Documentation

v1.0.0 // Command Reference & Guides

Getting Started

1-SEC deploys as a single binary. No dependencies, no containers required for basic operation. All 16 modules are enabled by default with sane defaults — zero-config works out of the box.

Install & Run

# Download the latest release
curl -fsSL https://1-sec.dev/get | sh

# Or build from source
git clone https://github.com/cutmob/1-SEC.git
cd 1-SEC && go build ./cmd/1sec/

# Start all modules with defaults
1sec up

# Start with a custom config file
1sec up --config /path/to/config.yaml

CLI Reference

1sec up

Start the 1-SEC engine with all enabled modules.

# Start with default config (configs/default.yaml)
1sec up

# Start with custom config
1sec up --config /path/to/config.yaml

1sec status

Fetch and display the running engine status (version, modules, alerts, bus connection).

1sec status

# Output:
# ● 1-SEC Status
#
#   Version:           1.0.0
#   Status:            running
#   Bus Connected:     true
#   Modules Active:    16
#   Total Alerts:      42
#
#   Modules:
#     ● network_guardian         DDoS mitigation, rate limiting...
#     ● injection_shield         SQLi, XSS, SSRF detection...
#     ...

# Output as JSON
1sec status --json

# Custom host/port
1sec status --host 10.0.0.5 --port 1780

1sec modules

List all 16 available defense modules with tier and description.

1sec modules

# Output:
# Available Defense Modules:
#
#   1. [Application   ] injection_shield     SQLi, XSS, SSRF, command injection...
#   2. [Network       ] network_guardian     DDoS mitigation, rate limiting...
#   3. [Identity      ] auth_fortress        Brute force, credential stuffing...
#   ...
#
# Total: 16 modules

1sec version

Print the current version.

1sec version
# 1-SEC v1.0.0

1sec alerts

Fetch recent alerts from a running 1SEC instance.

# Fetch all recent alerts
1sec alerts

# Filter by severity
1sec alerts --severity CRITICAL

# Filter by module
1sec alerts --severity HIGH --module injection_shield

# Output as JSON, save to file
1sec alerts --severity CRITICAL --json --output alerts.json

# Limit results
1sec alerts --limit 50

1sec scan

Submit a payload for on-demand analysis. Reads from stdin or a file.

# Scan for SQL injection
echo '{"query": "1 OR 1=1"}' | 1sec scan --module injection_shield

# Scan a file for prompt injection
1sec scan --input payload.json --module llm_firewall --type prompt_check

# Pipe from curl
curl -s https://example.com/api | 1sec scan --module api_fortress

1sec config

Show the fully resolved configuration with defaults applied.

# Show resolved config
1sec config

# Validate config and exit
1sec config --validate

# Output as JSON
1sec config --json

1sec check

Run pre-flight diagnostics to verify the system is ready.

1sec check

# Checks performed:
#   ✓ Config file is valid and loadable
#   ✓ API port 1780 is available
#   ✓ NATS port 4222 is available
#   ✓ Data directory is writable
#   ✓ AI API keys configured (if AI engine enabled)

1sec stop

Gracefully stop a running 1SEC instance via the API.

# Stop the running instance
1sec stop

# Stop with custom host/port
1sec stop --host 10.0.0.5 --port 1780

1sec docker

Manage the 1SEC Docker Compose deployment without leaving the CLI.

# Start via Docker Compose (detached)
1sec docker up

# Follow container logs
1sec docker logs

# Show container status
1sec docker status

# Stop and remove containers
1sec docker down

# Build image from source
1sec docker build

# Use a custom compose file or .env
1sec docker up --compose-file /path/to/docker-compose.yml

1sec help

Show help for any command.

1sec help
1sec help up
1sec help alerts
1sec help docker

API Endpoints

The REST API runs on port 1780 by default. All endpoints return JSON. CORS is enabled for all origins.

GET/healthHealth check endpoint.

GET/api/v1/statusEngine status, module list, bus connection, and alert count.

GET/api/v1/modulesList all registered modules with name, description, and enabled state.

GET/api/v1/alertsRecent alerts. Supports ?limit=N and ?min_severity=CRITICAL|HIGH|MEDIUM|LOW.

GET/api/v1/configCurrent engine configuration.

POST/api/v1/eventsIngest an external SecurityEvent into the event bus.

Example: Fetch alerts

curl -s http://localhost:1780/api/v1/alerts?min_severity=CRITICAL&limit=10 | jq .

