Architecture · 6 min read

Why We Built Our Security Event Bus on NATS JetStream

The technical story behind 1-SEC's embedded event bus. Why we chose NATS JetStream over Kafka, RabbitMQ, and Redis for a security-focused event streaming architecture.

Engineering Team

NATS JetStream, event bus, security architecture, open source infrastructure, event streaming, microservices, Go programming

Why Security Needs an Event Bus

Security events don't happen in isolation. A brute force attack triggers both the Auth Fortress and the Network Guardian. A supply chain compromise involves both the Supply Chain Sentinel and the Runtime Watcher. An LLM attack might span the LLM Firewall, the AI Agent Containment, and the API Fortress simultaneously.

Without a shared event bus, each module is an island. With one, every module sees every event, and cross-module correlation happens automatically. The event bus is the thing that turns 16 independent detectors into a unified security platform.
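To make the correlation idea concrete, here is an added example (not 1-SEC's own code) of a subscriber that flags a source once several distinct modules report it within a time window. The `SecurityEvent` fields, the `Correlator` type, the module names and the sample IPs are assumptions constructed for illustration; the bus subscription itself is left out, so `Observe` stands in for the message handler.

```go
package main

import (
	"fmt"
	"time"
)

// SecurityEvent is a hypothetical event shape, not 1-SEC's actual struct.
type SecurityEvent struct {
	Module, Source string // emitting module; correlation key (source IP here)
	Time           time.Time
}

// Correlator flags a source once MinModules distinct modules report it within Window.
type Correlator struct {
	Window     time.Duration
	MinModules int
	recent     map[string][]SecurityEvent // unexpired events per source
}
func NewCorrelator(w time.Duration, n int) *Correlator {
	return &Correlator{w, n, map[string][]SecurityEvent{}}
}

// Observe ingests one event, as a subscriber to the shared stream would, and returns
// the reporting modules (first-seen order) once the threshold is met, else nil.
func (c *Correlator) Observe(ev SecurityEvent) []string {
	var kept []SecurityEvent
	var mods []string
	seen := map[string]bool{}
	for _, e := range append(c.recent[ev.Source], ev) {
		if ev.Time.Sub(e.Time) > c.Window {
			continue // expired: outside the correlation window
		}
		kept = append(kept, e)
		if !seen[e.Module] { // repeats from one module count once
			seen[e.Module] = true
			mods = append(mods, e.Module)
		}
	}
	c.recent[ev.Source] = kept
	if len(mods) < c.MinModules {
		return nil
	}
	return mods
}

func main() {
	t0 := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample data
	c := NewCorrelator(2*time.Minute, 2)
	c.Observe(SecurityEvent{"auth_fortress", "203.0.113.7", t0})
	fmt.Println(c.Observe(SecurityEvent{"network_guardian", "203.0.113.7", t0.Add(20 * time.Second)}))
}
```

A module working alone sees only its own half of the brute-force pattern; the correlation only fires because both event types reach the same consumer.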

Why NATS JetStream

We evaluated Kafka, RabbitMQ, Redis Streams, and NATS JetStream. NATS won on three criteria that matter for an embedded security platform.

Embeddable Server

NATS can run as an embedded server within a Go binary. That's the entire reason 1-SEC is a single binary. Kafka requires ZooKeeper (or KRaft). RabbitMQ requires Erlang. Redis requires a separate server process. NATS embeds directly into our Go process with zero external dependencies.

Performance at Security Scale

Security event streams are high-volume and need low-latency delivery. A busy network generates thousands of events per second. NATS handles millions of messages per second with sub-millisecond latency. That's more than enough headroom for any deployment, from a single server to a multi-node cluster.

Built-in Persistence

JetStream adds durable persistence with configurable retention policies. Security events are retained for 7 days, alerts for 30 days. Durable consumers ensure that even if the Rust engine restarts, it doesn't miss events. The persistence is file-based with no external database required.

What the Event Bus Enables

The three-stream architecture — events, alerts, and pattern matches — gives us composable security. New modules subscribe to the events they care about. The AI Analysis Engine consumes events from all modules for cross-cutting correlation. External integrations (Slack, PagerDuty, SIEM) subscribe to the alerts stream.

If you want to build a custom module, you implement the Module interface and publish SecurityEvents to the bus. The entire platform is designed around this extensibility.
