If you've ever posted about security architecture online, you've heard it: "That's nothing special. Anyone could build that." The message is always the same — what you built is trivial.
Maybe it is. But here's the thing about "anyone could build it" — anyone could build a house, too. The difference between blueprints and a standing structure is the work.
This is the first in a two-part series on what actually goes into a security system that doesn't just detect and block, but analyzes, documents, and responds.
Most security stacks are a single service running on a single box. Maybe a reverse proxy with some rate limiting. Maybe a WAF in front of a web app. This was never that.
The system runs as four independent agents across four separate servers, each with exactly one job:
Every inbound request hits Shield first. It runs deterministic rules — IP blocks, rate limits, regex-based prompt injection detection, unicode homograph scanning, base64 payload decoding — before any AI call is made. Only gray-zone traffic (where rules are ambiguous) gets escalated to a model. Clean traffic passes through. Hostile traffic gets blocked, tarpitted, or redirected to a dedicated counter-attack server.
Soul handles the AI pipeline: threat classification, forensics, evidence packet generation. It enriches traffic data with VirusTotal, URLhaus, and Cisco Umbrella intelligence in real-time. It generates forensic reports in formats that would hold up in a federal filing. When a connection looks suspicious, it doesn't just block it — it documents everything.
Intentionally isolated on separate cloud infrastructure (GCP). When Shield identifies a hostile IP, Strike takes over — tarpits the connection (holds it open at 1 byte per 20 seconds, wasting attacker resources), serves decoy pages (fake WordPress logins, fake admin dashboards). If the counter-attack server gets banned, the main infrastructure stays clean.
Runs 24/7 on a separate server with high bandwidth capacity, probing 500+ client sites every 4 hours. SSL certificate validation, security header checks, DNS configuration, TLS version compliance. Every site gets a 100-point security score, recalculated continuously. Results push to a compliance dashboard that clients can actually read.
Every internal server-to-server connection uses WireGuard — encrypted tunnel, no public ports exposed. SSH, HTTP, database queries — all over the WireGuard mesh. The firewall runs default-DROP on every server. Only explicitly allowed ports are open to the internet.
This means even if one server is compromised, the attacker sees a mesh of unrouteable internal addresses with no open ports. There's nothing to scan.
There's no SaaS product that does coordinated counter-attack with an isolated strike server while running 500-site compliance monitoring with AI-powered forensic documentation. You can buy pieces — a WAF, a monitoring tool, an email outreach platform — but stitching them together with secure inter-server communication, evidence pipelines, and multi-agent orchestration is integration work that most organizations don't do and most vendors don't offer.
— Part 1 of 2. Read Part 2: The AI, The Honesty, The Bottom Line →