End-of-week ship, extending the v1.14.x platform. Four new areas round out the security stack — event collection and AI threat analysis, automated email triage, authorized vulnerability scanning, and a rollup posture view.

New features

SIEM

Built-in Security Information and Event Management. A listener auto-detects TLS or plain syslog on port 6514 (plus a per-tenant port), auto-parses FortiGate key=value and RFC 3164 events, and organizes them under sources and time-boxed capture sessions per client. Critical and high-severity events auto-promote to alerts. Upload a PCAP and NEXOS CORE parses it into conversations, DNS, HTTP, and TLS SNI, pre-flagging suspicious signals. Run Nexie AI threat analysis on any capture for a 0–100 risk score, findings (with MITRE ATT&CK IDs), remediation plans, and before/after posture comparison. See SIEM.
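To make the listener's parsing and auto-promotion concrete, here is an added example (not NEXOS CORE's own code) that auto-detects RFC 3164 vs. FortiGate key=value events, normalizes severity, and flags which events would become alerts. The sample lines are constructed, and the promotion rule (RFC severity ≤ 2, FortiGate level ≤ critical or IPS severity in critical/high) is an assumption standing in for the product's rule.

```python
import re
from dataclasses import dataclass

# Constructed sample events, not real device output: one RFC 3164 line, one FortiGate key=value line.
SAMPLE_EVENTS = [
    "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 198.51.100.7",
    'date=2024-10-11 time=22:14:16 devname="fw01" type="utm" subtype="ips" level="alert" '
    'severity="high" srcip=198.51.100.7 dstip=10.0.0.5 msg="Signature match: ET SCAN"',
]

RFC3164_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value optionally double-quoted
SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
FGT_LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "information": 6, "debug": 7}

@dataclass
class Event:
    fmt: str        # "rfc3164" or "fortigate"
    host: str
    severity: str   # normalized syslog severity name
    fields: dict
    promote: bool   # True when the event should be raised to an alert (assumed rule)

def parse_rfc3164(line):
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    sev_num = pri & 7
    fields = {"facility": pri >> 3, "timestamp": m.group("ts"), "message": m.group("msg")}
    return Event("rfc3164", m.group("host"), SEVERITY_NAMES[sev_num], fields, promote=sev_num <= 2)

def parse_fortigate(line):
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "devname" not in fields and "logid" not in fields:
        return None  # not a FortiGate event
    sev_num = FGT_LEVELS.get(fields.get("level", "notice"), 5)
    ips_high = fields.get("severity", "").lower() in {"critical", "high"}
    return Event("fortigate", fields.get("devname", "?"), SEVERITY_NAMES[sev_num], fields,
                 promote=sev_num <= 2 or ips_high)

def parse_event(line):
    # Auto-detect: RFC 3164 lines begin with a <PRI> header; anything else is tried as key=value.
    return parse_rfc3164(line) if line.startswith("<") else parse_fortigate(line)
```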

Email security

An automated phishing-triage pipeline for Microsoft 365 mailboxes. Every ~5 minutes NEXOS CORE pulls recent mail via Microsoft Graph, parses SPF, DKIM, DMARC, Defender, and Inky signals, and scores each message 0–100 against a per-client trust profile (approved senders, vendors, lookalike-domain detection). Borderline messages get a Claude second opinion, and the pipeline then allows, logs, escalates, or quarantines the message — opening a helpdesk ticket automatically when a human needs to look. See Email security.

Vulnerability scanning & Red Team

Authorized Metasploit-driven scans against a client’s networks. Choose a Basic, Standard, or Comprehensive profile (or a template from a library of ~50), or let the Nexie Red Team wizard recommend one based on industry, compliance frameworks, asset inventory, and prior findings. Scans can run from the Metasploit host directly, or be tunneled through an on-site RMM agent so they originate from inside a segmented or NATed client network. Discovered hosts, services, and vulnerabilities are recorded as findings against the client. See Vulnerability scanning & Red Team.

Security posture dashboard

A single-pane rollup of a client’s security health. One Overall Security Score (0–100) aggregates compliance, vulnerability, endpoint, and identity categories, alongside endpoint stats (total vs. online agents, compliance rate) and a recent-alerts feed with inline status updates. It’s a read-only view — the scores flow from the underlying modules — so it’s the fastest way to spot what’s dragging a client’s posture down before diving into the source tool. See Security posture dashboard.

Known limitations

  • SIEM — PCAP analysis requires tshark on the host; without it, captures are marked failed. Encrypted session export needs SIEM_ENCRYPTION_KEY set — otherwise exports fall back to plaintext. The syslog TLS listener is pinned to TLS 1.2 (a FortiOS workaround) with no client-certificate auth. AI analysis requires your tenant’s Claude API key.
  • Email security — quarantine moves the message to Junk, not full Defender quarantine. Ingestion is polling (~5 minutes), not real-time. Company matching is by sender domain, so unrecognized external senders land in the caution band for AI review.
  • Vulnerability scanning — you are responsible for authorization; record the client’s penetration-test scope and sign-off before running a scan. Requires a reachable, enabled msfrpcd — without it, scans fail immediately. Agent-tunneled targets must be IPv4 addresses or CIDR ranges. The Red Team wizard requires your tenant’s Claude API key.
  • Posture dashboard — read-only aggregation. Fix a low score at its source (compliance, vuln scanning, or RMM), not here. The overall score is a pooled ratio, so a source with a large maximum weighs more heavily — read it alongside the category breakdown.
Earlier known limitations from v1.14.x, week of June 29, the Quotes, billing & contracts ship, the Projects & field ship, the Construction & bid ship, and the RMM & infrastructure ship remain unchanged.