Unified Web Security Platform

NYXR Neutralize Your eXposure Risk

Put NYXR in front of any app or API and it stops attacks, bad bots and abuse before they ever reach you. Nine coordinated layers of defense, an AI that makes the final call, and full control you can explain and undo - all self-hosted.

ModSecurity WAF AI verdict Fail-closed Self-hostable
The engine

Nine layers. One verdict.

Every request flows through the full pipeline in order. A single bypassed control is never enough, and the final AI verdict is authoritative all the way down to the kernel.

Tap any layer to see exactly what it does.

Incoming request
0
Ordered defense layers
0
Verdict decision types
0
Per-request DB calls in the data plane
0 %
Decisions explainable & reversible
The arbiter

When the rules are not enough, the AI decides.

Signatures and scores resolve most traffic. For the ambiguous remainder, an AI verdict engine weighs the full request context and returns a single, accountable decision the rest of the stack obeys.

Explainable

Every verdict carries the signals and the reasoning behind it - never a silent black box.

Authoritative

An AI "allow" lifts a behavioural auto-ban, and a block reaches down to the kernel nftables layer.

Reversible

Any decision can be overridden and rolled back from the console in one click.

console.nyxr.app/dashboard
Dashboard
Console/Overview/ Dashboard

Overview

Real-time security posture, traffic and alerts across every protected service.

Requests (24h)
248,913
+12.4%
Threats blocked
5,172
+8.1%
Active bans
38
+3
p95 latency
41ms
-6ms
Traffic over time requests / last 60 min
Console/Protection/ Bans & Verdicts

Bans & Verdicts

Every behavioural AI verdict, with confidence, category, the action taken and the client.

Bans & Behaviour AI Verdicts
All verdicts All actions Refresh
Time Verdict Client IP Beh.
14:32:07 Ban 96% 203.0.113.7
14:31:52 Challenge 78% 198.51.100.24
14:31:40 Allow 88% 192.0.2.55
14:31:18 Monitor 61% 45.83.0.12
14:30:59 Ban 99% 203.0.113.99
14:30:41 Allow 93% 192.0.2.8
Console/Traffic & Logs/ Logs Explorer

Logs Explorer

Search and stream WAF security events - filter by action, rule and client IP.

Events (1h)
3,418
Blocked
212
Challenged
96
Allowed
3,110
All actions Rule id Live +0 live Refresh
Time Action Severity Request Status Client IP Rule Beh.
Decision taxonomy
allow log monitor throttle rate-limit challenge-js challenge-pow turnstile tarpit block-temp block-perm close
NetBird integration

Self-host anything. Open zero ports.

Publish apps running at home or in a private network without a static IP, a port-forward or a hole in your firewall. NetBird joins them to NYXR over an encrypted WireGuard mesh, and only NYXR faces the internet.

PUBLICNATInternetNYXR edgeNetBird meshYour privatenetwork

Your private network

Your apps stay behind NAT. Each one dials OUT to the mesh, so nothing inbound is ever opened.

No inbound ports. No port-forwarding. No static IP.Tap a node to see its role.

Outbound only

Each app opens an outbound WireGuard tunnel to the mesh. No port-forward, no static IP, no inbound firewall rule.

Encrypted mesh

NetBird links peers over an end-to-end encrypted overlay, so your origin stays private and unreachable directly.

One public edge

NYXR is the sole internet-facing entry: it filters, runs the WAF, and reaches your app across the mesh.

Architecture

Fast at the edge. Safe by design.

The data plane reads compiled snapshots and never runs a per-request database query. The control plane versions, validates and atomically swaps every change, so a bad config can always be rolled back.

Control plane

The Hono API versions every config change, validates it, swaps it atomically and can roll it back. No edit ever ships unchecked.

Data plane

The OpenResty + ModSecurity gateway reads compiled snapshots locally and never runs a per-request database query. Fast and fail-safe.

Workers

Dedicated workers refresh threat feeds, process events, run backups and dispatch notifications, fully decoupled from the request path.

Observability

ClickHouse, Prometheus and Grafana feed a real-time Astro console where every security decision is searchable and explainable.

OpenResty ModSecurity v3 OWASP CRS nftables ClickHouse Prometheus Grafana Astro console

Stop your exposure before it starts.

Self-hostable, fully observable, and reversible by design. Bring NYXR in front of any service and neutralize the risk at the edge.