SYNAPSE
Detect. Decide. Fire.
EDGE DEFENSE ENGINE
High-performance defense that decides at the edge.
Embedded intelligence for API security and application defense. All detection and blocking decisions happen locally at the edge. No cloud round-trips. No external dependencies. The sensor keeps enforcing locally even if the hub is unreachable.
<1ms
Detection Latency
72K+
Sustained RPS
25MB
Sensor Binary
500+
Bot Signatures
8+
Correlation Detectors
22+
DLP Patterns
Status: early and unaudited. Synapse has not undergone third-party security review. It has the potential to protect production one day; it is at the very beginning. Do not place it in front of production traffic you can't afford to have bypassed. Run it, test it, try to break it, and report what you find — that's the most useful thing you can do for the project right now. See SECURITY.md for how to report a vulnerability.
The Platform
SYNAPSE EDGE DEFENSE
Autonomous WAAP Sensor
- Pingora-powered proxy: single Rust binary, zero-downtime reload
- Campaign correlation + graph: 8 detectors + 2nd-degree relationship analysis
- Auto-mitigation: high-confidence campaigns trigger automatic blocking
- Bot detection: 500+ signatures, DNS verification, client integrity
- Credential stuffing: distributed attack correlation, account takeover detection
- API intelligence: schema learning, param value analysis, response profiling
- Trends & anomaly: 13 anomaly types, impossible travel, velocity spikes
- DLP scanning: 22+ sensitive data patterns with validation (Luhn, format checks)
- Interrogation: tarpit, cookie/JS challenges, progressive escalation
SYNAPSE FLEET Intelligence
Collective Defense, Analytics & Remote Management
- Live Threat Map: real-time global attack visualization, geo-IP correlation
- Campaign Map: visual attack infrastructure linking IPs, fingerprints, payloads
- Sigma Rules: industry-standard detection rules, custom queries, hunt workflows
- CyberChef: integrated payload decoder, encoder, analysis toolkit
- War Room: collaborative incident response, quick blocks, automation hooks
- Cross-tenant correlation: threat sharing across fleet, distributed attack detection
- Fleet management: health scoring, config drift, centralized rule distribution
- Hunt API: time-window queries across PostgreSQL + ClickHouse
- Remote access: secure WebSocket tunnels to sensor shell + dashboards
Performance
End-to-End Proxy Benchmarks
Real-world benchmarks with DLP enabled, 100 concurrent VUs, full behavioral tracking. Detection doesn't evaluate all 248 rules per request. A rule index pre-filters based on request characteristics, reducing candidates to ~35 rules before matching begins.
| Scenario | Latency |
|---|---|
| WAF detection (under load) | <50μs |
| Fast path (GET, no body) | ~300μs |
| Standard payload (4-8KB) | ~450μs |
| P95 latency | <1ms |
| Blocked + tarpit | ~1000ms |
Full Stack in Benchmark
248 detection rules (indexed to ~35) · DLP scanning (22+ patterns, parallel) · Campaign correlation (8 detectors) · Graph correlation (2nd-degree) · Credential stuffing detection · Bot detection (500+ signatures) · Client integrity analysis · JA4/JA4H fingerprinting (~3μs) · Actor/Entity/Session stores · Schema learning + validation · Parameter value analysis · Response profiling · Trends/anomaly (13 types) · Auto-mitigation engine · Rate limiting · Tarpit enforcement
Smart Rule Indexing: Index by HTTP method, request features, header presence, content type. Static assets bypass detection entirely. Decode/parse only when a rule condition requires it. Short-circuit after first false condition.
See the WAF rule pipeline → Beyond Rules
Behavioral Intelligence
Rules are table stakes. What differentiates Synapse is embedded intelligence that correlates signals, tracks actors across sessions, and detects coordinated attacks locally, without cloud round-trips.
Campaign Correlation + Graph
| Detector | Weight | Catches |
|---|---|---|
| Attack Sequence | 50 | Same payloads across IPs |
| Auth Token | 45 | Same JWT structure = same actor |
| HTTP Fingerprint | 40 | Different IPs, same browser |
| Graph Correlation | 40 | 2nd-degree relationships |
| TLS Fingerprint | 35 | Same TLS signature = same tooling |
| Behavioral | 30 | Same navigation patterns |
| Timing | 25 | Coordinated timing = botnet |
| Network Proximity | 15 | Same ASN/subnet |
Bot & Crawler Detection
Catches Python scripts claiming to be Chrome
8+
Correlation Detectors
500+
Bot Signatures
100K
Actor LRU Cache
Auto
Campaign Mitigation
Sessions
Session Intelligence
| Detection | Trigger | Risk |
|---|---|---|
| Session Hijacking | Fingerprint change mid-session | HIGH |
| Impossible Travel | Geo-impossible location change | HIGH |
| Credential Stuffing | Auth pattern anomalies | MED |
| Multi-IP Session | >2 IPs per session | MED |
| Fingerprint Velocity | Rapid fingerprint changes | +40 |
Composite Identity: JA4 + JA4H + IP + Auth Token → actor continuity even when cookies cleared. No cloud required.
