1-SEC
Open Source Security // 2026
One binary.
Total defense.
The next generation of rapid-deployment security layers. Auditable, community-driven, and designed for immediate integration.
[ 16 Defense Modules · 6 Tiers · Automated Enforcement ]
One binary. Every attack surface covered. Each module runs independently on a shared event bus — with built-in collectors, cold archiving, and a real-time response layer.
Network Guardian
DDoS mitigation with volumetric flood detection and amplification/reflection attack handling. Per-IP rate limiting with configurable thresholds. IP reputation scoring with dynamic threat scoring that auto-blocks repeat offenders. Geo-fencing by country code. DNS tunneling detection via entropy analysis and DGA domain flagging. C2 covert channel detection through beaconing interval analysis. Full lateral movement monitoring covering Pass-the-Hash, Kerberoasting, Golden Ticket, DCSync, and RDP/SMB brute force. SYN scan and port scan detection with configurable sensitivity. Protocol anomaly flagging for malformed packets and suspicious traffic patterns.
API Fortress
BOLA and BFLA detection with per-user resource access tracking to catch horizontal and vertical privilege escalation. OpenAPI schema validation that flags undocumented endpoints, missing auth, and parameter type violations. Shadow API discovery that identifies undocumented endpoints receiving live traffic. Per-endpoint rate limiting with burst detection. Mass assignment protection scanning request bodies for unexpected fields. Sensitive data exposure scanning in API responses (SSNs, credit cards, tokens). GraphQL depth and complexity abuse prevention. JWT algorithm confusion and weak signing detection (none, HS256 with public key). SSRF-via-API detection for internal network probing through API parameters. Response anomaly analysis flagging unusual payload sizes and error rate spikes.
IoT & OT Shield
Device inventory with MAC-based fingerprinting, firmware version tracking, and vendor identification. Protocol anomaly detection across Modbus (illegal function codes, out-of-range register writes), DNP3 (unsolicited responses, cold restart commands), OPC-UA (unauthorized browse/write), BACnet (device enumeration, priority array manipulation), MQTT (wildcard subscribe, retained message abuse), and CoAP (observe flooding). OT command validation with safety-critical operation blocking. Default credential scanning for Dell RP4VM, HPE iLO, Lenovo XClarity, and Supermicro IPMI. Device behavior baselining with drift detection. Network segmentation enforcement between IT/OT zones. Persistent firmware implant detection (HiatusRAT-X patterns). ICS wiper malware detection (VoltRuptor signatures). Coordinated multi-protocol OT attack detection (SYLVANITE/PYROXENE/AZURITE campaign patterns).
Injection Shield
Detects SQLi (union-based, blind boolean, blind time-based, error-based, stacked queries), XSS (reflected, stored, DOM-based), SSRF (internal IP, cloud metadata, DNS rebinding), command injection (shell metacharacters, backtick execution, $() substitution), template injection (Jinja2, Twig, Freemarker, Velocity), NoSQL injection (MongoDB operator injection, JavaScript execution), LDAP injection, path traversal, and Zip Slip archive traversal. Deserialization RCE detection for Java (ObjectInputStream), PHP (unserialize), .NET (BinaryFormatter), and Python pickle. All inputs pass through an 8-phase normalization pipeline: hex decoding, HTML entity resolution, backslash escape processing, null byte stripping, SQL comment removal, Unicode whitespace normalization, homoglyph mapping, and space collapsing. Canary token detection for AWS keys, GitHub tokens, Slack tokens, private keys, JWTs, and GCP service accounts. File sentinel monitors for suspicious writes, script drops, and webshell deployment.
Supply Chain Sentinel
SBOM generation and artifact integrity verification via cryptographic hash tracking. Typosquatting detection using Levenshtein distance scoring against known-good package registries (npm, PyPI, crates.io, Maven Central). Dependency confusion prevention by detecting private package name collisions with public registries. CI/CD pipeline hardening with anomalous action detection, unauthorized user flagging, and pipeline configuration drift monitoring. Known-malicious package signature matching. Build artifact provenance verification. Lockfile integrity checking to detect post-install tampering.
Ransomware Interceptor
Encryption pattern detection with configurable threshold (default: 5 files in rapid succession). Canary file monitoring with automatic deployment and instant alerting on access. Data exfiltration tracking via DNS tunneling, HTTP chunked transfer, and bulk upload detection. Wiper detection covering MBR/GPT overwrite, zero-fill disk operations, and partition table destruction. Shadow copy deletion monitoring (vssadmin, wmic, PowerShell). Backup destruction detection targeting backup agents, recovery partitions, and cloud backup APIs. Service stop sequence detection for security tools and backup services. Intermittent and partial encryption detection for evasion-aware ransomware. ESXi/hypervisor targeting detection (vim-cmd, esxcli patterns). Pre-ransomware credential harvesting correlation. Linux-specific ransomware patterns (chmod mass operations, /dev/urandom key generation). Compound attack chain correlation with MITRE ATT&CK mapping across all phases.
