Ecosystem & Architecture

Nexus is one platform with one agent and modules inside — the same model Wazuh, Elastic, Microsoft Defender and Palo Alto Cortex use. This page maps every part and shows how the data flows.

The parts of Nexus

Everything in Nexus belongs to one of three places. There is one brand (Nexus), one endpoint agent, and every capability is a module inside the platform, never a separate product or a second agent per feature.

  • Nexus Desktop — a cross-platform GUI (Tauri + React) that drives 20+ hands-on security tools from one workstation. See /docs/desktop and /docs/tools.
  • Nexus Fleet — the always-on server platform (pip install nexus-fleet): the agent, the central manager (event/alert store + API), the web dashboard, and the CLI. See /docs/fleet.
  • Nexus SecOps — the SOC brain: 9 analytics modules (SIEM, XDR, EDR, UEBA, SOAR, Threat Intel, NDR, Cloud, AI) that read the manager's real data and feed each other. See /docs/secops.

Official hierarchy

One install (nexus-fleet) ships the data plane and the analytics plane together — no second package, no extra agent. This keeps the hierarchy clean and matches the single-platform model described above.

Nexus hierarchy
Nexus  (brand / ecosystem)
│
├── Nexus Desktop ........... GUI workstation (Tauri) — one analyst, one host
│
└── Nexus Server ........... pip install nexus-fleet   (the central platform)
    ├── nexus_agent ......... ONE endpoint agent (telemetry → manager)
    ├── nexus_manager ....... central server + event/alert store + REST API
    ├── nexus_secops ........ SOC brain (reads the same store, no new agent):
    │     siem · correlate(XDR) · edr · ueba · soar
    │     threatintel · ndr · cloud(CSPM) · ai (local triage)
    ├── nexus_dashboard ..... web UI (Fleet + SecOps views, one dashboard)
    ├── nexus_cli ........... the umbrella 'nexus' command
    └── nexus_license ....... seats & Ed25519 license tokens

How data flows

Telemetry travels in one direction — from endpoints into the manager — and the SecOps modules layer their analysis on top of the same store. Nothing leaves your network.

data flow (collect → detect → respond)
  Endpoints                Central server                 Analysts
 ┌──────────┐   HMAC/HTTP   ┌────────────────────┐   REST    ┌────────────┐
 │nexus_agent│ ───────────▶ │   nexus_manager    │ ◀───────▶ │ dashboard  │
 │ FIM·logs  │  heartbeat   │  events · alerts   │   token   │   + CLI    │
 │ SCA·procs │  events      │  rules (MITRE)     │           └────────────┘
 │ network   │              │  SQLite (WAL,enc)  │
 └──────────┘              └─────────┬──────────┘
                                     │ reads the SAME store
                          ┌──────────▼───────────────────────────────────┐
                          │                nexus_secops                   │
                          │  SIEM ── XDR ── UEBA ── Threat Intel ── NDR    │
                          │   │      │       │          │          │      │
                          │   └──────┴───────┴────┬─────┴──────────┘      │
                          │                  AI triage                    │
                          │                       │                       │
                          │                     SOAR ──▶ active-response  │
                          │                              (back to agent)  │
                          └───────────────────────────────────────────────┘

Each SecOps module produces signals that the others consume: detections become alerts, alerts correlate into XDR incidents, UEBA, Threat Intel and NDR add further signals, the local AI triages the incident, and SOAR can respond — sending an action back down to the agent.
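As an added illustration of the agent → manager hop in the diagram above (this is example code, not nexus_agent or nexus_manager), the block below builds and checks an HMAC-SHA256-signed telemetry envelope with a freshness window and a single-use nonce. The envelope layout, the per-agent key table and the 5-minute replay window are assumptions.

```python
"""Added example (not nexus_agent / nexus_manager code): an HMAC-signed telemetry
envelope on the agent -> manager hop. Envelope layout, the per-agent key table and
the 5-minute replay window are assumptions; the event below is constructed."""
import hashlib
import hmac
import json

REPLAY_WINDOW_S = 300  # assumption: manager rejects envelopes more than 5 min off its clock

# constructed sample: per-agent shared keys the manager holds (enrolment is out of scope)
AGENT_KEYS = {"host-01": b"constructed-demo-key-host-01"}


def agent_sign(agent_id, key, events, ts, nonce):
    """Agent side: canonical JSON body plus HMAC-SHA256 tag. agent_id travels in the
    clear so the manager can pick the right key before it verifies anything."""
    body = json.dumps({"ts": ts, "nonce": nonce, "events": events},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"agent_id": agent_id, "body": body, "mac": tag}


def manager_verify(envelope, seen_nonces, now):
    """Manager side: key lookup, constant-time MAC compare, then freshness and
    single-use nonce checks. Returns the event list, or None to reject."""
    key = AGENT_KEYS.get(envelope.get("agent_id"))
    if key is None:
        return None                                   # unknown agent
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        return None                                   # tampered body or wrong key
    body = json.loads(envelope["body"])               # parse only after the MAC holds
    if abs(now - body["ts"]) > REPLAY_WINDOW_S:
        return None                                   # stale envelope
    if body["nonce"] in seen_nonces:
        return None                                   # replay inside the window
    seen_nonces.add(body["nonce"])
    return body["events"]


if __name__ == "__main__":
    # constructed FIM event, like one the agent's file-integrity collector would emit
    evts = [{"type": "fim", "path": "/etc/passwd", "change": "modified"}]
    env = agent_sign("host-01", AGENT_KEYS["host-01"], evts, ts=1_700_000_000, nonce="n1")
    seen = set()
    print(manager_verify(env, seen, now=1_700_000_010))  # accepted: the events list
    print(manager_verify(env, seen, now=1_700_000_010))  # None: same nonce replayed
```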

How the SecOps pillars connect

signal graph
  events ─▶ rules ─▶ ALERTS ─┬─▶ XDR correlate ─▶ INCIDENT ─▶ AI triage
                            │                         ▲            │
   Threat Intel (IOC match)─┤                         │            ▼
   UEBA (behavior anomaly) ─┤                         │          SOAR
   EDR (process lineage)   ─┤                         │       (playbook)
   NDR (beaconing / C2)    ─┤                         │            │
   Cloud CSPM (misconfig)  ─┘                         └────────────┘
                                                   action → agent

One store, no duplication. Every pillar reads and writes the same event/alert store the manager already keeps. SecOps adds the brain, not a second copy of your data — which is exactly why it is one install and not twenty.
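An added example (not nexus_secops code) that runs the signal graph above over a single SQLite store: SIEM rules turn events into alerts, the other pillars append their own signals to the same alerts table, and the XDR step correlates them into incidents. The schema, the one detection rule, the pillar names used as alert sources and the 10-minute correlation window are assumptions.

```python
"""Added example (not nexus_secops code): the signal graph run over one SQLite store.
Schema, the single rule, pillar names and the 10-minute window are assumptions."""
import sqlite3

CORRELATE_WINDOW_S = 600  # assumption: a host's alerts within 10 min form one incident
SCHEMA = """CREATE TABLE events(id INTEGER PRIMARY KEY, host TEXT, ts INTEGER, type TEXT, detail TEXT);
CREATE TABLE alerts(id INTEGER PRIMARY KEY, host TEXT, ts INTEGER, source TEXT, technique TEXT, event_id INTEGER);
CREATE TABLE incidents(id INTEGER PRIMARY KEY, host TEXT, first_ts INTEGER, alert_ids TEXT);"""
# assumption: a rule is (event type, substring to match, MITRE ATT&CK technique it maps to)
RULES = [("fim", "/etc/shadow", "T1003.008")]


def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def ingest(db, host, ts, etype, detail):
    """Manager side: an agent event lands in the shared store and nowhere else."""
    return db.execute("INSERT INTO events(host,ts,type,detail) VALUES(?,?,?,?)",
                      (host, ts, etype, detail)).lastrowid


def run_rules(db):
    """SIEM pillar: events -> rules -> ALERTS, written beside the events (rerun is idempotent)."""
    for etype, needle, technique in RULES:
        rows = db.execute("SELECT id,host,ts FROM events WHERE type=? AND instr(detail,?)>0 AND "
                          "id NOT IN (SELECT event_id FROM alerts WHERE event_id IS NOT NULL) "
                          "ORDER BY id", (etype, needle)).fetchall()
        db.executemany("INSERT INTO alerts(host,ts,source,technique,event_id) VALUES(?,?,?,?,?)",
                       [(h, t, "siem", technique, e) for e, h, t in rows])


def add_signal(db, host, ts, source, technique):
    """Other pillars (threat intel, UEBA, EDR, NDR, CSPM) append to the same alerts table."""
    db.execute("INSERT INTO alerts(host,ts,source,technique) VALUES(?,?,?,?)",
               (host, ts, source, technique))


def correlate(db):
    """XDR pillar: per host, alerts within the window of the first one form an INCIDENT."""
    db.execute("DELETE FROM incidents")  # rebuilt from the alerts table, never a second copy
    groups = []
    for (host,) in db.execute("SELECT DISTINCT host FROM alerts ORDER BY host").fetchall():
        cur = []
        for aid, ts in db.execute("SELECT id,ts FROM alerts WHERE host=? ORDER BY ts", (host,)).fetchall():
            if cur and ts - cur[0][1] > CORRELATE_WINDOW_S:
                groups.append((host, cur))
                cur = []
            cur.append((aid, ts))
        if cur:
            groups.append((host, cur))
    db.executemany("INSERT INTO incidents(host,first_ts,alert_ids) VALUES(?,?,?)",
                   [(h, g[0][1], ",".join(str(a) for a, _ in g)) for h, g in groups])
    return db.execute("SELECT host,alert_ids FROM incidents ORDER BY host,first_ts").fetchall()
```

Calling correlate() again after new signals arrive rebuilds the incidents from the alerts already in the store, which is the "one store, no duplication" point in practice.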

One license, one device

A single Pro/Enterprise token unlocks the Desktop GUI, the CLI, and the Fleet on the same machine. Redeem the code once in the GUI and the CLI/Fleet reuse the same device-bound license — no second code needed.

  • Free — 2 agents, core detection rules.
  • Pro — seat-based agents (default 50), full rules, SecOps premium (Threat-Intel match, CSPM, advanced rules), Sigma, Active Response.
  • Enterprise — unlimited agents, mTLS, at-rest encryption, RBAC, priority support.

Verify it all works

The whole platform ships with test suites — the Fleet plus all 9 SecOps pillars — so you can confirm a healthy install.

```bash
nexus --version                       # nexus 2.2.1

# from the source tree, validate Fleet + every SecOps pillar:
python python/tests/test_fleet.py
python python/tests/test_secops.py    # SIEM + XDR
python python/tests/test_soar.py      # SOAR
python python/tests/test_threatintel.py
python python/tests/test_ueba.py
python python/tests/test_ai.py        # local AI
python python/tests/test_edr.py
python python/tests/test_cloud.py
python python/tests/test_ndr.py
```