New features
SIEM
Built-in Security Information and Event Management. A listener auto-detects TLS or plain syslog on port 6514 (plus a per-tenant port), auto-parses FortiGate key=value and RFC 3164 events, and organizes them under sources and time-boxed capture sessions per client. Critical and high-severity events auto-promote to alerts. Upload a PCAP and NEXOS CORE parses it into conversations, DNS, HTTP, and TLS SNI, pre-flagging suspicious signals. Run Nexie AI threat analysis on any capture for a 0–100 risk score, findings (with MITRE ATT&CK IDs), remediation plans, and before/after posture comparison. See SIEM.
Email security
An automated phishing-triage pipeline for Microsoft 365 mailboxes. Every ~5 minutes NEXOS CORE pulls recent mail via Microsoft Graph, parses SPF, DKIM, DMARC, Defender, and Inky signals, and scores each message 0–100 against a per-client trust profile (approved senders, vendors, lookalike-domain detection). Borderline messages get a Claude second opinion, and the pipeline then allows, logs, escalates, or quarantines the message, opening a helpdesk ticket automatically when a human needs to look. See Email security.
Vulnerability scanning & Red Team
Authorized Metasploit-driven scans against a client's networks. Choose a Basic, Standard, or Comprehensive profile (or a template from a library of ~50), or let the Nexie Red Team wizard recommend one based on industry, compliance frameworks, asset inventory, and prior findings. Scans can run from the Metasploit host directly, or be tunneled through an on-site RMM agent so they originate from inside a segmented or NATed client network. Discovered hosts, services, and vulnerabilities are recorded as findings against the client. See Vulnerability scanning & Red Team.
Security posture dashboard
A single-pane rollup of a client's security health. One Overall Security Score (0–100) aggregates compliance, vulnerability, endpoint, and identity categories, alongside endpoint stats (total vs. online agents, compliance rate) and a recent-alerts feed with inline status updates. It's a read-only view (the scores flow from the underlying modules), so it's the fastest way to spot what's dragging a client's posture down before diving into the source tool. See Security posture dashboard.
Known limitations
- SIEM: PCAP analysis requires tshark on the host; without it, captures are marked failed. Encrypted session export needs SIEM_ENCRYPTION_KEY set; otherwise exports fall back to plaintext. The syslog TLS listener is pinned to TLS 1.2 (a FortiOS workaround) with no client-certificate auth. AI analysis requires your tenant's Claude API key.
- Email security: quarantine moves the message to Junk, not full Defender quarantine. Ingestion is polling (~5 minutes), not real-time. Company matching is by sender domain, so unrecognized external senders land in the caution band for AI review.
- Vulnerability scanning: you are responsible for authorization; record the client's penetration-test scope and sign-off before running a scan. Requires a reachable, enabled msfrpcd; without it, scans fail immediately. Agent-tunneled targets must be IPv4 addresses or CIDR ranges. The Red Team wizard requires your tenant's Claude API key.
- Posture dashboard: read-only aggregation. Fix a low score at its source (compliance, vuln scanning, or RMM), not here. The overall score is a pooled ratio, so a source with a large maximum weighs more heavily; read it alongside the category breakdown.
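As an added illustration of the event shapes the SIEM listener auto-detects (this is not NEXOS CORE's own code), here is a small Python parser that handles an RFC 3164 syslog header with an embedded FortiGate key=value body, a bare FortiGate key=value line, and a plain syslog message, normalizes severity, and promotes critical-and-above events to alerts. The FortiGate detection heuristic (date, time and level fields present), the level-to-severity mapping and the promotion threshold are assumptions, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 3164 header "<PRI>Mmm dd hh:mm:ss host msg"; PRI = facility * 8 + severity
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
# FortiGate body: key=value pairs; values are double-quoted when they contain spaces
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# FortiGate "level" names mapped to syslog severity numbers (0 = most severe)
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "information": 6, "debug": 7}
PROMOTE_AT = 2  # assumption: severity 0-2 (critical and above) auto-promotes to an alert

@dataclass
class Event:
    fmt: str                 # "fortigate", "rfc3164" or "unknown"
    severity: int            # 0-7, syslog convention
    host: Optional[str]
    fields: dict = field(default_factory=dict)
    message: str = ""
    @property
    def is_alert(self) -> bool:
        return self.severity <= PROMOTE_AT

def parse_event(line: str) -> Event:
    body, host, sev = line.rstrip("\r\n"), None, 6   # default: informational
    m = RFC3164.match(body)
    if m:                                          # strip the syslog header if present
        host, body = m.group("host"), m.group("msg")
        sev = int(m.group("pri")) % 8              # severity is the low 3 bits of PRI
    fields = {k: q or u for k, q, u in KV.findall(body)}
    if all(k in fields for k in ("date", "time", "level")):   # assumed FortiGate signature
        sev = LEVELS.get(fields["level"].lower(), sev)       # device level wins over PRI
        return Event("fortigate", sev, fields.get("devname", host), fields, body)
    return Event("rfc3164" if m else "unknown", sev, host, fields, body)

def triage(lines):
    """Parse a batch of raw lines; return (all events, the ones promoted to alerts)."""
    events = [parse_event(l) for l in lines]
    return events, [e for e in events if e.is_alert]

SAMPLE = [  # constructed sample lines, not captured from a real device
    '<186>Jan 15 10:23:45 FGT60F date=2024-01-15 time=10:23:45 devname="FGT60F" '
    'type="event" subtype="system" level="critical" logdesc="Admin login failed" '
    'user="admin" srcip=203.0.113.9 msg="Administrator admin login failed from ssh"',
    'date=2024-01-15 time=10:24:01 devname="FGT60F" type="traffic" level="notice" '
    'srcip=10.0.0.5 dstip=93.184.216.34 action="accept"',
    '<38>Jan 15 10:25:07 bastion sshd[2112]: Accepted publickey for ops from 10.0.0.7',
]
```

Running `triage(SAMPLE)` yields three parsed events, of which only the FortiGate critical admin-login failure is promoted to an alert.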
