Zedmos
Engine v0.0.1 (GA) · Hub v2.4.1 · SD-WAN (Test) · SASE (Test) · WAF (Roadmap)

One engine. One pane.
Every network layer.

Zedmos is an inline security engine that fuses routing, encryption, and deep inspection into a single data plane. Installed as an OPNsense plugin, it integrates seamlessly into an existing appliance. Same policies, same data plane, same UI.

[Console mockup: Zedmos console, single pane of glass. Views: Policies · Identities · CTI Hub · SLA / SD-WAN · Events. Modules: NGFW + DPI (L7 · TLS · IDS/IPS, GA), SD-WAN (per-policy routing, Test), CTI Hub (GA), SASE (Test), Identity (AD · Azure · SCIM, GA). One engine binary, inline fast path: IN → capture → parse → classify → ti-lookup → evaluate → decide → enforce → OUT.]
WHAT AN NGFW SHOULD HAVE

Every layer a modern firewall owes you — in one engine

Instead of stitching an IDS, a DPI layer, a TLS proxy, a content scanner, and a separate SASE overlay together, Zedmos ships one binary that runs every layer on the same zero-copy path.

Packet & protocol
  • Stateful packet inspection · In-engine flow table · GA
  • Deep packet inspection · 200+ protocols · GA
  • TLS / SSL inspection · SNI · TLS fingerprinting · bump · GA
  • QUIC / DoT / DoH control · GA
  • IDS / IPS · Aho-Corasick binary rules · GA
Access & routing
  • Application control · GA
  • URL / web filtering · Suffix trie + TI feeds · GA
  • Identity-aware policy (ZTNA) · AD · Azure · SCIM · GA
  • Encrypted VPN overlay · Native fast-path integration · GA
  • SD-WAN per-policy steering · SLA-aware failover · Test
  • Centralized SASE hub-spoke · Test
Content & threat
  • Anti-malware (inline) · Streaming payload inspection · GA
  • Threat intelligence feeds · IP · domain · URL · TLS fingerprint · GA
  • WAF / reverse proxy · Design complete, shipping in a later release · Roadmap
  • File type / MIME filtering · GA
Operations
  • Centralized management (single pane) · GA
  • Sub-10 s failover · In-process daemon · GA
  • Hot-reload policies & feeds · Zero packet loss · GA
  • SIEM / S3 / Kafka export · Unified log plane · GA
CAPABILITIES

Pick any block. It runs on the same pipeline.

Each capability below is a live feature of the engine, documented and deployable today. Each card links to a deep dive covering architecture, config snippets, and benchmarks.

Zero-Copy Fast Path (Platform · GA · 14 Gbps)

Shared-memory packet rings bypass the kernel socket path. ~14 Gbps on a single core.
TLS Inspection + Fingerprinting (Inspection · GA · 65K fingerprints)

SNI extraction, full client and server fingerprinting, forward-proxy bumping with a short-lived CA.
L7 App Classification (Inspection · GA · 200+ protocols)

200+ application protocols, category pairs, encrypted traffic heuristics — all on the fast path.
Multi-Action Policy Engine (Security · GA · 14 actions)

allow / drop / reset / shape / redirect / quarantine / tarpit / scan / rewrite / exec / mark / escalate / route / log.
SD-WAN per-Policy Steering (Routing · Test · multi-WAN)

Route per app / category / SNI / user / geo. Strategy-pattern TX with SNAT and kernel FIB.
Feed-Driven Threat Intelligence (Security · GA)

IP, domain, URL, and TLS-fingerprint blocklists. Suffix-trie matching. Atomic hot-swap via control socket.
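The domain side of a feed-driven blocklist, as an added illustration that is not Zedmos code: a label-level suffix trie so that listing `evil.example` also catches every subdomain, and a feed reload that builds a fresh trie and swaps the single reference, so lookups never observe a half-built table. The feed format (`domain feed-name`, `#` comments) and the sample entries are constructed for this example.

```python
# Added example, not Zedmos code: domain blocklist lookup with a suffix trie
# plus an atomic hot-swap of the whole trie on feed reload.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class _Node:
    children: Dict[str, "_Node"] = field(default_factory=dict)
    feed: Optional[str] = None  # name of the feed that listed this suffix


class SuffixTrie:
    """Hostname lookup against listed domains and all of their subdomains.

    Labels are inserted right-to-left ("cdn.evil.example" -> example, evil, cdn),
    so a listed domain is a prefix in the trie of every host beneath it.
    """

    def __init__(self) -> None:
        self.root = _Node()

    @staticmethod
    def _labels(name: str):
        return reversed(name.lower().strip(".").split("."))

    def add(self, domain: str, feed: str) -> None:
        node = self.root
        for label in self._labels(domain):
            node = node.children.setdefault(label, _Node())
        node.feed = feed

    def lookup(self, host: str) -> Optional[str]:
        """Return the feed of the most specific listed suffix, or None."""
        node, hit = self.root, None
        for label in self._labels(host):
            node = node.children.get(label)
            if node is None:
                break
            if node.feed is not None:
                hit = node.feed
        return hit


def build_trie(feed_lines: Iterable[str]) -> SuffixTrie:
    """Parse 'domain feed-name' lines (constructed format) into a trie."""
    trie = SuffixTrie()
    for raw in feed_lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, feed = line.split()
        trie.add(domain, feed)
    return trie


class TiStore:
    """Holds the live trie; reload() swaps the reference in one assignment."""

    def __init__(self, feed_lines: Iterable[str]) -> None:
        self._trie = build_trie(feed_lines)

    def reload(self, feed_lines: Iterable[str]) -> None:
        fresh = build_trie(feed_lines)   # built off the lookup path
        self._trie = fresh               # single reference swap: old or new, never partial

    def check(self, host: str) -> Optional[str]:
        return self._trie.lookup(host)


# Constructed sample feeds for the demonstration.
FEED_V1 = [
    "# constructed phishing feed",
    "evil.example phish",
    "login.bank-mirror.test phish",
]
FEED_V2 = [
    "bad.test c2   # constructed: evil.example was delisted",
]


def demo():
    store = TiStore(FEED_V1)
    before = store.check("cdn.evil.example")      # subdomain of a listed domain
    miss = store.check("notevil.example")         # label boundary respected
    store.reload(FEED_V2)
    after = store.check("evil.example")           # delisted after the swap
    return before, miss, after


if __name__ == "__main__":
    print(demo())
```

The label-boundary check is the point of using a trie over a string suffix match: `notevil.example` shares the character suffix `evil.example` but not the label sequence, so it is not matched.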
Identity & Device Recognition (Identity · GA · AD · Azure · SCIM)

AD DC agent, Azure Graph pull, SCIM hook, ARP/DHCP fingerprinting. Per-flow user tags.
Sub-10 s SASE Failover (Routing · Test · < 10 s)

ICMP / HTTP / DNS probes, composite health score, atomic peer swap. Hysteresis-aware.
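How a composite probe score with hysteresis keeps a single lost probe from flapping the active peer, as an added example that is not Zedmos code. The probe weights, latency penalty, thresholds and round counts are assumed values chosen for the demonstration; the probe results are constructed. With a one-second probe interval, three consecutive failing rounds would trip the swap well inside a ten-second budget.

```python
# Added example, not Zedmos code: composite health score with hysteresis
# between a primary and a backup peer. All tunables below are assumed values.
from typing import Dict, List, Optional, Tuple

Probe = Tuple[bool, Optional[float]]          # (reachable, rtt_ms)

WEIGHTS = {"icmp": 0.3, "http": 0.4, "dns": 0.3}  # assumed per-probe weights
RTT_FLOOR_MS = 200.0    # latency up to this costs nothing
RTT_SPAN_MS = 800.0     # penalty grows linearly over this span, capped at 50%
DOWN_THRESHOLD = 0.5    # score below this counts as a bad round
UP_THRESHOLD = 0.8      # score at or above this counts as a good round
DOWN_ROUNDS = 3         # consecutive bad rounds before failing over
UP_ROUNDS = 5           # consecutive good rounds before failing back


def composite_score(probes: Dict[str, Probe]) -> float:
    """Weighted sum of probe results; slow-but-reachable probes earn partial credit."""
    score = 0.0
    for name, weight in WEIGHTS.items():
        ok, rtt = probes.get(name, (False, None))
        if not ok:
            continue
        penalty = 0.0 if rtt is None or rtt <= RTT_FLOOR_MS else min(0.5, (rtt - RTT_FLOOR_MS) / RTT_SPAN_MS)
        score += weight * (1.0 - penalty)
    return round(score, 3)


class FailoverState:
    """Tracks which peer is active and applies asymmetric hysteresis."""

    def __init__(self, primary: str, backup: str) -> None:
        self.primary, self.backup = primary, backup
        self.active = primary
        self._bad = 0    # consecutive rounds below DOWN_THRESHOLD while on primary
        self._good = 0   # consecutive rounds at/above UP_THRESHOLD while on backup

    def observe(self, probes: Dict[str, Probe]) -> str:
        """Feed one probe round for the primary; return the active peer afterwards."""
        score = composite_score(probes)
        if self.active == self.primary:
            self._bad = self._bad + 1 if score < DOWN_THRESHOLD else 0
            if self._bad >= DOWN_ROUNDS:
                self.active, self._bad = self.backup, 0      # single assignment = atomic swap
        else:
            self._good = self._good + 1 if score >= UP_THRESHOLD else 0
            if self._good >= UP_ROUNDS:
                self.active, self._good = self.primary, 0
        return self.active


# Constructed probe rounds.
HEALTHY: Dict[str, Probe] = {"icmp": (True, 20.0), "http": (True, 40.0), "dns": (True, 10.0)}
DEAD: Dict[str, Probe] = {"icmp": (False, None), "http": (False, None), "dns": (False, None)}
SLOW_HTTP: Dict[str, Probe] = {"icmp": (True, 20.0), "http": (True, 600.0), "dns": (True, 10.0)}


def simulate(rounds: List[Dict[str, Probe]]) -> List[str]:
    """Run a sequence of probe rounds and return the active peer after each."""
    state = FailoverState("hub-primary", "hub-backup")
    return [state.observe(r) for r in rounds]


if __name__ == "__main__":
    # one lost round, then three in a row, then recovery
    seq = [HEALTHY, DEAD, HEALTHY, DEAD, DEAD, DEAD] + [HEALTHY] * 5
    print(simulate(seq))
```

Failing back needs more good rounds than failing over needed bad ones; that asymmetry is what stops a peer that is oscillating around the threshold from being swapped in and out on every round.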
Hot-Reload Control Plane (Platform · GA)

SIGHUP and UNIX-socket commands swap policies, feeds, and routes with zero packet loss.
Inline File Scanning (Security · GA)

Protocol-aware payload reassembly across web, mail, and file-sharing traffic with content-type inference and per-flow deduplication.
QUIC / DoT / DoH Control (Security · GA)

Block or downgrade encrypted bypass paths (QUIC, DoT, DoH) per policy. Stated effectiveness: 90% for QUIC, 85% for DoT.
Encrypted Overlay on the Fast Path (Routing · GA)

Kernel driver patched so encrypted overlay peers can join the same fast path. Opt-in on bare-metal deployments; standard SASE still defaults to the kernel socket path.
Unified Log Plane (Observability · GA)

Lock-free shared-memory ring into a dedicated writer daemon. File, syslog, SQLite, and Elasticsearch sinks today, with write-ahead log, circuit breaker, and adaptive sampling under load.
Hardware Acceleration (Platform · GA)

Intel 1/10 GbE multi-queue, NIC preflight, CPU affinity; 10× cache-miss reduction.