Outbound only
Each app opens an outbound WireGuard tunnel to the mesh. No port-forward, no static IP, no inbound firewall rule.
Put NYXR in front of any app or API and it stops attacks, bad bots and abuse before they ever reach you. Nine coordinated layers of defense, an AI that makes the final call, and full control you can explain and undo - all self-hosted.
Every request flows through the full pipeline in order. A single bypassed control is never enough, and the final AI verdict is authoritative all the way down to the kernel.
Tap any layer to see exactly what it does.
Signatures and scores resolve most traffic. For the ambiguous remainder, an AI verdict engine weighs the full request context and returns a single, accountable decision the rest of the stack obeys.
Every verdict carries the signals and the reasoning behind it - never a silent black box.
An AI "allow" lifts a behavioural auto-ban, and a block reaches down to the kernel nftables layer.
Any decision can be overridden and rolled back from the console in one click.
Real-time security posture, traffic and alerts across every protected service.
Every behavioural AI verdict, with confidence, category, the action taken and the client.
Search and stream WAF security events - filter by action, rule and client IP.
Publish apps running at home or in a private network without a static IP, a port-forward or a hole in your firewall. NetBird joins them to NYXR over an encrypted WireGuard mesh, and only NYXR faces the internet.
Your private network
Your apps stay behind NAT. Each one dials OUT to the mesh, so nothing inbound is ever opened.
Each app opens an outbound WireGuard tunnel to the mesh. No port-forward, no static IP, no inbound firewall rule.
NetBird links peers over an end-to-end encrypted overlay, so your origin stays private and unreachable directly.
NYXR is the sole internet-facing entry: it filters, runs the WAF, and reaches your app across the mesh.
The data plane reads compiled snapshots and never runs a per-request database query. The control plane versions, validates and atomically swaps every change, so a bad config can always be rolled back.
The Hono API versions every config change, validates it, swaps it atomically and can roll it back. No edit ever ships unchecked.
The OpenResty + ModSecurity gateway reads compiled snapshots locally and never runs a per-request database query. Fast and fail-safe.
Dedicated workers refresh threat feeds, process events, run backups and dispatch notifications, fully decoupled from the request path.
ClickHouse, Prometheus and Grafana feed a real-time Astro console where every security decision is searchable and explainable.
Self-hostable, fully observable, and reversible by design. Bring NYXR in front of any service and neutralize the risk at the edge.