NAPSE POD
AI-Native Packet Analysis with NAPSE Engine
Unified IDS/NSM/IPS with 16 protocol parsers, ML inference, and ~10µs kernel-level packet blocking via XDP/eBPF.
Free & Open Source
One node's detection → everyone's protection
Stop paying $50K+/year for cloud SIEMs that can't protect your edge. Deploy a complete SOC on a Raspberry Pi in 5 minutes. Free forever.
Runs on hardware you already own
From $35 Raspberry Pi to enterprise servers - same protection, same simplicity
No complex setup. No consultants. Just paste and go.
$ git clone https://github.com/hookprobe/hookprobe.git
$ cd hookprobe && sudo ./install.sh
Works on Linux with Ubuntu, Open vSwitch, OpenFlow, and Podman installed
Enterprise security tools weren't built for the edge. Here's what you're dealing with:
Splunk, Elastic, CrowdStrike - they all want $50,000+/year. For most teams, that's the entire security budget.
Your security data sits on someone else's servers. You pay per GB, per user, per everything.
Cloud SIEMs can't see what's happening at your branch offices, retail locations, or IoT networks.
Weeks of setup, consultants, training, certifications. Security shouldn't require a PhD.
Enterprise-grade security tools, pre-configured and ready to protect your network.
The sensory cortex of the platform. Edge perception that turns raw signals into structured detection — before signatures, before rules, before delay.
AI-native IDS/NSM/IPS with ~10µs XDP kernel-level blocking, 50,000+ detection rules, and 10x less resource usage than legacy tools. AI reasoning runs asynchronously — see FAQ for the full latency breakdown.
Automated threat containment with playbook-driven response. No waiting for cloud round-trips.
Beautiful XSOC dashboard with live threat feeds, network maps, and incident timelines.
Quantified security posture (0-100) updated in real-time. Know exactly where you stand.
Five integrated protocols form the backbone of distributed threat hunting. One node's detection becomes everyone's protection.
Keyless, post-quantum secure transport with NAT traversal. Adaptive streaming across UDP/TCP with anti-blocking fallback.
Byzantine fault-tolerant consensus. 2/3 quorum validates threats. Microblocks with BLS signatures ensure integrity.
Living cryptography where neural weights become keys. Device identity through deterministic weight evolution.
Real-time resilience scoring (0-100%). L2-L7 detection across 27 attack types. GREEN/AMBER/RED status.
Keys emerge from neural state - nobody knows the password. Ephemeral, bound to hardware, temporally unique.
Distributed Mesh Threat Hunting: All edge nodes (Sentinel, Guardian, Fortress, Nexus) form a mesh using HTP transport. When any node detects a threat, it creates a cryptographic microblock and broadcasts via DSM. After 2/3 consensus, all nodes block the threat instantly. Privacy preserved - only anonymized signatures shared, never raw data.
Each POD is a specialized security container designed for edge deployment. Together, they form a complete autonomous SOC.
Unified IDS/NSM/IPS with 16 protocol parsers, ML inference, and ~10µs kernel-level packet blocking via XDP/eBPF.
8 specialized AI agents for cross-layer threat reasoning and autonomous response.
ClickHouse-powered log aggregation with real-time search and correlation.
MISP and STIX/TAXII feeds for up-to-date IOC matching and threat enrichment.
Automated scanning with CVE correlation and risk prioritization.
Playbook-based automated response with human-in-the-loop escalation.
Single-pane-of-glass visibility with Qsecbit scoring and real-time alerts.
Five tiers of deployment - edge nodes form a distributed mesh, MSSP provides centralized management.
The Watchful Eye - a lightweight validator service designed for getting started with HookProbe. Sentinel provides essential edge node validation and health monitoring, perfect for testing the platform or protecting a single device.
The Perfect Mesh for Individuals. Create a protective mesh with up to 3 devices - one of each type. Perfect for small business owners like Mr. George's pizza bakery: a Fortress router for shop WiFi, a Guardian for travel protection, and a Sentinel watchdog.
Your Digital Stronghold - designed for growing businesses needing multi-site protection. Create up to 3 tenants with 9 devices shared across them. Perfect for businesses with multiple locations, franchises, or complex security requirements.
The Regional Brain - an ML/AI compute hub for advanced threat detection, analytics, and intelligence processing. GPU-accelerated machine learning, long-term data retention, and federated learning coordination for security operations at scale. Currently in development.
The Central Brain - a self-hosted management platform that aggregates all edge nodes into a single pane of glass. MSSP provides unified IAM, multi-tenant device management, and centralized security monitoring for the entire distributed mesh. Stand-alone, self-controlled.
Qsecbit is HookProbe's proprietary quantum-resilient security metric. Unlike traditional security scores that rely on point-in-time assessments, Qsecbit provides continuous, real-time measurement of your infrastructure's true security posture.
From home labs to enterprise edge networks - HookProbe protects them all.
Protect your self-hosted services, NAS, and home network with enterprise-grade security on a Raspberry Pi.
Perfect for: Proxmox, TrueNAS, Home Assistant
Get SOC-level protection without the SOC-level budget. Protect your office network, POS systems, and remote workers.
Perfect for: Retail, Clinics, Law Firms
Deploy HookProbe at every client site for centralized monitoring. One dashboard, unlimited endpoints.
Perfect for: Multi-tenant security
Full packet capture, NAPSE detection logs, and AEGIS AI analysis for your honeypots, malware labs, and CTF environments.
Perfect for: Threat hunting, CTF, Research
Air-gapped, offline-capable IDS for manufacturing, utilities, and critical infrastructure.
Perfect for: SCADA, PLCs, ICS
Teach cybersecurity with real tools. Students deploy, configure, and operate a full SOC stack.
Perfect for: Universities, Bootcamps
Yes, HookProbe is 100% free and open-source under the AGPL license. No subscription fees, no cloud costs, no per-user pricing. You own your data and infrastructure completely.
Commercial SIEMs typically cost $50,000+/year and require cloud connectivity. HookProbe is free, runs on low-cost hardware like Raspberry Pi, and operates at the edge without cloud dependency. Enterprise-grade detection, zero cost.
Absolutely. HookProbe is optimized for Raspberry Pi 4/5, NVIDIA Jetson, and any ARM64/x86_64 device. A single Raspberry Pi 5 can monitor networks with 50+ devices.
Under 5 minutes. Run our automated installer on any Linux device, and all 7 PODs are automatically configured and protecting your network. No consultants required.
No. HookProbe is 100% self-hosted and works completely offline. All threat detection, log analysis, and incident response happens locally. Your data never leaves your network.
NAPSE for unified AI-native detection (50,000+ rules, sub-ms latency), AEGIS for autonomous AI defense, ClickHouse for log management, MISP for threat intel, plus automated response playbooks.
Qsecbit is HookProbe's real-time security score (0-100%) that measures your infrastructure's actual security posture. Score above 55% means GREEN (Protected), 30-55% is AMBER (Stay alert), below 30% is RED (Under attack). Updates continuously based on threat activity and defense effectiveness.
Home lab enthusiasts, small businesses, MSPs, security researchers, and anyone who wants enterprise-grade security without enterprise costs. If you have devices on a network, HookProbe can protect them.
Honest answers to the hard questions. Source code is public — verify everything at github.com/hookprobe/hookprobe.
We don't. HookProbe has two separate latency budgets: (1) kernel-level packet blocking via XDP/eBPF executes in ~10 microseconds per decision — pure LPM_TRIE map lookup, no AI in the critical path, (2) AI reasoning via Multi-RAG 3-silo consensus runs asynchronously in 500ms-5s and populates the kernel's blocklist maps. The AI decides slowly, writes to a map once, then the kernel uses that map at wire speed. These are independent systems. Any claim attaching AI inference to the microsecond latency is wrong — ours or anyone else's.
No. HookProbe has no MITM proxy and does not break encryption. We provide L2-L4 deep inspection (Ethernet, IP, TCP/UDP, flags, payload length, Shannon entropy) plus L5-L7 metadata fingerprinting: JA3 TLS fingerprints, SNI, DNS query patterns, DoH endpoint detection. This works on encrypted traffic without decrypting it. If anyone claims full L7 decryption without a decryption proxy, they're either wrong or selling you something that will break TLS 1.3.
No, and we don't claim it can. Gemma 4 31B needs ~20GB VRAM; Pi 5 has 8GB max. On Guardian tier (Pi 5 / edge SBC), the reasoning layer runs via cloud API (OpenRouter, rate-limited 8 calls/min on the free tier) while the kernel defense layer runs 100% locally. On Fortress tier (16GB+ RAM), local LLM inference is supported. XDP/eBPF kernel blocking is identical across tiers — only the reasoning location changes. Documented in products/guardian/lib/aegis_lite.py.
No. The Emotion Engine implements Russell's circumplex model with two genuinely independent dimensions: valence (-1.0 to +1.0) and arousal (0.0 to 1.0). These are computed from separate stimulus inputs with independent decay constants. The 5 emotional states are quadrants of the 2D plane, not thresholds of a single score: high arousal + negative valence + known threat = ANGRY; very negative valence + very high arousal = FEARFUL. Each emotion maps to a different wired response: FEARFUL → honeypot deployment, ANGRY → tarpit activation, SERENE → camouflage disabled. The wiring writes to BPF camouflage maps at kernel level. See core/cno/emotion_engine.py and adaptive_camouflage.py.
Yes — with five safety layers before deployment: (1) constrained prompt (allowed BCC macros, bounded helpers, banned patterns enforced), (2) static analysis rejects banned patterns before compile, (3) Linux BPF verifier rejects unbounded loops, out-of-bounds access, unsafe helpers, (4) compilation validation, (5) automatic 300-second rollback if no improvement observed. Rate limit: max 2 generated programs per hour. It only fires when no template matches — in production, 95%+ of threats match pre-vetted templates and the LLM is never invoked. Every generation attempt is audited in ClickHouse. Phase 20 is a dormant capability, not a primary path.
Enforced in code at shared/dsm/consensus.py. We use the correct BFT formula n - (n-1)//3 rather than multiplying n by a 2/3 threshold, which truncates and can land below the BFT minimum. Signature validation runs before quorum counting — malformed signatures never contribute to the count. Proof of Possession (PoP) verification gates signature acceptance, blocking rogue-key attacks. A QuorumNotReached exception is raised on insufficient signatures — no silent fallback. Caveat: v5.0 uses RSA multi-sig fallback; native BLS aggregation is planned for v5.1. The RSA fallback still enforces 2/3 quorum + PoP — security unchanged, only aggregation efficiency differs.
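The quorum rule and ordering described above, as an added illustration that is not HookProbe's shared/dsm/consensus.py: the BFT minimum n - (n-1)//3 beside the truncating variant it replaces, with every signature verified before it is counted. RSA/BLS signing and Proof of Possession are stood in for by HMAC-SHA256 over per-peer keys, an assumption made only so the example runs on its own.

```python
import hashlib
import hmac


class QuorumNotReached(Exception):
    """Raised when valid signatures fall short of the BFT quorum (no silent fallback)."""


def bft_quorum(n: int) -> int:
    """Minimum signers for n validators tolerating f = (n-1)//3 faults: n - f."""
    return n - (n - 1) // 3


def truncated_threshold(n: int) -> int:
    """The naive 'n * 2/3, truncated' variant: undercounts at n=4 (2 vs 3) and n=7 (4 vs 5)."""
    return int(n * 2 / 3)


def sign(peer_key: bytes, microblock: bytes) -> bytes:
    """Stand-in signature (HMAC-SHA256); an assumption for this example, not the real scheme."""
    return hmac.new(peer_key, microblock, hashlib.sha256).digest()


def verify(peer_key: bytes, microblock: bytes, sig) -> bool:
    """Reject malformed input before comparing, so garbage never reaches the count."""
    if not isinstance(sig, (bytes, bytearray)) or len(sig) != 32:
        return False
    return hmac.compare_digest(sign(peer_key, microblock), bytes(sig))


def validate_microblock(microblock: bytes, sigs: dict, peer_keys: dict) -> int:
    """Count only signatures from known peers that verify, then enforce quorum.

    Returns the number of valid signatures or raises QuorumNotReached.
    """
    n = len(peer_keys)
    valid = 0
    for peer, sig in sigs.items():
        key = peer_keys.get(peer)  # unknown peer: not a validator, never counted
        if key is not None and verify(key, microblock, sig):
            valid += 1
    needed = bft_quorum(n)
    if valid < needed:
        raise QuorumNotReached(f"{valid} valid of {n} validators, need {needed}")
    return valid
```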
Four defense layers on incoming Bloom filters: (1) size validation (max 16MB, rejects OOM attacks), (2) density validation (rejects ≥90% saturation / all-1s DoS), (3) consistency validation (declared IP count vs observed density, 20% tolerance), (4) peer reputation with exponential trust decay. BFT voting requires 2+ trusted peers to agree before any mesh-derived IP is blocked locally. Individual IPs are never transmitted — only differential-privacy-noised Bloom filters (ε=1.0, flip probability ≈0.269), so anonymization is not reversible. Known tradeoff: new peers start at 0.5 trust (above acceptance threshold); lowering initial trust to 0.1 with an introduction handshake is on the security roadmap.
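The first three of the four layers above, as an added example that is not HookProbe's own code: a constructed Bloom filter is noised with randomised response at ε=1.0 (flip probability 1/(1+e^ε) ≈ 0.269) and then checked for size, saturation and consistency between the declared IP count and the observed bit density. The hashing scheme, filter size, k, and the reading of "20% tolerance" as relative to the expected density are assumptions; peer reputation is not modelled.

```python
import hashlib
import math
import random

MAX_BYTES = 16 * 1024 * 1024   # layer 1: 16MB cap (rejects OOM-sized filters)
MAX_DENSITY = 0.90             # layer 2: saturation / all-1s cut-off
TOLERANCE = 0.20               # layer 3: slack, declared vs observed (assumed relative)
EPSILON = 1.0                  # DP budget quoted on the page

def flip_probability(eps: float = EPSILON) -> float:
    """Randomised-response flip probability 1/(1+e^eps): about 0.269 at eps=1."""
    return 1.0 / (1.0 + math.exp(eps))

def build_filter(ips, m_bits: int, k: int) -> bytearray:
    """Plain Bloom filter with k SHA-256-derived positions per IP (constructed hashing)."""
    bits = bytearray(m_bits // 8)
    for ip in ips:
        for i in range(k):
            pos = int.from_bytes(hashlib.sha256(f"{i}:{ip}".encode()).digest()[:4], "big") % m_bits
            bits[pos // 8] |= 1 << (pos % 8)
    return bits

def dp_noise(bits, p: float, seed: int = 0) -> bytearray:
    """Flip every bit independently with probability p before sharing (seeded for the example)."""
    rng, out = random.Random(seed), bytearray(bits)
    for pos in range(len(out) * 8):
        if rng.random() < p:
            out[pos // 8] ^= 1 << (pos % 8)
    return out

def density(bits) -> float:
    return sum(bin(b).count("1") for b in bits) / (len(bits) * 8)

def expected_density(m_bits: int, k: int, n_ips: int, p: float) -> float:
    """Set-bit fraction after n_ips insertions with k hashes, then p-flipping each bit."""
    clean = 1.0 - math.exp(-k * n_ips / m_bits)
    return clean * (1 - p) + (1 - clean) * p

def validate_filter(bits, k: int, declared_ips: int) -> tuple:
    """Layers 1-3 from the FAQ; peer reputation (layer 4) is not modelled here."""
    if len(bits) > MAX_BYTES:
        return False, "oversized"
    d = density(bits)
    if d >= MAX_DENSITY:
        return False, f"saturated ({d:.2f})"
    exp = expected_density(len(bits) * 8, k, declared_ips, flip_probability())
    if abs(d - exp) > TOLERANCE * exp:
        return False, f"inconsistent (observed {d:.2f}, expected {exp:.2f})"
    return True, "ok"
```

A filter padded to look busier than its declared IP count (or declared busier than it is) fails the consistency layer even when it sits well below the 90% saturation cut-off.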
Neither is a black box — source code is public. QSecBit weights are inline in qsecbit_engine.py: threat 35%, network 25%, detection 25%, response 15%. The 7-component dashboard version has each weight documented. NAPSE intent classification is rule-based heuristics with explicit thresholds, not neural: DDoS requires 10+ distributed sources at 5000+ pps, port scan requires 25+ non-standard ports, brute force requires 50+ SYN packets to auth ports in 60s. Multi-RAG consensus also generates natural-language reasoning per verdict, persisted to ClickHouse for XAI audit trail. Verify every claim at github.com/hookprobe/hookprobe.
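The three intent thresholds quoted above, applied to constructed packet records as an added example (not NAPSE's classifier). The thresholds are the page's; the sets of "auth ports" and "standard" ports, and measuring pps over the observed time span for a destination, are assumptions.

```python
from collections import defaultdict

# Thresholds quoted on the page; the two port sets are assumptions (the page names neither).
DDOS_MIN_SOURCES, DDOS_MIN_PPS = 10, 5000
SCAN_MIN_PORTS = 25
BRUTE_MIN_SYN, WINDOW_S = 50, 60
AUTH_PORTS = {21, 22, 23, 3389, 5900}          # assumed "auth ports"
STANDARD_PORTS = {22, 25, 53, 80, 123, 443}    # assumed "standard" ports for the scan rule


def max_in_window(times, window):
    """Largest number of sorted timestamps falling within any `window`-second span."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify_intents(packets):
    """packets: iterable of (ts_seconds, src_ip, dst_ip, dst_port, is_syn).

    Returns sorted (intent, key) findings: ("ddos", dst), ("port_scan", src),
    ("brute_force", src). Rule-based with explicit thresholds, nothing learned.
    """
    by_dst = defaultdict(list)        # dst -> [(ts, src)]
    scan_ports = defaultdict(set)     # src -> {non-standard dst ports touched}
    auth_syns = defaultdict(list)     # src -> [ts of SYNs to auth ports]
    for ts, src, dst, dport, syn in packets:
        by_dst[dst].append((ts, src))
        if dport not in STANDARD_PORTS:
            scan_ports[src].add(dport)
        if syn and dport in AUTH_PORTS:
            auth_syns[src].append(ts)
    findings = set()
    for dst, hits in by_dst.items():
        span = max(1.0, max(t for t, _ in hits) - min(t for t, _ in hits))  # at least 1s
        if len({s for _, s in hits}) >= DDOS_MIN_SOURCES and len(hits) / span >= DDOS_MIN_PPS:
            findings.add(("ddos", dst))
    for src, ports in scan_ports.items():
        if len(ports) >= SCAN_MIN_PORTS:
            findings.add(("port_scan", src))
    for src, times in auth_syns.items():
        if max_in_window(sorted(times), WINDOW_S) >= BRUTE_MIN_SYN:
            findings.add(("brute_force", src))
    return sorted(findings)
```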
Yes — measured. Current production runs 24 containers (9 web + 15 IDS) using ~4.3GB actual RAM (54% headroom under 8GB). Verifiable via podman stats. Most containers are small Python services; ClickHouse and PostgreSQL dominate memory use but stay under 2GB combined in typical workloads. Guardian edge tier has its own 1.5GB budget with cloud-assisted LLM. For deployments above 200 monitored IPs, we recommend 16GB for peak-traffic headroom.
The architecture is decentralized — federation, BFT peer voting, DP-noised Bloom filter sharing, peer reputation scoring are all implemented. Current reference deployment is single-node for simplicity; multi-node peering is ready but not yet activated with a peer network. "Decentralized-capable" is the precise claim. The code path for federation is identical whether you run one node or fifty — only the peer count differs. Federation activates automatically when MSSP_API_URL or mesh peers are configured.
The public repository: github.com/hookprobe/hookprobe. Every claim on this page maps to a specific file and line number in that repo. If you find a claim that the code contradicts, open an issue — we'll fix either the claim or the code. The Alexandria audit framework continuously validates the CNO against its own specification; current score 10.0/10 across 20 phases, 95 documented lessons learned from real production incidents.
Your first Raspberry Pi SOC is 5 minutes away. No credit card. No sales calls. Just security.
Open source. Self-hosted. Free forever.