
Capabilities You Can Verify. Claims You Can Test.

Every capability on this page runs in the live demo. No buzzwords.

Common Deployment Challenges

Problems SYNTEX was built to solve

Migration Complexity

Switching security platforms typically means months of migration, professional services costs, and downtime risk during cutover.

SYNTEX: Install, validate, then transition. No hard cutover required.

Log Exposure

Clear-text logs reveal detection patterns. Sophisticated attackers study them to understand exactly how you defend, then adapt.

SYNTEX: Three obfuscation levels prevent attackers from studying your defenses.

Environment Flexibility

Connected offices need different controls than locked-down production systems. Air-gapped networks need total isolation. Different requirements, typically different tools.

SYNTEX: Three security postures, one platform. Switch modes without reinstalling.

Deployment Restrictions

Compliance policies or IT restrictions block admin-level installations. Endpoints that can't run security software stay unprotected.

SYNTEX: Default runs privilege-separated with a root-level sensor for kernel visibility. If root access isn't available, the agent falls back to user-space-only mode for partial protection rather than refusing to deploy.

What SYNTEX Does Differently

Capabilities built into the platform, not claimed in marketing

Sits on Top of Your Current Firewall

No rip and replace. SYNTEX adds an intelligent network suppression layer above your existing iptables, pfctl, or netsh firewall.

  • Keep your current firewall rules
  • Deploy in hours, not months
  • Emergency rollback scripts auto-generated
  • User-space DNS blocking as fallback (no root needed)

# Your existing iptables rules stay
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# SYNTEX adds intelligent layer on top
Guardian AI detects lateral movement
→ Blocks 192.168.1.45 via iptables
→ Your rules still intact

# Standard logging (attackers read this)
BLOCKED: 192.168.1.100 port 22 SSH brute force
PATTERN: 5 failed logins in 30 seconds
THRESHOLD: 5 attempts triggers block
# SYNTEX obfuscation mode
[SÆ] Network entity suppressed
[SÆ] Application filter active: 3 entities
Attackers can't study your patterns

Obfuscation Against Sophisticated Attackers

Advanced attackers study your logs to understand detection patterns. SYNTEX offers three obfuscation levels to prevent this.

  • Minimal: Clear logs for debugging
  • Standard: Opaque operational logs
  • Maximum: Total stealth mode
  • Entropy delays prevent timing analysis

Per-Endpoint Behavioral Profiling

Not generic threat signatures. SYNTEX learns normal behavior for EACH endpoint and detects specific anomalies.

  • 3am Connection Anomaly: endpoint normally operates 9-5, suddenly active at 3am → Flagged
  • Lateral Movement: connecting to 192.168.5.100 for the first time ever → Suspicious
  • Port Scanning: rapid multi-port connection attempts → Attack pattern
  • Credential Stuffing: 5+ authentication failures → Brute force attempt

# Endpoint 192.168.1.100 Profile
First seen: 30 days ago
Typical hours: 9, 10, 11, 12, 13, 14, 15, 16, 17
Typical ports: 80, 443, 22
Typical destinations: 3 IPs
# ANOMALY DETECTED
Time: 03:14 (unusual)
Port: 3389 RDP (new)
Destination: 192.168.5.100 (new)
Anomaly score: 0.9/1.0
Guardian AI: BLOCK
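
The per-endpoint baseline and anomaly score above, worked through as an added Python example (not SYNTEX code). The scoring weights, the block threshold and the three "known" destination IPs are assumptions; the page only gives the profile values and the final 0.9 score.

```python
"""Per-endpoint behavioral baseline: learn each source's typical hours, ports
and destinations, then score a new connection by how many dimensions are unseen.
Added illustration, not SYNTEX code; weights and threshold are assumptions."""
from collections import defaultdict

# Constructed weights: each unseen dimension adds 0.3, so the page's "new time,
# new port, new destination" case lands at the 0.9 it shows.
WEIGHTS = {"hour": 0.3, "port": 0.3, "destination": 0.3}
BLOCK_THRESHOLD = 0.7  # assumed cut-off; the page only shows 0.9 -> BLOCK


class BaselineEngine:
    def __init__(self):
        # One profile per source IP: the sets of hours, ports, destinations seen.
        self.profiles = defaultdict(
            lambda: {"hour": set(), "port": set(), "destination": set()})

    def learn(self, src, hour, dport, dst):
        """Record one benign connection into the endpoint's baseline."""
        p = self.profiles[src]
        p["hour"].add(hour)
        p["port"].add(dport)
        p["destination"].add(dst)

    def score(self, src, hour, dport, dst):
        """Return (anomaly_score, verdict, reasons) for a new connection.
        Caveat: a never-seen source has an empty profile and scores 0.9 on
        anything, so a real engine needs a learning period before enforcing."""
        p = self.profiles[src]
        reasons, total = [], 0.0
        for dim, value in (("hour", hour), ("port", dport), ("destination", dst)):
            if value not in p[dim]:
                total += WEIGHTS[dim]
                reasons.append(f"{dim} {value} (new)")
        total = round(total, 2)
        verdict = "BLOCK" if total >= BLOCK_THRESHOLD else "ALLOW"
        return total, verdict, reasons


def demo():
    """Rebuild the page's profile and score the 03:14 RDP connection."""
    engine = BaselineEngine()
    src = "192.168.1.100"
    known = ("10.0.0.1", "10.0.0.2", "10.0.0.3")  # constructed destinations
    for day in range(30):                          # 30 days of office-hours traffic
        for hour in range(9, 18):                  # typical hours 9..17
            for port in (80, 443, 22):             # typical ports
                engine.learn(src, hour, port, known[day % 3])
    return engine.score(src, 3, 3389, "192.168.5.100")  # -> (0.9, "BLOCK", [...])
```
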

Standard
Connected enterprise environment, full monitoring
Ports: HTTP, HTTPS, DNS, SSH, SMTP

Production Hardened
Essential services only, comprehensive blocking
Ports: HTTPS, DNS, NTP only

Production Air-Gap
Maximum isolation for classified systems
Ports: Localhost only

Voting Infrastructure
Air-gap + tamper detection + audit logging
Ports: Localhost only · Full audit trail

Switch modes without reinstall

Multiple Security Postures

One platform. Four security modes. Switch between them without reinstalling or reconfiguring.

  • Standard: Full monitoring on connected enterprise networks
  • Production Hardened: Essential services only
  • Air-Gap: Total network isolation for classified systems
  • Voting Infrastructure: Air-gap + tamper detection + audit trail
  • Mode switching in seconds via config file

Thermal Protection for Enterprise Hardware

Security software shouldn't damage your hardware. SYNTEX monitors CPU temperature and throttles operations to prevent overheating.

  • Real-time temperature monitoring
  • Throttles at 65°C, emergency shutdown at 75°C
  • Adaptive thermal protection for servers
  • Prevents hardware damage from aggressive scanning

CPU Temperature: 58°C
Status: Normal operations
CPU Temperature: 67°C
Thermal protection: 0.6s sleep
Throttling to prevent damage
CPU Temperature: 76°C
THERMAL EMERGENCY
Initiating emergency shutdown

# Default mode: privilege-separated
Sensor starts as root (fanotify, proc connector, audit netlink)
Guardian AI starts in user space, no kernel authority
IPC between them is encrypted and HMAC-verified
# If root isn't granted (compliance lock, IT policy):
Fallback mode: user-space only
Creating: ~/.syntex/blocked_hosts.txt
DNS blocking via user hosts file
Application-layer connection filtering
Partial visibility. Still running.

Privilege-Separated. Graceful Fallback.

Default deployment runs with a root-level sensor for kernel visibility and a user-space AI for decision authority. A compromised sensor can see, but it cannot act. If the environment doesn't permit root, the agent falls back to user-space-only mode with degraded visibility instead of refusing to deploy.

  • AI decision engine never runs with kernel authority
  • Sensor observes, user-space decides, HMAC binds the two
  • Fallback keeps Guardian running when root is blocked
  • Partial protection beats no protection
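
The "sensor observes, user-space decides, HMAC binds the two" split, as an added stdlib-only Python example that is not SYNTEX's own code. The frame layout, the sequence-number replay check and the `lateral_movement` event kind are assumptions; the page says only that the IPC is encrypted and HMAC-verified, and channel encryption is left out here.

```python
"""Sensor -> Guardian IPC bound by an HMAC. Added illustration, not SYNTEX code.
The root sensor only reports; the user-space Guardian verifies the tag and the
sequence number before it acts, so a compromised sensor cannot forge or replay
an event into an action. Channel encryption is left out (stdlib has no AEAD)."""
import hashlib
import hmac
import json
import os

KEY = os.urandom(32)  # constructed shared secret; provisioned at install in practice


def sensor_emit(seq, event, key=KEY):
    """Root-level sensor: serialize one observation canonically and sign it."""
    body = json.dumps({"seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag          # frame = body, newline, hex tag


class Guardian:
    """User-space decision engine: never trusts a frame it has not verified."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0       # highest sequence number accepted so far
        self.actions = []       # what the Guardian decided to do

    def receive(self, frame):
        body, _, tag = frame.rpartition(b"\n")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return "rejected: bad HMAC"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:              # replayed or out of order
            return "rejected: replay"
        self.last_seq = msg["seq"]
        event = msg["event"]
        # Decision authority lives here; the sensor only observed.
        if event.get("kind") == "lateral_movement":
            self.actions.append(("block", event["src"]))
            return "accepted: block " + event["src"]
        return "accepted: observe"
```

A frame whose body was altered after signing fails the HMAC check before it is even parsed, and a re-sent genuine frame fails the sequence check.
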

Side-by-Side Comparison

Capabilities, not claims

Capability                                  | SYNTEX                            | CrowdStrike             | SentinelOne             | Cortex XDR
Deploys alongside existing stack            |                                   |                         |                         |
Runs entirely on-premise                    | ✓ Default                         | Cloud console           | Cloud console           | On-prem option
Air-gap capable (zero internet)             | ✓ Full operation                  | Limited offline         | Limited offline         | Partial
No loadable kernel module / kernel driver   | ✓ Privilege-separated             | Kernel driver           | Kernel driver           | Kernel driver
Zero third-party dependencies               | ✓ Python stdlib only              | Vendor libraries        | Vendor libraries        | Vendor libraries
Per-endpoint behavioral baseline            | ✓ Individual learning             | Cloud-aggregated models | Cloud-aggregated models | Cloud-aggregated models
Security data leaves your network           | Never                             | Telemetry to cloud      | Telemetry to cloud      | Telemetry to cloud
Log obfuscation                             | 3 configurable levels             |                         |                         |
Configurable security postures              | Dev / Hardened / Air-gap / Voting | Policy-based            | Policy-based            | Policy-based

Where These Capabilities Matter

Government & Elections

  • Dedicated voting infrastructure mode
  • Tamper detection + full audit trail
  • Air-gap isolation, no cloud dependency
  • On-premise under your jurisdiction

European Customers

  • GDPR data sovereignty (on-prem in EU)
  • No US CLOUD Act exposure
  • Air-gap capability for critical infrastructure
  • Thermal protection for dense server rooms

MSPs/Multi-Environment

  • Sits on top of customer firewalls (no rip/replace)
  • Dev/hardened/air-gap modes per customer need
  • Graceful fallback to user-space-only when root access denied
  • Emergency rollback for failed deployments

See These Capabilities Live

Every capability on this page runs in the live demo. Ask us anything.
