nexus-fleet
v2.2.1
Published
Nexus Fleet + SecOps — agent/manager/cli/dashboard + SOC brain (SIEM·XDR·EDR·UEBA·SOAR·Threat-Intel·NDR·Cloud·local-AI). npm membungkus engine Python stdlib-only.
Maintainers
chandafaReadme
Nexus Fleet + SecOps
Lightweight, developer-first security platform for endpoints, servers, and web apps.
Agent · Manager · CLI · Dashboard — a Wazuh-style architecture you can pip install,
now with a full SecOps SOC brain: SIEM · XDR · EDR · UEBA · SOAR · Threat Intel · NDR ·
Cloud CSPM · local AI triage (no external API).
Overview
Nexus Fleet lets a central Manager monitor many endpoints through a lightweight Agent, generating prioritized, MITRE ATT&CK–mapped alerts — while your security data stays inside your own network (offline-first). It pairs the proven Wazuh model (FIM, log monitoring, SCA, vulnerability detection, active response) with developer-first detections for modern web stacks (Laravel, Next.js, Nginx) that traditional SIEMs miss.
The agent is pure-Python (stdlib only) — deploy it on any host with Python 3.8+, no heavy runtime.
Why Nexus Fleet
- Offline-first — telemetry never leaves your LAN; ideal for compliance and on-prem.
- Developer-aware — detects Laravel
APP_DEBUG, exposed.env, weak DB creds, leakedNEXT_PUBLIC_*secrets, source-map exposure, and parses Laravel/Nginx/auth logs. - Lightweight & simple — single-command install; no cluster, indexer, or agent runtime to manage.
- Actionable — every alert carries a severity level (0–15), MITRE technique, and a remediation step.
- Founder-friendly — a 0–100 security posture score for network, server, and website.
Features
| Domain | Capabilities |
| --- | --- |
| Network | Port/exposure detection, host discovery, DNS recon, firewall advisor |
| Server / Endpoint | File Integrity Monitoring (FIM), Security Configuration Assessment (SCA), software & process & network inventory, failed-login & disk monitoring |
| Web / App | Laravel & Next.js config audit, .env exposure, secret leakage, source-map checks |
| Detection | Rule engine (level 0–15 + MITRE ATT&CK), Sigma import, log decoders, Vulnerability Detection (inventory ↔ CVE) |
| Response | Alert engine with deduplication, ack/resolve, Active Response (block IP, dry-run by default), audit log |
| Operations | Multi-agent management, central policy, store-and-forward offline buffering, consistent reports, posture score |
| SecOps — SIEM | NQL query language + aggregations over the event/alert store (nexus_secops.siem) |
| SecOps — XDR | Cross-event, time-windowed correlation → kill-chain incidents (correlate) |
| SecOps — EDR | Real process tree (pid/ppid) + suspicious-lineage detection (edr) |
| SecOps — UEBA | Per-entity behavioral baselines + anomaly scoring + peer analysis (ueba) |
| SecOps — SOAR | Playbooks → real active-response, dry-run-safe, run history (soar) |
| SecOps — Threat Intel | IOC store + match on real telemetry + feed import (threatintel) |
| SecOps — NDR | Beaconing/C2, port-scan & IOC-destination detection from flows (ndr) |
| SecOps — Cloud | CSPM: evaluate cloud config vs CIS + import Prowler (cloud) |
| SecOps — AI | Local Naive-Bayes + heuristic triage, kill-chain NLG, NL→query — no token (ai) |
Architecture
┌──────────────────────┐ ┌──────────────────────┐
│ nexus-dashboard │ │ nexus-cli │
│ (web monitoring UI) │ │ (admin & SOC menu) │
└──────────┬───────────┘ └──────────┬───────────┘
│ REST API (admin token) │
▼ ▼
┌─────────────────────────────────────────────────────────┐
│ nexus-manager │
│ enrollment · rule & alert engine · vuln detection · │
│ policy · licensing · audit · reports → SQLite │
└──────────────────────────┬──────────────────────────────┘
HTTP + HMAC-SHA256 │ (heartbeat · events · policy)
┌──────────────────────────┴──────────────────────────────┐
│ nexus-agent │
│ FIM · Log Monitoring · SCA · Syscollector · Web Audit · │
│ Active Response · offline store-and-forward queue │
└──────────────────────────────────────────────────────────┘
nexus-secops — SOC analytics layer ON TOP of the manager's store (no new agent):
┌──────────────────────────────────────────────────────────────────────────┐
│ siem · correlate(XDR) · edr · ueba · soar · threatintel · ndr · cloud · │
│ ai (local triage) → all read the same event/alert store │
└──────────────────────────────────────────────────────────────────────────┘One platform, one agent, modules inside — the Wazuh/Elastic/Defender/Cortex model. Full hierarchy & data flow:
ARCHITECTURE.md.
