
SonicWall Capture ATP & RTDMI — Cloud Sandboxing for Zero-Day & Fileless Threats

Signatures only catch what is already known. SonicWall Capture ATP sends the unknown to a cloud multi-engine sandbox, and the patented RTDMI engine forces suspect code to reveal its weaponry in memory — so fileless, encrypted and zero-day attacks get caught before they ever reach a user. This lesson maps the whole flow, the RTDMI-vs-RFDPI distinction, and how to scope it sanely.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SonicWall Capture ATP and RTDMI (2026): why signatures alone miss zero-day and fileless attacks, how the cloud multi-engine sandbox submits and analyses unknown files, how the patented Real-Time Deep Memory Inspection engine catches evasive code, RTDMI vs RFDPI, and how Block Until Verdict plus Capture Security Center keep risky files away from users.

🎯 By the end you will be able to

Explain why signatures alone miss zero-day and fileless attacks, describe how Capture ATP submits and analyses unknown files in the cloud, say what RTDMI inspects and how it differs from RFDPI, and scope Block Until Verdict, reporting and DPI-SSL sensibly.

Pick where you want to start

1. Why signatures fail: zero-day and fileless threats have no signature yet.
2. How Capture ATP works: cloud multi-engine sandbox and the submission flow.
3. RTDMI: memory inspection, and RTDMI vs RFDPI.
4. Verdict & scoping: Block Until Verdict, reporting, DPI-SSL.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can a signature scanner catch a brand-new, never-seen-before threat?

Answered in Why signatures fail.

2. Where does Capture ATP actually analyse a suspicious file?

Answered in How Capture ATP works.

3. What does RTDMI inspect to catch evasive malware?

Answered in RTDMI.

Most engineers think…

Most people assume a next-gen firewall with gateway antivirus already stops everything — 'it scans files, so we are covered'. That mental model breaks the moment a brand-new (zero-day) or fileless attack arrives, because there is no signature to match.

SonicWall splits the job in two. The on-box RFDPI engine scans flowing traffic for known threats at line rate. Anything unknown is forwarded to Capture ATP, a cloud multi-engine sandbox, where the patented RTDMI engine forces the code to reveal itself in memory — beating the encryption, obfuscation and delayed-execution tricks that fool ordinary sandboxes. Understanding 'known on-box vs unknown in the cloud' is exactly what an interviewer is listening for.

① Why signatures alone fail — and where Capture ATP fits

A traditional gateway scanner works by signatures: it compares a file against a list of known-bad patterns. That is fast and accurate for malware the world has already seen — but it has a fatal blind spot. A zero-day attack has no signature yet, and a fileless attack may never write a file to scan at all.

SonicWall splits detection into two layers. The on-box RFDPI engine handles the known — gateway AV, IPS and app control on flowing traffic. When a file is unknown or suspicious, RFDPI hands it to Capture ATP, the cloud sandbox, which handles the unknown. The interview line: signatures catch what we already know; Capture ATP exists to catch what we don't.

Figure 1 — Known vs unknown — the two-layer split
Inspect (RFDPI on flowing traffic) ▸ Known? (signature match = block) ▸ Unknown (no signature yet) ▸ Escalate (send to Capture ATP) ▸ Verdict (clean or malicious)
RFDPI catches what we already know on-box; anything unknown is escalated to the Capture ATP cloud sandbox.
Quick check · Q1 of 10 · Understand

Why can a signature-only scanner miss a zero-day attack?

Correct: b. Signatures match known-bad patterns. A zero-day is brand-new, so no signature exists yet and the scanner has nothing to match — which is exactly the gap Capture ATP fills by detonating the unknown.
👉 So far: Signatures catch only the known; zero-day and fileless attacks have no signature yet. Capture ATP exists to catch the unknown — RFDPI handles known on-box, Capture ATP handles unknown in the cloud.

② How Capture ATP works — the cloud multi-engine sandbox

Capture ATP (Advanced Threat Protection) is a cloud-based, multi-engine sandbox. The firewall does not detonate files itself; instead it extracts a suspicious file from the traffic it is already inspecting and submits it to the SonicWall Capture cloud. There, several analysis engines run in parallel — a virtualised sandbox plus RTDMI — and reach a consensus verdict of clean or malicious.

The submission flow

The path is: RFDPI flags an unknown file ▸ the firewall forwards it to the Capture cloud ▸ the engines detonate and observe it ▸ a verdict and a detailed report come back. Coverage spans PE/EXE, Office documents, PDFs, archives and scripts, i.e. the file types attackers actually weaponise; only the file types you put in scope are submitted, so a type left out of scope is delivered without analysis. Identical files seen later are matched by hash and answered from the verdict cache without being re-detonated.
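To make the known-on-box / unknown-in-the-cloud split concrete, here is an added example (illustrative Python, not SonicWall code) that simulates the gateway's decision for each download: a known-bad hash is blocked on the spot, an out-of-scope type is delivered without submission, a first-seen in-scope file is submitted and, with Block Until Verdict on, held until the simulated cloud answers, and a repeat of the same file is answered from the verdict cache. The hash list, the magic-byte scoping table, the sample files and the `fake_cloud` callable are constructed assumptions; real Capture ATP scoping and verdicts are configured in, and produced by, the product.

```python
"""Simulation of the gateway decision flow described in the lesson.
Added illustration, not SonicWall code. Every list and sample below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the on-box signature match (RFDPI / gateway AV).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ\x90\x00known-bad-sample").hexdigest()}

# Constructed stand-in for Capture ATP file-type scoping, keyed on magic bytes.
IN_SCOPE_MAGIC = {
    b"MZ": "pe",                    # Windows PE/EXE
    b"%PDF": "pdf",
    b"PK\x03\x04": "office/zip",    # OOXML (.docx/.xlsx) and archives share the ZIP container
    b"\xd0\xcf\x11\xe0": "ole",     # legacy Office (.doc/.xls)
}


@dataclass
class Gateway:
    block_until_verdict: bool = True
    verdict_cache: Dict[str, str] = field(default_factory=dict)  # sha256 -> "clean" | "malicious"
    submitted: List[str] = field(default_factory=list)           # hashes actually sent to the cloud

    @staticmethod
    def file_type(data: bytes) -> Optional[str]:
        for magic, kind in IN_SCOPE_MAGIC.items():
            if data.startswith(magic):
                return kind
        return None

    def inspect(self, data: bytes, cloud: Callable[[str], str]) -> Tuple[str, str]:
        """Return (action, reason). `cloud` stands in for the Capture ATP sandbox: sha256 -> verdict."""
        digest = hashlib.sha256(data).hexdigest()
        # 1. Known: signature match on-box, blocked at line rate, nothing leaves the firewall.
        if digest in KNOWN_BAD_SHA256:
            return "block", "known signature"
        # 2. Unknown but out of scope: never submitted, delivered as-is.
        kind = self.file_type(data)
        if kind is None:
            return "allow", "unknown type, out of scope (not submitted)"
        # 3. Seen before: the cached verdict answers immediately, no hold.
        if digest in self.verdict_cache:
            verdict = self.verdict_cache[digest]
            return ("block" if verdict == "malicious" else "allow"), f"cached verdict: {verdict} ({kind})"
        # 4. First sight: submit to the cloud. Without Block Until Verdict the user gets the
        #    file now and the verdict only protects the next download of the same hash.
        self.submitted.append(digest)
        if not self.block_until_verdict:
            self.verdict_cache[digest] = cloud(digest)
            return "allow", f"submitted, delivered before verdict ({kind})"
        verdict = cloud(digest)  # the gateway holds the file here until the cloud replies
        self.verdict_cache[digest] = verdict
        return ("block" if verdict == "malicious" else "allow"), f"held until verdict: {verdict} ({kind})"


# Constructed sample downloads.
INVOICE = b"PK\x03\x04" + b"constructed invoice.docx with a macro"
NOTES = b"constructed plain-text notes"
KNOWN_BAD = b"MZ\x90\x00known-bad-sample"


def fake_cloud(digest: str) -> str:
    """Constructed verdict oracle: only the invoice is judged malicious."""
    return "malicious" if digest == hashlib.sha256(INVOICE).hexdigest() else "clean"


def demo(block_until_verdict: bool = True) -> Tuple[Gateway, List[Tuple[str, str]]]:
    gw = Gateway(block_until_verdict=block_until_verdict)
    results = [gw.inspect(f, fake_cloud) for f in (KNOWN_BAD, NOTES, INVOICE, INVOICE)]
    return gw, results


if __name__ == "__main__":
    for buv in (True, False):
        gw, results = demo(buv)
        print(f"Block Until Verdict = {buv}")
        for action, reason in results:
            print(f"  {action:5s} {reason}")
```

Run it twice, once with the hold on and once off: with the hold on, the first sight of the invoice is blocked; with it off, the first user receives the invoice and only the second download of the same hash is blocked from cache. That is the "slight delay on first sight" trade-off the lesson describes, and the out-of-scope notes file shows why file-type scope matters: it is never submitted at all.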

Figure 2 — The Capture ATP file-submission flow
Extract (file pulled from traffic) ▸ Submit (to the Capture cloud) ▸ Detonate (multi-engine sandbox) ▸ Verdict (clean / malicious) ▸ Report (in Security Center)
A suspicious file is extracted, submitted to the cloud, detonated across engines, and a verdict plus report come back.
☁️ Capture ATP: SonicWall's cloud-based, multi-engine sandbox. The firewall submits unknown files; several engines analyse them in parallel and return a clean-or-malicious verdict.

🧠 RTDMI: Real-Time Deep Memory Inspection, the patented engine that watches code in memory in real time, catching fileless, encrypted and zero-day threats that fool ordinary sandboxes.

⏸️ Block Until Verdict: Holds a first-seen download at the gateway until the cloud verdict returns, so a risky file never reaches the user before analysis. Slight delay on first sight only.

🔎 RFDPI: Reassembly-Free Deep Packet Inspection, the on-box, single-pass engine that scans flowing traffic for known threats. Different layer from RTDMI: known vs unknown.

Say 'cloud sandbox', not 'firewall scans it'

In an interview, be precise: the firewall does not detonate files itself — it extracts the unknown file and submits it to the Capture cloud, where multiple engines analyse it in parallel. The on-box job is RFDPI; the detonation job is the cloud.

Quick check · Q2 of 10 · Remember

Where does Capture ATP actually detonate and analyse a suspicious file?

Correct: a. Capture ATP is a cloud-based, multi-engine sandbox. The firewall extracts the file and submits it to the Capture cloud, where several engines analyse it in parallel and return a verdict.
👉 So far: Capture ATP is a cloud multi-engine sandbox. The firewall extracts a suspicious file, submits it to the Capture cloud, multiple engines detonate it in parallel, and a verdict plus report come back.

③ RTDMI — memory inspection, and RTDMI vs RFDPI

RTDMI (Real-Time Deep Memory Inspection) is SonicWall's patented engine at the heart of Capture ATP. Instead of only watching a file's actions in a sandbox, it inspects what the code does in memory, in real time. That forces malware to reveal its weaponry the instant it executes — so it catches fileless attacks, encrypted and obfuscated malware, zero-day exploits, side-channel attacks and weaponised Office/PDF documents that slip past ordinary sandboxes. Crucially, RTDMI complements the older sandbox engines; it does not replace them.

RTDMI is not RFDPI

A classic interview trap. RFDPI (Reassembly-Free Deep Packet Inspection) is the on-box, single-pass engine that scans flowing traffic for known threats. RTDMI is the cloud memory-inspection engine that detonates the unknown. RFDPI asks 'do I already know this is bad?'; RTDMI asks 'this is unknown — what does it actually do?'

Figure 3 — RTDMI vs RFDPI
RTDMI (cloud): inside the Capture ATP cloud; inspects code in memory; catches zero-day / fileless; detonates the unknown.
RFDPI (on-box): runs on the firewall; single-pass packet scan; signature / AV / IPS; catches the known.
The classic distinction: a cloud memory engine for the unknown versus an on-box single-pass engine for the known.

Figure 4 — What RTDMI catches
RTDMI memory inspection ▸ fileless attacks, encrypted malware, zero-day exploits, side-channel, malicious Office, weaponised PDFs.
Memory inspection in real time exposes the evasive threats that fool ordinary sandboxes.
Don't confuse RTDMI with RFDPI

RFDPI is the on-box, single-pass engine for known threats; RTDMI is the cloud memory-inspection engine for unknown ones. Saying 'RTDMI scans packets on the firewall' is the classic wrong answer. Known on-box vs unknown in the cloud.
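Here is an added example (illustrative Python, not SonicWall's engine and not a description of how RTDMI works internally) of the evasion this section is about: the same byte signature is run once over a file as it sits on disk and once over the buffer the file decodes itself into at run time. The signature, the toy XOR packer and the sample stager command are all constructed for the example.

```python
"""Why a static signature misses a packed payload that a memory view exposes.
Added illustration; the packer, signature and payload are constructed."""
import re
from typing import Dict, List

# Constructed signature, standing in for a gateway AV/IPS rule: an encoded-command stager.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "toy_stager": re.compile(rb"powershell(\.exe)?\s+-enc\s", re.IGNORECASE),
}


def scan(blob: bytes) -> List[str]:
    """Static signature scan over a byte buffer; returns the names of the rules that match."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(blob)]


def pack(payload: bytes, key: int) -> bytes:
    """Toy 'packer' (constructed): a header, a one-byte key, then the XOR-encoded payload.
    On disk the real command never appears in clear, so a byte signature has nothing to match."""
    return b"PACKED\x00" + bytes([key]) + bytes(b ^ key for b in payload)


def unpack_in_memory(blob: bytes) -> bytes:
    """What the unpacking stub has to do at run time: decode the payload into a memory buffer.
    This is the moment a memory inspector sees the weaponry, whatever the file looked like."""
    if not blob.startswith(b"PACKED\x00"):
        raise ValueError("not a packed blob")
    key = blob[7]
    return bytes(b ^ key for b in blob[8:])


# Constructed stager command; the base64 tail is filler, not a real script.
SAMPLE_PAYLOAD = b"powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"


def on_disk_vs_memory(packed: bytes) -> Dict[str, List[str]]:
    """Compare a scan of the stored bytes with a scan of the buffer after unpacking."""
    return {"on_disk": scan(packed), "in_memory": scan(unpack_in_memory(packed))}


def demo() -> Dict[str, List[str]]:
    return on_disk_vs_memory(pack(SAMPLE_PAYLOAD, 0x5A))


if __name__ == "__main__":
    print(demo())  # on_disk: no match; in_memory: toy_stager
```

The on-disk scan returns nothing because every byte a file scanner can see is encoded; the in-memory scan matches because execution has to produce the real payload. That is the gap memory inspection closes, and it is also why a sandbox that only watches disk writes, or gives up before a delayed stub runs, can miss the same sample.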

▶ Watch an unknown download get held, detonated and blocked

How one HTTPS download is inspected end-to-end on the healthy path.

① Download: A user in Hyderabad downloads an unknown invoice document over HTTPS through the SonicWall firewall.
② Decrypt + scan: DPI-SSL decrypts the HTTPS stream; RFDPI scans it, finds no known signature, and flags the file as unknown.
③ Submit + detonate: The firewall holds the file (Block Until Verdict) and submits it to Capture ATP, where RTDMI and the sandbox engines inspect its behaviour in memory.
④ Verdict + block: Capture ATP returns 'malicious'; the held download is blocked and the report appears in Capture Security Center.
Quick check · Q3 of 10 · Analyze

What makes RTDMI catch evasive malware that a normal sandbox misses?

Correct: c. RTDMI's Real-Time Deep Memory Inspection forces code to reveal its weaponry in memory as it executes, defeating encryption, obfuscation and delayed-execution tricks that fool a conventional sandbox.
👉 So far: RTDMI = patented Real-Time Deep Memory Inspection in the cloud, catching fileless/encrypted/zero-day code by watching memory. RFDPI = on-box single-pass engine for known threats. Unknown vs known.

④ Block Until Verdict, reporting & sane scoping

Analysis takes a moment, so what happens to the file meanwhile? Block Until Verdict tells the gateway to hold a first-seen file at the firewall until the cloud returns its verdict, so nothing risky reaches the user before it has been analysed. The trade-off is a slight delay the first time a file is seen; later identical files are answered instantly from cache. Note the precondition: the gateway can only hold a file it has extracted, so an HTTPS download without DPI-SSL, or a file type outside the submission scope, is never held at all.

Read it, then scope it

Verdicts and per-file analysis reports appear in Capture Security Center, SonicWall's cloud portal, and the same intelligence ties in with Capture Client on the endpoint. Two scoping rules matter: pick sensible file types to submit, and turn on DPI-SSL — because most downloads are HTTPS, and without decryption the firewall only sees encrypted bytes and can never extract the file to submit it.

Figure 5 — What Capture ATP needs to work
Capture ATP license (the service must be licensed and enabled) · DPI-SSL on (decrypt HTTPS so files can be extracted) · Block Until Verdict (hold first-seen files until the cloud replies)
Three things must line up before a download can be held and analysed.

Priya at a Hyderabad fintech faces this

A finance user opens a macro-laden invoice .docx downloaded over HTTPS and the endpoint later beacons out — even though Capture ATP is licensed and 'enabled'.

Likely cause

DPI-SSL is off, so the firewall only saw encrypted bytes and never extracted the document to submit it to Capture ATP — the file was never analysed.

Diagnosis

In Capture Security Center the document has no analysis record at all (proof it was never submitted); on the firewall, DPI-SSL client inspection is disabled for outbound HTTPS.

Firewall ▸ DPI-SSL ▸ Client Inspection + Capture ATP ▸ File Types & Settings
Fix

Enable DPI-SSL client inspection with a sane bypass list (banking/health), confirm Office docs are in the Capture ATP file-type scope, and turn on Block Until Verdict so first-seen files are held.

Verify

Re-download a known-suspicious test file over HTTPS — the firewall holds it, RTDMI returns a malicious verdict, the download is blocked, and the per-file report now appears in Capture Security Center.

Prove it from Capture Security Center

Never assume a file was checked. Capture Security Center shows the per-file verdict and analysis report. If a download has no record there, it was never submitted — usually because DPI-SSL was off or the file type was out of scope.
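The diagnosis above amounts to a join: every in-scope download should have an analysis record, and any that does not was never submitted. Here is an added example (illustrative Python, not a SonicWall tool) that runs that join over two constructed exports: a merged download log (user, URL, hash, scheme and whether the gateway decrypted the session) and a sandbox verdict list keyed by hash. The column names, the extension list used for scope and the rows themselves are assumptions made for the example; real Capture Security Center and firewall exports have their own fields.

```python
"""Find in-scope downloads that have no sandbox verdict, and say why.
Added illustration; both CSV exports below are constructed."""
import csv
import io
from typing import Dict, List

# Constructed merged download log: endpoint-visible download events joined with the
# gateway's record of whether the HTTPS session was decrypted (dpi_ssl).
DOWNLOAD_LOG = """\
ts,user,url,sha256,scheme,dpi_ssl
2026-06-19T09:12:03,priya,https://vendor.example/invoice-4471.docx,aa11,https,no
2026-06-19T09:14:40,arun,http://mirror.example/tool.exe,bb22,http,n/a
2026-06-19T09:20:15,priya,https://files.example/report.pdf,cc33,https,yes
2026-06-19T09:25:02,meena,https://cdn.example/notes.txt,dd44,https,yes
2026-06-19T09:30:11,arun,https://share.example/budget.xlsx,ee55,https,yes
"""

# Constructed sandbox verdict export: one row per file the cloud actually analysed.
VERDICT_LOG = """\
sha256,verdict,engine
bb22,clean,sandbox
cc33,malicious,rtdmi
"""

# Constructed stand-in for the Capture ATP file-type scope.
IN_SCOPE_EXT = (".exe", ".dll", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip", ".jar")


def load(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def find_unsubmitted(download_log: str = DOWNLOAD_LOG,
                     verdict_log: str = VERDICT_LOG) -> List[Dict[str, str]]:
    """Return in-scope downloads with no analysis record, each tagged with the likely cause."""
    verdicts = {row["sha256"]: row for row in load(verdict_log)}
    gaps = []
    for row in load(download_log):
        path = row["url"].split("?", 1)[0].lower()
        if not path.endswith(IN_SCOPE_EXT):
            continue  # out of scope: not submitted by design, so no record is expected
        if row["sha256"] in verdicts:
            continue  # analysed: a record exists
        if row["scheme"] == "https" and row["dpi_ssl"] != "yes":
            cause = "session not decrypted (DPI-SSL off or bypassed): file never extracted"
        else:
            cause = "visible to the gateway but no record: check file-type scope and license"
        gaps.append({"user": row["user"], "url": row["url"],
                     "sha256": row["sha256"], "cause": cause})
    return gaps


if __name__ == "__main__":
    for gap in find_unsubmitted():
        print(f"{gap['user']:6s} {gap['url']}\n       {gap['cause']}")
```

The invoice that Priya opened shows up with the first cause (the session was never decrypted, so the firewall had nothing to submit), while the decrypted spreadsheet with no record points at scope or licensing. Either way the absence of a record is the evidence; a file with a verdict row was analysed, a file without one was not.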

Quick check · Q4 of 10 · Apply

Files download fine but Capture ATP never analyses anything over HTTPS. The most likely cause?

Correct: d. Without DPI-SSL the firewall cannot decrypt HTTPS, so it never sees the file to extract and submit. Turn on DPI-SSL (with a sane bypass list) so Capture ATP receives the file.
👉 So far: Block Until Verdict holds a first-seen file until the cloud replies; verdicts and reports live in Capture Security Center. It needs the Capture ATP license and DPI-SSL on to extract files from HTTPS.


📝 Wrap-up assessment — six more

Questions 1 to 4 were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Capture ATP is best described as…

Correct: a. Capture ATP runs in the SonicWall Capture cloud, where several engines analyse submitted files in parallel. The firewall extracts and submits; the cloud detonates and decides.
Q6 · Understand

What does RTDMI stand for, and what does it inspect?

Correct: b. RTDMI is Real-Time Deep Memory Inspection — the patented engine that observes what code does in memory in real time, exposing evasive, fileless and zero-day behaviour.
Q7 · Analyze

Which statement correctly distinguishes RTDMI from RFDPI?

Correct: c. RFDPI is the on-box, single-pass engine for known threats; RTDMI is the cloud memory-inspection engine for unknown ones. Known on-box vs unknown in the cloud.
Q8 · Apply

A first-seen file must not reach the user before it is analysed. Which feature ensures that?

Correct: d. Block Until Verdict holds the first-seen file at the gateway until the cloud verdict returns. Signatures alone cannot catch the unknown, and DPI-SSL bypass would do the opposite.
Q9 · Evaluate

Capture ATP is licensed and enabled, yet HTTPS downloads are never analysed. The best fix?

Correct: b. Without DPI-SSL the firewall only sees encrypted bytes and cannot extract files to submit. Enabling DPI-SSL (with a sensible bypass list) lets Capture ATP receive and analyse the files.
Q10 · Evaluate

Why is RTDMI described as complementing, not replacing, the older sandbox engines?

Correct: c. RTDMI adds real-time memory inspection as an extra engine within Capture ATP, widening coverage to fileless/encrypted/zero-day threats while the virtualised sandbox engines keep running in parallel.

🧠 In your own words

Type one line: in your own words, why does Capture ATP exist if the firewall already has gateway antivirus? Then compare with the expert version.

Expert version: Because gateway antivirus (part of RFDPI) only catches the known — it matches signatures, so a brand-new zero-day or a fileless attack with no signature sails straight through. Capture ATP exists to catch the unknown: the firewall extracts a suspicious file and submits it to a cloud multi-engine sandbox, where the patented RTDMI engine watches what the code actually does in memory in real time. Block Until Verdict holds the file until the cloud answers, and the verdict and report land in Capture Security Center. Known on-box (RFDPI) plus unknown in the cloud (Capture ATP + RTDMI) is the complete picture.


📖 Glossary

Capture ATP
SonicWall's cloud-based, multi-engine sandbox. The firewall submits unknown files; several engines analyse them in parallel and return a clean-or-malicious verdict.
RTDMI
Real-Time Deep Memory Inspection — the patented cloud engine that watches code behaviour in memory in real time to catch evasive, fileless and zero-day threats.
RFDPI
Reassembly-Free Deep Packet Inspection — the firewall's on-box, single-pass engine that scans flowing traffic for known threats (AV/IPS/app control).
Sandbox
An isolated environment where a suspect file is detonated and observed safely so its behaviour can be judged clean or malicious.
Block Until Verdict
A gateway feature that holds a first-seen file at the firewall until the cloud verdict returns, so a risky file never reaches the user pre-analysis.
Zero-day
A brand-new threat with no existing signature, so signature-only tools cannot recognise it — exactly what cloud sandboxing targets.
Fileless malware
Malicious code that runs in memory without writing a file to disk, evading file-based scanners — a key thing RTDMI's memory inspection catches.
DPI-SSL
Deep Packet Inspection of SSL/TLS — decrypts HTTPS so the firewall can inspect and extract files to submit to Capture ATP.
Capture Security Center
SonicWall's cloud portal where Capture ATP verdicts and per-file analysis reports appear and policy is managed.
Capture Client
SonicWall's endpoint agent that extends the same threat intelligence to the device for a coordinated network-plus-endpoint defence.


What's next?

Capture ATP can only analyse a file if the firewall can see it — and most downloads are encrypted. Next, go deep on DPI-SSL: client and server TLS inspection, how the firewall decrypts and re-signs traffic, and the bypass lists that keep it safe and legal.