Overview
What Fenrir actually does
Fenrir is a single Python service (p3guardian) that runs on one Linux server. While it's running, three things happen continuously:
- It watches. Nine monitors tail logs, snapshot system state, and poll the package feed.
- It classifies. A rule engine turns raw events into typed ThreatEvents with a severity (INFO→CRITICAL) and a confidence score.
- It acts. HIGH and CRITICAL events trigger an autonomous AI investigation. Confirmed threats trigger low-risk auto-actions (e.g. a fail2ban ban) and a Telegram alert.
Everything else — the dashboard, the database, the Telegram bot, the compliance audits — is built on this loop.
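As an added illustration of that loop (example code, not Fenrir's own), here is a minimal rule engine that turns constructed sshd log lines into typed ThreatEvents with a severity and a confidence score, and gates the investigation step at HIGH/CRITICAL. The rule patterns, category names, burst threshold and confidence values are assumptions, not Fenrir's.

```python
import re
from dataclasses import dataclass
from enum import IntEnum

class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

@dataclass
class ThreatEvent:
    category: str
    severity: Severity
    confidence: float  # 0.0 .. 1.0
    source_ip: str

# Constructed sample of sshd log lines (not a real capture).
SAMPLE_LOG = """\
Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2
Failed password for invalid user admin from 203.0.113.7 port 51213 ssh2
Failed password for root from 203.0.113.7 port 51214 ssh2
Accepted publickey for deploy from 198.51.100.2 port 40022 ssh2
"""

RULES = [  # (regex, category, base severity, base confidence); assumed values
    (re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)"),
     "ssh_bruteforce", Severity.LOW, 0.4),
    (re.compile(r"Accepted \w+ for \S+ from (\S+)"), "ssh_login", Severity.INFO, 0.9),
]

def classify(log_text: str, burst_threshold: int = 3) -> list[ThreatEvent]:
    # One failure stays LOW; a burst from the same IP escalates to HIGH.
    events, failures = [], {}
    for line in log_text.splitlines():
        for rx, category, sev, conf in RULES:
            if (m := rx.search(line)) is None:
                continue
            ip = m.group(1)
            if category == "ssh_bruteforce":
                failures[ip] = failures.get(ip, 0) + 1
                if failures[ip] >= burst_threshold:
                    sev, conf = Severity.HIGH, 0.85
            events.append(ThreatEvent(category, sev, conf, ip))
            break  # first matching rule wins
    return events

def needs_investigation(ev: ThreatEvent) -> bool:  # HIGH/CRITICAL gate the AI step
    return ev.severity >= Severity.HIGH
```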
Who it's for
Fenrir is built for small and medium businesses that run their own servers and want a Tier-1 SOC without paying for a 24/7 SOC team or a six-figure XDR licence.
It fits well if any of these are true:
- You run 5 to 50 servers with mixed workloads (web apps, internal tools, databases, mail).
- You need to show GDPR/NIS2/ISO 27001 evidence but don't have a dedicated security team.
- You need on-prem AI — your data can't leave the EU and can't be sent raw through a US cloud LLM.
- You're already using fail2ban + nginx + systemd + PostgreSQL/MySQL — Fenrir plugs into that stack natively.
It does not fit if:
- You need endpoint (EDR) coverage on user laptops/phones — Fenrir watches servers.
- You need multi-tenant SaaS-style SOC for many independent clients — single-tenant by design.
- You're a regulated bank/critical infrastructure — Fenrir is good but not a substitute for a real MSSP with 24/7 humans.
What's in the box
| Component | Purpose |
|---|---|
| 9 monitors | Tail logs, snapshot state, poll feeds |
| Rule engine | Classify raw events → ThreatEvent with severity/confidence |
| AI analyst agent | Auto-investigate HIGH/CRITICAL with per-category playbooks |
| PII anonymizer | Redact personal data before any cloud LLM call |
| Web dashboard | Live attack map, recent events, AI investigations table |
| Telegram bot | Real-time alerts + interactive admin chat |
| Compliance scheduler | Daily audit against GDPR/ISO 27001 with evidence pack |
| GDPR breach tracker | Article 33 — 72h deadline tracker with escalation |
A typical install of Fenrir uses ~150 MB of disk (excluding the AI model cache) and ~200 MB of RAM at idle, ~400 MB during an investigation.
How long does it take to deploy
| Step | Time |
|---|---|
| Install Python deps + service unit | 5 min |
| Configure .env (Telegram token, OpenRouter key) | 5 min |
| First boot + DB schema creation | 30 sec |
| First baseline scan (no alerts, just snapshots) | 2 min |
| Smoke test (trigger a fake honeypot hit) | 2 min |
| Total to "Fenrir running and watching" | ~15 min |
Then come back the next day and look at the dashboard — Fenrir will already have something to show you.
What it does NOT replace
We say this loudly because it matters:
- Backups. Fenrir won't restore from ransomware. Your backups will. Fenrir tells you ransomware is happening; restoration is yours.
- Patching. Fenrir tells you "4 security upgrades pending". It doesn't apply them. You decide your maintenance window.
- Identity. Fenrir watches sshd, sudo, web auth. It doesn't manage users. SSO/MFA/IAM is a separate stack (Authentik, Keycloak, Okta).
- Network segmentation. Fenrir reports what it sees on the host. It doesn't reconfigure your firewall to micro-segment.
- A human SOC analyst. The AI analyst handles Tier 1. Tier 2/3 is still you (or a real MSSP).