7-POD Stack
HookProbe uses a modular POD architecture where each POD handles a specific function. This separation enables scaling, isolation, and maintainability.
POD Overview
| POD | Function | Key Services |
|---|---|---|
| POD-001 | Web UI / API Gateway / DMZ | Nginx, API Gateway |
| POD-002 | IAM / Identity / RBAC | Keycloak, SSO |
| POD-003 | Persistent Database | PostgreSQL |
| POD-004 | Transient Data / Cache | Redis/Valkey |
| POD-005 | Metrics / Dashboards | Prometheus, Grafana |
| POD-006 | Kernel Packet Intake | Aegis (Zig + eBPF/XDP) |
| POD-007 | AI Detection + Response | Napse (Mojo AI), AEGIS Orchestrator |
| POD-008 | Workflow Automation | n8n, Playbooks |
| POD-009 | Notifications | Email, Cloudflare Tunnel |
| POD-010 | DSM Ledger | Consensus Engine |
POD-001: Web Management UI
Purpose: Entry point for all web and API traffic.
Services
| Service | Port | Function |
|---|---|---|
| Nginx Proxy | 80, 443 | TLS termination, routing |
| API Gateway | 8080 | Request routing, rate limiting |
| Static Assets | - | Dashboard UI |
Configuration
- dashboard : 172.30.0.11:3000
POD-002: Identity & Access
Purpose: Authentication, authorization, and user management.
Services
| Service | Port | Function |
|---|---|---|
| Keycloak | 8080 | OIDC provider |
| LDAP Sync | - | Directory integration |

Roles
| Role | Permissions |
|---|---|
| master_admin | Full platform access |
| admin | Tenant administration |
| soc_analyst | Security analysis |
| editor | Content management |
| customer | Standard user |
POD-003: Persistent Database
Purpose: Durable data storage.
Services
| Service | Port | Function |
|---|---|---|
| PostgreSQL | 5432 | Primary database |
| Backup Agent | - | Automated backups |
Schemas
device_id TEXT PRIMARY KEY,
device_type TEXT NOT NULL,
hardware_fingerprint TEXT NOT NULL,
CREATE TABLE dsm_checkpoints (
epoch INTEGER PRIMARY KEY,
merkle_root TEXT NOT NULL,
validator_id TEXT NOT NULL,
POD-004: Cache & Queues
Purpose: Fast transient data and message queuing.
Services
| Service | Port | Function |
|---|---|---|
| Valkey/Redis | 6379 | Cache, sessions |
| Message Queue | - | Event distribution |

Use Cases
| Data Type | TTL | Purpose |
|---|---|---|
| Sessions | 24h | User authentication |
| Rate limits | 1min | Request throttling |
| Pending intents | 5min | Intent aggregation |
| Model cache | 1h | ML inference cache |
POD-005: Metrics & Dashboards
Purpose: Observability and visualization.
Services
| Service | Port | Function |
|---|---|---|
| Prometheus | 9090 | Metrics collection |
| Grafana | 3000 | Dashboards |
| VictoriaMetrics | 8428 | Long-term storage |

Key Metrics
| Metric | Type | Description |
|---|---|---|
| qsecbit_score | Gauge | Current security score |
| aegis_packets_dropped | Counter | Aegis XDP DDoS mitigation |
| napse_intents_total | Counter | Napse intent classifications |
| dns_blocks_total | Counter | dnsXai blocks |
POD-006: Kernel Packet Intake (Aegis)
Purpose: Kernel-level packet intake, feature extraction, and early filtering.
Services
| Service | Function |
|---|---|
| Aegis XDP | Zig + eBPF kernel-level packet processing |
| Ring Buffer Manager | BPF ring buffer for zero-copy Aegis-to-Napse communication |
Aegis Pipeline
Aegis XDP (kernel) -- Drop DDoS, rate limit
Feature extraction (entropy, protocol class, 32-byte vector)
BPF Ring Buffer (16 MB shared memory, zero-copy)
POD-007: AI Detection + Response (Napse + AEGIS)
Purpose: AI-powered intent classification and autonomous threat response.
Napse (Mojo AI) consumes observations from the Aegis ring buffer and performs Bayesian intent classification. AEGIS (Adaptive Endpoint Guardian with Intelligent Security) is HookProbe’s AI orchestrator that bridges all detection systems into unified reasoning with plain-English explanations.
Services
| Service | Function |
|---|---|
| Napse (Mojo AI) | SIMD-vectorized Bayesian intent classification |
| Napse HMM | Kill chain state tracking (Viterbi decoding) |
| dnsXai | AI DNS protection |
| Layer Detector | L2-L7 analysis |
| AEGIS Orchestrator | 8-agent AI coordination |
| ML Inference | Threat classification |
| Response Engine | Automated actions |

Specialized Agents (AEGIS)
| Agent | Domain | Function |
|---|---|---|
| GUARDIAN | Network Defense | DDoS, port scans, L3-L4 attacks |
| WATCHDOG | DNS Protection | DGA detection, DNS tunneling |
| SHIELD | Endpoint Protection | Device classification, policy |
| VIGIL | Authorization | TLS downgrade, cert issues |
| SCOUT | Reconnaissance | Port scans, enumeration |
| FORGE | Hardening | Proactive audits, configuration |
| MEDIC | Incident Response | Cross-layer correlation, forensics |
| ORACLE | Forecasting | Trend analysis, recommendations |
Detection Pipeline
Aegis Ring Buffer (from POD-006)
Napse Bayesian Classifier -- Intent classification
Napse HMM -- Kill chain state tracking
dnsXai -- DNS classification
AEGIS -- Autonomous response
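The "Napse HMM" stage of this pipeline tracks kill chain state with Viterbi decoding. The following is an added example of that technique, not HookProbe's code: the stage names, intent labels and all probabilities are constructed for illustration.

```python
import math

# Assumed kill-chain stages and per-flow intent labels (constructed, not from HookProbe).
STATES = ["benign", "recon", "exploit", "c2"]
START = {"benign": 0.85, "recon": 0.10, "exploit": 0.04, "c2": 0.01}
TRANS = {  # P(next stage | current stage)
    "benign":  {"benign": 0.90, "recon": 0.08, "exploit": 0.01, "c2": 0.01},
    "recon":   {"benign": 0.20, "recon": 0.60, "exploit": 0.18, "c2": 0.02},
    "exploit": {"benign": 0.05, "recon": 0.05, "exploit": 0.50, "c2": 0.40},
    "c2":      {"benign": 0.02, "recon": 0.03, "exploit": 0.05, "c2": 0.90},
}
EMIT = {  # P(observed intent label | stage)
    "benign":  {"normal": 0.90, "scan": 0.05, "payload": 0.03, "beacon": 0.02},
    "recon":   {"normal": 0.20, "scan": 0.70, "payload": 0.08, "beacon": 0.02},
    "exploit": {"normal": 0.10, "scan": 0.15, "payload": 0.70, "beacon": 0.05},
    "c2":      {"normal": 0.25, "scan": 0.03, "payload": 0.07, "beacon": 0.65},
}

def viterbi(observations):
    """Return the most likely stage sequence for a list of intent labels."""
    if not observations:
        return []
    # score[s] = best log-probability of any path that ends in stage s
    score = {s: math.log(START[s]) + math.log(EMIT[s][observations[0]])
             for s in STATES}
    back = []  # one back-pointer table per observation after the first
    for obs in observations[1:]:
        prev, score, ptr = score, {}, {}
        for s in STATES:
            best = max(STATES, key=lambda p: prev[p] + math.log(TRANS[p][s]))
            score[s] = prev[best] + math.log(TRANS[best][s]) + math.log(EMIT[s][obs])
            ptr[s] = best
        back.append(ptr)
    # Walk the back-pointers from the best final stage to the first observation.
    state = max(STATES, key=score.get)
    path = [state]
    for ptr in reversed(back):
        state = ptr[state]
        path.append(state)
    return path[::-1]

# Constructed sequence of classifier outputs for one device.
OBSERVED = ["normal", "scan", "scan", "payload", "beacon", "normal", "beacon"]
```

The single "normal" observation after the first beacon does not pull the decoded path back to benign, which is the reason to track state over a sequence instead of reacting to each classification in isolation.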
Response Actions
| Trigger | Action |
|---|---|
| QSecBit AMBER | Increase logging |
| QSecBit RED | Enable full mitigation |
| High-confidence C2 intent | Block source via Aegis XDP |
| C2 detected | Quarantine device |
POD-008: Workflow Automation
Purpose: Security orchestration.
Services
| Service | Port | Function |
|---|---|---|
| n8n | 5678 | Workflow automation |
| Playbook Engine | - | Defensive playbooks |
Example Workflows
Threat -> Slack notification -> Ticket creation
Alert -> Email -> Escalation
Detection -> Block -> Forensic capture
POD-009: Notifications
Purpose: External communication.
Services
| Service | Function |
|---|---|
| Email Service | Alert notifications |
| Cloudflare Tunnel | Secure external access |
| Webhook Delivery | Integration events |
POD-010: DSM Ledger
Purpose: Decentralized consensus.
Services
| Service | Function |
|---|---|
| DSM Node | Microblock creation |
| DSM Validator | Checkpoint aggregation |
| Consensus Engine | BLS signature aggregation |
| DSM API | Query interface |
Data Structures
Microblock:
"node_id": "edge-uuid-12345",
"prev": "hash-of-previous",
"timestamp": "2025-12-07T18:35:00Z",
"payload_hash": "sha256-of-event",
"signature": "tpm-signed"
Checkpoint:
"merkle_root": "root-hash",
"edge-12345": [1840, 1850]
"agg_signature": "bls-aggregated"
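How the `prev` link and the checkpoint `merkle_root` make tampering detectable, as an added example that is not HookProbe's implementation. The canonical-JSON hashing, the all-zero genesis value and the odd-node pairing rule are assumptions, and TPM and BLS signature checks are not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" value of a node's first microblock

def block_hash(block):
    """SHA-256 over canonical JSON (assumed; the page does not give the encoding)."""
    data = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def make_chain(node_id, events):
    """Build constructed sample microblocks with the field names shown above."""
    chain, prev = [], GENESIS
    for i, event in enumerate(events):
        block = {"node_id": node_id, "prev": prev,
                 "timestamp": f"2025-12-07T18:35:{i:02d}Z",
                 "payload_hash": hashlib.sha256(event.encode()).hexdigest(),
                 "signature": "placeholder"}  # TPM signing not modelled
        chain.append(block)
        prev = block_hash(block)
    return chain

def first_broken_link(chain):
    """Index of the first block whose "prev" is wrong, or None if the chain is intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev:
            return i
        prev = block_hash(block)
    return None

def merkle_root(leaf_hashes):
    """Pairwise SHA-256 tree; an odd node is paired with itself (assumed rule)."""
    if not leaf_hashes:
        raise ValueError("checkpoint covers no microblocks")
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def checkpoint_matches(chain, checkpoint_root):
    """True only if the chain links up and its Merkle root equals the checkpoint's."""
    if first_broken_link(chain) is not None:
        return False
    return merkle_root([block_hash(b) for b in chain]) == checkpoint_root
```

An edited microblock is caught at the next block's `prev` check; a chain whose links were recomputed after the edit still fails against the root recorded in the checkpoint.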
Network Topology
+---------------------------------------------------------------+
| POD Network (172.30.0.0/24) |
+---------------------------------------------------------------+
| +---------+ +---------+ +---------+ |
| | POD-001 | | POD-002 | | POD-003 | |
| | Proxy | | IAM | | DB | |
| | .2 | | .40 | | .30 | |
| +----+----+ +----+----+ +----+----+ |
| -----+--------------+--------------+---------- |
| -----+--------------+--------------+---------- |
| +----+----+ +---------+ +----+----+ |
| | POD-004 | | POD-005 | | POD-006 | |
| | Cache | | Metrics | | Aegis | |
| | .31 | | .50 | | .60 | |
| +---------+ +---------+ +----+----+ |
+---------------------------------------------------------------+
Deployment
Start All PODs
Start Specific POD
podman-compose up -d pod-006
View POD Status
podman ps -a | grep hookprobe
View POD Logs
podman logs hookprobe-<pod-name> --tail 50
Resource Allocation
| POD | CPU | RAM | Storage |
|---|---|---|---|
| POD-001 | 0.5 | 256MB | 100MB |
| POD-002 | 1.0 | 512MB | 100MB |
| POD-003 | 1.0 | 1GB | 10GB |
| POD-004 | 0.5 | 256MB | 1GB |
| POD-005 | 1.0 | 512MB | 5GB |
| POD-006 (Aegis) | 1.0 | 1GB | 500MB |
| POD-007 (Napse + AEGIS) | 2.0 | 2GB | 1GB |