See the risk scoring lifecycle → DLP
Data Loss Prevention
FINANCIAL
Credit Card (Luhn) · Bank Account · Routing Number · IBAN
IDENTITY
SSN (format check) · Passport · Driver License · National ID
CREDENTIALS
AWS Keys · GitHub Tokens · Stripe/Twilio Keys · Private Keys
HEALTHCARE
Medical Record # · DEA Number · NPI · HIPAA identifiers
Parallel scanning: DLP runs DURING network setup, not before. 4KB payload ~29μs, 8KB payload ~71μs. 8KB cap for bounded latency.
See DLP at the edge → Active Defense
Interrogator System
Progressive challenge escalation separates bots from humans without blocking legitimate traffic.
Challenge Progression
Honeypot Traps
Configurable trap paths that instantly max risk for any actor that touches them.
/.env, /wp-admin, /admin/config
// Hit = instant risk 100
// Hit = instant risk 100
De-escalation: Good behavior reduces challenge level. Legitimate users who pass challenges get remembered and flow freely on subsequent requests.
10K
Tarpit States
50K
Cookie Tracker
10K
JS Challenges
30s
Max Tarpit
Horizon
SOC Analyst Tooling
Beyond fleet management, Horizon provides purpose-built tools for security analysts. Real-time visualization, industry-standard detection rules, and integrated analysis utilities.
Live Threat Map
Campaign Map
Sigma Rules
CyberChef Integration
∞
Sensors Supported
<100ms
Sync Latency
80+
API Endpoints
100%
Self-Hostable
In Action
[11:19:35] CRITICAL Shell command injection /api/orders · 198.51.100.12
[11:19:35] CAMPAIGN C-2847 escalated 12 IPs · 3 ASNs · credential stuffing
[11:19:35] JA4 Fingerprint rotation detected 3 prints / 60s · 198.51.100.12
[11:19:36] BLOCKED 198.51.100.12 risk 87 · auto-block · campaign C-2847
[11:19:36] DLP Credit card detected in response /api/users/export · Luhn validated · BLOCKED
[11:19:37] INTERROGATE Level 2 JS challenge issued 203.0.113.42 · failed cookie check
Detection: <50μs avg · 38,291 evals/sec · 0 drops · 248 rules (35 indexed)
Deep Dives
Technical Infographics
Interactive visual references for Synapse's core capabilities. Each is built in the Synapse design system.
Start Here · Platform Overview
Platform Architecture
Full stack from clients to consumers. Five layers spanning edge sensors, central hub, storage, and downstream integrations with data flow paths.
→
Campaign Correlation
7 Weighted Detectors
How Synapse links distributed attacks into unified campaigns. Seven detectors, confidence thresholds, fleet-wide correlation.
DLP at the Edge
Inline Response Inspection
Data Loss Prevention built into the WAF decision path. 5 detection categories, real-time blocking, traditional vs edge architecture.
Request Processing
Complete Lifecycle
Six-stage sequential pipeline from TLS fingerprint to decision. Stage timing, challenge escalation, edge vs cloud latency comparison.
Risk Scoring
Lifecycle & Thresholds
How Synapse computes per-entity risk scores from multiple signal sources. Decay, escalation thresholds, and action triggers.
Interrogator System
Edge Intelligence Pipeline
Deep packet inspection and entity profiling. How Synapse builds behavioral models from traffic patterns in real time.
WAF Rule Pipeline
Two-Phase Evaluation
248 detection rules across 30 threat classes. Body-phase pass, deferred DLP-aware pass, and a single canonical 403 exit point.
Schema Learning
Validate Now, Train Later
How Synapse infers per-endpoint JSON schemas from live traffic. Microsecond validation, deferred training, poison-resistant baselines.
Threat Intel Feedback Loop
Observe · Correlate · Re-Arm
Signals observed at one IP turn into blocks at every related IP. Closed-loop enforcement runs in-process with O(1) fingerprint lookups and no backend round-trip.
Deployment Topology
Control Plane + Edge Fleet
One control plane, a fleet of edge sensors, and a persistent WebSocket tunnel carry config in and telemetry out. Tenant isolation applies at every layer.
Synapse Fleet Telemetry
10K signals/sec → ClickHouse
From edge sensors to hunt-ready rollups. Authenticated ingest, tiered retention, and ten materialized views that keep dashboards snappy.
Client Integration
CLI · SDK · 4 Steps
Install the CLI, point it at a running Synapse, inspect rules, evaluate requests, and manage blocks from the terminal or a TypeScript program.
Analyst Incident Workflow
Human-in-the-Loop
How a Synapse Fleet analyst turns a spiking dashboard into a deployed rule. Four stages anchored in real UI surfaces and API endpoints.
Writing
Long-form deep dives
Architectural essays on how Synapse and Synapse Fleet Intelligence actually work, and the decisions behind them.
A fleet that shares fingerprints, not data
12 min read · Synapse Fleet Intelligence
The coordination plane for a Synapse deployment, and how it does collective defense without centralizing a payload. Anonymized SHA-256 fingerprints, an 8-factor campaign correlator, ~50ms fleet-wide pushes, and an air-gapped deployment mode that keeps running with no outbound connection.
Every sensor is a brain
12 min read · Synapse Architecture
Rebuilding a WAF without a cloud backend. Twelve inline capabilities in a single 25MB binary, no network round-trip, and a command plane that's genuinely optional.
Line-rate DLP
11 min read · Edge DLP
Sub-millisecond data loss prevention on multi-megabyte payloads with zero false positives. Aho-Corasick, zero-allocation validators, and parallel execution with upstream I/O.
Embedded Intelligence. Zero External Dependencies.