Multi-Tier Agent Architecture
From agentless cloud API scanning to kernel-level eBPF packet interception: three layers of security intelligence that map your infrastructure. Tier 3 packet telemetry is encrypted with keys you hold, so the SaaS never sees it in plaintext; Tiers 1 and 2 rely on transport encryption.
Architecture Flow
Data flows from edge agents through the ingestion layer into polyglot storage (Neo4j for topology, ClickHouse for telemetry).
Cloud Scanner Agent
Agentless · API-Driven · Multi-Cloud
Runs as a Kubernetes CronJob inside your VPC or our SaaS environment. Uses temporary STS credentials to enumerate cloud resources without deploying a single agent binary. Computes infrastructure state diffs entirely in-memory and emits Protobuf payloads over gRPC. Your Kubernetes cluster surfaces as one asset (the cloud control-plane row — e.g., EKS_cluster:my-prod). Inside-cluster visibility (namespaces, pods, RBAC, NetworkPolicies, CRDs) requires Tier 3.
How It Works — Step by Step
K8s CronJob triggers Go binary every 5 minutes
Obtains temporary STS credentials for the scanner's IAM role (cached in memory until they expire; nothing is written to disk)
Queries CloudTrail, EC2, S3, VPC, IAM APIs concurrently
Computes state diff against previous baseline in-memory
Serializes change set as Protobuf → gRPC over TLS 1.3
SaaS ingestion layer validates and queues for processing
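The diff in steps 4 and 5, as an added example in Go rather than the scanner's own code: each resource is normalized to a small attribute set, fingerprinted over canonical JSON so attribute ordering in API responses never produces a spurious change, and compared against the previous in-memory snapshot to emit a deterministic change set. The Resource type, the attribute names and both snapshots are constructed for the example; a real scanner would fill them from the AWS SDK and marshal the result to Protobuf.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Resource is a hypothetical normalized view of one cloud asset, the kind of
// record a Tier 1 scanner builds from an EC2/S3/IAM describe call. Only
// security-relevant attributes are kept so the baseline stays small.
type Resource struct {
	ID    string            `json:"id"`    // e.g. "arn:aws:s3:::prod-logs" (constructed)
	Type  string            `json:"type"`  // e.g. "s3_bucket"
	Attrs map[string]string `json:"attrs"` // e.g. "public_acl": "false"
}

// Snapshot is the in-memory baseline kept between CronJob runs.
type Snapshot map[string]Resource

// Change is one entry of the emitted change set. Before/After are zero-valued
// when the resource did not exist on that side of the diff.
type Change struct {
	Kind   string // "added", "removed" or "modified"
	ID     string
	Before Resource
	After  Resource
	Fields []string // attribute keys that differ, for "modified" only
}

// fingerprint hashes the canonical JSON of a resource. encoding/json emits
// map keys in sorted order, so attribute ordering in API responses can
// never produce a spurious "modified" entry.
func fingerprint(r Resource) string {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot happen for string-keyed string maps
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// changedFields lists attribute keys whose value differs or that exist on
// only one side, sorted for deterministic output.
func changedFields(a, b Resource) []string {
	seen := map[string]bool{}
	for k, v := range a.Attrs {
		if w, ok := b.Attrs[k]; !ok || w != v {
			seen[k] = true
		}
	}
	for k := range b.Attrs {
		if _, ok := a.Attrs[k]; !ok {
			seen[k] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Diff compares the current enumeration with the previous baseline and
// returns the change set sorted by ID, so repeated runs over the same
// state serialize identically (a no-op run emits an empty set).
func Diff(prev, cur Snapshot) []Change {
	var changes []Change
	for id, c := range cur {
		p, ok := prev[id]
		switch {
		case !ok:
			changes = append(changes, Change{Kind: "added", ID: id, After: c})
		case fingerprint(p) != fingerprint(c):
			changes = append(changes, Change{Kind: "modified", ID: id, Before: p, After: c, Fields: changedFields(p, c)})
		}
	}
	for id, p := range prev {
		if _, ok := cur[id]; !ok {
			changes = append(changes, Change{Kind: "removed", ID: id, Before: p})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].ID < changes[j].ID })
	return changes
}

// sampleRun diffs two constructed snapshots: a bucket that went public,
// an instance that disappeared, and a new security group open to the world.
func sampleRun() []Change {
	prev := Snapshot{
		"arn:aws:s3:::prod-logs": {ID: "arn:aws:s3:::prod-logs", Type: "s3_bucket", Attrs: map[string]string{"public_acl": "false", "versioning": "on"}},
		"i-0abc123":              {ID: "i-0abc123", Type: "ec2_instance", Attrs: map[string]string{"public_ip": "none"}},
	}
	cur := Snapshot{
		"arn:aws:s3:::prod-logs": {ID: "arn:aws:s3:::prod-logs", Type: "s3_bucket", Attrs: map[string]string{"versioning": "on", "public_acl": "true"}},
		"sg-0def456":             {ID: "sg-0def456", Type: "security_group", Attrs: map[string]string{"ingress_0.0.0.0/0": "22/tcp"}},
	}
	return Diff(prev, cur)
}

func main() {
	for _, c := range sampleRun() {
		fmt.Printf("%-8s %-24s %v\n", c.Kind, c.ID, c.Fields)
	}
}
```

Because the change set is sorted and fingerprints are order-independent, an unchanged account produces an empty payload, which is what keeps the five-minute cadence cheap on the gRPC link.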
🔒 Security Guarantee
Temporary STS credentials only; no persistent keys are stored. The IAM role is scoped to read-only. Note that the AWS managed ReadOnlyAccess policy includes s3:Get*, which permits reading object contents; a scanner that only enumerates resources should use a metadata-only policy such as SecurityAudit or ViewOnlyAccess and explicitly deny data-plane actions.
Deployment Model
Kubernetes CronJob (customer VPC or SaaS VPC)
Tier Comparison
| Capability | ☁️ Tier 1 | 🌐 Tier 2 | ⚡ Tier 3 |
|---|---|---|---|
| Deployment | CronJob (agentless) | CronJob (auto-destroy) | DaemonSet (persistent) |
| Data Source | Cloud APIs | Network ports/services | Kernel packets |
| Encryption | TLS transport | AES-256 + TLS | AES-256-GCM with customer-held key + TLS |
| Visibility Depth | Cloud resources | Internal services | Wire-level traffic |
| Overhead | None on hosts (API calls only) | Minimal (rate-limited) | Low (XDP runs before skb allocation) |
| Privacy Model | Transport-only | Per-scan encryption | Customer-held key ("Zero-Knowledge"); provider cannot decrypt |
| Update Frequency | Every 5 min | Scheduled scans | Real-time streaming |
| Best For | Cloud posture | Shadow IT discovery | Runtime threats |
End-to-End Data Pipeline
From edge collection to 3D blast radius rendering — five stages of security intelligence
Edge Collection
Agents at each tier collect telemetry from their domain — cloud APIs, internal networks, or kernel-level packet flows.
Tier 1 uses STS credentials for API enumeration. Tier 2 spawns bounded worker pools for port scanning. Tier 3 attaches a verifier-checked eBPF program at the XDP hook, which runs on ingress before the kernel allocates an sk_buff, so packets are inspected at line rate.
Encryption & Transport
All data is encrypted before leaving the customer environment. Transported over TLS 1.3 gRPC to the SaaS ingestion layer.
Tier 3 encrypts payloads with customer-managed AES-256-GCM keys before they leave the host, so the SaaS stores and routes ciphertext it cannot decrypt (the page calls this Zero-Knowledge; it is key custody, not a zero-knowledge proof). Tiers 1 and 2 rely on transport-level TLS, so their telemetry is readable by the ingestion layer. Cloudflare WAF absorbs volumetric DDoS at the edge.
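How the Tier 3 customer-key encryption can be done with AES-256-GCM, as an added Go example (not the product's agent code): each telemetry record is sealed under a random 96-bit nonce; the tenant ID, key ID and a sequence number are bound in as additional authenticated data so a record cannot be replayed into another tenant's stream or reordered; and a per-key message cap forces rotation long before random-nonce collisions become a concern for a real-time stream. The Envelope format, its field names and the cap value are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is a hypothetical wire record for one Tier 3 telemetry chunk.
// KeyID tells the customer-side decryptor which customer-managed key to use;
// TenantID and Seq are bound into the AAD so a record cannot be replayed or
// reordered into another stream without failing authentication.
type Envelope struct {
	KeyID      string
	TenantID   string
	Seq        uint64
	Nonce      []byte // 12 bytes, unique per (key, message)
	Ciphertext []byte // payload || 16-byte GCM tag
}

// maxMsgsPerKey caps how many records are sealed under one key. With random
// 96-bit nonces a key should be rotated well before 2^32 messages; this cap
// is an assumed policy for the example, not a value from the page.
const maxMsgsPerKey = 1 << 24

// Sealer holds the customer-managed key in memory on the agent side only.
type Sealer struct {
	keyID  string
	tenant string
	aead   cipher.AEAD
	seq    uint64
}

func NewSealer(keyID, tenant string, key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{keyID: keyID, tenant: tenant, aead: aead}, nil
}

// aad binds tenant, key ID and sequence number into the authentication tag.
func aad(tenant, keyID string, seq uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, seq)
	return append([]byte(tenant+"|"+keyID+"|"), b...)
}

// Seal encrypts one telemetry payload. The SaaS side forwards Envelopes but
// holds no key, so it can only store and route ciphertext.
func (s *Sealer) Seal(plaintext []byte) (Envelope, error) {
	if s.seq >= maxMsgsPerKey {
		return Envelope{}, errors.New("key exhausted: rotate before sealing more records")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	env := Envelope{KeyID: s.keyID, TenantID: s.tenant, Seq: s.seq, Nonce: nonce}
	env.Ciphertext = s.aead.Seal(nil, nonce, plaintext, aad(s.tenant, s.keyID, s.seq))
	s.seq++
	return env, nil
}

// Open runs on the customer side (or in a customer-controlled enclave); it
// fails if the ciphertext, nonce, tenant, key ID or sequence number changed.
func Open(key []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, aad(env.TenantID, env.KeyID, env.Seq))
}

func main() {
	key := make([]byte, 32) // constructed stand-in for a customer-managed key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSealer("cmk-2024-q3", "tenant-a", key)
	if err != nil {
		panic(err)
	}
	env, err := s.Seal([]byte("flow 10.0.1.5:44321 -> 10.0.2.9:5432 SYN")) // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	env.TenantID = "tenant-b" // attempt to replay into another tenant's stream
	_, err = Open(key, env)
	fmt.Println("cross-tenant replay:", err)
}
```

The nonce is sent in the clear alongside the ciphertext, which is fine for GCM as long as it is never reused under the same key; the sequence counter and cap are what make that guarantee hold across a long-lived streaming agent.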
Ingestion & Buffering
Stateless Go ingester pods validate Protobuf schemas and publish to NATS JetStream for guaranteed delivery.
Redis rate-limiters enforce per-tenant burst quotas. NATS JetStream persists streams to file-backed storage and acknowledges a publish only once it is written, so bursts are buffered rather than dropped. Durable consumers shared by several processor workers balance the load.
Stream Processing
Processor workers consume from NATS, extract structural relationships for Neo4j and time-series metrics for ClickHouse.
Structural data (Pod → allows traffic → DB) batched into Cypher MERGE queries. Telemetry metrics bulk-inserted at 100k rows/sec into ClickHouse sharded cluster.
Graph Analysis & Rendering
Neo4j computes Blast Radius using shortest-path algorithms. CVE feeds overlay real-time vulnerability scores onto the topology graph.
A Cypher MATCH using allShortestPaths enumerates attack vectors from internet-facing nodes to sensitive data stores. CVSS base scores from the NVD/CVE feed are multiplied by per-asset criticality weights to rank those vectors.
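The shortest-path step, as an added Go example (not the product's Cypher or Neo4j code): an in-memory BFS enumerates every shortest path from internet-facing nodes to sensitive stores, the same set allShortestPaths returns, and scores each path by summing CVSS x criticality over its nodes. The Node fields, the summing rule and the sample topology are assumptions of this example; the page states only that CVSS is multiplied by a criticality weight.

```go
package main

import (
	"fmt"
	"sort"
)

// Node is a hypothetical topology vertex: CVSS is the highest base score among
// its known CVEs (0 if none), Criticality a tenant-assigned weight (1 = normal).
type Node struct {
	InternetFacing, Sensitive bool
	CVSS, Criticality         float64
}

// Graph is a directed "allows traffic" adjacency list keyed by node ID.
type Graph struct {
	Nodes map[string]Node
	Edges map[string][]string
}

// Vector is one attack path, scored as the sum of CVSS x Criticality over its
// nodes (summing is this example's assumption; the page only says they multiply).
type Vector struct {
	Path  []string
	Score float64
}

// shortestPaths enumerates every shortest path from src to dst, the in-memory
// equivalent of Cypher's allShortestPaths: a BFS records all parents found at
// the minimal depth, then the paths are rebuilt from dst back to src.
func (g *Graph) shortestPaths(src, dst string) [][]string {
	dist := map[string]int{src: 0}
	parents := map[string][]string{}
	for queue := []string{src}; len(queue) > 0; queue = queue[1:] {
		u := queue[0]
		for _, v := range g.Edges[u] {
			if d, seen := dist[v]; !seen {
				dist[v], parents[v] = dist[u]+1, []string{u}
				queue = append(queue, v)
			} else if d == dist[u]+1 {
				parents[v] = append(parents[v], u)
			}
		}
	}
	var walk func(n string) [][]string
	walk = func(n string) [][]string {
		if n == src {
			return [][]string{{src}}
		}
		var ps [][]string
		for _, p := range parents[n] { // no parents: dst is unreachable
			for _, q := range walk(p) {
				ps = append(ps, append(q, n))
			}
		}
		return ps
	}
	return walk(dst)
}

// AttackVectors scores every shortest path from an internet-facing node to a
// sensitive store, highest score first; the stores at the end of the paths
// through a given node are that node's blast radius.
func (g *Graph) AttackVectors() []Vector {
	var vecs []Vector
	for sid, s := range g.Nodes {
		for tid, t := range g.Nodes {
			if !s.InternetFacing || !t.Sensitive || sid == tid {
				continue
			}
			for _, p := range g.shortestPaths(sid, tid) {
				v := Vector{Path: p}
				for _, id := range p {
					v.Score += g.Nodes[id].CVSS * g.Nodes[id].Criticality
				}
				vecs = append(vecs, v)
			}
		}
	}
	sort.Slice(vecs, func(i, j int) bool { return vecs[i].Score > vecs[j].Score })
	return vecs
}

// sample is a constructed topology: an ingress reaches two pods that can both
// talk to the customer database; the web pod carries a critical CVE.
var sample = &Graph{
	Nodes: map[string]Node{
		"ingress":     {InternetFacing: true, Criticality: 1},
		"web-pod":     {CVSS: 9.8, Criticality: 1.5},
		"api-pod":     {CVSS: 5.3, Criticality: 1},
		"customer-db": {Sensitive: true, Criticality: 3},
		"metrics-db":  {Criticality: 1},
	},
	Edges: map[string][]string{"ingress": {"web-pod", "api-pod"}, "web-pod": {"customer-db", "metrics-db"}, "api-pod": {"customer-db"}},
}

func main() {
	for _, v := range sample.AttackVectors() {
		fmt.Printf("%5.2f  %v\n", v.Score, v.Path)
	}
}
```

On the sample, the vector through the web pod ranks first (9.8 x 1.5 = 14.7) even though both paths end at the same store, which is the ordering a triage view needs: fix the hop that contributes the most score, not the store itself.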
Map Your Infrastructure Today
Deploy Tier 1 in under 5 minutes with zero infrastructure changes. Scale to Tier 3 when you need kernel-level visibility. Start free.