
Air-gapped Mode & Offline Threat-Intel Bundle

Built for fully disconnected, regulated deployments — government, critical infrastructure, and anywhere outbound traffic is forbidden. Turn air-gapped mode on and the manager refuses to reach the internet for threat-intel feeds. You sync intel through portable offline bundles instead.

Topic: Deployment · Regulated environments
Enforces: No outbound feed pulls
Bundle format: nexus-ti-bundle/1
API: /airgap · /ti/bundle

What it does

All of Nexus' core analytics already run 100% locally; there is no cloud dependency. Air-gapped mode adds the hard guarantee a regulated environment needs: while it is on, the manager blocks internet feed fetches outright. A POST /ti/import for any URL that is not a file:// path is rejected, so no feed fetch ever reaches out over the wire. To keep your threat intel current, you move it in by hand as a portable bundle.

  • Hard-enforced — internet feed fetches are blocked; only file:// imports are allowed.
  • Portable intel — export every IOC to a single JSON bundle and carry it across the gap.
  • Fully local SOC — pairs with the local AI and the local SecOps engine for a no-internet SOC.

How to use it

1. Check or set the mode
Run with no flag to read the current status, or toggle it explicitly.
bash
nexus-cli airgap          # show status
nexus-cli airgap --on     # enable air-gapped mode
nexus-cli airgap --off    # disable air-gapped mode

2. Export a bundle (connected side)
On the connected side, the one that still receives intel, export every IOC to a portable JSON file in the nexus-ti-bundle/1 format.
bash
nexus-cli ti-export --file bundle.json

3. Import the bundle (air-gapped side)
Carry the file across the gap on portable media and import it on the disconnected manager.
bash
nexus-cli ti-import-bundle --file bundle.json
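
The three steps above say nothing about what happens to bundle.json between the export and the import. The following is an added example, not code from the Nexus project or its CLI: it shows the check a practitioner would run on the air-gapped side before handing the file to nexus-cli ti-import-bundle. Everything about the bundle's internal layout here is an assumption (the page only names the format nexus-ti-bundle/1): a JSON object with a "format" key and an "iocs" list whose entries carry "type" and "value". The sha256 sidecar file, the helper names and the sample bundle are likewise this example's own.

```python
"""Integrity and structure checks for carrying a bundle across the gap.

Added example, not Nexus project code. Assumptions (not documented on the
page): a bundle is a JSON object with "format" == "nexus-ti-bundle/1" and an
"iocs" list whose entries carry "type" and "value"; the connected side writes
a <bundle>.sha256 sidecar that travels across the gap next to the bundle.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

BUNDLE_FORMAT = "nexus-ti-bundle/1"        # the one identifier the page does give
REQUIRED_IOC_KEYS = {"type", "value"}      # assumed entry layout


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sidecar_for(bundle_path: Path) -> Path:
    return bundle_path.with_name(bundle_path.name + ".sha256")


def write_sidecar(bundle_path: Path) -> str:
    """Connected side: record the digest before the bundle leaves the host."""
    digest = sha256_hex(bundle_path.read_bytes())
    sidecar_for(bundle_path).write_text(f"{digest}  {bundle_path.name}\n")
    return digest


def digest_matches(bundle_path: Path) -> bool:
    """Air-gapped side: compare the carried digest with the file as received."""
    expected = sidecar_for(bundle_path).read_text().split()[0]
    return hmac.compare_digest(expected, sha256_hex(bundle_path.read_bytes()))


def validate_bundle(data: bytes) -> list:
    """Structural checks; returns a list of problems, empty when the bundle is usable."""
    try:
        doc = json.loads(data)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    if doc.get("format") != BUNDLE_FORMAT:
        problems.append(f"format is {doc.get('format')!r}, expected {BUNDLE_FORMAT!r}")
    iocs = doc.get("iocs")
    if not isinstance(iocs, list):
        problems.append("'iocs' missing or not a list")
        return problems
    for i, ioc in enumerate(iocs):
        if not isinstance(ioc, dict) or not REQUIRED_IOC_KEYS <= set(ioc):
            problems.append(f"iocs[{i}] lacks {sorted(REQUIRED_IOC_KEYS)}")
    return problems


def check_before_import(bundle_path: Path) -> list:
    """Everything the air-gapped side checks before it calls the importer."""
    problems = [] if digest_matches(bundle_path) else ["sha256 mismatch: bundle altered in transit"]
    problems += validate_bundle(bundle_path.read_bytes())
    return problems


# Constructed sample bundle, made up for this example; not a real export.
SAMPLE_BUNDLE = json.dumps({
    "format": BUNDLE_FORMAT,
    "iocs": [
        {"type": "ipv4", "value": "203.0.113.7"},
        {"type": "sha256", "value": "0123456789abcdef" * 4},
    ],
}).encode()


def demo_roundtrip() -> dict:
    """Export, carry, verify; then show that a byte changed in transit is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "bundle.json"
        bundle.write_bytes(SAMPLE_BUNDLE)
        write_sidecar(bundle)                       # connected side
        intact = check_before_import(bundle)        # air-gapped side, file unchanged
        bundle.write_bytes(SAMPLE_BUNDLE.replace(b"203.0.113.7", b"203.0.113.8"))
        tampered = check_before_import(bundle)      # same sidecar, altered bundle
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo_roundtrip())
```

The tampered case matters because a bundle edited in transit is still perfectly well-formed JSON: only the digest carried from the connected side tells you the IOC list is not the one you exported. Run check_before_import and refuse the import on any non-empty result.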

REST API

endpoints
GET  /airgap          # read air-gapped status
POST /airgap          # { on: true }  toggle the mode
GET  /ti/bundle       # export all IOCs as a portable bundle
POST /ti/bundle       # { bundle }    import a bundle

When the mode is on, POST /ti/import is rejected for any URL that is not a file:// path — that is the enforcement point that keeps the manager off the wire.
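
The enforcement point is a single decision on the URL handed to POST /ti/import. The model below is an added example, not Nexus code, showing what that decision has to handle to be worth trusting. The page documents one rule, non-file:// URLs are rejected while the mode is on; two further checks are this example's own stricter choices and not documented Nexus behaviour: a file URL that names a remote host is refused (file://server/share can resolve to a network share), and the decoded path must resolve inside an allow-listed feed root. The class, the feed root path and the sample URLs are all assumptions.

```python
"""Model of the air-gapped enforcement point on POST /ti/import.

Added example, not Nexus code. Documented rule: in air-gapped mode any URL
that is not file:// is rejected. This example's own additions (not documented
Nexus behaviour): refuse file URLs with a remote host, and require the decoded
path to resolve under a vetted feed root.
"""
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import unquote, urlsplit

LOCAL_HOSTS = {"", "localhost"}   # file:// authorities that stay on this host


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AirgapPolicy:
    def __init__(self, feed_root: str, airgap_on: bool = False):
        self.feed_root = Path(feed_root).resolve()   # vetted local path for file:// feeds
        self.airgap_on = airgap_on

    def set_airgap(self, on: bool) -> bool:
        """Equivalent of POST /airgap { on: true|false }; returns the new state."""
        self.airgap_on = bool(on)
        return self.airgap_on

    def decide(self, url: str) -> Decision:
        """Gate a POST /ti/import URL. The checks only apply while the mode is on."""
        if not self.airgap_on:
            return Decision(True, "air-gapped mode off: feed fetch permitted")
        parts = urlsplit(url)                        # urlsplit lower-cases the scheme
        if parts.scheme != "file":
            scheme = parts.scheme or "<none>"
            return Decision(False, f"scheme {scheme!r} is blocked in air-gapped mode")
        if parts.netloc.lower() not in LOCAL_HOSTS:
            return Decision(False, f"file URL names remote host {parts.netloc!r}")
        # Decode %2e%2e, collapse .., follow symlinks, then confine to the feed root.
        path = Path(unquote(parts.path)).resolve()
        if not path.is_relative_to(self.feed_root):
            return Decision(False, f"{path} is outside the vetted feed root {self.feed_root}")
        return Decision(True, f"local feed {path}")


def decide_import(url: str, airgap_on: bool, feed_root: str = "/var/lib/nexus/feeds") -> bool:
    """One-shot helper: is this import allowed under the given mode? (feed_root is assumed)"""
    return AirgapPolicy(feed_root, airgap_on).decide(url).allowed


if __name__ == "__main__":
    policy = AirgapPolicy("/var/lib/nexus/feeds", airgap_on=True)
    for url in (                                    # constructed sample URLs
        "https://feeds.example.com/ioc.json",
        "file:///var/lib/nexus/feeds/daily.json",
        "FILE://localhost/var/lib/nexus/feeds/daily.json",
        "file://fileserver/share/feed.json",
        "file:///var/lib/nexus/feeds/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    ):
        d = policy.decide(url)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {url}  ({d.reason})")
```

Two details are easy to get wrong in a check like this: scheme comparison must be case-insensitive (FILE:// is still a file URL, and urlsplit normalises that for you), and the path must be decoded and resolved before it is compared with the allow-listed root, otherwise an encoded ".." walks out of the vetted directory while the string still starts with the expected prefix.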

A no-internet SOC

Air-gapped mode is the deployment posture that ties the local stack together. It pairs with Ask Nexus — the local AI that needs no API key and emits no tokens — and the local SecOps engine, so detection, triage, correlation and response all run entirely inside your perimeter. The bundle workflow is the only thing that ever crosses the boundary, and it does so on portable media, on your terms.

Disconnected by design. Regulated environments can't assume the manager will stay polite about outbound traffic; they need it enforced. Air-gapped mode makes "no internet feed fetch" a property the manager enforces at its import endpoint rather than a promise, while offline bundles keep your intel fresh.

Tips

  • Enable air-gapped mode as part of provisioning so the manager is locked down before it ingests anything.
  • Re-export and re-import a fresh bundle.json on a schedule to keep IOCs current across the gap.
  • Even when disconnected, you can still pull file:// feeds from a vetted local path.
  • Record a checksum of bundle.json on the connected side and verify it on the air-gapped side before importing; a bundle that changed on the way over should be discarded, not imported.
  • Treat the mode as a second layer, not the only one: the physical gap and your network egress rules remain the primary control, and air-gapped mode keeps the manager from pulling feeds even if a path to the internet ever appears.