What is Nexor?

Nexor is a full-stack network observability platform built for security and operations teams. It consists of three products that work independently or together: a native Desktop App for live packet capture, a headless Capture Agent for server and cloud deployments, and a SaaS Hub that aggregates flows from any number of agents into a searchable, alerting-capable analytics platform.

The entire pipeline — from raw packets to searchable flows — is designed for high throughput with minimal overhead. The capture core is written in Rust; the Hub backend uses Go with ClickHouse for storage, giving you sub-second query times even on hundreds of millions of flows.

Nexor Desktop

A native macOS and Windows application that turns your laptop or workstation into a real-time packet analyser. No tcpdump, no Wireshark filters — just open the app, pick an interface, and see enriched, decoded flows in milliseconds.

Installation

Nexor Desktop ships as a signed .dmg (macOS) and .exe installer (Windows). Download from the download page and run the installer — no additional runtime dependencies required.

Live Capture

Select any available network interface (en0, Wi-Fi, Ethernet, VPN tunnel) from the interface picker at the top of the window. Capture starts immediately. You can switch interfaces without restarting the application.

The flow table refreshes in real time. Each row represents a completed or active TCP/UDP flow with protocol, source/dest IPs and ports, packet/byte counts, duration, and any decoded application data. Scroll back through the session history — flows are retained in memory until the session is cleared or the app restarts.

Protocol Support

Nexor decodes the following application-layer protocols with full field extraction:

Threat Intelligence

Every external IP is checked against bundled threat intelligence feeds on first observation. Matching IPs receive a coloured badge in the flow table:

Feeds are embedded in the application binary and updated with each release. When Hub Connect Mode is active, the Hub's live threat feed is used instead, giving you real-time intelligence updates without waiting for a new app version.

UI Panes

The Desktop UI uses a three-pane layout. Each pane is resizable and can be collapsed to focus on what matters.

Hub Connect Mode

Enable Hub Connect Mode in Settings → Hub Connection. Enter your Hub URL and an API token generated in Hub Settings → Tokens. Once connected, all flows captured on this machine are streamed to the Hub in real time.

# Settings → Hub Connection
Hub URL     :  https://your-hub.example.com
API Token   :  nst_xxxxxxxxxxxxxxxxxxxx
Auto-start  :  ✓ (reconnect on app launch)
Label       :  Alice-MacBook  # appears in Hub Fleet view

The connection is a persistent WebSocket over TLS. If the Hub is temporarily unreachable, the Desktop buffers up to 50,000 flows in memory and replays them on reconnect.

Nexor Capture Agent

A lightweight, headless capture daemon designed for servers, cloud VMs, Kubernetes nodes, and network appliances. Deploy it once and it reports flows to the Hub continuously — no GUI, no manual intervention, zero local storage.

Installation

The quickest path is the Hub-hosted install script. Navigate to Hub → Fleet → Add Agent and copy the generated command:

# Generated by Hub — includes your token automatically
curl -sSL "https://your-hub.example.com/api/v1/agents/install?token=nst_xxx" | sudo bash

This script detects your OS and architecture, downloads the correct binary, installs it to /usr/local/bin/nexor-agent, writes a systemd unit (Linux) or launchd plist (macOS), and starts the service automatically.

Capture Modes

pcap mode (default)

Uses libpcap to capture packets from network interfaces. Works on all platforms. Suitable for moderate traffic volumes. Root or CAP_NET_RAW capability required.

nexor-agent \
  --hub       https://hub.example.com \
  --token     nst_xxxxxxxxxxxxxxxx \
  --iface     eth0 \
  --mode      pcap \
  --filter    "not port 22"  # exclude SSH

eBPF mode (Linux 5.8+)

Attaches an XDP / TC eBPF program directly in the kernel's network stack. Dramatically lower CPU usage at high packet rates. No buffer drops under sustained 10 Gbps. Requires Linux kernel 5.8+ and root.

nexor-agent \
  --hub   https://hub.example.com \
  --token nst_xxxxxxxxxxxxxxxx \
  --iface eth0 \
  --mode  ebpf

Enrollment & Tokens

Each agent authenticates to the Hub using a unique enrollment token. Tokens are generated in the Hub under Fleet → Add Agent or via the API. Tokens can be revoked at any time from the Fleet page without restarting the agent — it will receive a 401 and stop forwarding flows.

Configuration

The agent can be configured via command-line flags, environment variables, or a YAML config file at /etc/nexor/agent.yaml.

hub:     https://hub.example.com
token:   nst_xxxxxxxxxxxxxxxx
mode:    ebpf         # pcap | ebpf
ifaces:
  - eth0
  - eth1
filter:  "not port 22"
labels:
  env:    production
  region: us-east-1
  role:   web
batch_size:   500    # flows per HTTP push
flush_interval: 2s    # max wait before push
log_level:    info   # debug | info | warn | error

Remote Config Push

From Hub → Fleet → [Agent] → Configure, you can remotely update the filter expression, interface list, or labels without restarting the agent. Configuration changes are pushed over the existing WebSocket connection and applied within seconds.

