Architecture

A clear operational flow, end to end.

Wardex is organised around the work the operator actually does: collect telemetry, detect, triage, investigate, respond, govern, deploy, and report. Each stage is a named subsystem with clear inputs and outputs.

Platform Flow

From endpoint signal to auditable response.

Eight stages, one data model, one control plane.

1. Collect

Cross-platform agents emit structured telemetry from macOS (EndpointSecurity), Linux (eBPF), and Windows (ETW). Encrypted spool buffers events during outages.

2. Detect

Adaptive scoring, Sigma rules, YARA scanning, side-channel fusion, and kernel-event bridging converge on a single per-event risk assessment.
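To make "adaptive scoring" and "single per-event risk assessment" concrete, here is an added illustration (not Wardex's detection code) of the pattern the EWMA badge on the component map points at: an exponentially weighted per-host baseline produces an anomaly score, which is fused with static Sigma severity and a YARA verdict into one 0-100 risk. The alpha, the severity-to-risk mapping and the event stream are assumptions made for the example.

```python
"""Adaptive scoring: an exponentially weighted baseline per host, fused with
static Sigma and YARA signals into one per-event risk.  Added illustration,
not Wardex's detection code; alpha, the band mapping and the sample stream
are assumptions chosen for the example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class EwmaBaseline:
    """Running mean/variance of one signal with exponential decay.

    Smaller alpha -> slower-adapting baseline, so a burst stands out longer
    before the baseline absorbs it.  min_std floors the spread so the first
    deviation from a perfectly flat baseline does not score as infinite."""
    alpha: float = 0.2
    min_std: float = 1.0
    mean: Optional[float] = None
    var: float = 0.0

    def score(self, x: float) -> float:
        """Return |x - mean| in units of std, then fold x into the baseline."""
        if self.mean is None:          # first observation seeds the baseline
            self.mean = x
            return 0.0
        dev = x - self.mean
        z = abs(dev) / max(self.var ** 0.5, self.min_std)
        # Update *after* scoring so an anomalous event cannot mask itself.
        self.mean += self.alpha * dev
        self.var = (1 - self.alpha) * (self.var + self.alpha * dev * dev)
        return z


SIGMA_FLOOR = {0: 0, 1: 20, 2: 40, 3: 60, 4: 80}   # informational .. critical (assumed bands)


def fuse(anomaly_z: float, sigma_level: int, yara_hit: bool) -> int:
    """Collapse the signals into a single 0-100 risk.

    Sigma severity sets the floor, the behavioural anomaly adds up to 40 on
    top, and a YARA match forces at least 85 regardless of the rest."""
    risk = SIGMA_FLOOR.get(sigma_level, 0) + min(int(anomaly_z * 10), 40)
    if yara_hit:
        risk = max(risk, 85)
    return min(risk, 100)


# Constructed stream, not real telemetry: (host, minute, process launches in
# that minute, highest Sigma level matched, YARA hit).
SAMPLE = [
    ("ws-01", 1, 12, 0, False),
    ("ws-01", 2, 11, 0, False),
    ("ws-01", 3, 13, 0, False),
    ("ws-01", 4, 12, 0, False),
    ("ws-01", 5, 70, 2, False),   # launch burst plus a medium Sigma match
    ("ws-02", 1, 8, 0, False),
    ("ws-02", 2, 9, 4, True),     # critical Sigma match plus YARA hit
]


def assess(events, alpha: float = 0.2) -> list[dict]:
    """Score every event against its own host's baseline and fuse signals."""
    baselines: dict[str, EwmaBaseline] = {}
    out = []
    for host, minute, launches, sigma_level, yara_hit in events:
        b = baselines.setdefault(host, EwmaBaseline(alpha=alpha))
        z = b.score(float(launches))
        out.append({"host": host, "minute": minute, "z": round(z, 3),
                    "risk": fuse(z, sigma_level, yara_hit)})
    return out


if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```

Two design points worth noticing: the baseline is updated only after the event has been scored, so a burst cannot pull the mean up fast enough to hide itself; and the host with the critical Sigma match scores high even though its launch count is unremarkable, because the static rule sets the floor and the anomaly only adds to it.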

3. Triage

Priority queue with SLAs, acknowledgement, assignment, escalation. Bulk actions and the false-positive advisor keep noise controlled.

4. Investigate

Entity pivots, process trees, timelines, storyline views, and lateral-movement graphs all share the same underlying event index.

5. Respond

Playbook engine executes approval-gated actions — isolation, quarantine, remediation — with automatic rollback on health-check failure.

6. Govern

RBAC, OIDC/SCIM, session rotation, admin audit export, and change control provide enterprise guardrails around the product itself.

7. Deploy

Release publishing, rollout groups, rollback, and per-agent activity snapshots give operators a controlled path to keep endpoint software current.

8. Report

SIEM forwarding, ClickHouse archive, OpenAPI, manager summaries, and compliance templates keep external systems and stakeholders aligned.

Component Map

How the pieces fit together.

Six subsystems, one binary. Each subsystem owns its domain and communicates through a well-defined API.

Agent

Cross-platform telemetry collection, encrypted local spool, auto-update participation, heartbeat, FIM, and live-response shell.

Rust · eBPF · ETW · EndpointSecurity

Control Plane

HTTP API server, authentication, RBAC enforcement, session management, policy distribution, and rollout orchestration.

Axum · Tokio · mTLS

Detection Engine

Sigma compilation, YARA scanning, adaptive scoring, anomaly detection, and multi-signal fusion.

Sigma · YARA · EWMA

SOC Workbench

Alert queue, case management, investigation pivots, entity extraction, and storyline view. Browser-based, shipped with the binary.

React · TypeScript · Playwright-tested

Storage

Local embedded storage for hot events and recent state; optional ClickHouse archive for cold storage and long-range analytics.

Tantivy · ClickHouse

Response Orchestrator

Playbook DSL, approval workflows, remediation scripts, quarantine management, and tamper-evident audit chain.

DSL · Audit chain
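The Respond stage above describes approval-gated actions with automatic rollback on health-check failure, and the Response Orchestrator adds a tamper-evident audit chain. The following added example (not Wardex's code; the page shows neither its playbook DSL nor its audit record format, so the action shape, record fields and scenario are assumptions) shows how the two fit together: every playbook step is appended to a hash-chained log, an unapproved disruptive action is refused before anything runs, and a failed health check triggers reverse-order rollback that is itself recorded.

```python
"""Approval-gated playbook execution with rollback on health-check failure,
every step written to a hash-chained audit log.  Added example only: the
page does not show Wardex's playbook DSL or audit record format, so the
action shape, record fields and the scenario below are assumptions."""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass
from typing import Callable


def _digest(body: dict) -> str:
    # Canonical JSON so the hash is independent of key order and whitespace.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditChain:
    """Append-only log; each record commits to the previous record's hash, so
    editing, deleting or reordering any record breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, **fields) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "prev": prev, **fields}
        rec = {**body, "hash": _digest(body)}
        self.records.append(rec)
        return rec["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


@dataclass
class Action:
    name: str
    apply: Callable[[], None]
    rollback: Callable[[], None]
    needs_approval: bool = True      # disruptive actions default to gated


class ApprovalRequired(Exception):
    pass


def run_playbook(actions: list[Action], health_check: Callable[[], bool],
                 approvals: set[str], audit: AuditChain, actor: str = "playbook-engine") -> str:
    """Apply actions in order; undo everything done so far if the health
    check fails after any step.  Returns 'applied' or 'rolled_back'."""
    for a in actions:                     # gate up front: never run half-approved
        if a.needs_approval and a.name not in approvals:
            audit.append(event="blocked", action=a.name, actor=actor)
            raise ApprovalRequired(a.name)
    done: list[Action] = []
    for a in actions:
        a.apply()
        done.append(a)
        audit.append(event="applied", action=a.name, actor=actor)
        if not health_check():
            audit.append(event="health_check_failed", action=a.name, actor=actor)
            for d in reversed(done):      # undo in reverse order of application
                d.rollback()
                audit.append(event="rolled_back", action=d.name, actor=actor)
            return "rolled_back"
    return "applied"


def demo(approved: bool = True):
    """Constructed scenario: isolate a host, then quarantine a file.  The
    simulated isolation rule also cuts the agent's management channel, so
    the health check fails and the engine rolls the isolation back."""
    host = {"isolated": False, "quarantine": [], "mgmt_channel_up": True}

    def isolate():
        host["isolated"] = True
        host["mgmt_channel_up"] = False   # simulated misfire: rule blocked the agent too

    def unisolate():
        host["isolated"] = False
        host["mgmt_channel_up"] = True

    def quarantine():
        host["quarantine"].append("/tmp/dropper.bin")   # constructed path

    def unquarantine():
        host["quarantine"].remove("/tmp/dropper.bin")

    actions = [Action("isolate-host", isolate, unisolate),
               Action("quarantine-file", quarantine, unquarantine, needs_approval=False)]
    audit = AuditChain()
    approvals = {"isolate-host"} if approved else set()
    outcome = run_playbook(actions, lambda: host["mgmt_channel_up"], approvals, audit)
    return outcome, host, audit


if __name__ == "__main__":
    outcome, host, audit = demo()
    print(outcome, host, "chain ok:", audit.verify())
    audit.records[0]["action"] = "reboot-host"      # tamper with history
    print("after tampering, chain ok:", audit.verify())
```

The chain is only tamper-evident, not tamper-proof: an attacker who controls the whole log can rewrite every record and recompute every hash. In practice the latest hash is periodically exported somewhere the orchestrator cannot write (the admin audit export under Govern, a SIEM, or a signed checkpoint), so a rewrite of history no longer matches the anchored head.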

Deployment Models

Ship it where it needs to live.

From a single-host lab to a multi-region relay fleet, Wardex adapts without re-architecting.

Standalone

Single Host

Everything in one binary on one machine. Ideal for labs, small teams, or a first production pilot.

  • One command to install
  • Embedded web console
  • Runs on any Linux, macOS, or Windows host

Enterprise

Control Plane + Fleet

Dedicated control plane serves thousands of agents with optional ClickHouse archive for long-term retention.

  • Horizontal agent scaling
  • ClickHouse cold archive
  • SIEM forwarding to your existing stack

Federated

Multi-Region Relay

Regional relays terminate agent connections locally and forward aggregated signals to a central SOC — perfect for MSSPs and global teams.

  • Locality-preserving data paths
  • Multi-tenant isolation
  • Federated learning across regions

Air-Gap

Disconnected Environment

Operate entirely offline with manually synchronised update bundles and offline policy packages. No outbound internet required.

  • Offline update bundles
  • Signed policy packages
  • Local threat-feed ingestion

Supply-Chain Trust

Verify everything. Trust nothing silently.

Every release is signed, attested, and reproducible. Trust is earned through verification, not asserted on a slide.

SLSA Build Provenance

Every release archive and container image ships with signed SLSA provenance attestations issued by GitHub's attestation system. Verify with gh attestation verify, passing the downloaded artefact together with the --repo (or --owner) flag so the check is bound to the expected source repository rather than to whichever repository happens to have produced a valid attestation.

CycloneDX SBOM

Machine-readable dependency inventory bundled with every release. Feed it straight into your vulnerability management pipeline.

Cosign-Signed Images

Container images are keyless-signed with sigstore cosign. Verify with cosign verify, pinning --certificate-identity to the release workflow and --certificate-oidc-issuer to the GitHub Actions token issuer; cosign checks the signature entry against the public Rekor transparency log. A keyless signature is only as trustworthy as the identity you pin, which is why cosign 2.x refuses to run without those two flags.

SHA-Pinned CI

Every GitHub Action in the pipeline is pinned by full commit SHA rather than by tag. A tag such as v4 is mutable: anyone with push access to the action's repository (including an attacker holding a compromised maintainer credential) can move it to a different commit, and every pipeline referencing the tag picks up the new code on its next run. A commit SHA cannot be reassigned, so there are no silent supply-chain surprises from a tag-rewrite attack.
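The check a reviewer would want for the SHA-pinning claim is mechanical, so here is an added example (not Wardex's own CI tooling) that scans workflow text and flags every uses: reference that is not a 40-hex commit SHA, treating local actions as exempt and requiring a digest for docker:// images. The workflow below is constructed for illustration.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full
commit SHA.  Added example, not Wardex's CI tooling; the workflow text is
constructed for illustration.  Uses a line regex rather than a YAML parser
so it runs with the standard library only."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Matches "- uses: ref" or "uses: ref", with or without quotes; the capture
# stops at whitespace or '#', so a trailing version comment is ignored.
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per unpinned action reference, in file order."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue                  # local action: same repo, same commit, already pinned
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(n, ref, "container image referenced by tag, not digest"))
            continue
        if "@" not in ref:
            findings.append(Finding(n, ref, "no ref at all; resolves to the default branch HEAD"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA.match(version):
            findings.append(Finding(n, ref, f"mutable ref '{version}' instead of a 40-hex commit SHA"))
    return findings


# Constructed workflow: one correctly pinned step and three that are not.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/build-release
      - name: scan
        uses: docker://ghcr.io/example/scanner:latest
      - uses: someorg/publish-action
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Keep the human-readable version in a trailing comment (as on the checkout line): Dependabot updates SHA-pinned actions and rewrites that comment, so pinning does not freeze you on old versions. Note the limit of the check: it covers the workflow's own references only, and a SHA-pinned action can still call further actions by tag inside its own definition, so the same scan belongs on any composite action you depend on.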

Secret Scanning

Gitleaks runs on every pull request and push, so a committed credential is flagged and blocked before it can land in a release archive.

Reproducible Builds

Release builds are bit-for-bit reproducible from the tagged commit. Step-by-step verification documented in the repo.

Curious how it looks in code?

The source is open to read. Every module is small and focused — no mystery frameworks, no hidden daemons.