Three security start-ups will debut this week at the RSA Conference looking to make a mark in protecting enterprise customers against attack from inside and outside their organizations.

Intrusic is expected to unveil a server application called Zephon, which runs on FreeBSD. Zephon can find intruders invading compromised systems by copying and analyzing network traffic.

"Zephon is the name from the Old Testament - and John Milton's Paradise Lost - for the angel who guards heaven," says Intrusic CEO Bruce Linton. The angel Zephon touches a frog to reveal Satan. Intrusic's Zephon software is supposed to unmask hackers masquerading as insiders after successfully stealing the network credentials of employees or trading partners.

Zephon - which Intrusic co-founder and President Jonathan Bingham says is being installed at The Home Depot in Atlanta; Caritas Christi Health Care in Boston, a chain of six hospitals; and Mohegan Sun Casinos in Uncasville, Conn. - works by analyzing servers, desktops, applications and traffic flows.

Network activity "will seem complex and chaotic at first," Linton says. "But it's rare that a desktop will act as a server, for example. And there are certain ways a mail server should behave." Zephon is designed to zero in on a compromise and deliver that information to a management console. The software sells for roughly $150,000.

Intrusic has 12 employees, with security guru and @Stake founder Peiter "Mudge" Zatko the chief scientist. The company is funded with less than $1 million from venture firm Draper Fisher Jervetson plus undisclosed funding from the founders.

Privately funded Tablus is tackling the prickly problem of keeping sensitive corporate data from flying out via a network. The Tablus product, an appliance called Content Alarm, monitors outbound network traffic for sensitive content, says Jim Nisbet, founder and CEO.

"We have to make an analysis quickly when it's a question of proprietary source code or human resources document, for example," Nisbet says.

The Tablus Content Alarm, which starts at $29,000, works by having agent software on servers where there's sensitive data subject to restricted access. It tracks changes to that content, and Content Alarm recognizes when portions of it might be sent out of the network.