Nexor Hub

The Hub is the central brain of a Nexor deployment. It receives flows from any number of agents and Desktop instances, stores them in ClickHouse, and exposes a rich web UI and REST API for search, alerting, anomaly detection, compliance, and more.

Deployment

The Hub is distributed as a single Go binary plus a ClickHouse database. The quickstart script handles both:

curl -sSL https://nexor.io/hub-quickstart.sh | sudo bash
# → installs ClickHouse, downloads hub binary, creates systemd service
# → hub available at http://localhost:8080 within ~60 seconds

Environment Variables

CH_ADDR=localhost:9000
CH_DB=nexor
APP_URL=https://hub.example.com
FRONTEND_URL=https://hub.example.com
SESSION_SECRET=change-me-64-random-chars
LICENSE_KEY=ENT-xxxx-xxxx-xxxx    # omit for Community tier
ANTHROPIC_API_KEY=sk-ant-…  # required for AI Copilot
PRODUCTION=true               # sets Secure cookies

Flows & Analytics

All flows from all agents land in the Hub's flows ClickHouse table. The Flows page provides a real-time view with powerful search and filter controls.

Searching Flows

Services View

The Services page automatically groups flows by (src_service, dst_service, protocol) and shows a dependency graph. Useful for discovering undocumented service relationships or lateral movement patterns.

Cloud VPC Ingestion

Import VPC Flow Logs from AWS (S3 or CloudWatch Logs), GCP (Cloud Logging), or Azure (Network Watcher) under Cloud Flows. The Hub normalises all formats into the same flow schema for unified analysis.

Security Features

Alerting

Create alert rules under Alerts → Rules. Each rule specifies a condition (e.g. any flow to a HIGH-threat IP in the last 5 minutes), a severity, and one or more notification channels.

Sigma Detection Rules

Nexor Hub implements a Sigma-compatible rule engine (Detection page). Import standard Sigma YAML rules or write custom ones. Rules are evaluated continuously against the incoming flow stream, with matches creating incidents automatically.

title:       Suspicious DNS Tunnelling
id:         nexor-dns-tunnel-001
status:     stable
level:      high
detection:
  selection:
    protocol: DNS
    query_len|gte: 60
    bytes_out|gte: 4096
  condition: selection
falsepositives:
  - AAAA record lookups for long CDN hostnames

Anomaly Detection

The anomaly engine builds a statistical baseline for each (src_ip, dst_ip, protocol) tuple over a rolling 7-day window. Deviations from the baseline — in bytes, flow count, or inter-arrival time — generate anomaly events visible on the Anomalies page. Each anomaly has a severity score and a natural-language description generated by the AI Copilot.

Threats

The Threats page aggregates all flows touching IPs from the threat intelligence feeds, grouped by threat actor and severity. Drill down into any threat entry to see the full timeline of connections, source agents, and associated alert history.

Incidents

Incidents are auto-created from high-severity alert or Sigma rule matches. Each incident gets a unique ID, a severity (P1–P4), and a status (open / in-progress / resolved). Assign incidents to team members, add investigation notes, and close with a resolution summary. Full audit trail is maintained.

Certificates

The Certs page shows every TLS certificate seen in flows, with expiry date, issuer, SANs, and the set of hosts that presented it. Expired or soon-to-expire certificates are highlighted. Certificate changes (e.g. unexpected issuer rotation) can trigger alerts.

Policies

Define network policies — permitted and denied communication paths — under the Policies page. Nexor automatically flags policy violations as they occur in the flow stream.

AI Copilot

The AI Copilot is a natural-language interface to your flow data, powered by Anthropic's Claude. Click AI Copilot in the sidebar to open the chat panel.

The Copilot enforces a row-limit cap on all generated SQL (default 1,000 rows) to prevent accidental full-table scans. Administrators can raise this limit per-user from Settings.

Custom Dashboards

Build any view you need from the My Dashboards page. Each dashboard is a collection of widgets arranged on a 12-column grid.

Available Widgets

Widget Sizes

Each widget can be resized independently to Small (⅓ width), Medium (½ width), or Full Width using the resize controls that appear on hover in edit mode. Use the arrow buttons to reorder widgets within the grid.

