Synapse+Horizon Edge Protection Platform

Platform Architecture

End-to-end view of the Horizon edge protection platform. Sensors at the edge, a central hub in the middle, storage and consumers at the back. Every edge decision is local; every signal flows to the hub asynchronously; the hub stays out of the request path.

Sensors Per Fleet
Signal Sync: <100ms
Architecture: 5-tier
Edge Deps: 0
Layered Architecture
Top to bottom: request origin → edge decision → hub intelligence → persistence → consumers
01 Clients · REQUEST ORIGIN
Browser: Human traffic
Mobile App: Native clients
API Client: Machine-to-machine
Crawler: Good bots · verified DNS
Attacker: Bots · scanners · botnets
▼ HTTPS — request + headers + body
02 Edge · Synapse Sensors · <1ms LOCAL DECISION
Synapse US-East: Pingora proxy + WAF + DLP + Bot
Synapse EU-West: Pingora proxy + WAF + DLP + Bot
Synapse AP-South: Pingora proxy + WAF + DLP + Bot
237 rules · 500+ bot signatures · 22+ DLP patterns · 8 correlation detectors · JA4/JA4H · Actor cache 100K · Auto-mitigation
▼ signals · ▲ commands
03 Control Plane · Horizon Hub · CENTRALIZED INTELLIGENCE
WS Gateway: Signal ingest · fan-in
Aggregator: Dedupe · batch · persist
Correlator: Cross-sensor campaigns
Broadcaster: Real-time push to UI
REST API: 80+ endpoints · admin
Fleet manager · Rule distributor · Sigma engine · CyberChef · War room · Hunt API · Remote shell tunnels
▼ persist · ▲ query
04 Storage · STATE & ANALYTICS
PostgreSQL: Source of truth · tenants · rules · fleet state
ClickHouse: Time-series · signal history · hunt queries
Redis: Cache · pub/sub · multi-instance sessions
▲ read · realtime push
05 Consumers · OPERATORS & INTEGRATIONS
Horizon UI: SOC dashboard · live map
Synapse CLI: Admin · rules · diagnostics
Webhooks: Slack · PagerDuty · SIEM
Apparatus Lib: Embedded SDK · drills
Component Responsibilities
Component | Layer | Responsibility
Synapse | EDGE · Rust · Pingora | Inline WAF, DLP, bot detection, behavioral profiling, interrogation. Makes every allow/block decision locally — no network calls.
WS Gateway | HUB · Node.js | Accepts persistent WebSocket connections from sensors, authenticates each tenant, streams signals into the aggregator.
Aggregator | HUB · Node.js | Deduplicates, batches, and writes signals. Dual-write to PostgreSQL (hot) and ClickHouse (cold). Failure of either doesn't block ingest.
Correlator | HUB · Node.js | Cross-sensor campaign correlation. Links distributed attacks via JA4 fingerprints, auth tokens, ASN proximity. Emits campaign events.
Broadcaster | HUB · Node.js | Pub/sub fan-out from aggregator and correlator to Horizon UI. Real-time threat map updates, campaign timelines, SOC alerts.
REST API | HUB · Fastify | 80+ endpoints for admin, hunt queries, rule management, drill orchestration, and external integrations. Rate-limited per tenant.
PostgreSQL | STORE · primary | Tenants, rules, config, fleet state, recent signals. Row-level tenant isolation. The source of truth for everything operational.
ClickHouse | STORE · analytics | Full signal history for time-window queries, hunt jobs, and aggregation. Write-heavy, read-optimized for SOC workflows.
Redis | STORE · cache | Session sharing across Horizon instances, rate limit counters, correlation pub/sub, and multi-instance coordination.
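
The Correlator entry above describes linking distributed attacks across sensors by JA4 fingerprint. The sketch below is an added example, not Horizon's code: a sliding-window correlator in JavaScript that emits one campaign per burst. The signal field names, the two thresholds and the sample signals are assumptions; the 1000 ms window follows the ~1s correlation window the page cites.

```javascript
// Added example: sliding-window cross-sensor correlation keyed on JA4.
// Field names and thresholds are assumptions, not the product's schema.
const WINDOW_MS = 1000;  // the page cites a ~1s correlation window
const MIN_SENSORS = 2;   // assumed: "cross-sensor" means at least two sensors
const MIN_SOURCES = 3;   // assumed: distinct client IPs before calling it distributed

// Input is edge detections (signals), not raw requests: a JA4 value is shared by
// every client running the same TLS stack, so it only means something when the
// requests carrying it were already flagged at the edge.
function correlate(signals) {
  const windows = new Map();  // ja4 -> signals still inside the window
  const open = new Set();     // ja4 values whose campaign was already emitted
  const campaigns = [];
  // Sensors report asynchronously, so order by event time before windowing.
  const ordered = [...signals].sort((a, b) => a.ts - b.ts);
  for (const sig of ordered) {
    const win = (windows.get(sig.ja4) || []).filter(s => sig.ts - s.ts < WINDOW_MS);
    win.push(sig);
    windows.set(sig.ja4, win);
    const sensors = new Set(win.map(s => s.sensor));
    const sources = new Set(win.map(s => s.ip));
    const hit = sensors.size >= MIN_SENSORS && sources.size >= MIN_SOURCES;
    if (hit && !open.has(sig.ja4)) {
      open.add(sig.ja4);      // emit once per burst, not once per signal
      campaigns.push({ ja4: sig.ja4, firstSeen: win[0].ts,
                       sensors: [...sensors].sort(), sources: sources.size });
    } else if (win.length === 1) {
      open.delete(sig.ja4);   // window drained: a later burst is a new campaign
    }
  }
  return campaigns;
}

// Constructed sample signals; JA4 strings are placeholders, IPs are documentation ranges.
const JA4_A = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb";
const JA4_B = "t13d1715h2_cccccccccccc_dddddddddddd";
const SAMPLE = [
  { ts: 1000, sensor: "us-east",  ip: "192.0.2.10",   ja4: JA4_A },
  { ts: 1200, sensor: "eu-west",  ip: "198.51.100.7", ja4: JA4_A },
  { ts: 1300, sensor: "us-east",  ip: "192.0.2.44",   ja4: JA4_B },
  { ts: 1600, sensor: "ap-south", ip: "203.0.113.5",  ja4: JA4_A },
  { ts: 1700, sensor: "ap-south", ip: "203.0.113.9",  ja4: JA4_A },
  { ts: 5000, sensor: "us-east",  ip: "192.0.2.44",   ja4: JA4_B },
  { ts: 5400, sensor: "eu-west",  ip: "192.0.2.44",   ja4: JA4_B }, // one IP, two sensors: not distributed
];
console.log(correlate(SAMPLE));
```
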
Resilience Model
The hub is additive intelligence — not a dependency
Hub Online — Full Fleet Mode
Centralized intelligence & cross-fleet correlation
Campaign correlation across every sensor in the fleet
Real-time rule distribution — ~240μs hot reload per sensor
Shared blocklists and IoC propagation across tenants
Live threat map, hunt queries, and SOC war-room workflows
Anonymized cross-tenant signal sharing via SHA-256 fingerprints
Hub Offline — Independent Edge Mode
Every sensor continues protecting its edge
All WAF, DLP, and bot decisions keep running locally
Per-sensor campaign correlation and actor scoring unaffected
Signals buffer locally and replay when the hub returns
Last-known rules, blocklists, and challenge state remain in effect
No blocked requests, no dropped traffic, no customer impact
End-to-End Timing
Operation | Latency | Path | Target
Request → Edge decision | <1ms | Client → Synapse → Origin | ✓ Met
Signal → Hub ingest | <100ms | Synapse → WS Gateway → Aggregator | ✓ Met
Campaign correlation window | ~1s | Aggregator → Correlator → Broadcaster | ✓ Met
Rule push → sensor applied | ~240μs | Horizon API → WS command → Synapse reload | ✓ Met
UI update (live threat map) | <500ms | Broadcaster → UI WebSocket → render | ✓ Met