HookProbe
AI-native intrusion detection system with eBPF/XDP packet filtering and ML threat classification. Processes 8.8M+ security events on a Pi 5.
One Node's Detection → Everyone's Protection
🛡️ A Family of Protectors Building the Future of Collective Defense 🛡️
Enterprise-grade AI security on a $75 Raspberry Pi. No vendor lock-in. No black boxes. No BS.
💡 The Vision
"In a world where attackers share everything, defenders must too."
The security industry is broken. Enterprise protection costs $50,000/year. Small businesses get ransomed. Individuals are left defenseless. Meanwhile, the bad guys collaborate in forums and marketplaces while the good guys fight alone.
We're building the resistance.
HookProbe is a decentralized security mesh where every node protects every other node. When a Guardian in Tokyo blocks a zero-day, a Sentinel in São Paulo is protected in seconds. When a Fortress in Berlin identifies ransomware, the entire mesh learns instantly.
⭐ Star this repo if you believe security should be accessible to everyone. Every star helps others discover protection.
🚀 Why HookProbe?
| The Problem | Our Answer |
|---|---|
| 💰 Security costs $50K+/year | $75 hardware, $0 software |
| 🔒 Black-box algorithms | Every decision is explainable |
| 🏢 Enterprise-only protection | Same AI for everyone |
| 🤐 Vendors own your data | Your data never leaves your edge |
| 😰 Constant manual work | Set it and forget it |
| 😔 Fighting alone | Collective mesh defense |
The HookProbe Promise
Transparency creates trust. Trust enables achievement.
HookProbe is built on a simple belief: security technology should empower people, not create dependency. When you can see exactly how your protection works, audit every line of code, and understand every decision the system makes, you're free to focus on what matters - building, creating, and achieving more.
We reject the security industry's black-box approach. Our code is open. Our algorithms are documented. Our data handling is verifiable. When one HookProbe node anywhere in the world detects a threat, every node learns instantly - without anyone's private data ever leaving their control.
This is security that works for you, not security that works on you.
Why Transparency Matters
| Black-Box Security | HookProbe (Transparent) |
|---|---|
| "Trust us, we're protecting you" | Audit the code yourself |
| Your data sent to vendor clouds | Your data never leaves your edge |
| Opaque threat scoring | See exactly why decisions are made |
| Vendor lock-in | Open standards, your choice |
| Security creates dependency | Security enables independence |
| Complex interfaces hide complexity | Simple interfaces, documented complexity |
The difference: Black boxes ask for trust. Transparency earns it.
How HookProbe Helps You Achieve More
1. Reclaim Your Time
Traditional security demands constant attention - alerts to investigate, logs to review, updates to manage. HookProbe handles this automatically so you can focus on your actual work.
- Automated threat response - No manual investigation needed
- Self-learning baselines - Adapts to your environment
- Collective intelligence - Benefits from global threat detection without effort
2. Protect Without Complexity
Enterprise security typically requires dedicated teams. HookProbe brings the same protection to anyone, regardless of technical background.
```bash
# That's it. You're protected.
./install.sh --tier guardian
```
3. Scale Without Cost
From a single Raspberry Pi to a global mesh of thousands of nodes - same technology, same transparency, scaling to your needs.
| Your Situation | Solution | Investment |
|---|---|---|
| Home network | Guardian | $75 hardware, $0 software |
| Small business | Fortress | $200 hardware, $0 software |
| Growing company | Nexus | $2000 hardware, $0 software |
4. Own Your Security Data
Every security decision, every threat detection, every response action - it's all yours. Export it. Analyze it. Verify it. No vendor has access unless you grant it.
The Collective Defense Mesh
HookProbe's most powerful feature isn't code - it's community.
```text
Node A (Singapore)        Detects zero-day attack
        │
        ▼
Mesh Intelligence         Validates pattern, creates signature
        │
        ├──────────────────────────────────────┐
        ▼                                      ▼
Node B (London)      Node C (New York)      Node D (Berlin)
Protected in <30s    Protected in <30s      Protected in <30s
```
How it works:
- Detection - Any node detects a new threat pattern
- Validation - Mesh consensus confirms it's legitimate
- Distribution - Anonymized signature shared instantly
- Protection - All nodes block the threat
What we never share:
- Your raw traffic data
- Your IP addresses
- Your internal network details
- Any personally identifiable information
What we share:
- Anonymized threat signatures
- Attack patterns (source removed)
- Model weight updates (federated learning)
This is collective defense that respects individual privacy.
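A minimal sketch of the detection, validation and distribution steps above, added here as an illustration and not taken from HookProbe's code. The field names, the allowlist and the vote tuple format are hypothetical, and "2/3 quorum" is read as "at least two thirds of the known validators".

```python
import hashlib
import json

# Assumed allowlist: only these event fields describe the attack pattern.
# Anything else (source IP, hostnames, raw traffic) is dropped by default.
SHAREABLE_FIELDS = ("protocol", "dst_port", "technique", "payload_pattern")


def anonymize(event):
    """Reduce a local detection event to a shareable threat signature."""
    pattern = {k: event[k] for k in SHAREABLE_FIELDS if k in event}
    # Canonical JSON so every node derives the same id for the same pattern.
    body = json.dumps(pattern, sort_keys=True, separators=(",", ":"))
    return {"id": hashlib.sha256(body.encode()).hexdigest(), "pattern": pattern}


def quorum_reached(signature_id, votes, validators):
    """True when at least 2/3 of the known validators approve signature_id.

    votes is an iterable of (validator_id, signature_id, approve) tuples whose
    sender identity is assumed to be authenticated by the transport already.
    """
    approvals = set()
    for validator_id, voted_id, approve in votes:
        if validator_id in validators and voted_id == signature_id and approve:
            approvals.add(validator_id)  # a set counts each validator once
    # Integer comparison avoids float rounding at the 2/3 boundary.
    return bool(validators) and 3 * len(approvals) >= 2 * len(validators)


# Constructed sample data (not real traffic).
EVENT_A = {"src_ip": "203.0.113.7", "internal_host": "nas.lan", "protocol": "tcp",
           "dst_port": 445, "technique": "smb-exploit",
           "payload_pattern": "constructed-pattern-01"}
EVENT_B = dict(EVENT_A, src_ip="198.51.100.9", internal_host="pc-12.lan")
VALIDATORS = {"v1", "v2", "v3", "v4"}

if __name__ == "__main__":
    sig = anonymize(EVENT_A)
    # v2 votes twice and "rogue" is not a validator: only two approvals count.
    votes = [("v1", sig["id"], True), ("v2", sig["id"], True),
             ("v2", sig["id"], True), ("rogue", sig["id"], True)]
    print(sig["pattern"], quorum_reached(sig["id"], votes, VALIDATORS))
    votes.append(("v3", sig["id"], True))
    print(quorum_reached(sig["id"], votes, VALIDATORS))
```

An allowlist is used instead of a denylist so that a field added to the event later stays private unless it is explicitly marked shareable.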
The HTP-DSM-NEURO-QSECBIT-NSE Security Stack
HookProbe's core innovation is the integrated security stack that provides end-to-end protection from detection to response to mesh propagation.
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│                  HTP-DSM-NEURO-QSECBIT-NSE SECURITY STACK                   │
│               "One node's detection → Everyone's protection"                │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐   │
│  │     HTP     │───▶│     DSM     │───▶│    NEURO    │───▶│   QSECBIT   │   │
│  │  Transport  │    │  Consensus  │    │  Resonance  │    │   Scoring   │   │
│  └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘   │
│         │                  │                  │                  │          │
│         └──────────────────┴──────────────────┴──────────────────┘          │
│                                     │                                       │
│                              ┌──────▼──────┐                                │
│                              │     NSE     │                                │
│                              │ Encryption  │                                │
│                              │ (Neural AI) │                                │
│                              └─────────────┘                                │
│                                                                             │
│      "Nobody knows the key - the AI communicates via neural synapses"       │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
```
Stack Components
| Component | Purpose | Innovation |
|---|---|---|
| HTP | HookProbe Transport Protocol | Post-quantum Kyber KEM, keyless authentication |
| DSM | Decentralized Security Mesh | Byzantine fault-tolerant consensus, 2/3 quorum |
| NEURO | Neural Resonance Protocol | Device fingerprinting via weight evolution |
| QSECBIT | Quantified Security Metric | Real-time RAG scoring (GREEN/AMBER/RED) |
| NSE | Neural Synaptic Encryption | Keys emerge from neural state - nobody knows the password |
| NAPSE | Neural Adaptive Packet Synthesis Engine | AI-native IDS/NSM/IPS with L2-L7 deep packet analysis |
| AEGIS | Autonomous AI Orchestrator | 8 specialized agents, principle-guided autonomous defense |
The NSE Innovation
Traditional encryption requires sharing secrets. NSE eliminates this:
Traditional: "Do you know the password?"
NSE: "Can your neural state produce the matching key?"
Keys are DERIVED from:
├── Neural weight state (unique per device)
├── Resonance Drift Vector (temporal)
├── Qsecbit score (security context)
└── Collective entropy (mesh participation)
Result: Encryption where nobody knows the key
E2E Security Flow
When an attack is detected, the entire stack activates:
1. DETECTION → NAPSE identifies threat (AI-native, L2-L7)
2. SCORING → Qsecbit RAG status (GREEN/AMBER/RED)
3. RESPONSE → AEGIS orchestrates defense (8 AI agents)
4. PROPAGATION → Mesh consciousness spreads intelligence
5. CONSENSUS → DSM validates across validator network
6. PROTECTION → All nodes protected in <30 seconds
Adversarial Security Testing
HookProbe includes AI vs AI testing - our Red Team AI attacks the stack while our Blue Team AI defends:
- 9 Attack Vectors: TER replay, timing, entropy poisoning, weight prediction, etc.
- CVSS Scoring: Vulnerability severity from 0.0-10.0
- Automated Mitigations: AI-suggested code-level fixes
- Designer Alerts: Multi-channel notifications for critical findings
"Know your vulnerabilities before someone else does"
Technical Foundation (Fully Documented)
Every component is documented. Every algorithm is explained. Nothing is hidden.
Qsecbit Engine - Transparent Threat Scoring
- Traditional security: "This is bad" (trust us)
- HookProbe: "This scores 0.72 because drift=0.25, attack_probability=0.85, decay=0.12"

```text
# The actual formula - no secrets
Qsecbit = α·drift + β·p_attack + γ·decay + δ·q_drift + ε·energy_anomaly
# You can verify every calculation
# See: core/qsecbit/qsecbit.py
```
| Protection | Status | What It Means |
|---|---|---|
| > 55% | 🟢 GREEN | All clear · Protected |
| 30-55% | 🟡 AMBER | Monitoring · Stay alert |
| < 30% | 🔴 RED | Under attack · Defending |
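The formula and the RAG table above, worked through as an added example that is not the code in core/qsecbit/qsecbit.py. The weight values and the mapping from score to protection percentage (protection = 1 − score) are assumptions made for illustration, since the page gives neither, so the result will not match the 0.72 quoted above.

```python
# Assumed weights for α, β, γ, δ, ε; the page names the terms but not the values.
WEIGHTS = {"drift": 0.2, "p_attack": 0.5, "decay": 0.1,
           "q_drift": 0.1, "energy_anomaly": 0.1}


def rag_status(protection_pct):
    """Map a protection percentage to the bands in the page's table."""
    if protection_pct > 55:
        return "GREEN"
    if protection_pct >= 30:
        return "AMBER"
    return "RED"


def explain_qsecbit(components, weights=WEIGHTS):
    """Compute the weighted sum and keep each term's contribution for audit."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1 so the score stays in [0, 1]")
    contributions = {}
    for name, weight in weights.items():
        value = components.get(name)
        if value is None or not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be present and within [0, 1]")
        contributions[name] = round(weight * value, 4)
    score = round(sum(contributions.values()), 4)
    # Assumption: the protection shown to the user is the complement of the score.
    protection = round((1.0 - score) * 100, 1)
    # Terms ordered by how much they contributed: the "because ..." part.
    drivers = sorted(contributions, key=contributions.get, reverse=True)
    return {"score": score, "protection_pct": protection,
            "status": rag_status(protection),
            "contributions": contributions, "drivers": drivers}


# drift, p_attack and decay are the values quoted on the page; the other two
# inputs are constructed for this example.
SAMPLE = {"drift": 0.25, "p_attack": 0.85, "decay": 0.12,
          "q_drift": 0.0, "energy_anomaly": 0.0}

if __name__ == "__main__":
    result = explain_qsecbit(SAMPLE)
    print(result["score"], result["protection_pct"], result["status"])
    for name in result["drivers"]:
        print(f"  {name}: {result['contributions'][name]}")
```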
dnsXai - Explainable DNS Protection
Not just "blocked" - but why it was blocked:
Domain: suspicious-tracker.com
Decision: BLOCKED
Confidence: 92%
Reason: High entropy (4.2), matches tracking pattern, CNAME resolves to known tracker
Category: ADVERTISING_TRACKER
Every block is explainable. Every decision is auditable.
HTP Protocol - Verifiable Security
Post-quantum cryptography you can inspect:
- Kyber KEM - NIST-approved, implementation viewable
- ChaCha20-Poly1305 - Standard authenticated encryption
- Entropy-based authentication - Novel but documented
XDP/eBPF - Kernel-Level, User-Auditable
DDoS mitigation at the kernel level, but you can see exactly what rules are applied:
```bash
# View active XDP rules
./hookprobe-ctl xdp show
# Understand every decision
./hookprobe-ctl xdp explain --ip 192.168.1.100
```
Who Benefits from HookProbe
Home Users & Prosumers
- Achieve: Secure home network without becoming a security expert
- Transparency benefit: Know exactly what's being blocked and why
- Time saved: Set and forget - system learns your patterns
Small & Medium Businesses
- Achieve: Enterprise-grade protection without enterprise costs
- Transparency benefit: Audit-ready logs, explainable decisions
- Time saved: No dedicated security team needed
Developers & Technical Users
- Achieve: Security that integrates with your workflow
- Transparency benefit: Full API access, source code available
- Time saved: Automated responses, scriptable interfaces
Managed Service Providers
- Achieve: Offer premium security services at scale
- Transparency benefit: Show clients exactly how they're protected
- Time saved: Centralized management, automated operations
Explore the MSSP platform for multi-tenant management, or try the demo instantly.
HookProbe Cortex - See Your Mesh
Transparency isn't just about code - it's about visibility.
Cortex is a real-time 3D visualization of your entire defense network. Watch threats arrive from across the world and see them blocked in real-time.
```text
┌─────────────────────────────────────────────────────────────────┐
│                        HOOKPROBE CORTEX                         │
│ ┌──────────────────────────────────────────────────────────────┐│
│ │                                                              ││
│ │   ⬡ Nexus (ML/AI)                      Attack Arc →          ││
│ │         ↓                                   ↓                ││
│ │   ⬡ Guardian ←───── Mesh ─────→ ⬡ Fortress                   ││
│ │         ↓                                   ↓                ││
│ │   ⬡ Sentinel (IoT)                   ← Repelled Arc          ││
│ │                                                              ││
│ │   [NODES: 1,247]  [ATTACKS: 89]  [REPELLED: 89]  [QSECBIT]   ││
│ └──────────────────────────────────────────────────────────────┘│
│           Real-time 3D globe with attack trajectories           │
└─────────────────────────────────────────────────────────────────┘
```
Not a dashboard about your security. A window into your security.
Cortex Documentation | See the live dashboard demo
⚡ Quick Start
```bash
# First-time setup (fresh Raspberry Pi)
sudo apt update && sudo apt install -y git
# Clone and install
git clone https://github.com/hookprobe/hookprobe.git
cd hookprobe
sudo ./install.sh --tier guardian # 🏠 Home/Prosumer ($75 RPi, 1.5GB RAM)
# Other tiers available:
# sudo ./install.sh --tier fortress # 🏢 Business ($200 Mini PC, 4GB RAM)
# sudo ./install.sh --tier fortress --enable-aiochi # With AI Eyes cognitive layer
# sudo ./install.sh --tier nexus # 🏗️ Enterprise ($2000 Server, 16GB+ RAM)
```
That's it! The install script handles everything else automatically:
- System packages (hostapd, dnsmasq, etc.)
- Python dependencies
- Locale and WiFi country configuration
- Network interface setup
- Service configuration
- ⏱️ Time to protection: ~5 minutes
- 🔄 Ongoing maintenance: Automatic
- 💰 Software cost: $0
🎯 See It Live
Not ready to install? Explore HookProbe's capabilities instantly — no account required.
Try the Interactive Demo →
The demo dashboard gives you hands-on access to:
- Real-time Qsecbit scoring — Watch the resilience gauge respond to simulated threats
- Node management — See how Guardian, Fortress, and Nexus nodes are monitored
- Threat intelligence feed — Global attack patterns with 1-minute delay
- Alert management — Severity-based triage with investigation workflows
- Combat Mode — Emergency isolation controls for active incidents
Platform Links
| Platform | What You'll See | Access |
|---|---|---|
| hookprobe.com | Architecture, product tiers, pricing, FAQ | Public |
| Live Demo Dashboard | Interactive MSSP dashboard with simulated data | Public (no login) |
| MSSP Platform | Multi-tenant management for service providers | Create account |
Currently showing QSECBIT: 94% 🟢 across active mesh nodes — see it live
Our Commitment to Transparency
Open Source Foundation
The majority of HookProbe is open source under AGPL v3.0:
- Deployment scripts and configuration
- Guardian product tier
- Mesh communication layer
- Threat response modules
- All documentation
- Cortex visualization
Documented Innovations
Our proprietary components (Qsecbit algorithm, Neural Resonance protocol, dnsXai classifier, AIOCHI cognitive layer, SLA AI business continuity) are clearly documented. You can understand what they do and why - the implementation is protected, but the purpose is transparent.
Privacy by Architecture
We didn't add privacy as an afterthought. The architecture ensures:
- Raw data never leaves your edge
- Only anonymized signatures are shared
- You control what participates in the mesh
- Compliance (GDPR, NIS2) is built-in
Community-Driven Development
- Public roadmap
- Open issue tracking
- Community contributions welcome
- Regular security audits
Licensing Details | Contributing Guide
Architecture Overview
hookprobe/
├── core/ # Core Intelligence (documented)
│ ├── aegis/ # AEGIS - Autonomous AI Orchestrator (proprietary)
│ ├── napse/ # NAPSE - Neural Adaptive Packet Synthesis (proprietary)
│ ├── htp/ # Transport Protocol (open source)
│ ├── qsecbit/ # AI Threat Scoring (documented, proprietary)
│ └── neuro/ # Neural Authentication (documented, proprietary)
│
├── shared/ # Shared Modules
│ ├── dnsXai/ # AI DNS Protection (documented, proprietary)
│ ├── mesh/ # Collective Defense (open source)
│ ├── dsm/ # Decentralized Security (documented, proprietary)
│ ├── aiochi/ # AIOCHI - AI Eyes Cognitive Layer (proprietary)
│ ├── slaai/ # SLA AI Business Continuity (proprietary)
│ ├── response/ # Automated Response (open source)
│ └── cortex/ # 3D Visualization (open source)
│
├── products/ # Deployment Tiers (mostly open source)
│ ├── guardian/ # Home/Prosumer
│ ├── fortress/ # Business
│ └── nexus/ # Enterprise
│
└── deploy/ # Deployment Scripts (open source)
Every directory has documentation. Every module has a README.
Resources
| Resource | Description |
|---|---|
| Live Demo | Try the dashboard instantly — no login required |
| hookprobe.com | Product overview, pricing, and FAQ |
| MSSP Platform | Multi-tenant management for service providers |
| Installation Guide | Get started in 5 minutes |
| Architecture Overview | Understand the system |
| Qsecbit Documentation | How threat scoring works |
| Mesh Architecture | Collective defense explained |
| Cortex Visualization | See your security |
| API Reference | Integrate and extend |
| GDPR Compliance | Privacy documentation |
| Security Policy | Report vulnerabilities |
The HookProbe Difference
We don't ask you to trust us. We give you the tools to verify.
- Every threat decision is explainable
- Every line of defense code is auditable
- Every piece of your data stays under your control
- Every node in the mesh strengthens everyone
This is what security looks like when transparency comes first.
🤝 Join The Family
HookProbe isn't a product. It's a movement. A family of people who believe that security is a right, not a privilege.
How You Can Help
| Action | Impact |
|---|---|
| ⭐ Star this repo | Help others discover protection |
| 🔧 Deploy HookProbe | Strengthen the mesh for everyone |
| 🐛 Find vulnerabilities | Make the stack stronger |
| 📝 Contribute code/docs | Build the future together |
| 📢 Share on Reddit / HN / X | Spread the word |
| 💖 Sponsor development | Fund open-source security for everyone |
Growth vs. the Incumbents
We're the new kid, but we're growing. Here's how HookProbe stacks up in the open-source IDS space:
Every open-source IDS started with 0 stars. CrowdSec had 22 stars once too. The difference is what happens next.
What "Family" Means
- 🔓 We share knowledge freely - No paywalls on protection
- 🤝 We help each other - Stuck? Ask. Know something? Teach.
- 🛠️ We build together - Your contribution makes everyone stronger
- 🛡️ We protect each other - One node's detection → Everyone's protection
Read our Manifesto to understand what we're building and why.
📖 From the Blog
Deep-dives, benchmarks, and real-world threat detection results:
- Zeek + Suricata on Raspberry Pi: Edge IDS Setup Guide — Our most popular guide
- NAPSE vs Zeek vs Suricata vs Snort: IDS Comparison — Head-to-head benchmarks
- Building an Autonomous SOC on Raspberry Pi 5 — Full walkthrough
- How HookProbe Detects CVE-2025-32432 — Real CVE detection analysis
- Threat Landscape Report — March 2026 — Monthly threat intelligence
Browse all 86+ articles → | Subscribe via RSS → | Documentation →
🎯 The Mission
```text
┌─────────────────────────────────────────────────────────────────────────────┐
│                                                                             │
│   We're not building a product.                                             │
│   We're building a MOVEMENT.                                                │
│                                                                             │
│   A world where:                                                            │
│   • A grandmother in rural India has the same protection as a bank in NYC   │
│   • A small business in Nigeria can't be ransomed                           │
│   • A journalist in a dangerous country has unbreakable encryption          │
│   • A hospital never has to choose between ransom and saving lives          │
│                                                                             │
│   This is possible.                                                         │
│   This is what we're building.                                              │
│   This is HookProbe.                                                        │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘
```
HookProbe v5.1 "Neural"
🛡️ Join the family. Protect each other. Achieve more. 🛡️
Built with love in Romania. Protecting networks worldwide.