# Response:
# {
#   "alerts": [
#     {
#       "id": "a-29f1c...",
#       "module": "injection_shield",
#       "severity": "CRITICAL",
#       "title": "SQL injection detected in /api/users",
#       "status": "OPEN",
#       "timestamp": "2026-02-19T10:32:00Z"
#     }
#   ],
#   "total": 1
# }

Example: Ingest external event

curl -X POST http://localhost:1780/api/v1/events \
  -H "Content-Type: application/json" \
  -d '{
    "module": "external_scanner",
    "type": "vulnerability_found",
    "severity": "HIGH",
    "summary": "CVE-2026-1234 detected on host 10.0.0.5"
  }'

# Response:
# { "status": "accepted", "event_id": "ext-20260219103200.000" }

Configuration

1SEC uses YAML configuration. Zero-config works out of the box with sane defaults. Place your config at configs/default.yaml or pass --config.

configs/default.yaml

server:
  host: "0.0.0.0"
  port: 1780

bus:
  url: "nats://127.0.0.1:4222"
  embedded: true
  data_dir: "./data/nats"
  port: 4222
  cluster_id: "1sec-cluster"

alerts:
  max_store: 10000
  enable_console: true
  # webhook_urls:
  #   - "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"

logging:
  level: "info"       # debug, info, warn, error
  format: "console"   # console, json

modules:
  network_guardian:
    enabled: true
    settings:
      max_requests_per_minute: 1000
      burst_size: 100
  injection_shield:
    enabled: true
  auth_fortress:
    enabled: true
    settings:
      max_failures_per_minute: 10
      lockout_duration_seconds: 300
      stuffing_threshold: 50
  ransomware:
    enabled: true
    settings:
      encryption_threshold: 10
      exfil_mb_threshold: 100
  llm_firewall:
    enabled: true
    settings:
      token_budget_per_hour: 100000
  runtime_watcher:
    enabled: true
    settings:
      scan_interval_seconds: 300

  ai_analysis_engine:
    enabled: true
    settings:
      triage_model: "gemini-flash-lite-latest"
      deep_model: "gemini-flash-latest"
      triage_workers: 4
      deep_workers: 2

AI API keys are read from environment variables: GEMINI_API_KEY, GEMINI_API_KEY_2, GEMINI_API_KEY_3, etc. Multiple keys enable automatic rotation for rate limit management. You can also set them directly in the YAML under ai_analysis_engine.settings.gemini_api_key or gemini_api_keys (array).

Modules

[ Tier 1: Network & Perimeter ]

Network Guardian

network_guardian

DDoS mitigation, rate limiting, IP reputation, geo-fencing, DNS tunneling and DGA detection, C2 beaconing analysis, lateral movement monitoring (Pass-the-Hash, Kerberoasting, Golden Ticket, DCSync), port scan detection, and amplification/reflection attack handling.

API Fortress

api_fortress

BOLA detection, API schema validation against OpenAPI specs, shadow API discovery, and per-endpoint rate limiting.

IoT & OT Shield

iot_shield

Device fingerprinting, protocol anomaly detection for MQTT/CoAP/Modbus, firmware integrity verification, and default credential detection.

[ Tier 2: Application Layer ]

Injection Shield

injection_shield

Detects and blocks SQLi, XSS, SSRF, command injection, template injection, NoSQL injection, and path traversal across all input vectors.

Supply Chain Sentinel

supply_chain

SBOM generation, package integrity verification, CI/CD pipeline hardening, typosquatting detection, and dependency confusion prevention.

Ransomware Interceptor

ransomware

Encryption pattern detection, canary files, exfiltration monitoring, wiper detection (MBR/GPT overwrite, zero-fill, partition destruction), shadow copy deletion, backup destruction, service stop detection, and compound attack correlation with MITRE ATT&CK mapping.

[ Tier 3: Identity & Access ]

Auth Fortress

auth_fortress

Brute force protection, credential stuffing, session hijack, impossible travel, MFA bypass and fatigue detection, OAuth token abuse, consent phishing, password spray detection, and stolen token tracking.

Deepfake Shield

deepfake_shield

Synthetic voice and video detection, AI-generated phishing content identification, domain spoofing, and BEC detection.

Identity Fabric Monitor

identity_monitor

Synthetic identity detection, privilege escalation monitoring, and service account anomaly tracking.

[ Tier 4: AI-Specific Defense ]

LLM Firewall

llm_firewall

55+ prompt injection patterns, jailbreak detection, output filtering, multi-turn attack tracking, encoding evasion detection, tool-chain abuse monitoring, and token budget enforcement. Zero LLM calls required.

AI Agent Containment

ai_containment

Action sandboxing for autonomous agents, tool-use monitoring, shadow AI detection, and policy enforcement.

Data Poisoning Guard

data_poisoning

Training data integrity verification, RAG pipeline validation, adversarial input detection, and model drift monitoring.

[ Tier 5: Cryptography ]

Quantum-Ready Crypto

quantum_crypto

Cryptographic inventory scanning, post-quantum migration readiness, TLS auditing, certificate monitoring, crypto-agility enforcement, and harvest-now-decrypt-later (HNDL) pattern detection for bulk encrypted traffic capture targeting quantum-vulnerable ciphers.