Installation
With pip (recommended):
pip install nexus-fleetWith npm (Node wrapper around the Python engine):
npm install -g nexus-fleetBoth install the umbrella command nexus plus five standalone commands: nexus-manager,
nexus-agent, nexus-cli, nexus-dashboard, nexus-license. Requires Python 3.8+ on the host.
nexus --version # prints: nexus 2.2.1 (verify the install on any terminal)
nexus --help # list sub-commandsQuick Start
# 1. Central server (also serves the dashboard at http://<host>:8765/)
nexus manager run --host 0.0.0.0 --port 8765
nexus manager info # prints enrollment key + admin token
# 2. On each endpoint
nexus agent enroll --host <manager> --port 8765 --key <ENROLL_KEY> --labels prod,web
nexus agent start # runs as a daemon (see deploy/ for service files)
# 3. Administration
nexus cli # interactive SOC console (network & web menus)
nexus cli --token <ADMIN_TOKEN> alerts # list alerts (rule engine + MITRE)
nexus cli --token <ADMIN_TOKEN> report # consistent report (schema nexus.report/v1)Each
nexus <sub>form maps to the matching standalone command (nexus manager run≡nexus-manager run). Use whichever you prefer.
Run as a boot-time service using the units in deploy/ (systemd / Windows Task Scheduler).
Editions
| | Free | Pro | Enterprise | | --- | --- | --- | --- | | Agents (seats) | 2 | seat-based (default 50) | Unlimited | | Detection rules | Core | Full (FIM, web audit, SCA, vuln) | Full | | Sigma import · Active Response | — | ✓ | ✓ | | Web/app audit · Reports · Posture score | Limited | ✓ | ✓ |
Licensing is enforced by Ed25519-signed tokens (nexus-license). Without a license, the Manager
runs in Free mode (2 agents). A Pro token is seat-based — it allows up to its seat count
(default 50) of agents to enroll; Enterprise is unlimited. One token unlocks the desktop GUI, the
CLI, and Fleet on the same device (~/.nexus/desktop_license.txt). Apply a token to the Manager
with NEXUS_LICENSE=<token-or-file> or nexus cli apply-license. Contact the vendor for licensing.
Security Model
| Area | Protection | | --- | --- | | Transport | HMAC-SHA256 per-agent message signing; optional TLS / mTLS for the Manager API | | Authentication | Enrollment key for agents; admin token with RBAC roles (admin / analyst / read-only) | | At rest | Sensitive event fields encrypted at rest (Fernet); SQLite in WAL mode | | Integrity | Replay/clock-skew protection on signed messages; tamper-evident audit log | | Privacy | Offline-first — telemetry is stored locally; nothing is sent to the internet | | Scope | For ethical, authorized security testing on systems you own or may assess |
Documentation
- Architecture & hierarchy —
ARCHITECTURE.md - Product brief & pricing —
docs/PRODUCT-BRIEF.md - IP & licensing —
docs/IP-PROTECTION.md - Validation (Fleet + all 9 SecOps pillars):
python tests/test_fleet.py·test_secops.py·test_soar.py·test_threatintel.py·test_ueba.py·test_ai.py·test_edr.py·test_cloud.py·test_ndr.py
Support
Licensing, sales, and security reports: [email protected]
License
© 2026 chandafa (Nexus Security). Proprietary — see LICENSE.
Not open source; redistribution and resale are prohibited without written permission.