PLATFORM ARCHITECTURE

Container-Native AI Agents.
Runtime Security for Your Workloads.

A single container deploys a full NDR + EDR + Vulnerability Management stack directly onto your edge hosts. All AI/ML inference runs locally — < 1ms detection latency, zero cloud dependency for runtime decisions. Supports x86-64 and ARM-64 across Docker, Kubernetes, OpenShift, and edge orchestration platforms.

Detection Latency
0.8ms
p99 on-device inference
Deployment Footprint
1 container
NDR + EDR + Vuln in one image
Architectures
x86 + ARM
64-bit, Linux kernel ≥ 4.14
Cloud Dependency
Zero
full offline operation supported

Multi-Domain Threat Detection Engine

Three parallel detection pipelines — network, endpoint, vulnerability — feed into a unified ML/Stats correlation layer. Each pipeline operates independently with its own data sources, models, and response actions.

NDR

Network Detection & Response

Ingests raw packet data at kernel level via high-performance capture interfaces. Traffic flows through feature extraction, then parallel detection engines: deep neural network classifiers, behavioral models for anomaly detection, and threat intelligence feed matching.

pcap / DPDK, Deep CNN, Behavioral Models, IP Blacklists, iptables/ipset
EDR

Endpoint Detection & Response

Kernel-level instrumentation captures syscalls, process lifecycle events, and file system changes via eBPF probes. Events pass through normalization, then multiple detection engines: signature-based scanning, hash verification, and multi-stage behavioral algorithms for APT detection.

eBPF probes, Syscall tracing, YARA rules, Hash analysis, APT algorithms
VUL

Vulnerability Management

Automated asset discovery scans host file systems and container images. Pre-processing evaluates exploitability and runtime state. SBOM generation feeds into centralized risk scoring, enabling prioritized remediation based on real-world exposure.

Asset Discovery, SBOM Generation, Exploitability, Runtime State
API

Cloud Coordination Layer

Agents self-register with per-instance attestation — no open ports or firewall changes required. Communication is event-driven: alerts stream in real time, telemetry is batched, model updates are pulled only when available. All detection logic operates independently of cloud connectivity.

Self-Registration, Real-time Alerts, Batched Telemetry, OTA Updates, Offline Mode
Agent internal architecture
[Diagram: Agentic AI-based Security Platform for Modern Workloads, showing the secure gateway AI agent container and its internal flow]

  • Data sources: pcaplib (tcp/udp), DPDK, eBPF syscalls, OS files
  • Network pipeline: FEATURE extraction → AI/ML classifiers (Deep CNN, behavioral models, threat intel feeds)
  • Endpoint pipeline: NORMALIZE → signature rules, hash verification, runtime rules, APT algorithms
  • Vulnerability pipeline: asset discovery (hosts + containers) → pre-processing (exploitability, runtime state) → SBOM generation (software inventory) → SBOM export
  • ML / Stats correlation: dedup / adaptation
  • Response actions: IP blocking (iptables, ipset, firewalls), quarantine (zip + encrypt + move), playbooks (automated response → block → isolate → execute)
  • Cloud API: registration, coordination, alerts (alerts flow up from correlation)

Edge-Local Processing Pipeline

All data ingestion, feature extraction, ML inference, and response execution happens on the host. No raw data leaves your infrastructure.

Runtime Pipeline
Stage 01
Data Ingestion
Kernel-level packet capture (pcap/DPDK), eBPF syscall hooks, file system watchers, syslog streams
Stage 02
Feature Extraction
Throttling, normalization, statistical feature computation, protocol-aware parsing
Stage 03
AI/ML Inference
On-device ONNX-optimized models — CNNs, behavioral classifiers, anomaly detectors running in parallel
Stage 04
Correlation
Cross-pipeline deduplication, severity scoring, adaptive thresholds, alert enrichment
Stage 05
Response
IP blocking, process kill, file quarantine (zip + encrypt + move), automated playbook execution
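The five stages above end in correlation and response. As an added example (not the product's own code), here is a toy version of Stage 04 that folds constructed NDR and EDR detections together: it deduplicates repeats within a time window, treats a finding seen by both pipelines as corroborated, applies a per-entity adaptive threshold, and picks a Stage 05 action. Event fields, the 60-second window, the 0.7 base threshold and the severity-to-response mapping are all assumptions.

```python
# Added example (not the product's own code): a toy Stage 04 correlator that
# folds network (NDR) and endpoint (EDR) detections together and picks a
# Stage 05 response. Event fields, window size and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Detection:
    ts: float        # event time in seconds
    pipeline: str    # "ndr" or "edr"
    entity: str      # what the detection is about; here a host IP
    indicator: str   # detector label such as "c2-beacon"
    score: float     # model confidence, 0..1


@dataclass
class Alert:
    entity: str
    indicators: tuple
    pipelines: tuple
    severity: str
    response: str
    suppressed: int  # duplicate detections folded into this alert


class Correlator:
    def __init__(self, window=60.0, base_threshold=0.7):
        self.window = window              # seconds; detections closer than this are one incident
        self.base_threshold = base_threshold
        self.history = defaultdict(list)  # entity -> past scores, feeds the adaptive threshold

    def threshold(self, entity):
        # Adaptive threshold: an entity whose scores are chronically elevated
        # must clear mean + 2 sigma of its own history, never less than the base.
        past = self.history[entity]
        if len(past) < 5:
            return self.base_threshold
        return max(self.base_threshold, min(0.95, mean(past) + 2 * pstdev(past)))

    def correlate(self, detections):
        by_entity = defaultdict(list)
        for d in sorted(detections, key=lambda d: d.ts):
            by_entity[d.entity].append(d)

        alerts = []
        for entity, events in by_entity.items():
            thr = self.threshold(entity)  # fixed before this batch updates history
            buckets = []                  # time-windowed groups of detections
            for d in events:
                if buckets and d.ts - buckets[-1][0].ts <= self.window:
                    buckets[-1].append(d)
                else:
                    buckets.append([d])
            for bucket in buckets:
                alerts.append(self._score(entity, bucket, thr))
            self.history[entity].extend(d.score for d in events)
        return alerts

    @staticmethod
    def _score(entity, bucket, thr):
        # Dedup: the same detector firing twice on the same entity is one finding
        unique = {(d.pipeline, d.indicator) for d in bucket}
        pipelines = tuple(sorted({p for p, _ in unique}))
        indicators = tuple(sorted({i for _, i in unique}))
        top = max(d.score for d in bucket)
        corroborated = len(pipelines) > 1  # seen by both network and endpoint pipelines
        if top >= thr and corroborated:
            severity, response = "critical", "block+isolate"
        elif top >= thr:
            severity, response = "high", "block"
        elif corroborated:
            severity, response = "medium", "log"
        else:
            severity, response = "info", "log"
        return Alert(entity, indicators, pipelines, severity, response, len(bucket) - len(unique))


# Constructed sample detections (not real telemetry)
SAMPLE = [
    Detection(100.0, "ndr", "203.0.113.5", "c2-beacon", 0.91),
    Detection(100.5, "ndr", "203.0.113.5", "c2-beacon", 0.90),        # repeat of the above
    Detection(130.0, "edr", "203.0.113.5", "suspicious-exec", 0.75),  # endpoint corroboration
    Detection(105.0, "ndr", "203.0.113.9", "port-scan", 0.40),
    Detection(400.0, "ndr", "203.0.113.5", "c2-beacon", 0.72),        # outside the first window
]


def run_sample():
    return Correlator().correlate(SAMPLE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sample yields three alerts: one critical for 203.0.113.5 (both pipelines, one duplicate suppressed, response block+isolate), one high for the same host 300 seconds later (a new window, response block), and an informational one for the port-scan score that stays under the threshold. The threshold is read before the batch updates history, so a burst of high scores cannot raise its own bar mid-batch.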

Built for Autonomous Operation

Every capability runs independently at the edge. The agent operates as a self-contained security appliance — the cloud provides coordination, not computation.

01 — INFERENCE

On-Device AI/ML

Optimized neural network models execute locally within the container. No inference requests to external APIs. Models are pre-loaded and versioned independently of the agent binary.

02 — DEPLOYMENT

Zero-Touch Registration

Agent self-registers via outbound-only connection. No open ports, no firewall rules, no manual configuration. Per-agent cryptographic attestation secures the registration flow.

03 — PREVENTION

Automated IPS

High-severity network threats trigger automatic IP blocking via native OS firewall integration. Configurable playbooks define custom response chains for different threat categories.
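As an added example (not the product's own code), the following planner shows what a guarded version of the native firewall integration above looks like: it builds ipset and iptables commands for a verdict, refuses loopback, link-local and allowlisted addresses so a false positive cannot cut off the management plane or a gateway, and gives every entry a timeout so blocks expire by themselves. The set name prefix, the allowlist ranges and the TTL are assumptions; the documentation-range addresses in the demo are constructed.

```python
# Added example (not the product's own code): a guarded IP-blocking planner for
# the automated IPS step. Set names, the allowlist and TTL are assumptions.
import ipaddress
import subprocess

SET_PREFIX = "agent-blocklist"  # assumed ipset name prefix


class BlockPolicy:
    def __init__(self, allowlist, default_ttl=3600):
        # Allowlist: management plane, gateways and internal ranges that a
        # false positive must never cut off.
        self.allow = [ipaddress.ip_network(a, strict=False) for a in allowlist]
        self.default_ttl = default_ttl

    def refuse_reason(self, ip_str):
        """Return None if the address may be blocked, else why not."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return "not an IP address"
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            return "special-purpose address"
        for net in self.allow:
            if ip.version == net.version and ip in net:
                return f"allowlisted by {net}"
        return None

    def plan(self, ip_str, ttl=None):
        """Command plan for blocking one address; raises instead of blocking unsafely."""
        reason = self.refuse_reason(ip_str)
        if reason:
            raise ValueError(f"refusing to block {ip_str}: {reason}")
        ip = ipaddress.ip_address(ip_str)
        ttl = int(ttl or self.default_ttl)
        family = "inet6" if ip.version == 6 else "inet"
        setname = f"{SET_PREFIX}-v{ip.version}"
        fw = "ip6tables" if ip.version == 6 else "iptables"
        rule = ["INPUT", "-m", "set", "--match-set", setname, "src", "-j", "DROP"]
        return {
            # hash:ip set with a default timeout; -exist makes both steps idempotent
            "ensure_set": ["ipset", "create", setname, "hash:ip",
                           "family", family, "timeout", str(ttl), "-exist"],
            "add": ["ipset", "add", setname, str(ip), "timeout", str(ttl), "-exist"],
            # -C tests whether the DROP rule is already present; -I inserts it once
            "rule_check": [fw, "-C"] + rule,
            "rule_insert": [fw, "-I"] + rule,
        }


def apply_block(policy, ip_str, ttl=None, execute=False):
    """Build the plan; with execute=True run it (needs CAP_NET_ADMIN in the container)."""
    plan = policy.plan(ip_str, ttl)
    if execute:
        subprocess.run(plan["ensure_set"], check=True)
        subprocess.run(plan["add"], check=True)
        if subprocess.run(plan["rule_check"], capture_output=True).returncode != 0:
            subprocess.run(plan["rule_insert"], check=True)
    return plan


# Constructed demo policy: internal range, host gateway and a v6 prefix are never blocked
DEMO_POLICY = BlockPolicy(allowlist=["10.0.0.0/8", "192.0.2.1/32", "2001:db8:ffff::/48"])

if __name__ == "__main__":
    for verdict_ip in ["203.0.113.7", "10.0.0.1", "127.0.0.1"]:
        try:
            print(apply_block(DEMO_POLICY, verdict_ip, ttl=600)["add"])
        except ValueError as err:
            print(err)
```

Running the block without `execute=True` only prints the plan, which is the mode to use when reviewing what a playbook would do. One DROP rule referencing the set is inserted once; afterwards every block is a single `ipset add`, and the per-entry timeout removes it without a second playbook step.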

04 — RESILIENCE

Offline Operation

Full detection and prevention stack operates without cloud connectivity. Events buffer locally and sync on reconnect. No degradation in security posture during network outages.
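As an added example (not the product's own code), this store-and-forward buffer models the "buffer locally, sync on reconnect" behaviour: events are committed to a local SQLite table before anything is sent, drained oldest-first in batches, and left unsent if the upload fails so the next reconnect retries the same batch. The schema, the batch size and the `Transport` stand-in for the cloud client are assumptions.

```python
# Added example (not the product's own code): a durable, ordered event queue
# for offline operation. Schema, batch size and the Transport stub are assumed.
import json
import sqlite3
import time
import uuid


class Transport:
    """Constructed stand-in for the cloud API client. fail_after=n makes every
    batch after the n-th fail, to simulate a link dropping mid-sync."""

    def __init__(self, online=False, fail_after=None):
        self.online = online
        self.fail_after = fail_after
        self.calls = 0
        self.received = []

    def send_batch(self, events):
        self.calls += 1
        if not self.online or (self.fail_after is not None and self.calls > self.fail_after):
            raise ConnectionError("cloud unreachable")
        self.received.extend(events)


class EventBuffer:
    """Ordered event queue; ':memory:' here, a file on persistent storage in practice."""

    def __init__(self, path=":memory:", batch_size=100):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS events ("
            " seq INTEGER PRIMARY KEY AUTOINCREMENT,"
            " id TEXT UNIQUE NOT NULL,"   # stable id so the server can dedup retried batches
            " ts REAL NOT NULL,"
            " payload TEXT NOT NULL,"
            " sent INTEGER NOT NULL DEFAULT 0)"
        )
        self.db.commit()
        self.batch_size = batch_size

    def record(self, event):
        eid = str(uuid.uuid4())
        self.db.execute("INSERT INTO events (id, ts, payload) VALUES (?, ?, ?)",
                        (eid, time.time(), json.dumps(event)))
        self.db.commit()  # durable before any response action proceeds
        return eid

    def pending(self):
        return self.db.execute("SELECT COUNT(*) FROM events WHERE sent = 0").fetchone()[0]

    def sync(self, transport):
        """Drain unsent events oldest-first in batches; stop at the first failure
        without marking anything sent, so the next sync retries the same batch."""
        sent = 0
        while True:
            rows = self.db.execute(
                "SELECT seq, id, ts, payload FROM events WHERE sent = 0 ORDER BY seq LIMIT ?",
                (self.batch_size,)).fetchall()
            if not rows:
                return sent
            batch = [{"id": i, "ts": t, **json.loads(p)} for _, i, t, p in rows]
            try:
                transport.send_batch(batch)
            except ConnectionError:
                return sent  # rows stay unsent; retried on the next reconnect
            self.db.executemany("UPDATE events SET sent = 1 WHERE seq = ?", [(r[0],) for r in rows])
            self.db.commit()
            sent += len(rows)

    def trim(self, keep_seconds=86400):
        """Drop acknowledged events older than the retention window to bound disk use."""
        self.db.execute("DELETE FROM events WHERE sent = 1 AND ts < ?", (time.time() - keep_seconds,))
        self.db.commit()


if __name__ == "__main__":
    buf, cloud = EventBuffer(batch_size=2), Transport(online=False)
    for sev in ("high", "low", "critical"):
        buf.record({"type": "alert", "severity": sev})
    print("offline sync sent", buf.sync(cloud), "pending", buf.pending())
    cloud.online = True
    print("online sync sent", buf.sync(cloud), "pending", buf.pending())
```

Detection and response never wait on `sync`; they only call `record`, which returns as soon as the row is committed. Because the stable `id` travels with each event, a batch that was delivered but never acknowledged can be resent safely and deduplicated server-side.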

05 — OBSERVABILITY

Kernel Instrumentation

eBPF probes provide low-overhead visibility into syscalls, process creation, network connections, and file operations. Kernel module support extends compatibility to a broader range of Linux versions.

06 — UPDATES

OTA Model Refresh

ML models update independently via cloud-coordinated delivery. Supports generic models (all tenants) and personalized models pre-trained on environment-specific traffic patterns.

07 — NETWORK

Multi-Interface Capture

Simultaneous sniffing across multiple NICs per host. Standard pcap for general use, DPDK for multi-Gbps environments requiring line-rate inspection with direct NIC mapping.

08 — DISCOVERY

Network Asset Mapping

Protocol-level discovery via ARP, DNS, DHCP builds a continuously updated inventory of connected devices, services, and network topology without active scanning overhead.
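As an added example (not the product's own code), here is a passive ARP listener, one of the three discovery sources named above: it parses Ethernet/ARP frames it merely observes, keeps an inventory of IP-to-MAC bindings with first/last-seen times, and raises an event when a known address starts answering from a different MAC (a DHCP reassignment, a replaced device, or a conflicting host). The frames are constructed in the block for the demo; nothing is transmitted, which is the point of discovery without active scanning.

```python
# Added example (not the product's own code): passive ARP-based host inventory.
# Frames below are constructed for the demo; the listener never sends packets.
import struct
import time

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sender_mac": _mac(sha), "sender_ip": _ip(spa), "target_ip": _ip(tpa)}


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Constructed test frame for the demo only."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", mac(eth_dst or target_mac), mac(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


class Inventory:
    def __init__(self):
        self.hosts = {}   # ip -> {"mac", "first_seen", "last_seen", "sightings"}
        self.events = []  # (kind, ip, detail) for new hosts and changed bindings

    def observe(self, frame, now=None):
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":  # not ARP, or a probe with no address yet
            return None
        now = time.time() if now is None else now
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        entry = self.hosts.get(ip)
        if entry is None:
            entry = self.hosts[ip] = {"mac": mac, "first_seen": now, "last_seen": now, "sightings": 0}
            self.events.append(("new-host", ip, mac))
        elif entry["mac"] != mac:
            # A changed IP-to-MAC binding deserves an alert: DHCP reassignment,
            # a replaced device, or a conflicting host answering for that address.
            self.events.append(("mac-changed", ip, f"{entry['mac']} -> {mac}"))
            entry["mac"] = mac
        entry["last_seen"] = now
        entry["sightings"] += 1
        return entry


# Constructed frames: a request, the reply, non-ARP noise, then a reply from a different MAC
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1", "00:00:00:00:00:00", "192.0.2.5",
              eth_dst="ff:ff:ff:ff:ff:ff"),
    build_arp(ARP_REPLY, "02:00:00:00:00:05", "192.0.2.5", "02:00:00:00:00:01", "192.0.2.1"),
    b"\x00" * 60,
    build_arp(ARP_REPLY, "02:00:00:00:00:77", "192.0.2.5", "02:00:00:00:00:01", "192.0.2.1"),
]


def run_sample():
    inv = Inventory()
    for t, frame in enumerate(SAMPLE_FRAMES):
        inv.observe(frame, now=1000.0 + t)
    return inv


if __name__ == "__main__":
    inv = run_sample()
    print(inv.hosts)
    print(inv.events)
```

On a real interface the same `observe` call would be fed from a promiscuous capture handle (pcap or DPDK, as the capture section describes); the inventory logic does not change. The request frame is enough to learn the requester's own binding, so hosts appear in the inventory even before anyone answers them.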

Three Integration Modes

Select the deployment profile that matches your infrastructure constraints, security requirements, and performance targets.

Recommended

Full Agent — NDR + EDR

Maximum visibility. Combined network and host-based detection with automated prevention. Requires NET_ADMIN capability and privileged mode for syscall instrumentation.

  • Multi-interface network traffic analysis
  • eBPF-based kernel event monitoring
  • Automated IP blocking + playbook execution
  • Malware scanning + file quarantine
  • Full asset and vulnerability discovery

High Throughput

Accelerated NDR

Optimized for multi-Gbps environments. Agent maps directly to NICs via userspace driver, acting as an L2/L3 inline inspection point with prevention capabilities.

  • Line-rate inspection at multi-Gbps
  • Direct NIC-to-agent data path
  • Inline blocking and traffic filtering
  • Scalable core allocation (2n CPU cores)
  • Privileged mode + NIC binding required

Minimal Footprint

Passive / Mirrored NDR

Least-intrusive option. Agent receives a copy of traffic via mirrored port on a separate host. Detection-only — no inline prevention, no host instrumentation required.

  • Zero modification to production hosts
  • Hardware-isolated on dedicated machine
  • Receives mirrored pcap stream via UDP
  • Network anomaly detection only
  • No special permissions required

Runs Everywhere Containers Run

Native container image supports all major orchestration platforms and Linux-based runtimes. Single image, any architecture.

Docker
Kubernetes (Helm)
Kubernetes (YAML)
Red Hat OpenShift
OpenShift Operator
Podman
Edge Orchestrators
x86-64
ARM-64 / aarch64
Linux ≥ 4.14