Architecture Overview
Gen0Sec is a multi-layer XDR platform that protects infrastructure from kernel level to application layer. The platform consists of four products that work standalone or together for full-stack protection.
Platform Components
Synapse - Firewall & Reverse Proxy
High-performance eBPF-powered firewall and reverse proxy built with Rust. Runs on your servers in two modes:
- Agent Mode - Kernel-level firewall with XDP packet filtering, threat intelligence, TCP fingerprinting, and access rules enforcement. No HTTP proxying.
- Proxy Mode - Full reverse proxy with all agent features plus WAF, JA4+ fingerprinting, CAPTCHA, content scanning, TLS management, and upstream load balancing.
Cerebrum - Inline Hardware Sensor
Compact ARM-based 1U appliance deployed at each network edge:
- Dual NXP LX2160A processors with 30 ports (SFP+, QSFP28 100G)
- 200 Gbps inline eBPF/XDP processing
- IDS/IPS engine with existing signature compatibility
- JA4+ fingerprinting for encrypted traffic analysis
- Runs Synapse agent in native XDP mode
Cerebellum - AI Platform
GPU-accelerated analysis platform powered by NVIDIA Grace Hopper:
- ML inference across all deployed sensors with 528 Tensor Cores
- Cross-site correlation to detect lateral movement and coordinated attacks
- Encrypted traffic classification without TLS decryption
- Continuous learning from threat intelligence and sensor data
- Pushes updated threat verdicts to all sensors in milliseconds
Jailer - Process Sandboxing
eBPF LSM-powered application isolation:
- Mandatory Access Control per process
- File access control - restrict read/write/execute per role
- Network control - limit connections and listeners
- Exec control - prevent unauthorized program execution
- Zero performance overhead, no code changes needed
How It All Connects
Traffic Flow
- Inbound traffic hits the Cerebrum sensor at the network edge
- XDP filtering at wire speed (< 1µs) drops known-bad traffic before the kernel stack
- Cerebrum performs JA4+ fingerprinting and IDS/IPS inspection inline
- Clean traffic flows to your servers where Synapse applies access rules, WAF, and threat intelligence
- Jailer sandboxes application processes with eBPF LSM — file, network, and exec control
- Cerebellum receives metadata from all sensors and servers, runs ML inference, and pushes updated threat verdicts back
Deployment Models
| Model | Components | Use Case |
|---|---|---|
| Agent Only | Synapse (agent mode) | Kernel-level firewall on existing servers |
| Proxy | Synapse (proxy mode) | Reverse proxy with WAF, TLS, load balancing |
| Edge + Server | Cerebrum + Synapse | Hardware sensor at edge + server protection |
| Full Stack | Cerebrum + Synapse + Jailer + Cerebellum | Complete XDR with AI-driven correlation |
Synapse Internals
Core Components
- Multi-Backend Firewall - Automatic fallback: XDP > nftables > iptables > userland
- HTTP/TLS Servers - Traffic handling with ACME certificate management
- Reverse Proxy - Request forwarding with weighted load balancing
- Upstreams Manager - Service discovery via file, Consul, or Kubernetes with hot-reload
- Threat Intelligence - Gen0Sec API + Threat MMDB integration
- GeoIP Manager - Country, ASN, and city-level geolocation via MMDB
- Access Rules Engine - Dynamic IP allow/block lists with periodic API updates
- Fingerprint Engine - Complete JA4+ suite (JA4, JA4H, JA4T, JA4L, JA4S, JA4X)
- WAF Engine - Wirefilter-compatible expression language
- CAPTCHA Engine - hCaptcha, reCAPTCHA, Turnstile
- Content Scanner - ClamAV malware detection
- Event Queue - Unified batch processing for logs, stats, and events
- Redis Cache - Certificates, threat intel, CAPTCHA, and scan results
Configuration Reload
Synapse supports runtime reload via SIGHUP:
```shell
kill -HUP $(cat /var/run/synapse.pid)
```
Hot-reloadable: log level, API credentials, upstreams, security rules, GeoIP databases.
Requires restart: listen addresses, network interfaces, firewall mode, runtime threads, Redis, CAPTCHA, ACME, daemon settings.
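The split above (hot-reloadable versus restart-required settings) is the check a reload handler has to make before swapping configuration under a running process. The following Rust program is an added example, not Synapse's own code: it models a SIGHUP reload that takes the hot-reloadable fields from the candidate configuration, keeps the running values for the fields the page says need a restart, and reports which changes are still pending. The `Config` field names, the sample values, and the apply-hot/defer-restart policy are assumptions made for the example.

```rust
// Added example, not Synapse's own code: model a SIGHUP reload that applies
// the hot-reloadable settings listed on the page and defers the ones that
// need a restart. Field names and the defer policy are assumptions.
use std::collections::BTreeSet;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Config {
    // Hot-reloadable per the page: log level, API credentials, upstreams,
    // security rules, GeoIP databases.
    pub log_level: String,
    pub api_key: String,
    pub upstreams: Vec<String>,
    pub security_rules: Vec<String>,
    pub geoip_db: String,
    // Restart-required per the page: listen addresses, network interfaces,
    // firewall mode, runtime threads, Redis, CAPTCHA, ACME, daemon settings.
    pub listen_addrs: Vec<String>,
    pub interfaces: Vec<String>,
    pub firewall_mode: String,
    pub runtime_threads: usize,
    pub redis_url: String,
    pub captcha_provider: String,
    pub acme_email: String,
    pub daemonize: bool,
}

/// Which fields changed, split by how the change can take effect.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct ReloadPlan {
    pub hot: BTreeSet<&'static str>,
    pub restart: BTreeSet<&'static str>,
}

/// Compare two configurations field by field and classify every difference.
pub fn plan_reload(old: &Config, new: &Config) -> ReloadPlan {
    // (field name, changed?, hot-reloadable?)
    let checks = [
        ("log_level", old.log_level != new.log_level, true),
        ("api_key", old.api_key != new.api_key, true),
        ("upstreams", old.upstreams != new.upstreams, true),
        ("security_rules", old.security_rules != new.security_rules, true),
        ("geoip_db", old.geoip_db != new.geoip_db, true),
        ("listen_addrs", old.listen_addrs != new.listen_addrs, false),
        ("interfaces", old.interfaces != new.interfaces, false),
        ("firewall_mode", old.firewall_mode != new.firewall_mode, false),
        ("runtime_threads", old.runtime_threads != new.runtime_threads, false),
        ("redis_url", old.redis_url != new.redis_url, false),
        ("captcha_provider", old.captcha_provider != new.captcha_provider, false),
        ("acme_email", old.acme_email != new.acme_email, false),
        ("daemonize", old.daemonize != new.daemonize, false),
    ];
    let mut plan = ReloadPlan::default();
    for &(name, changed, hot) in checks.iter() {
        if !changed {
            continue;
        }
        if hot { plan.hot.insert(name); } else { plan.restart.insert(name); }
    }
    plan
}

/// Handle one SIGHUP: hot-reloadable fields come from `candidate`, everything
/// else keeps its running value, and the plan lists what still needs a restart.
pub fn apply_reload(running: &Config, candidate: &Config) -> (Config, ReloadPlan) {
    let plan = plan_reload(running, candidate);
    let mut effective = running.clone();
    effective.log_level = candidate.log_level.clone();
    effective.api_key = candidate.api_key.clone();
    effective.upstreams = candidate.upstreams.clone();
    effective.security_rules = candidate.security_rules.clone();
    effective.geoip_db = candidate.geoip_db.clone();
    (effective, plan)
}

/// Constructed sample values for the example; not a real deployment.
pub fn sample_config() -> Config {
    Config {
        log_level: "info".to_string(),
        api_key: "EXAMPLE-API-KEY".to_string(),
        upstreams: vec!["10.0.0.1:8080".to_string(), "10.0.0.2:8080".to_string()],
        security_rules: vec!["block-known-bad-asn".to_string()],
        geoip_db: "/path/to/geoip.mmdb".to_string(),
        listen_addrs: vec!["0.0.0.0:443".to_string()],
        interfaces: vec!["eth0".to_string()],
        firewall_mode: "xdp".to_string(),
        runtime_threads: 4,
        redis_url: "redis://127.0.0.1:6379".to_string(),
        captcha_provider: "turnstile".to_string(),
        acme_email: "ops@example.com".to_string(),
        daemonize: true,
    }
}

fn main() {
    let running = sample_config();
    let mut candidate = running.clone();
    candidate.log_level = "debug".to_string(); // hot
    candidate.runtime_threads = 8;             // needs restart
    let (effective, plan) = apply_reload(&running, &candidate);
    println!("applied hot: {:?}", plan.hot);
    println!("pending restart: {:?}", plan.restart);
    println!("effective: log_level={} threads={}", effective.log_level, effective.runtime_threads);
}
```

Keeping the restart-only fields at their running values, rather than rejecting the whole reload, means an operator who edits the log level and the thread count in one pass still gets the log level applied, and the non-empty `restart` set is the signal to schedule the restart; if a reject-all policy is preferred, check `plan.restart.is_empty()` before swapping `effective` in.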
Performance
| Metric | Value | Component |
|---|---|---|
| XDP packet filtering | < 1µs | Synapse / Cerebrum |
| Wire-speed throughput | 200 Gbps | Cerebrum (dual processor) |
| JA4+ fingerprinting | Full suite | TLS, TCP, HTTP, SSH, DHCP |
| eBPF sandboxing | Zero overhead | Jailer (BPF LSM) |
| GPU inference | 528 Tensor Cores | Cerebellum (Grace Hopper) |
| Encrypted traffic analysis | 0% decryption | ML-powered classification |