Platform Overview

28 modules.
6 security domains.
One unified platform.

T-SecOps integrates every layer of your security operations — from raw packet inspection to autonomous AI analysis and regulatory compliance — into a single self-hosted platform with no external data dependency.

28 Platform Modules
6 Security Domains
7 Threat Intel Providers
5 ML Detection Models

Six Domains. One Platform.

Everything your team needs.
Nothing you don't.

Six purpose-built domains cover the full detection and response lifecycle. Every module shares a common data bus — events flow automatically between the network layer, AI analysis engine, endpoint sensors, and compliance framework.

Domain 1: Network Detection & Response
Suricata IDS/IPS engine inspects all traffic. Firewall log integration with pfSense/OPNsense, pfBlockerNG, and UniFi. Geographic enrichment, threat feed correlation, and MITRE ATT&CK mapping on every alert.
Live Threat Dashboard (Core)
Real-time alert feed with severity classification, geographic heatmap, and 24-hour trend charts.
Suricata IDS/IPS (Core)
Full Suricata 7 integration — inline IPS mode, custom rule sets, performance statistics, and alert drill-down.
Threat Feed Hub (Core)
AbuseIPDB, OTX, VirusTotal, MalwareBazaar, Shodan, Talos, and Feodo. Automatic correlation on every alert.
pfSense Integration (Core)
Pulls firewall logs via syslog. Visualises allowed/blocked traffic, GeoIP, top talkers, and bandwidth trends.
pfBlockerNG Module (Core)
Block-list analytics — which domains were blocked, by which list, with frequency and trend data.
UniFi Integration (Core)
Collects UniFi Network Application logs. Client map, AP health, and VLAN segmentation visibility.
MITRE ATT&CK Overlay (AI)
Every Suricata alert tagged to the MITRE matrix. Coverage heatmap shows gaps and hot spots across 14 tactics.
Attack Simulator (New)
Built-in red team scenarios — ICMP flood, port sweep, banner grab, DNS flood. Validates detection coverage without external tools.
Domain 2: Autonomous AI SOC
Six specialised Ollama LLM models run locally on your hardware. Five autonomous background jobs classify, correlate, and brief your team — around the clock. All inference stays on-premises.
AI Morning Briefing (AI)
Structured security summary at 07:00 — top threats, anomalies, and recommended actions from the past 24 hours.
Threat Classifier (AI)
The qwen2.5:7b model runs every 2 minutes and classifies every alert with a severity score, attack type, and confidence level.
Correlation Engine (AI)
Cross-source correlation runs every 10 minutes. Links network, DNS, and endpoint events into unified incident threads.
C2 Beaconing Detector (AI)
HDBSCAN clustering and an XGBoost model detect periodic beaconing. Scores regularity, jitter, and byte variance.
pgvector RAG Search (AI)
Semantic search across all historical alerts. Ask natural-language questions about past incidents.
Smart Alerting (AI)
7 rule-engine alerts with AI context enrichment — geo-blocked IPs, new external services, anomalous uploads.
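To show what the regularity, jitter and byte-variance features of the beaconing detector look like on real flow data, here is an added Python illustration. It is not T-SecOps code and does not use HDBSCAN or XGBoost; it derives the three features with plain statistics from a constructed set of flow records, and the threshold and function names are assumptions.

```python
"""Beacon-feature scoring over constructed flow records (added example,
not T-SecOps code). Plain statistics stand in for the product's models."""
import statistics
from collections import defaultdict

# Constructed sample flows: (timestamp_seconds, src, dst, bytes_out).
# 10.0.0.5 contacts 203.0.113.9 every ~60 s with near-identical sizes.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 512), (61, "10.0.0.5", "203.0.113.9", 514),
    (119, "10.0.0.5", "203.0.113.9", 512), (181, "10.0.0.5", "203.0.113.9", 513),
    (240, "10.0.0.5", "203.0.113.9", 512), (299, "10.0.0.5", "203.0.113.9", 515),
    # Ordinary browsing: irregular intervals, highly variable sizes.
    (3, "10.0.0.7", "198.51.100.20", 1400), (9, "10.0.0.7", "198.51.100.20", 33000),
    (70, "10.0.0.7", "198.51.100.20", 2200), (72, "10.0.0.7", "198.51.100.20", 900),
    (260, "10.0.0.7", "198.51.100.20", 51000), (262, "10.0.0.7", "198.51.100.20", 4100),
]

def beacon_features(flows, min_flows=5):
    """Return {(src, dst): feature dict} for pairs with at least min_flows flows."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))
    out = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [s for _, s in recs]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps)            # spread of inter-arrival times
        regularity = 1 - min(jitter / mean_gap, 1)  # 1.0 = perfectly periodic
        byte_var = statistics.pvariance(sizes)
        # Composite (assumed): periodic timing plus stable sizes reads as beacon-like.
        size_stability = 1 / (1 + byte_var / (statistics.mean(sizes) ** 2))
        out[pair] = {"mean_gap": mean_gap, "jitter": jitter,
                     "regularity": regularity, "byte_variance": byte_var,
                     "score": round(regularity * size_stability, 3)}
    return out

def likely_beacons(flows, threshold=0.8):
    """Pairs whose composite score reaches the (assumed) threshold."""
    return sorted(p for p, f in beacon_features(flows).items() if f["score"] >= threshold)

if __name__ == "__main__":
    for pair, feats in beacon_features(FLOWS).items():
        print(pair, feats)
```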
Domain 3: Endpoint XDR
Lightweight mTLS-encrypted agents for Windows 11 and Ubuntu. pySigma detection rule engine with 11 curated rules pre-loaded. Full SigmaHQ library import with one click.
Windows 11 Agent (Core)
Collects process events, file changes, network connections, authentication logs. Sigma rule matching in real time.
Ubuntu Linux Agent (Core)
Sysmon for Linux integration, auditd log collection, SSH events, crontab monitoring, and service state changes.
Sigma Rule Engine (Core)
pySigma backend with 11 curated detection rules. Import thousands of community rules from SigmaHQ with one click.
Endpoint Dashboard (Core)
All enrolled endpoints, health status, last seen, and event stream. Cross-agent correlation with network events.
Domain 4: Active Defense & Deception
Deploy realistic honeypot sensors with authentic personas. Every interaction is a high-confidence, zero-false-positive alert. Canary Tokens extend deception into files and documents.
SSH Honeypot (Core)
Realistic SSH server that logs every connection attempt, credential probe, and command executed by intruders.
IoT Printer Lure (Core)
Emulates a network printer. Triggers on discovery scans, print-job attempts, and admin panel access.
Windows Workstation Lure (Core)
SMB/RPC emulation. Captures credential harvesting, lateral movement probes, and ransomware spread attempts.
Canary Tokens (New)
Embed undetectable tripwires in Word docs, PDFs, and scripts. Fires instantly when opened outside your network.
Domain 5: DNS Security & Analytics
Deep DNS telemetry for detecting data exfiltration, C2 tunneling, and algorithmically generated domain names. Passive DNS with historical lookup correlation.
DNS Traffic Analyser (Core)
Top queried domains, query frequency charts, NXDOMAIN spike detection, and resolver performance metrics.
DGA Detector (AI)
An ML model scores every queried domain for algorithmic generation patterns. Catches C2 infrastructure before it beacons.
DNS Tunneling Monitor (AI)
Entropy analysis and payload-length heuristics detect data exfiltration via DNS queries.
Fast-Flux Tracker (AI)
Monitors TTL patterns and A-record rotation to identify fast-flux infrastructure used by malware operators.
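The heuristics named across this domain (label entropy and payload length for tunnelling, vowel-free second-level labels as a crude DGA sign, and low TTL with rotating A records for fast-flux) are shown in one added Python illustration below. It is not T-SecOps code and does not use its ML model; the passive-DNS records, thresholds and function names are constructed assumptions.

```python
"""DNS query heuristics: entropy, label length, DGA sign and A-record churn
(added example, not T-SecOps code; thresholds are illustrative)."""
import math
from collections import Counter, defaultdict

# Constructed passive-DNS style records: (qname, ttl, answers).
RECORDS = [
    ("www.example.com", 3600, ["93.184.216.34"]),
    ("mail.example.com", 3600, ["93.184.216.34"]),
    # Tunnel-like: long, high-entropy hex labels under one domain.
    ("4a6f686e2e446f652e3230323400a1b2c3d4e5f6.t.exfil.example", 60, ["198.51.100.5"]),
    ("9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.t.exfil.example", 60, ["198.51.100.5"]),
    # DGA-like: random-looking second-level labels.
    ("xkqvzjtwpl.net", 300, ["203.0.113.7"]),
    ("qmzrtbvwxy.net", 300, ["203.0.113.8"]),
    # Fast-flux-like: same name, tiny TTL, rotating A records.
    ("cdn.flux.example", 30, ["203.0.113.10"]),
    ("cdn.flux.example", 30, ["203.0.113.11"]),
    ("cdn.flux.example", 30, ["203.0.113.12"]),
]

def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def query_flags(qname, max_label=32, max_entropy=3.2):
    """Flags for one query name: tunnelling-style length/entropy, DGA-style SLD."""
    labels = qname.lower().split(".")
    host_labels = labels[:-2]  # left of the registered domain (assumed two labels)
    longest = max((len(l) for l in host_labels), default=0)
    sld = labels[-2] if len(labels) >= 2 else qname
    flags = set()
    if longest > max_label:
        flags.add("long_label")
    if shannon_entropy("".join(host_labels)) > max_entropy:
        flags.add("high_entropy_host")
    if len(sld) >= 10 and not any(v in sld for v in "aeiou"):
        flags.add("vowelless_sld")  # crude DGA indicator, many false positives
    return flags

def fast_flux_candidates(records, max_ttl=60, min_ips=3):
    """Names answered only with low TTLs and at least min_ips distinct A records."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, ttl, answers in records:
        ips[qname].update(answers)
        ttls[qname].append(ttl)
    return sorted(q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)
```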
Domain 6: Compliance & Governance
Live scoring against NIS2 Article 21, NIST CSF 2.0, and CIS Controls v8. Automated evidence collection with human-approval workflow. Audit-ready ZIP export in one click.
NIS2 Compliance Engine (Core)
Article-by-article scoring for NIS2 Art. 21. Gap analysis with AI-written remediation guidance for each open item.
NIST CSF 2.0 Module (Core)
Complete mapping to all 6 NIST functions — Govern, Identify, Protect, Detect, Respond, Recover. Evidence auto-attached.
CIS Controls v8 (Core)
18 control families with automated evidence from your live telemetry. Score tracked over time for audit trending.
Evidence & Audit Export (New)
Every piece of evidence is logged, timestamped, and stored. Approve via workflow, then export a complete audit ZIP.
AI Remediation Advisor (AI)
For each compliance gap, the AI analyses your actual telemetry and produces a context-aware remediation plan.
Vulnerability Scanner (New)
Scheduled network-layer vulnerability scans. CVE enrichment from NVD. Prioritised findings fed into compliance scoring.
Self-Hosted. Your Rules.

Choose the right architecture
for your environment

T-SecOps runs entirely on your hardware. Three deployment modes address different network topologies and security requirements — from a single-server lab to an air-gapped production network.

Integrated Mode
All platform services run on a single server alongside the sensor. Ideal for small networks, lab environments, and initial deployments.
Single-server deployment
Docker Compose — single command
Supports x86-64, ARM64
GPU acceleration optional
Network path separation
Physical Diode Mode
Data flows through a one-way hardware diode. No return path from the analysis server to the monitored network. Designed for OT/ICS and high-security networks.
Hardware data diode support
Zero back-channel from server
OT / ICS network ready
Air-gap compatible
Regulatory-grade isolation
Honest Capability Assessment.

What T-SecOps does —
and doesn't do

T-SecOps is a detection, analysis, and compliance platform. It is not a managed service, and it does not replace your firewall or endpoint AV.

T-SecOps handles this
Real-time network intrusion detection and prevention
AI-assisted threat classification and correlation
Endpoint process, file, and network event collection
Honeypot and deception infrastructure management
DNS anomaly detection — DGA, tunneling, fast-flux
NIS2 / NIST / CIS compliance scoring and evidence
Autonomous morning briefing and alert enrichment
MITRE ATT&CK coverage mapping
Not in scope
Firewall rule management (works alongside pfSense/OPNsense)
Antivirus / malware removal on endpoints
Managed detection & response (MDR) service
SIEM log archival beyond 12-month rolling window
Cloud-native workload monitoring (AWS/Azure/GCP)
Identity and access management
Capability Matrix

Feature availability by deployment mode

Feature Integrated Segmented Physical Diode
Suricata IDS/IPS (Network Detection)
7 Threat Feed Providers (Threat Intelligence)
Autonomous AI SOC (AI Analysis)
GPU Acceleration (AI Analysis)
Endpoint XDR Agents (Endpoint)
Honeypot Sensors (Active Defense)
DNS Analytics (DNS Security)
NIS2 / NIST / CIS Compliance (Compliance)
Multi-site Sensors (Architecture)
Hardware Data Diode (Architecture)

Ready to deploy?

Get the full T-SecOps platform running on your own hardware in under an hour.