Horizon + Synapse — Edge Protection Platform

HORIZON

See Further. Act Faster.

SYNAPSE

On-Board Intelligence

Embedded intelligence for API security and application defense. All detection and blocking decisions happen locally at the edge. No cloud round-trips. No external dependencies. Full protection continues even with backend down.

<1ms

Detection Latency

15MB

Sensor Binary

500+

Bot Signatures

Correlation Detectors

22+

DLP Patterns

The Platform

Synapse

Autonomous Edge Sensor

Pingora-powered proxy — single Rust binary, zero-downtime reload
Campaign correlation + graph — 8 detectors + 2nd-degree relationship analysis
Auto-mitigation — high-confidence campaigns trigger automatic blocking
Bot detection — 500+ signatures, DNS verification, client integrity
Credential stuffing — distributed attack correlation, account takeover detection
API intelligence — schema learning, param value analysis, response profiling
Trends & anomaly — 13 anomaly types, impossible travel, velocity spikes
DLP scanning — 22+ sensitive data patterns with validation (Luhn, format checks)
Interrogation — tarpit, cookie/JS challenges, progressive escalation

Horizon

Fleet Intelligence & SOC Platform

Live Threat Map — real-time global attack visualization, geo-IP correlation
Campaign Map — visual attack infrastructure linking IPs, fingerprints, payloads
Sigma Rules — industry-standard detection rules, custom queries, hunt workflows
CyberChef — integrated payload decoder, encoder, analysis toolkit
War Room — collaborative incident response, quick blocks, automation hooks
Cross-tenant correlation — threat sharing across fleet, distributed attack detection
Fleet management — health scoring, config drift, centralized rule distribution
Hunt API — time-window queries across PostgreSQL + ClickHouse
Remote access — secure WebSocket tunnels to sensor shell + dashboards

Performance

End-to-End Proxy Benchmarks

Real-world benchmarks with DLP enabled, 100 concurrent VUs, full behavioral tracking. Detection doesn't evaluate all 237 rules per request — a rule index pre-filters based on request characteristics, reducing candidates to ~35 rules before matching begins.

Scenario	Latency
WAF detection (under load)	<50μs
Fast path (GET, no body)	~300μs
Standard payload (4-8KB)	~450μs
P95 latency	<1ms
Blocked + tarpit	~1000ms

Full Stack in Benchmark

237 production rules (indexed to ~35) · DLP scanning (22+ patterns, parallel) · Campaign correlation (8 detectors) · Graph correlation (2nd-degree) · Credential stuffing detection · Bot detection (500+ signatures) · Client integrity analysis · JA4/JA4H fingerprinting (~3μs) · Actor/Entity/Session stores · Schema learning + validation · Parameter value analysis · Response profiling · Trends/anomaly (13 types) · Auto-mitigation engine · Rate limiting · Tarpit enforcement

Smart Rule Indexing: Index by HTTP method, request features, header presence, content type. Static assets bypass detection entirely. Decode/parse only when a rule condition requires it. Short-circuit after first false condition.

Beyond Rules

Behavioral Intelligence

Rules are table stakes. What differentiates Synapse is embedded intelligence that correlates signals, tracks actors across sessions, and detects coordinated attacks — all locally, without cloud round-trips.

Campaign Correlation + Graph

Detector	Weight	Catches
Attack Sequence	50	Same payloads across IPs
Auth Token	45	Same JWT structure = same actor
HTTP Fingerprint	40	Different IPs, same browser
Graph Correlation	40	2nd-degree relationships
TLS Fingerprint	35	Same TLS signature = same tooling
Behavioral	30	Same navigation patterns
Timing	25	Coordinated timing = botnet
Network Proximity	15	Same ASN/subnet

Bot & Crawler Detection

Known Crawlers (500+) — Googlebot, Bingbot, social bots, SEO tools, classified by trust

DNS Reversal Verification — reverse DNS → forward lookup validates crawler claims