Auth Fortress
Brute force detection with per-IP and per-username lockout thresholds. Credential stuffing detection via unique credential pair velocity tracking. Password spray detection across distributed source IPs. Impossible travel detection using haversine distance calculation between login locations. Session hijack detection via user-agent fingerprint changes and concurrent session anomalies. MFA fatigue detection (rapid repeated push notifications) and MFA bypass tracking. OAuth token abuse monitoring including consent phishing, excessive scope requests, and suspicious redirect URIs. Adversary-in-the-middle (AitM) proxy detection via TLS fingerprint analysis and authentication relay patterns. Passkey/FIDO2/WebAuthn monitoring with auth downgrade detection (fallback from passkey to password). Stolen token reuse detection across geographic regions. Password spray correlation across time windows.
Deepfake Shield
Audio deepfake detection via prosodic analysis (spectral flatness, spectral entropy, zero-crossing rate, pitch variance), MFCC trajectory analysis for temporal consistency, phase coherence checks between frequency bands, and bitrate consistency scoring. Video forensics using frame-difference analysis to detect GAN artifacts, temporal inconsistency scoring across frame sequences, and error level analysis (ELA) for compression artifact detection. AI-generated phishing detection with writing style analysis, urgency scoring, and authority impersonation patterns. Expanded Unicode homoglyph detection covering Cyrillic, Greek, Armenian, and mathematical symbol lookalikes. Punycode domain spoofing detection. Business email compromise (BEC) pattern tracking with sender behavior baselining. High-value request verification for wire transfers, credential resets, and access grants triggered by voice or video.
Identity Fabric Monitor
Synthetic identity scoring using disposable email domain detection (1000+ known providers), name generation heuristic analysis (entropy, character distribution, common pattern matching), and high-entropy field detection across registration data. Privilege escalation tracking with role-change velocity monitoring and admin grant alerting outside change windows. Service account behavioral baselining with anomaly detection for dormant account reactivation, unusual access patterns, and off-hours activity. Identity lifecycle monitoring covering creation, modification, and deletion anomalies. Cross-system identity correlation to detect the same synthetic identity across multiple services.
LLM Firewall
65+ prompt injection patterns covering direct injection ("ignore previous instructions"), indirect injection via documents and tool outputs, and encoding evasion (Base64, ROT13, Unicode homoglyphs, mixed-language). Jailbreak detection for role-play escapes, DAN-style prompts, multi-turn context shifting, and instruction override attempts. Output filtering for system prompt leakage, PII exposure, and hallucinated code execution. Multi-turn conversation tracking with session state to detect slow-burn context manipulation across messages. Token budget monitoring to catch resource exhaustion attacks. RAG/embedding weakness analysis for retrieval poisoning. Misinformation detection via citation verification and factual consistency scoring. Excessive agency monitoring for agents requesting capabilities beyond their scope. Multimodal hidden injection scanning: three-layer heuristic detection of prompt injection hidden in images (EXIF, PNG tEXt, JPEG COM, XMP metadata), HTML/CSS (display:none, font-size:0, white text, opacity:0, off-screen positioning), and PDFs (invisible render mode, zero-size fonts, white-on-white text). Zero ML, zero OCR, zero external dependencies — pure structural analysis. Runs entirely in-process with zero LLM calls and zero latency overhead.
AI Agent Containment
Purpose-built for securing autonomous AI agent deployments — OpenClaw, Manus, Claude Desktop, Amazon Q, and any MCP-connected agent framework. Action sandboxing with configurable tool-use policies (allowlist/blocklist per agent role). Shadow AI detection via network traffic analysis to known AI service endpoints (OpenAI, Anthropic, Google, Hugging Face, Replicate, and 20+ others). MCP tool poisoning detection scanning tool descriptions for hidden adversarial instructions (Invariant Labs 2025). MCP rug pull detection via description hash pinning with alerts on post-approval changes. Cross-server tool shadowing detection. Goal hijack monitoring (ASI01) tracking agent objective divergence after processing external content. Memory poisoning detection (ASI06) scanning memory writes for embedded instructions, context overflow attempts, and cross-session contamination. Cascading failure monitoring (ASI08) detecting retry storms and multi-agent error propagation. Rogue agent loop detection (ASI10) flagging repetitive action patterns. Agent spawn depth tracking with configurable limits. Agentic web access monitoring: llms.txt endpoint probing and content integrity tracking, markdown pre-ingestion scanning for injection payloads and hidden directives (zero-width Unicode, HTML comments) before content reaches the LLM context, x402/Coinbase Agentic Wallet payment monitoring with spending limit enforcement and suspicious recipient detection, and agent identity delegation chain validation with expiry checks and scope escalation prevention. Ships with the vps-agent enforcement preset tuned specifically for single-service AI agent hosts. Full OWASP Agentic AI Top 10 (2025-2026) coverage.
