Try for Free

How AI EdgeLabs defends your runtime

A single container, four detection pipelines, one unified ML engine — running entirely on the host. Network, workload, vulnerability, and AI agent runtime protection in one binary. Here's how every component fits together to detect, block, and respond to threats in real time.

Detection Architecture

Most security tools tell you what happened after the fact. EdgeLabs tells you what's happening now — before it becomes an incident.

Four runtime detection pipelines, one unified engine

Network, workload, vulnerability, and AI agent security pipelines run in parallel and feed a shared correlation layer. Each operates independently — any one can run alone or in combination. The AI agent pipeline (powered by the open-source Parallax engine) inspects every LLM tool call and message in microseconds. All detection, correlation, and response happens on the host.

NET

Runtime Network Protection

Captures raw packet data at the kernel level before it reaches any application layer. Flows through feature extraction into parallel detection engines: deep neural network classifiers, behavioral anomaly models, and threat intelligence matching. Anomalies are detected and blocked in the same pipeline with no cloud round-trip.

pcap / DPDKDeep CNNBehavioral ModelsIP Blocklistsiptables/ipset
WRK

Runtime Workload Protection

eBPF probes instrument the kernel directly, capturing syscalls, process lifecycle events, and filesystem changes as they happen. No polling. No sampling. Continuous execution context. Events pass through normalization into signature scanning, hash verification, and behavioral APT detection algorithms.

eBPF probesSyscall tracingYARA rulesHash analysisAPT algorithms
VUL

Runtime Vulnerability Management

Automated discovery scans host filesystems and container images continuously. Pre-processing evaluates exploitability and runtime state — so you see which vulnerabilities are actually reachable in production, not just theoretically present. SBOM generation feeds into centralized risk scoring for prioritized remediation.

Asset DiscoverySBOM GenerationExploitabilityRuntime State
API

Cloud Coordination Layer

Agents self-register via outbound-only connection — no open ports, no firewall rules, no manual configuration. Communication is event-driven: alerts stream in real time, telemetry is batched, model updates are pulled only when available. All detection logic operates fully independently of cloud connectivity.

Self-RegistrationReal-time AlertsBatched TelemetryOTA UpdatesOffline Mode
LLM

Runtime AI Agent Protection — powered by Parallax

An agentic-security extension for LLM workloads. A single Rust binary intercepts every agent lifecycle event — user messages, tool calls before execution, tool results after execution, and model parameters — and evaluates them in microseconds (typically < 0.2 ms). Five evaluator engines (regex, keyword pattern, Sigma, CEL expressions, SQL temporal analysis) run in cost order and short-circuit on the first block. Decisions — block, redact, detect, allow — flow into the same audit, correlation, and SIEM channels as the rest of the agent. Framework-agnostic: works in server mode (HTTP /evaluate) or proxy mode in front of any LLM API — first-class integrations for OpenClaw and Claude Code; LangChain, CrewAI, and OpenAI Agents SDK on the roadmap.

Prompt InjectionTool-Call InterceptionSecret & PII RedactionSigma / CEL / RegexBlock / Redact / DetectOpenClaw + Claude CodeApache 2.0
Agent internal architecture
AI EdgeLabs Runtime Security Platform for Distributed Workloads Secure gateway AI agent container Network pipeline pcaplib tcp/udp DPDK FEATURE AI/ML classifiers Deep CNN Behavioral models Threat intel feeds Workload pipeline eBPF syscalls OS files NORMALIZE Signature rules Hash verification Runtime rules APT algorithms ML / Stats correlation Dedup / adaptation IP blocking iptables, ipset, firewalls Quarantine zip + encrypt + move Playbooks automated response → block → isolate → execute Vulnerability pipeline Asset discoveryhosts + containers Pre-processingexploitability, runtime state SBOM generationsoftware inventory SBOM export→ cloud API LLM / AI agent security pipeline — Parallax Lifecycle hooksmessage + tool stages Evaluator chainregex, Sigma, CEL, SQL Decision engineblock / redact / allow Audit + Webhook→ SIEM, JSONL registration, coordination, alerts alerts ↑ Data sources Network detection Workload detection Vulnerability AI agent security Response actions
Data Flow

Host-local processing — nothing leaves your infrastructure

Every stage from data ingestion to response execution runs on the host. Raw data never leaves your infrastructure.

