 30 million virus signatures capable of detecting over 8 million virus samples. This enables identification of known malware including viruses, Trojans, and worms, while also supporting detection of unknown and advanced threats through dynamic analysis and behavior extraction. The system collects fine-grained metadata including IPs, domain names, URLs, files, and account information from network traffic. It supports protocol analysis, content restoration, and simulation execution of executable payloads to extract behavior characteristics. PTD employs a tagging and scenario-based detection approach, allowing custom detection rules to be built around a user's specific network infrastructure and business context. It tracks C&C channels, monitors pre-attack scan and detection activities, and supports lateral movement detection within internal networks. Traceability and forensic capabilities are provided through continuous threat tracking, regular threat tracking packages, and support for emergency forensics. PTD supports multiple deployment models: internet-facing (egress monitoring), intranet (internal switch mirroring), distributed (multi-branch environments), and linkage deployment with Antiy's Persistent Threat Analysis System (PTA) for enhanced file analysis and security situational awareness.