SynapseEdge Defense

Threat Intel Feedback Loop

How signals observed at one IP turn into blocks at every related IP. A closed loop from detection to correlation to re-armed enforcement, running in-process at the edge — O(1) fingerprint lookups, no backend round-trip.

Correlation Detectors: 8
Signal Categories: 4
Fingerprint Lookup: O(1)
Campaign Risk Add: +30

The Closed Loop — Observe · Correlate · Re-Arm · Enforce
[Diagram: CAMPAIGN MANAGER (O(1) DashMap), is_in_campaign?]
1 · OBSERVE: WAF hits · DLP · schema · JA4/JA4H · IP · ASN; register_ja4(ip, fingerprint)
2 · CORRELATE: FingerprintIndex lookup; detectors fire on threshold (shared · rotation · timing · graph)
3 · RE-ARM: CampaignStore updated; all members tagged live; risk +30 applied to each
4 · ENFORCE: Risk ≥ 70 · block on sight; Risk ≥ 40 · interrogate; canonical 403 · tarpit
NEW BLOCK EVENTS → NEW SIGNALS

Signal Categories — What Feeds the Loop
Attack: WAF blocks, injection attempts, known-exploit matches
Anomaly: Schema drift, unusual headers, TLS/UA mismatches
Behavior: Rate violations, session anomalies, auth patterns
Intelligence: Threat feeds, Tor exits, datacenter ranges, bad-IP lists

Correlation Detectors — 8 Running In-Process
shared_fingerprint (JA4+JA4H COLLISION): 3+ IPs sharing the same combined fingerprint → campaign. Default threshold: 3.
ja4_rotation (ACTOR FLIP PATTERN): One IP cycling through 3+ JA4s fast → evasion attempt.
timing_correlation (SIMULTANEOUS ACTIONS): Requests arriving within tight windows across IPs suggest scripted coordination.
network_proximity (ASN / SUBNET): Actors clustered in the same /24 or ASN get linked even without fingerprint overlap.
behavioral_similarity (REQUEST SHAPE): Matching path sequences, body shapes, and header orderings across IPs.
attack_sequence (KILL-CHAIN PATTERN): Same ordered attack progression seen across multiple actors.
auth_token (SHARED CREDENTIALS): Multiple IPs presenting the same session/JWT → stuffing or account takeover.
graph (RELATIONSHIP MESH): Transitive links: if A↔B and B↔C, all three enter the same campaign.

Before the Loop vs After
WITHOUT FEEDBACK
198.51.100.12 blocked
Original attacker IP gets a 403. The other 17 IPs sharing its JA4 + JA4H fingerprint continue unblocked until they individually trip a WAF rule or the per-IP risk score climbs — potentially minutes of exposure per actor.
WITH FEEDBACK
17 IPs blocked on sight
Campaign detection fires on the 3rd IP to share the fingerprint. Every member of the set — past, present, and any future IP that joins — gets the campaign membership tag. Their next request sees risk 70+ without any per-IP learning period. The loop closes at edge speed, no backend consultation required.
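
The shared_fingerprint path through the loop, as an added Rust example that is not SynapseEdge's own code. register_ja4 and is_in_campaign take their names from the diagram; the CampaignManager fields, enforce, the Action enum and the base_risk parameter are assumptions, and a std HashMap stands in for DashMap. It uses the page's threshold of 3, the +30 campaign add and the 70/40 enforcement cut-offs.

```rust
use std::collections::{HashMap, HashSet};

const CAMPAIGN_THRESHOLD: usize = 3; // page default for shared_fingerprint
const CAMPAIGN_RISK_ADD: u32 = 30; // page: +30 applied to each member

#[derive(Debug, PartialEq)]
pub enum Action { Allow, Interrogate, Block }

/// Hypothetical stand-in for the Campaign Manager (std HashMap, not DashMap).
#[derive(Default)]
pub struct CampaignManager {
    index: HashMap<String, HashSet<String>>, // combined JA4+JA4H -> IPs seen with it
    members: HashSet<String>,                // IPs tagged as campaign members
}

impl CampaignManager {
    /// Observe + correlate: record the fingerprint; true if the IP is now a member.
    pub fn register_ja4(&mut self, ip: &str, fingerprint: &str) -> bool {
        let seen = self.index.entry(fingerprint.to_string()).or_default();
        seen.insert(ip.to_string());
        if seen.len() >= CAMPAIGN_THRESHOLD {
            // Re-arm: tag every IP seen with this fingerprint, earlier ones included.
            self.members.extend(seen.iter().cloned());
        }
        self.members.contains(ip)
    }

    /// Membership check: one average-O(1) hash lookup per request.
    pub fn is_in_campaign(&self, ip: &str) -> bool {
        self.members.contains(ip)
    }

    /// Enforce: per-IP score (assumed input) plus campaign add, then the 70/40 cut-offs.
    pub fn enforce(&self, ip: &str, base_risk: u32) -> Action {
        let bonus = if self.is_in_campaign(ip) { CAMPAIGN_RISK_ADD } else { 0 };
        match base_risk + bonus {
            r if r >= 70 => Action::Block,
            r if r >= 40 => Action::Interrogate,
            _ => Action::Allow,
        }
    }
}

fn main() {
    let mut m = CampaignManager::default();
    for ip in ["198.51.100.12", "203.0.113.5", "203.0.113.9"] { // constructed sample IPs
        m.register_ja4(ip, "ja4-sample|ja4h-sample"); // constructed fingerprint
        println!("{}: {:?}", ip, m.enforce(ip, 45));
    }
    println!("re-check 198.51.100.12: {:?}", m.enforce("198.51.100.12", 45));
}
```

The re-check at the end of main shows the re-arm step: the first IP moves from interrogate to block without sending anything new, because the third IP to share the fingerprint tagged the whole set.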