Runtime Pipeline — Active
Ingest
Kernel-level packet capture (pcap/DPDK), eBPF syscall hooks, file system watchers, syslog streams
Extract
Throttling, normalization, statistical feature computation, protocol-aware parsing
Infer
On-device ONNX-optimized models — CNNs, behavioral classifiers, anomaly detectors running in parallel
Correlate
Cross-pipeline deduplication, severity scoring, adaptive thresholds, alert enrichment
Respond
IP blocking, process kill, file quarantine (zip + encrypt + move), automated playbook execution
Core Capabilities

Runs independently. Protects continuously.

Every capability runs at the edge without cloud dependency. The agent operates as a self-contained security appliance — the cloud provides coordination, not computation.

01 — INFERENCE

On-Device AI/ML

ONNX-optimized models execute locally. No external API calls. Models are pre-loaded and versioned independently of the agent binary.

02 — DEPLOYMENT

Zero-Touch Registration

Agent self-registers via outbound-only connection. No open ports, no firewall rules, no manual configuration. Per-agent cryptographic attestation secures the registration flow.

03 — PREVENTION

Automated Blocking

High-severity threats trigger automatic IP blocking via native OS firewall. Configurable playbooks define custom response chains per threat category.

04 — RESILIENCE

Offline Operation

Full detection and prevention stack operates without cloud connectivity. Events buffer locally and sync on reconnect. No degradation in security posture during network outages.

05 — OBSERVABILITY

Kernel Instrumentation

eBPF probes provide low-overhead visibility into syscalls, process creation, network connections, and file operations. Kernel module support for broader Linux version compatibility.

06 — UPDATES

OTA Model Refresh

ML models update independently via cloud-coordinated delivery. Supports generic models (all tenants) and personalized models pre-trained on environment-specific traffic patterns.

07 — NETWORK

Multi-Interface Capture

Simultaneous sniffing across multiple NICs per host. Standard pcap for general use, DPDK for multi-Gbps environments requiring line-rate inspection with direct NIC mapping.

08 — DISCOVERY

Network Asset Mapping

Protocol-level discovery via ARP, DNS, DHCP builds a continuously updated inventory of connected devices, services, and network topology without active scanning overhead.

Deployment Models

Three deployment profiles

Select the profile that matches your infrastructure constraints, security requirements, and performance targets.

Recommended

Full Runtime Protection

Maximum visibility. Combined network and workload detection with automated prevention. Requires NET_ADMIN and privileged mode.

  • Multi-interface network analysis
  • eBPF kernel monitoring
  • Automated blocking + playbooks
  • Malware scanning + quarantine
  • Full vulnerability discovery
High Throughput

Inline Accelerated

A DPDK-based agent built for high-bandwidth deployments. Optimized for multi-Gbps environments, it maps directly to NICs via a userspace driver and acts as an L2/L3 inline inspection point with prevention capabilities.

  • Line-rate inspection at multi-Gbps
  • Direct NIC-to-agent data path
  • Inline blocking and traffic filtering
  • Scalable core allocation (2n CPU cores)
  • Privileged mode + NIC binding required
Minimal Footprint

Passive Mirrored

Least-intrusive option. Agent receives a copy of traffic via mirrored port on a separate host. Detection-only — no inline prevention, no host instrumentation required.

  • Zero modification to production hosts
  • Hardware-isolated on dedicated machine
  • Receives mirrored pcap stream via UDP
  • Network anomaly detection only
  • No special permissions required
Platform Compatibility

Runs Everywhere Containers Run

Native container image supports all major orchestration platforms and Linux-based runtimes. Single image, any architecture.

Docker
Kubernetes (Helm)
Kubernetes (YAML)
Red Hat OpenShift
OpenShift Operator
Podman
Edge Orchestrators
x86-64
ARM-64 / aarch64
Linux ≥ 4.14