Nexus 2.0 — the SecOps release: SIEM, XDR, EDR, UEBA, SOAR & local AI
Nexus grows from a Wazuh-style fleet into a full SOC platform: nine security capabilities, consolidated from twenty enterprise tools, shipping inside the same nexus-fleet package.
Version 2.0 is the largest release in the history of the project. Nexus is no longer just an agent and a manager — it is a complete Security Operations platform. We took the de-duplicated capabilities of twenty enterprise tools (Splunk, Elastic, QRadar, Graylog, CrowdStrike, SentinelOne, Microsoft Defender XDR, Palo Alto Cortex, Securonix, Security Onion, Wazuh and more) and rebuilt them as nine focused modules. Crucially, they all live inside the same nexus-fleet package: one install, one agent, modules inside — the Wazuh/Elastic model, not twenty separate products.
pip install --upgrade nexus-fleet # now v2.0.0
nexus --version # nexus 2.0.0
SIEM — search everything with NQL
A query language over the real event and alert store, with aggregations and timelines. No new data lake to run — it reads the manager's store you already have.
severity>=high last:24h # high+ in the last day
event_type:failed_login agent_id:web-01
-origin:demo target.path:*.env # real .env changes only
XDR — many alerts become one incident
Cross-event, time-windowed correlation fuses brute-force, suspicious processes and IOC hits on the same host into a single kill-chain incident — so you investigate one story instead of fifty alerts.
EDR & NDR — endpoint and network detection
- EDR builds a real process tree from pid/ppid and flags suspicious lineage like a web server spawning a shell.
- NDR analyses connection telemetry to catch C2 beaconing, port scans and connections to known-bad destinations.
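The lineage check the EDR bullet describes, as an added Python example that is not Nexus's own code: it indexes constructed pid/ppid telemetry (the field names are assumptions), walks each shell's ancestor chain and flags any shell descended from a web-server process, while leaving an admin's sshd-spawned shell alone.

```python
# Added example, not Nexus's own code: index pid/ppid telemetry, walk each
# shell's ancestry and flag shells descended from a web-server process.
# Constructed sample telemetry for one host; field names are assumptions.
EVENTS = [
    {"pid": 1,   "ppid": 0,   "name": "systemd", "agent_id": "web-01"},
    {"pid": 200, "ppid": 1,   "name": "nginx",   "agent_id": "web-01"},
    {"pid": 201, "ppid": 200, "name": "nginx",   "agent_id": "web-01"},  # worker
    {"pid": 350, "ppid": 201, "name": "php-fpm", "agent_id": "web-01"},
    {"pid": 351, "ppid": 350, "name": "sh",      "agent_id": "web-01"},  # suspicious
    {"pid": 352, "ppid": 351, "name": "curl",    "agent_id": "web-01"},
    {"pid": 400, "ppid": 1,   "name": "sshd",    "agent_id": "web-01"},
    {"pid": 401, "ppid": 400, "name": "bash",    "agent_id": "web-01"},  # admin login, benign
]

WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}

def index_by_pid(events):
    """Process tree as a pid -> event map; parents are reached via ppid."""
    return {e["pid"]: e for e in events}

def ancestry(by_pid, pid, max_depth=64):
    """Names of the process and its ancestors, child first, root last.
    The seen-set and depth cap guard against cycles or pid reuse in
    inconsistent telemetry."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain

def suspicious_lineage(events):
    """Return one finding per shell whose ancestor chain contains a web server."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        if e["name"] not in SHELLS:
            continue
        chain = ancestry(by_pid, e["pid"])
        if any(name in WEB_SERVERS for name in chain[1:]):
            findings.append({"agent_id": e["agent_id"], "pid": e["pid"],
                             "chain": " <- ".join(chain)})
    return findings

if __name__ == "__main__":
    for finding in suspicious_lineage(EVENTS):
        print(finding)
```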
UEBA, SOAR & Threat Intelligence
UEBA baselines each entity's behaviour and scores anomalies; SOAR runs playbooks that drive real active-response (block, isolate, kill) with a dry-run-safe default; Threat Intel stores IOCs and matches them against live telemetry, with feed import from sources like abuse.ch, MISP and OTX.
# import a real threat-intel feed (manager API)
curl -XPOST $MANAGER/api/v1/ti/import -H "X-Admin-Token: $TOK" \
-d '{"url":"https://feodotracker.abuse.ch/downloads/ipblocklist.txt","threat":"feodo"}'
Cloud CSPM & a local AI that costs nothing to run
The Cloud module evaluates your cloud configuration against CIS-style checks (and imports Prowler output). And every incident is triaged by a local AI engine — priority, a plain-language kill-chain summary and a recommended response — with zero external API and zero token cost.
Twenty tools, one platform. Real detections on real data, and your security data never leaves your network.
Everything operates on real data only — never demo — and stays offline-first. Upgrade in one command; your agents reconnect automatically.
pip install --upgrade nexus-fleet