Built for Security Operations at Scale
A multi-tenant platform engineered for reliability, speed, and auditability. Every component is designed to operate at enterprise scale without sacrificing security or transparency.
Architecture
Three layers working together: a centralized control plane, distributed edge collectors, and a secure mesh that connects them.
Control Plane
FastAPI backend with 298+ API endpoints across 32 routers. PostgreSQL with 80+ tables and 30 schema migrations. Multi-tenant by design with row-level security on every query. Serves the dashboard, orchestrates collectors, and runs the detection pipeline.
Collectors
Lightweight edge nodes deployed inside customer networks. Each collector runs honeypot services (ADE) and passive network sensors (NetWatch). Outbound-only communication to the control plane. Operates independently during network partitions with local event buffering.
Mesh Connectivity
Tailscale-based secure mesh connects collectors to the control plane without exposing inbound ports. Encrypted WireGuard tunnels with automatic key rotation. NAT traversal handles complex network topologies without firewall changes.
Detection Pipeline
An 8-stage worker pipeline that processes every detection event from raw signal to correlated, scored incident. Each stage runs on its own interval for optimal throughput.
| Stage | Interval | Function |
|---|---|---|
| Mapper | 2s | MITRE ATT&CK technique classification for every detection event |
| Incidentizer | 5s | Deduplication and correlation of events into unified incidents |
| Consequence | 30s | Risk scoring based on asset value, technique severity, and blast radius |
| Profiler | 30s | Adversary session building by source IP with TTP tracking and dwell analysis |
| Scoring | 5min | Coverage scoring across MITRE matrix and detection confidence calibration |
| Deployer | 10s | Orchestration of decoy deployment, updates, and health checks across collectors |
| Inventory | 60s | Asset inventory synchronization and network topology mapping |
| Threat Intel | 5min | IOC correlation against 7+ enrichment sources with result caching |
AI-Powered Analysis
Claude API integration augments analyst workflows with contextual intelligence generated from platform data.
Threat Briefings
Automated executive summaries of active incidents with risk context, affected assets, and recommended actions. Generated on demand or on a schedule for leadership reporting.
Incident Analysis
Deep-dive analysis of individual incidents including TTP mapping, adversary intent assessment, and historical correlation with similar activity patterns across the tenant.
Playbook Suggestions
Context-aware response recommendations based on the specific techniques observed, asset criticality, and organizational containment policies. Actionable, not generic.
Hunt Leads
AI-generated hunt hypotheses derived from observed adversary behavior, gaps in detection coverage, and threat intelligence correlation. Includes suggested queries and IOCs to investigate.
Security & Compliance
| Control | Implementation |
|---|---|
| SOC 2 Auto-Evidence | Automated evidence collection across 7 trust service criteria with continuous control monitoring |
| Row-Level Security | RLS policies enforced on 27+ tables ensuring strict tenant data isolation at the database layer |
| Audit Logging | Every API call, configuration change, and user action recorded with timestamp, actor, and context |
| SSRF Protection | Webhook and integration URLs validated against internal network ranges to prevent server-side request forgery |
| Encrypted Backups | Automated database backups with AES-256 encryption and verified restore testing |
| Infrastructure Hardening | UFW firewall rules, SSH key-only authentication, and minimal attack surface on all control plane hosts |
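One way to implement the webhook URL validation described in the SSRF Protection row above, as an added example in Python (the project's FastAPI backend language) that is not Nythrix's own code; the function names, the denylist and the injectable `resolve` hook are assumptions for illustration:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed denylist for this example: loopback, RFC 1918, link-local
# (cloud metadata lives here), CGNAT, unspecified, IPv6 ULA and link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip: str) -> bool:
    """True if the address (IPv4, IPv6 or IPv4-mapped IPv6) is internal."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.5 must be judged as 10.0.0.5, not as a public IPv6 host.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def default_resolve(host: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA answers via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_webhook_url(url: str, resolve=default_resolve) -> tuple[bool, str]:
    """Return (ok, reason). `resolve` is injectable so tests can run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        try:
            addrs = resolve(host)  # also normalises forms such as "127.1"
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    # Reject if ANY answer is internal: a zone the sender controls can mix
    # public and private records in one response.
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

Validating once is not enough on its own: the outbound HTTP client should connect to the address that was vetted rather than resolving the hostname again, otherwise a record that changes between check and use (DNS rebinding) bypasses the check.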
Deployment Models
Deploy where your environment requires — cloud-hosted with on-prem collectors, or fully air-gapped with no external dependencies.
Cloud
Control plane hosted and managed by Nythrix. Lightweight collectors deploy on-premises inside your network. Outbound-only communication from collectors to the control plane — no inbound ports, no VPN tunnels, no firewall changes required.
Air-Gapped
Full platform deployed on-premises with no external dependencies. Docker Compose stack includes all services on a single server. Threat intelligence enrichment and AI analysis degrade gracefully when disconnected. All core detection and response capabilities remain fully operational.
Platform Stats
| Component | Count |
|---|---|
| API Routers | 32 |
| API Endpoints | 298+ |
| Database Tables | 80+ |
| Schema Migrations | 30 |
| Dashboard Pages | 32 |
| Docker Containers | 16+ |
See the Platform in Action
Walk through the architecture, detection pipeline, and deployment options with our engineering team.