Securing Enterprise Networks Using Traffic Tainting

Enterprise networks are vulnerable to attacks ranging from data leaks to the spread of malware to insider threats. Previous defenses have largely focused on securing hosts; unfortunately, when hosts are compromised, these defenses become ineffective. Rather than attempting to harden the host against every possible attack (which is impractical) or constraining the software that can run on a host (which is inconvenient), we place a small amount of trusted code on the host to assist with tracking the provenance of network traffic, moving the rest of the trust and function to the network. We present Pedigree, a system that tracks information flow across processes and hosts within a network by annotating traffic with taints that reflect the process that generated the traffic and the inputs that process has taken (we call this function traffic tainting). A tagger on the host annotates network traffic with information about the “taints” that the sending process has acquired. Network devices act as arbiters to take appropriate actions (e.g., blocking) based on the taints associated with the traffic and the enterprise network’s security policy. We have implemented Pedigree’s host-based tagger as a Linux kernel module and the arbiter using the OpenFlow platform. This demonstration presents a prototype deployment of Pedigree that identifies and prevents both sensitive data leaks and the spread of malware in a typical enterprise network setting. The demonstration will show that Pedigree can defend against these attacks without significant overhead at the host or the filtering device.
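The tagger/arbiter split described above, as a small added model that is not the Pedigree code: host names, taint labels, the two policy rules and the external address are constructed. A process acquires taints from the inputs it reads, the host-side tagger stamps outgoing flows with those taints, and the in-network arbiter allows or blocks on policy; an allowed flow also taints the receiving process, so taints follow data across hosts.

```python
from dataclasses import dataclass, field

INTERNAL_HOSTS = {"ws1", "ws2", "fileserver"}  # constructed enterprise inventory
# Policy: (taint, destination scope in which flows carrying it are blocked)
POLICY = [("confidential", "external"),        # sensitive data may not leave
          ("untrusted-download", "internal")]  # outside content may not spread inside

@dataclass
class Process:
    """A process as the host tagger sees it: it accumulates taints from its inputs."""
    host: str
    taints: set = field(default_factory=set)

    def read_input(self, label: str) -> None:
        self.taints.add(label)  # reading a labelled file/socket taints the process

def tag_flow(sender: Process, dst: str) -> dict:
    """Tagger: annotate an outgoing flow with the sender's accumulated taints."""
    return {"src": sender.host, "dst": dst, "taints": frozenset(sender.taints)}

def arbiter(flow: dict, policy=POLICY, internal=INTERNAL_HOSTS) -> str:
    """Arbiter (the in-network function): 'allow' or 'block' a tagged flow."""
    scope = "internal" if flow["dst"] in internal else "external"
    for taint, blocked_scope in policy:
        if taint in flow["taints"] and scope == blocked_scope:
            return "block"
    return "allow"

def deliver(flow: dict, receiver: Process) -> str:
    """Arbiter decision plus cross-host propagation: an allowed flow taints its receiver."""
    decision = arbiter(flow)
    if decision == "allow":
        receiver.taints |= flow["taints"]
    return decision

def scenario() -> list:
    """Run the abstract's two attacks through the model and return the decisions."""
    decisions = []
    editor = Process("ws1")                   # data leak: reads a confidential file
    editor.read_input("confidential")
    decisions.append(arbiter(tag_flow(editor, "203.0.113.9")))  # block: leaves the enterprise
    sync = Process("ws2")                     # internal copy is allowed, receiver inherits taint
    decisions.append(deliver(tag_flow(editor, "ws2"), sync))
    decisions.append(arbiter(tag_flow(sync, "203.0.113.9")))    # block: taint followed the data
    browser = Process("ws1")                  # malware spread: consumed an untrusted download
    browser.read_input("untrusted-download")
    decisions.append(arbiter(tag_flow(browser, "fileserver")))  # block: may not spread inside
    return decisions
```

Running `scenario()` yields `["block", "allow", "block", "block"]`; the third decision is the point of the model, since the taint travelled with the data to ws2 and the arbiter needed no knowledge of what ws2's process did with it.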
