Zedmos
Engine v0.0.1 (GA) · CTI Hub v2.5.1 · SD-WAN (Test) · SASE (Test) · WAF (Roadmap)

One engine. One pane.
Every network layer.

Zedmos is an inline security engine that fuses routing, encryption, deep inspection, and curated threat intel into a single data plane. Installed as an OPNsense plugin, it integrates seamlessly into an existing appliance. Same policies, same data plane, same UI.

[Console mockup: Zedmos console, single pane of glass. Tabs: Policies · Identities · CTI Hub · SLA / SD-WAN · Events. Blocks: NGFW + DPI (L7 · TLS · IDS/IPS), SD-WAN (per-policy routing, Test), CTI Hub, SASE (Test), Identity (AD · Azure · SCIM). One engine binary, inline fast path: IN → capture → parse → classify → ti-lookup → evaluate → decide → enforce → OUT.]
BY THE NUMBERS

Verified, datacenter-aware, and inline

The CTI Hub feeds the same engine that runs your firewall. Every IOC is scored, every ASN ranked, every country and TLD weighted before the snapshot reaches your data plane.

  • 5.0M+ IOCs scored: STIX 2.1 confidence · 8 signals
  • 34 threat categories: domains · IPs · SHA256 · JA3/JA4
  • 65+ curated feeds: verified · trusted · community
  • 12.1k ASNs scored: 210 countries · 40 TLDs
  • 100% ground-truth detection: feodotracker cross-validation
  • <10 s HA failover: hot-reload, zero packet loss

INLINE THREAT INTEL

Threat sources from across the globe — one decision per packet

The Zedmos CTI Hub continuously ingests curated feeds, scores every indicator with STIX 2.1 confidence, and ships only the corroborated set to your firewalls. Feeds hot-reload with zero packet loss, and a datacenter-aware allowlist keeps legitimate cloud SaaS from ever being blocked.

  • Multi-source consensus → verified tier promotion
  • Offline GeoASN lookup at line rate (3.3M ops/s)
  • Cloud-AS exception keeps Microsoft 365 / Google Workspace alive
  • Public verification endpoint for cross-validation
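
As an added illustration (not Zedmos code) of the consensus and cloud-AS rules listed above, the Python below folds several constructed feeds into one snapshot: an indicator seen by at least two feeds (an assumed threshold) is promoted to the verified tier, and a verified indicator whose ASN sits in an assumed cloud-AS exception set is downgraded to alert-only so shared SaaS address space never turns into an inline block.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feeds (feed name -> list of (indicator, asn)); the real
# Zedmos feed formats are not on the page. ASNs are from the documentation
# range 64496-64511 and carry no real-world meaning.
FEEDS = {
    "feed-a": [("203.0.113.10", 64500), ("203.0.113.11", 64500), ("198.51.100.5", 64510)],
    "feed-b": [("203.0.113.10", 64500), ("198.51.100.5", 64510)],
    "feed-c": [("203.0.113.10", 64500), ("198.51.100.5", 64510)],
}
# Assumed cloud-AS exception: indicators in these ASNs never become inline
# blocks, since the same addresses front legitimate SaaS tenants.
CLOUD_AS = {64510}
# Assumed consensus threshold: independent feeds needed for the verified tier.
VERIFIED_MIN_SOURCES = 2

@dataclass(frozen=True)
class Entry:
    indicator: str
    asn: int
    sources: tuple   # feeds that listed the indicator
    tier: str        # "verified" or "community"
    action: str      # "block", "alert" or "monitor"

def build_snapshot(feeds, cloud_as=CLOUD_AS, min_sources=VERIFIED_MIN_SOURCES):
    """Fold every feed into one immutable snapshot the data plane can swap in
    as a whole; the previous snapshot keeps serving until the swap."""
    seen, asn_of = defaultdict(set), {}
    for name, items in feeds.items():
        for indicator, asn in items:
            seen[indicator].add(name)
            asn_of[indicator] = asn
    snapshot = {}
    for indicator, names in seen.items():
        asn = asn_of[indicator]
        tier = "verified" if len(names) >= min_sources else "community"
        if tier != "verified":
            action = "monitor"   # single source: log only, never enforce inline
        elif asn in cloud_as:
            action = "alert"     # corroborated, but blocking a shared cloud AS breaks SaaS
        else:
            action = "block"
        snapshot[indicator] = Entry(indicator, asn, tuple(sorted(names)), tier, action)
    return snapshot

def decide(snapshot, indicator):
    """Per-packet decision; indicators absent from the snapshot pass."""
    entry = snapshot.get(indicator)
    return entry.action if entry else "allow"
```
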
WHAT AN NGFW SHOULD HAVE

Every layer a modern firewall owes you — in one engine

Instead of stitching an IDS, a DPI layer, a TLS proxy, a content scanner, and a separate SASE overlay together, Zedmos ships one binary that runs every layer on the same zero-copy path.

Packet & protocol
  • Stateful packet inspection: in-engine flow table (GA)
  • Deep packet inspection: 200+ protocols (GA)
  • TLS / SSL inspection: SNI · TLS fingerprinting · bump (GA)
  • QUIC / DoT / DoH control (GA)
  • IDS / IPS: Aho-Corasick binary rules (GA)
Access & routing
  • Application control (GA)
  • URL / web filtering: suffix trie + TI feeds (GA)
  • Identity-aware policy (ZTNA): AD · Azure · SCIM (GA)
  • Encrypted VPN overlay: native fast-path integration (GA)
  • SD-WAN per-policy steering: SLA-aware failover (Test)
  • Centralized SASE hub-spoke (Test)
Content & threat
  • Anti-malware (inline): streaming payload inspection (GA)
  • Threat intelligence feeds: IP · domain · URL · TLS fingerprint (GA)
  • WAF / reverse proxy: design complete, shipping in a later release (Roadmap)
  • File type / MIME filtering (GA)
Operations
  • Centralized mgmt (single pane) (GA)
  • Sub-10 s failover: in-process daemon (GA)
  • Hot-reload policies & feeds: zero packet loss (GA)
  • SIEM / S3 / Kafka export: unified log plane (GA)

CAPABILITIES

Pick any block. It runs on the same pipeline.

Each capability below is a live feature of the engine, documented and deployable today. Click any card for the deep dive — architecture, config snippets, and benchmarks.

  • Zero-Copy Fast Path (Platform · GA)
    Shared-memory packet rings bypass the kernel socket path. ~14 Gbps on a single core.
    Metric: 14 Gbps
  • TLS Inspection + Fingerprinting (Inspection · GA)
    SNI extraction, full client and server fingerprinting, forward-proxy bumping with a short-lived CA.
    Metric: 65K fingerprints
  • L7 App Classification (Inspection · GA)
    200+ application protocols, category pairs, encrypted traffic heuristics — all on the fast path.
    Metric: 200+ protocols
  • Multi-Action Policy Engine (Security · GA)
    allow / drop / reset / shape / redirect / quarantine / tarpit / scan / rewrite / exec / mark / escalate / route / log.
    Metric: 14 actions
  • SD-WAN per-Policy Steering (Routing · Test)
    Route per app / category / SNI / user / geo. Strategy-pattern TX with SNAT and kernel FIB.
    Metric: multi-WAN
  • Feed-Driven Threat Intelligence (Security · GA)
    IP, domain, URL, and TLS-fingerprint blocklists. Suffix-trie matching. Atomic hot-swap via control socket.
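
An added illustration (not Zedmos code) of the suffix-trie matching and atomic hot-swap named in the card above: the Python below keys a trie on DNS labels from the right, so a listed zone covers itself and every subdomain without matching an unrelated name that merely ends in the same characters, and a new snapshot is built fully off-path before a single reference assignment publishes it. The feed entries and categories are constructed.

```python
_TERMINAL = "\0"   # cannot occur in a DNS label, so it safely marks "listed here"

class DomainSuffixTrie:
    """Trie keyed by DNS labels, rightmost first, so a listed zone matches
    itself and every subdomain, while names that merely end with the same
    characters (notevil.example vs evil.example) stay unmatched."""

    def __init__(self):
        self.root = {}

    @staticmethod
    def _labels(name):
        return name.lower().rstrip(".").split(".")[::-1]

    def add(self, domain, category):
        node = self.root
        for label in self._labels(domain):
            node = node.setdefault(label, {})
        node[_TERMINAL] = category

    def lookup(self, hostname):
        """Most specific listed category covering hostname, or None."""
        node, best = self.root, None
        for label in self._labels(hostname):
            node = node.get(label)
            if node is None:
                break
            best = node.get(_TERMINAL, best)
        return best

# Constructed feed entries: (domain, category). Not real indicators.
FEED = [("evil.example", "malware"), ("cdn.evil.example", "c2"), ("tracker.test", "adware")]

_active = DomainSuffixTrie()   # snapshot currently served to the fast path

def swap_snapshot(entries):
    """Build the replacement completely off-path, then publish it with one
    reference assignment so lookups never observe a half-built trie."""
    global _active
    new = DomainSuffixTrie()
    for domain, category in entries:
        new.add(domain, category)
    _active = new
    return new

def classify(hostname):
    return _active.lookup(hostname)
```
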
  • Identity & Device Recognition (Identity · GA)
    AD DC agent, Azure Graph pull, SCIM hook, ARP/DHCP fingerprinting. Per-flow user tags.
    Metric: AD · Azure · SCIM
  • Sub-10s SASE Failover (Routing · Test)
    ICMP / HTTP / DNS probes, composite health score, atomic peer swap. Hysteresis-aware.
    Metric: < 10 s
  • Hot-Reload Control Plane (Platform · GA)
    SIGHUP and UNIX-socket commands swap policies, feeds, and routes with zero packet loss.
  • Inline File Scanning (Security · GA)
    Protocol-aware payload reassembly across web, mail, and file-sharing traffic with content-type inference and per-flow deduplication.
  • QUIC / DoT / DoH Control (Security · GA)
    Block or downgrade encrypted bypass paths per policy. 90% QUIC, 85% DoT effective.
  • Encrypted Overlay on the Fast Path (Routing · GA)
    Kernel driver patched so encrypted overlay peers can join the same fast path. Opt-in on bare-metal deployments; standard SASE still defaults to the kernel socket path.
  • Unified Log Plane (Observability · GA)
    Lock-free shared-memory ring into a dedicated writer daemon. File, syslog, SQLite, and Elasticsearch sinks today — with write-ahead log, circuit breaker, and adaptive sampling under load.
  • Hardware Acceleration (Platform · GA)
    Intel 1/10 GbE multi-queue, NIC preflight, CPU affinity — 10× cache-miss reduction.