Enterprise Features

The following features require an Enterprise license (LICENSE_KEY environment variable):

API Reference

The Hub exposes a REST API at /api/v1/. All endpoints require a bearer token via the Authorization header.

curl -H "Authorization: Bearer nst_xxx" \
     https://hub.example.com/api/v1/flows?limit=50&protocol=TLS

nexor-sdk

The official Python SDK gives you programmatic access to every Hub capability — query flows, manage alert rules, stream real-time events, build dashboards, triage incidents, run Sigma rules, and chat with the AI Copilot — all from a clean, idiomatic Python API.

Zero runtime dependencies. The SDK uses Python's stdlib urllib exclusively. No requests, no httpx required. Works out of the box on Python 3.9+.

Installation

pip install nexor-sdk

from nexor_sdk import Nexor

ns = Nexor(
    url="https://hub.example.com",
    token="nst_xxxxxxxxxxxxxxxxxxxx",
)

# Verify connection and token
assert ns.ping(), "Cannot reach hub"

# Hub-wide stats
stats = ns.stats()
print(f"{stats.total_flows:,} flows · {stats.active_agents} agents online")

Flows

# Query with filters
flows = ns.flows.list(
    protocol="TLS", country="CN", hours=24, limit=500
)
for f in flows:
    print(f.src_ip, "→", f.dst_ip, f.tls.sni if f.tls else "")

# Auto-paginating iterator — fetches all pages automatically
for flow in ns.flows.iter_all(threat_level="high", hours=72):
    process(flow)

# Real-time SSE stream (blocks until disconnected)
for flow in ns.flows.stream():
    if flow.is_threat:
        alert(flow)

# Top talkers by bytes in the last hour
talkers = ns.flows.top_talkers(window="1h", by="bytes", limit=10)

Alerts & Incidents

# Create an alert rule
rule = ns.alerts.create_rule(
    name="Exfil to known-bad country",
    condition="country_code = 'CN' AND bytes_out > 1000000",
    severity="high",
    integration="webhook",
    webhook_url="https://hooks.slack.com/services/xxx",
)

# Query fired events
events = ns.alerts.list_events(severity="critical", hours=24)

# Full incident lifecycle
inc = ns.incidents.create(
    title="Possible C2 beaconing from 10.0.0.5",
    severity="P2",
)
ns.incidents.acknowledge(inc.id)
ns.incidents.add_note(inc.id, "Confirmed — isolating host")
ns.incidents.resolve(inc.id, "Host isolated, threat remediated")

AI Copilot & Dashboards

# One-shot question (buffered reply)
answer = ns.copilot.ask("Which host had the most outbound bytes today?")
print(answer)

# Streaming — token by token
for token in ns.copilot.stream("Show DNS queries to .ru in the last hour"):
    if token.sql:
        print(f"\n[SQL] {token.sql}")
    else:
        print(token.text, end="", flush=True)

# Multi-turn conversation (remembers context)
chat = ns.copilot.chat()
print(chat.send("What's our top talker today?"))
print(chat.send("What ports does it use?"))

from nexor_sdk.resources.dashboards import DashboardsResource as D

dash = ns.dashboards.create(
    name="Security Overview",
    widgets=[
        D.stat_widget("Alerts (24h)",   metric="alert_count",   size="sm"),
        D.stat_widget("Anomalies (24h)", metric="anomaly_count", size="sm"),
        D.stat_widget("Active Agents",   metric="active_agents", size="sm"),
        D.timeseries_widget("Flow Volume", window="24h", size="lg"),
        D.top_talkers_widget(by="bytes", limit=10, size="md"),
        D.alert_feed_widget(limit=8, size="md"),
    ],
)
print(f"Dashboard URL: {HUB}/dashboards/{dash.id}")

Runnable Examples

Four ready-to-run scripts ship in sdk/python/examples/:

from nexor_sdk import NexorError, AuthError, RateLimitError

try:
    flows = ns.flows.list(protocol="TLS")
except AuthError:
    print("Invalid or expired token")
except RateLimitError:
    print("Rate limited — back off and retry")
except NexorError as e:
    print(f"HTTP {e.status_code}: {e}")

Privacy & PII Masking

Nexor's PII masking engine runs inside the Rust capture agent, redacting sensitive data before any flow is batched or transmitted to the Hub. Authorization tokens, session cookies, payment card numbers, passwords, and identity fields are replaced with the literal string [REDACTED] at parse time — they never touch the network, never reach ClickHouse, and never appear in logs.

This is a source-side guarantee, not a post-hoc filter. The masking runs in the same CPU cycle as the HTTP parser — there is no window during which sensitive data is stored unredacted anywhere on the agent host.

Sensitive header redaction

The following HTTP/1.1 and HTTP/2 header names are redacted automatically. Matching is case-insensitive (Authorization, AUTHORIZATION, and authorization are all caught):

JSON body field redaction

When a request or response body preview is valid JSON, the engine walks the object recursively and redacts the value of any field whose name matches one of the patterns below. Arrays are also walked. Non-JSON bodies (URL-encoded forms, plain text, binary previews) are stored unchanged.