Data Poisoning Guard
Training data integrity validation via cryptographic hash tracking with per-dataset change history. Bulk-update anomaly detection flagging changes that exceed historical change rate thresholds. Untrusted data source detection against configurable allowlists. RAG pipeline verification scanning retrieved content for injection patterns (30+ patterns including delimiter injection, instruction override, and data exfiltration prompts) with source reputation scoring. Model weight drift monitoring using confidence distribution analysis with Jensen-Shannon divergence calculation and automatic baseline rotation. Adversarial input detection at inference time via low-confidence anomaly flagging. Model supply chain attack detection: slopsquatting (AI-hallucinated package names registered by attackers), typosquatting on model hubs, unsigned model download blocking, and suspicious model name pattern matching. Agentic web content integrity: llms.txt and markdown endpoint content hash tracking over time with change delta calculation, rapid content mutation detection, and new domain baseline establishment for integrity monitoring.
Quantum-Ready Crypto
Cryptographic inventory scanning across your entire stack identifying every algorithm, key size, and cipher suite in use. PQC migration readiness scoring with per-component assessment against NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA). TLS configuration auditing flagging deprecated versions (TLS 1.0/1.1), weak cipher suites, and missing forward secrecy. Certificate expiry monitoring with configurable warning thresholds. Weak cipher and key size detection (RSA < 2048, ECC < 256, 3DES, RC4, MD5, SHA-1). Harvest-now-decrypt-later (HNDL) detection identifying bulk encrypted traffic capture patterns targeting quantum-vulnerable key exchanges — attackers recording encrypted sessions today for decryption when quantum computers become available. Crypto-agility assessment scoring how quickly your infrastructure can rotate to new algorithms.
Runtime Watcher
File integrity monitoring with SHA-256 hash baselining and real-time change detection. Container escape detection via namespace breakout, privileged container abuse, and CVE-specific exploit patterns (runc, containerd). Privilege escalation detection covering setuid changes, capability modifications, and sudo abuse. 40+ LOLBin signatures with MITRE ATT&CK IDs (certutil, mshta, regsvr32, rundll32, wmic, bitsadmin, and more). Memory injection detection: process hollowing, DLL injection, reflective DLL loading, and thread injection. Persistence mechanism tracking across scheduled tasks, WMI event subscriptions, registry run keys, startup items, cron jobs, systemd services, and launchd plists. Firmware/UEFI tampering detection with secure boot validation and bootloader integrity checks. Fileless malware detection for PowerShell, WMI, and MSHTA execution chains. Symlink attack detection. ETW bypass monitoring. Lua shellcode detection patterns.
Cloud Posture Manager
Configuration drift detection with per-resource change tracking, security degradation scoring, and automatic baseline comparison. Misconfiguration scanning for public S3 buckets, open security groups, publicly accessible databases, overly permissive IAM policies, and unencrypted storage. Secrets sprawl detection scanning application logs, config files, environment variables, and git history for AWS keys, API tokens, database credentials, and private keys. Kubernetes RBAC auditing with excessive permission detection, cluster-admin binding alerts, and admission controller policy enforcement. Container posture checks for privileged containers, host network access, and missing security contexts. Multi-cloud policy evaluation against CIS benchmarks, SOC 2, HIPAA, and PCI-DSS frameworks with pass/fail scoring and remediation guidance. Infrastructure-as-code drift detection comparing deployed state against Terraform/CloudFormation definitions.
[ How It Works ]
Single binary
One download. Run 1sec up and every module starts. No containers, no orchestration, no config files required.
Shared event bus
130+ canonical event types on a durable stream. Correlate threats across layers — a brute force that triggers a supply chain scan, automatically.
AI is additive
Every module works standalone with zero AI dependency. The optional analysis engine adds cross-module correlation and threat classification on top.
Automated enforcement
Respond to threats in real-time. Block IPs, kill processes, fire webhooks — with dry-run mode, approval gates, and tunable presets from safe to strict.
Collectors + archive
Built-in log tailers for nginx, auth, pfSense, and GitHub Actions. Every event archived to compressed NDJSON — restore any time range on demand.
Cloud dashboard
Monitor your fleet from anywhere. Enforcement history, attack chain correlations, instance health — real-time dashboard with API-key access.
Ship secure. Sleep well.
1-SEC is free and open source. Reach out about Enterprise — custom deployments, dedicated support, SLA guarantees, and team management at scale.
We respond within one business day.