Client Integrity Analysis — User-Agent vs Sec-CH-UA, Fetch Metadata consistency

Bad Bot Blocklist — SQLMap, Nikto, Nmap, Metasploit → instant block

Catches Python scripts claiming to be Chrome

Correlation Detectors

500+

Bot Signatures

100K

Actor LRU Cache

Auto

Campaign Mitigation

Sessions

Session Intelligence

Detection	Trigger	Risk
Session Hijacking	Fingerprint change mid-session	HIGH
Impossible Travel	Geo-impossible location change	HIGH
Credential Stuffing	Auth pattern anomalies	MED
Multi-IP Session	>2 IPs per session	MED
Fingerprint Velocity	Rapid fingerprint changes	+40

Composite Identity: JA4 + JA4H + IP + Auth Token → actor continuity even when cookies cleared. No cloud required.

DLP

Data Loss Prevention

FINANCIAL

Credit Card (Luhn) · Bank Account · Routing Number · IBAN

IDENTITY

SSN (format check) · Passport · Driver License · National ID

CREDENTIALS

AWS Keys · GitHub Tokens · Stripe/Twilio Keys · Private Keys

HEALTHCARE

Medical Record # · DEA Number · NPI · HIPAA identifiers

Parallel scanning: DLP runs DURING network setup, not before. 4KB payload ~29μs, 8KB payload ~71μs. 8KB cap for bounded latency.

Active Defense

Interrogator System

Progressive challenge escalation separates bots from humans without blocking legitimate traffic. Suspicious actors face increasing friction; clean traffic flows unimpeded.

Challenge Progression

Level 1: Cookie Challenge — set tracking cookie, verify acceptance

Level 2: JavaScript PoW — SHA-256 proof-of-work computation

Level 3: CAPTCHA — human verification challenge

Level 4: Tarpit — progressive delays: 1.5^level (max 30s)

Honeypot Traps

Configurable trap paths that instantly max risk for any actor that touches them.

/.env, /wp-admin, /admin/config
// Hit = instant risk 100

De-escalation: Good behavior reduces challenge level. Legitimate users who pass challenges get remembered and flow freely on subsequent requests.

10K

Tarpit States

50K

Cookie Tracker

10K

JS Challenges

30s

Max Tarpit

Horizon

SOC Analyst Tooling

Beyond fleet management, Horizon provides purpose-built tools for security analysts. Real-time visualization, industry-standard detection rules, and integrated analysis utilities.

Live Threat Map

Geo-IP attack origin visualization

Attack type breakdown (SQLi, XSS, etc.)

Top targeted endpoints

Real-time block/allow counters

Sensor health status overlay

Campaign Map

Node types: IPs, JA4 fingerprints, auth tokens, ASNs

Edge relationships with confidence weights

2nd-degree connection discovery

Campaign timeline view

One-click block entire campaign

Sigma Rules

Native Sigma rule parsing and execution

Import from SigmaHQ repository

Custom rule editor with syntax highlighting

Rule testing against historical data

Scheduled hunt jobs with alerting

CyberChef Integration

Base64, URL, HTML entity decoding

Hex/binary conversion

Hash computation (MD5, SHA-256)

Regex extraction and testing

Recipe chaining for complex transforms

∞

Sensors Supported

<100ms

Sync Latency

80+

API Endpoints

100%

Self-Hostable

In Action

synapse — detection feed

[11:19:35] CRITICAL Shell command injection /api/orders · 198.51.100.12

[11:19:35] CAMPAIGN C-2847 escalated 12 IPs · 3 ASNs · credential stuffing

[11:19:35] JA4 Fingerprint rotation detected 3 prints / 60s · 198.51.100.12

[11:19:36] BLOCKED 198.51.100.12 risk 87 · auto-block · campaign C-2847

[11:19:36] DLP Credit card detected in response /api/users/export · Luhn validated · BLOCKED

[11:19:37] INTERROGATE Level 2 JS challenge issued 203.0.113.42 · failed cookie check

Detection: <50μs avg · 38,291 evals/sec · 0 drops · 237 rules (35 indexed)