[ Tier 6: Runtime & Infrastructure ]

Runtime Watcher

runtime_watcher

File integrity monitoring, container escape detection, privilege escalation, LOLBin detection (40+ Living Off the Land Binaries with MITRE ATT&CK IDs), memory injection detection (process hollowing, DLL injection, reflective loading), persistence mechanism detection (scheduled tasks, WMI, registry, cron, systemd), firmware/UEFI tampering, and fileless malware detection.

Cloud Posture Manager

cloud_posture

Configuration drift detection, misconfiguration scanning, secrets sprawl prevention, and compliance checks.

[ Cross-Cutting ]

AI Analysis Engine

ai_analysis_engine

Two-tier LLM pipeline: Gemini Flash Lite for high-volume triage and false positive discard, Gemini Flash for deep threat classification and cross-module correlation. Supports multi-key rotation for rate limit management.

Architecture

All 16 modules communicate through an embedded NATS JetStream event bus. Each module implements the Module interface (Name, Description, Start, Stop, HandleEvent) and publishes SecurityEvent structs to typed subjects. Alerts flow through an AlertPipeline with configurable handlers (console logging, webhooks).

Architecture Overview

┌─────────────────────────────────────────────────┐
│                   1SEC CLI / API                 │
├─────────────────────────────────────────────────┤
│              NATS JetStream Event Bus            │
├────┬────┬────┬────┬────┬────┬────┬────┬────┬────┤
│Net │API │IoT │Inj │SC  │Ran │Auth│DF  │... │CP  │
└────┴────┴────┴────┴────┴────┴────┴────┴────┴────┘
         │              │              │
    ┌────┴────┐   ┌─────┴─────┐  ┌────┴────┐
    │  Rust   │   │  Python   │  │Dashboard│
    │ Engines │   │  AI Layer │  │React/TS │
    └─────────┘   └───────────┘  └─────────┘

Module Interface (Go)

type Module interface {
    Name() string
    Description() string
    Start(ctx context.Context, bus *EventBus, pipeline *AlertPipeline, cfg *Config) error
    Stop() error
    HandleEvent(event *SecurityEvent) error
}

The AI Analysis Engine operates as a cross-cutting concern with two tiers:

Tier 1 (Triage): Gemini Flash Lite — high-volume event pre-filtering and false positive discard
Tier 2 (Deep Analysis): Gemini Flash — threat classification and cross-module correlation

Event bus streams:

sec.events.> — SecurityEvent stream (7-day retention, 1GB max)
sec.alerts.> — Alert stream (30-day retention, 512MB max)

Deployment

Single Binary

# Download and run
curl -fsSL https://1-sec.dev/get | sh
1sec up

Docker Compose

# From the repo root — uses deploy/docker/docker-compose.yml
cd deploy/docker
echo "GEMINI_API_KEY=your_key" > .env
docker compose up -d
docker compose logs -f

# Or use the CLI shortcut from anywhere in the repo:
1sec docker up
1sec docker logs
1sec docker status
1sec docker down

Environment Variables

GEMINI_API_KEY        # Primary Gemini API key for AI Analysis Engine
GEMINI_API_KEY_2      # Additional keys for rotation (rate limit management)
GEMINI_API_KEY_3      # ...
ONESEC_API_KEY        # Secure the REST API (optional)
ONESEC_CLOUD_KEY      # Pro/Enterprise cloud dashboard key

Kubernetes

The Helm chart at deploy/helm/ deploys 1SEC to any Kubernetes cluster. It includes a PVC for NATS JetStream persistence, health probes, a non-root security context, and optional Ingress.

Install

# Install with defaults
helm install 1sec ./deploy/helm

# Install with Gemini AI key
helm install 1sec ./deploy/helm \
  --set env.GEMINI_API_KEY=your_key_here

# Install with custom config
helm install 1sec ./deploy/helm \
  --set env.GEMINI_API_KEY=your_key_here \
  --set-string config="$(cat my-config.yaml)"

# Upgrade
helm upgrade 1sec ./deploy/helm --reuse-values

Operations

# Check engine status
kubectl exec deploy/1sec -- 1sec status

# Run pre-flight diagnostics
kubectl exec deploy/1sec -- 1sec check

# Fetch recent critical alerts
kubectl exec deploy/1sec -- 1sec alerts --severity CRITICAL --json

# Follow logs
kubectl logs -l app.kubernetes.io/name=1sec -f

# Port-forward the REST API locally
kubectl port-forward svc/1sec 1780:1780

values.yaml — key overrides

# Use an existing Kubernetes Secret instead of inline env vars
existingSecret: "my-1sec-secrets"

# Increase resource limits for high-traffic environments
resources:
  limits:
    cpu: "4"
    memory: 1Gi

# Enable Ingress for the REST API
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: 1sec.example.com
      paths:
        - path: /api
          pathType: Prefix
  tls:
    - secretName: 1sec-tls
      hosts:
        - 1sec.example.com

# Expand NATS storage
persistence:
  size: 20Gi