// Input (captured by agent)
{
  "username": "alice",
  "password": "hunter2",          ← REDACTED
  "card_number": "4111111111...", ← REDACTED
  "cvv": "123",                   ← REDACTED
  "amount": 9900                  ← preserved
}

// Stored in ClickHouse Hub
{
  "username": "alice",
  "password": "[REDACTED]",
  "card_number": "[REDACTED]",
  "cvv": "[REDACTED]",
  "amount": 9900
}

Redacted field categories:

Extending the pattern list

Add patterns to agent/crates/parser/src/masking.rs — the lowercase name goes into either SENSITIVE_HEADERS or SENSITIVE_FIELDS. No other changes are required; the masking is applied automatically wherever HTTP flows are assembled.

// Add your own field name here (lowercase):
const SENSITIVE_FIELDS: &[&str] = &[
    "password",
    "token",
    "my_custom_secret",  // ← add here
    // ...
];

Run cargo test -p parser after any change — 31 unit tests cover every built-in pattern and verify the recursive walk, case-insensitivity, and non-JSON passthrough behaviour.

Performance Telemetry

Every Nexor agent (v0.7+) reports CPU usage, resident memory (RSS), and a cumulative packet-drop counter on each heartbeat (every 30 seconds). The Hub stores the samples in ClickHouse with a 30-day TTL and exposes them via a REST endpoint. The Fleet dashboard renders a live sparkline per agent card so you can verify agent overhead at a glance.

Agents running in pcap or eBPF mode both report identical telemetry. Older agents that predate v0.7 simply omit the telemetry fields — the Hub treats missing fields as zero and never writes a agent_perf row for them.

Perf history API

Retrieve historical performance samples for a specific agent:

GET /api/v1/agents/{agent_id}/perf?limit=60

# Response
{
  "agent_id": "4f8a2c1e-...",
  "samples": [
    {
      "ts":              "2026-05-04T12:00:00Z",
      "cpu_pct":         0.42,
      "mem_mb":          124,
      "packets_dropped": 0
    },
    ...
  ]
}

ClickHouse storage

Performance samples are stored in the agent_perf table, which uses a standard MergeTree engine ordered by (agent_id, ts) for efficient per-agent range scans. A TTL clause automatically drops rows older than 30 days.

CREATE TABLE IF NOT EXISTS agent_perf (
    agent_id        String,
    ts              DateTime64(3, 'UTC') DEFAULT now64(),
    cpu_pct         Float32  DEFAULT 0,
    mem_mb          UInt64   DEFAULT 0,
    packets_dropped UInt64   DEFAULT 0
) ENGINE = MergeTree()
ORDER BY (agent_id, ts)
TTL ts + INTERVAL 30 DAY;

To query the rolling average CPU across your whole fleet over the last hour:

SELECT
    agent_id,
    avg(cpu_pct)         AS avg_cpu,
    max(mem_mb)          AS peak_mem_mb,
    max(packets_dropped) AS total_drops
FROM agent_perf
WHERE ts >= now() - INTERVAL 1 HOUR
GROUP BY agent_id
ORDER BY avg_cpu DESC;

The Fleet UI fetches the last 10 samples per agent and renders a CPU sparkline inside each agent card. The sparkline colour shifts from indigo (healthy) to amber (>50%) to red (>80%) to surface high-load agents at a glance. A non-zero packets_dropped count surfaces as a warning badge on the card.

Adaptive Sampling

Nexor agents default to metadata-only mode — they capture every connection's headers, timing, DNS queries, TLS handshakes, and protocol attribution, but discard HTTP request/response body content before it is batched or transmitted. This keeps CPU and memory overhead near zero even at multi-gigabit traffic volumes.

Two mechanisms upgrade a session to full capture automatically or on demand:

Metadata vs Full mode

Sampling API

Read or update the sampling mode for a specific agent via the REST API. Changes are picked up by the agent on its next config poll (within 30 seconds).

GET /api/v1/agents/{agent_id}/sampling

# Response
{"agent_id": "4f8a2c1e-...", "mode": "metadata"}

POST /api/v1/agents/{agent_id}/sampling
Content-Type: application/json
X-Api-Key: <admin-key>

{"mode": "full"}

# Response
{
  "ok": true,
  "agent_id": "4f8a2c1e-...",
  "mode": "full",
  "pushed_at": "2026-05-05T12:00:00Z"
}

Valid values for mode are metadata and full. Any other value returns HTTP 400. The config is delivered via the existing agent_configs ClickHouse table and acknowledged by the agent using the same poll/ack mechanism as other remote config pushes.