
Fenrir SOC

Autonomous Security Operations Center for small and medium businesses. On-prem, sovereign, audit-ready. No data leaves your boundary.

Fenrir runs alongside your infrastructure as a single Linux service. It tails system logs, watches kernel events, snapshots system state, and queries the package feed. When something looks wrong, an AI analyst opens an investigation, follows a playbook, decides a verdict, and writes the evidence pack auditors actually need.


Where to start

  • Get started

    What Fenrir is, who it's for, and a 5-minute install on a fresh Ubuntu host.

  • Architecture

    The 5 components and how data flows from log line to Telegram alert.

  • Monitors

    The 9 detectors that feed the rule engine. What each one sees, and how often.

  • AI Investigations

    How HIGH/CRITICAL alerts trigger an autonomous Tier-1 analyst that writes structured reports.

  • Autonomous response

    Five revertible actions (kill, quarantine, stop, isolate, rollback) gated by analyst confidence. Off by default, dry-run on first enable.

  • Compliance

    GDPR, NIS2, ISO 27001 controls Fenrir helps you evidence — with audit-ready reports.

  • Configuration

    Every environment variable, with safe defaults and what happens when you change them.


Why Fenrir

We're allergic to marketing buzzwords with no substance. Here's how we earn the ones we use.

  • Secure by design. Runs as the unprivileged p3guardian user. Code paths that need root check os.geteuid() == 0 before attempting a privileged call, so an unprivileged run skips them instead of hammering sudo and triggering a storm of mail_badpass notifications. The dashboard sits behind an nginx reverse proxy with mandatory basic auth and is reached through a Cloudflare Tunnel by default, so no inbound ports need to be opened.

  • Continuous monitoring. Nine monitors run permanently in a single async process. Six tail logs in real time (sub-second latency from log line to detection). The other three poll system state on timers (for example, 10 min for baseline drift and 6 h for the CVE feed).

  • Privacy-preserving AI. When we route an alert to a cloud LLM, the PII anonymizer replaces personal identifiers with opaque tokens before the prompt leaves your server. The cloud model reasons about <PRIVATE_PERSON_1> and <PRIVATE_IP_2>. Real values are restored only in the final report on your side.

  • Sovereign by default. Self-hosted on your hardware (or your EU cloud). Local LLM via Ollama is a fully supported alternative to cloud — no data leaves your boundary at all if you don't want it to.

  • Audit-ready evidence. Every event is stored. Every investigation has a transcript. Every auto-action is logged with tool, args, result. Daily compliance audits run automatically against GDPR, NIS2, ISO 27001 — with PDF export.

  • Revertible autonomous response. The analyst can kill a process, quarantine a file, stop a service, block egress to an IP, or remove a package — but only with high confidence, only outside the operator-defined whitelist, and only after a one-week mandatory dry-run. Every action is one click away from being undone, both from Telegram and the dashboard. See Autonomous response for the safety rails.

  • Honest about scope. Fenrir watches your server, not your laptops. It is not an EDR, not an XDR, not an MSSP replacement. It is a Tier-1 SOC for the boxes you run yourself. We say what it doesn't do in the Threat model.

  • Practitioner-first. The defaults work on a fresh Ubuntu in 15 minutes. The runbook fits in a few pages. You can git clone, read every line, break-fix without a vendor call.
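The anonymize-then-restore round trip described under "Privacy-preserving AI" is the part worth seeing in code. The block below is an added example written for this page, not Fenrir's own anonymizer: the identifier classes (e-mail, IPv4, operator-supplied account names), the token format `<PRIVATE_KIND_n>`, and the sample log lines are all constructed assumptions. The two properties it demonstrates are that the same real value always maps to the same token within one investigation (so the model can still correlate "two failures from <PRIVATE_IP_1>"), and that restoration only ever fills in tokens this instance issued, so a token the model invents is left untouched rather than guessed.

```python
import re
from typing import Dict, Iterable, List, Tuple


class PiiAnonymizer:
    """Replace personal identifiers with opaque, stable placeholders.

    One instance covers one investigation: a real value always gets the same
    token, and only tokens issued here are ever restored.
    """

    # Identifier classes handled by this example (assumed; the page does not list Fenrir's).
    # E-mail runs first so the local part of an address is not later matched as a person name.
    _PATTERNS = {
        "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
        "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    }
    _TOKEN = re.compile(r"<PRIVATE_[A-Z]+_\d+>")

    def __init__(self, persons: Iterable[str] = ()):
        # Account or real names supplied by the operator; longest first so
        # "alice.smith" is tokenized before "alice" can match inside it.
        self._persons: List[str] = sorted(set(persons), key=len, reverse=True)
        self._forward: Dict[str, str] = {}   # real value -> token
        self._reverse: Dict[str, str] = {}   # token -> real value
        self._counters: Dict[str, int] = {}  # per-class sequence numbers

    def _token(self, kind: str, value: str) -> str:
        if value not in self._forward:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            tok = f"<PRIVATE_{kind}_{self._counters[kind]}>"
            self._forward[value] = tok
            self._reverse[tok] = value
        return self._forward[value]

    def anonymize(self, text: str) -> str:
        """Scrub one log line or prompt fragment before it leaves the host."""
        for kind, pat in self._PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        for name in self._persons:
            # Word-ish boundaries: do not hit "alice" inside "malice" or "alices".
            pat = re.compile(r"(?<![\w@.])" + re.escape(name) + r"(?![\w@])")
            text = pat.sub(lambda m: self._token("PERSON", m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        """Put real values back into the model's report, on our side only.

        Unknown tokens (e.g. one the model fabricated) stay as they are.
        """
        return self._TOKEN.sub(lambda m: self._reverse.get(m.group(0), m.group(0)), text)


# Constructed sample events for this example; not real data.
SAMPLE_EVENTS = [
    "Mar  3 10:14:07 web1 sshd[2187]: Failed password for alice from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:14:09 web1 sshd[2187]: Failed password for alice from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:15:01 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd bob",
    "Mar  3 10:15:30 web1 postfix/smtp[2250]: to=<alice@example.org>, relay=198.51.100.20",
]


def anonymize_demo() -> Tuple[List[str], str]:
    """Scrub the sample events, then restore a (constructed) model report."""
    anon = PiiAnonymizer(persons=["alice", "bob"])
    scrubbed = [anon.anonymize(e) for e in SAMPLE_EVENTS]
    # What a cloud model might write back, including a token it made up.
    model_report = ("Two failed SSH logins for <PRIVATE_PERSON_1> from <PRIVATE_IP_1>, "
                    "then a password change for <PRIVATE_PERSON_2>; <PRIVATE_IP_7> unseen.")
    return scrubbed, anon.restore(model_report)


if __name__ == "__main__":
    scrubbed, report = anonymize_demo()
    print("\n".join(scrubbed))
    print(report)
```

The mapping lives only in memory on your side for the duration of the investigation; persisting it (for the transcript an auditor may ask for) is a separate decision, and whatever you persist should be protected like the raw logs themselves.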
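The safety rails listed for autonomous response (off by default, a confidence threshold, an operator whitelist, a mandatory one-week dry-run) are easiest to reason about as one decision function. The block below is an added illustration, not Fenrir's gate: the 0.9 threshold is a placeholder because the page only says "high confidence", the CIDR handling for the isolate whitelist is an assumption, and the scenarios in `gate_demo()` are constructed. The ordering is the point: refusals are evaluated before the dry-run window, so the dry-run log shows exactly what would execute once the week is over, and nothing that the whitelist or threshold would have blocked anyway.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple

# Assumed values: the page says "high confidence" and "one-week mandatory dry-run"
# without numbers; an operator would tune the threshold.
CONFIDENCE_THRESHOLD = 0.9
DRY_RUN_PERIOD = timedelta(days=7)

# The five revertible actions named on the page.
REVERTIBLE_TOOLS = {"kill", "quarantine", "stop", "isolate", "rollback"}


class Decision(Enum):
    REFUSE = "refuse"      # touch nothing, record the reason
    DRY_RUN = "dry_run"    # touch nothing, record what would have been done
    EXECUTE = "execute"    # perform the action and store its undo record


@dataclass(frozen=True)
class ProposedAction:
    tool: str          # one of REVERTIBLE_TOOLS
    target: str        # pid, path, unit name, IP address, or package name
    confidence: float  # analyst confidence in [0.0, 1.0]


def _whitelisted(action: ProposedAction, whitelist: Iterable[str]) -> bool:
    """Exact match on the target; for isolate, also CIDR containment (assumed semantics)."""
    for entry in whitelist:
        if entry == action.target:
            return True
        if action.tool == "isolate" and "/" in entry:
            try:
                if ip_address(action.target) in ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # malformed entry or non-IP target: not a match
    return False


def gate(action: ProposedAction, *, enabled: bool, enabled_since: Optional[datetime],
         whitelist: Iterable[str], now: datetime) -> Tuple[Decision, str]:
    """Decide whether an analyst-proposed action may run, and why."""
    if not enabled or enabled_since is None:
        return Decision.REFUSE, "autonomous response is off (the default)"
    if action.tool not in REVERTIBLE_TOOLS:
        return Decision.REFUSE, f"unknown tool {action.tool!r}"
    if not 0.0 <= action.confidence <= 1.0:
        return Decision.REFUSE, "confidence out of range"
    if action.confidence < CONFIDENCE_THRESHOLD:
        return Decision.REFUSE, f"confidence {action.confidence:.2f} below {CONFIDENCE_THRESHOLD}"
    if _whitelisted(action, whitelist):
        return Decision.REFUSE, f"target {action.target} is on the operator whitelist"
    elapsed = now - enabled_since
    if elapsed < DRY_RUN_PERIOD:
        remaining = DRY_RUN_PERIOD - elapsed
        return Decision.DRY_RUN, f"dry-run for another {remaining.days} day(s)"
    return Decision.EXECUTE, "all rails passed"


def gate_demo() -> Dict[str, Decision]:
    """Constructed scenarios covering each rail."""
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)  # when the operator enabled response
    wl = ["10.0.0.0/8", "sshd"]
    kill = ProposedAction("kill", "4711", 0.97)
    return {
        "disabled": gate(kill, enabled=False, enabled_since=None, whitelist=wl, now=t0)[0],
        "dry_run": gate(kill, enabled=True, enabled_since=t0, whitelist=wl, now=t0 + timedelta(days=2))[0],
        "execute": gate(kill, enabled=True, enabled_since=t0, whitelist=wl, now=t0 + timedelta(days=8))[0],
        "low_confidence": gate(ProposedAction("kill", "4711", 0.6), enabled=True, enabled_since=t0,
                               whitelist=wl, now=t0 + timedelta(days=8))[0],
        "whitelisted_cidr": gate(ProposedAction("isolate", "10.0.0.5", 0.99), enabled=True,
                                 enabled_since=t0, whitelist=wl, now=t0 + timedelta(days=8))[0],
        "whitelisted_unit": gate(ProposedAction("stop", "sshd", 0.99), enabled=True,
                                 enabled_since=t0, whitelist=wl, now=t0 + timedelta(days=8))[0],
    }


if __name__ == "__main__":
    for name, decision in gate_demo().items():
        print(f"{name:18} -> {decision.value}")
```

Whatever the gate returns, the record written for the audit trail should carry the tool, its arguments, the decision and the reason string; the page's "every auto-action is logged with tool, args, result" is the same idea for the EXECUTE branch.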

Status

Fenrir is at version 0.5.x — production-deployed, actively developed, single-tenant by design. Open core, source on GitHub.