v0.1.0 — Built by Russian offensive-security engineers

Stop modern attacks.
Before they start.

SaiCore is a sovereign server-defense platform with 11 security layers, active deception, anti-ransomware and behavioral baseline — deployed in one terminal command.

  • 47 382 attacks blocked in the last 24 h
  • 1 284 servers defended
  • 183 921 IPs in the global blacklist
  • 99.97% control-plane uptime
11 defense layers

Every attack vector. Covered.

From SSH brute-force to fileless ransomware. Each layer is independently toggleable with safe-by-default modes.

🔐 SSH Anti-Brute

Detect >10 failed logins in 5 min from an IP → iptables DROP instantly. Exponential re-ban on recidivism.
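The rule above, written out as an added example that is not SaiCore's code: a sliding five-minute window per source IP over constructed sshd auth-log lines, a ban once the count exceeds 10, and a ban length that doubles on each repeat offence. The log-line parser and the 10-minute first ban are assumptions; the page gives neither.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

var failedLogin = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)`)
const (
	threshold = 10               // page: more than 10 failures...
	window    = 5 * time.Minute  // ...within 5 minutes from one IP
	baseBan   = 10 * time.Minute // first ban length is an assumption; the page gives no figure
)

type antiBrute struct {
	failures map[string][]time.Time // per-IP failure times still inside the sliding window
	bans     map[string]int         // per-IP count of previous bans (recidivism)
}

// observe feeds one auth-log line with its timestamp and reports the IP and ban
// length when the threshold is crossed; the caller would install the iptables DROP.
func (a *antiBrute) observe(ts time.Time, line string) (string, time.Duration, bool) {
	m := failedLogin.FindStringSubmatch(line) // constructed sshd line parser; SaiCore's is not shown
	if m == nil {
		return "", 0, false
	}
	ip, f := m[1], a.failures[m[1]]
	for len(f) > 0 && ts.Sub(f[0]) > window { // slide the window: forget failures older than 5 min
		f = f[1:]
	}
	if f = append(f, ts); len(f) <= threshold {
		a.failures[ip] = f
		return "", 0, false
	}
	delete(a.failures, ip)       // counter restarts after the ban
	ban := baseBan << a.bans[ip] // exponential re-ban on recidivism: 10m, 20m, 40m, ...
	a.bans[ip]++
	return ip, ban, true
}

func main() {
	a := &antiBrute{failures: map[string][]time.Time{}, bans: map[string]int{}}
	line := "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2" // constructed
	for i := 0; i < 11; i++ { // 11 failures ten seconds apart: the 11th crosses the threshold
		if ip, ban, fire := a.observe(time.Unix(1700000000+int64(i)*10, 0), line); fire {
			fmt.Printf("iptables DROP %s for %s\n", ip, ban)
		}
	}
}
```
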

🍯 Honeypot Ports

Listen on tempting ports (2222, 8088…). Any connection = permanent ban. Zero false positives.

🛡️ EDR-lite

Scan /proc every 60s for xmrig, kinsing, tsunami, cobaltstrike. Detect fileless deleted-exec technique.

📁 File Integrity Monitor

SHA-256 baseline of /etc/*, /usr/bin, /usr/sbin. Any tampering = alert. Catches rootkit hooks.

🌐 Outbound C2 Detector

Catch compromised PHP/script phoning home to C2, mining pools, IRC botnets, Tor. Enterprise-class outbound WAF — in the agent.

🎯 YARA Scanner

Signed Ed25519 rule-packs for webshells, miners, backdoors. Extensible with thousands of community rules.

🔥 WAF Edge-Proxy

OWASP CRS-lite with 130+ rules: SQLi, XSS, LFI/RCE, SSRF, Log4Shell, Spring4Shell, Ivanti, Citrix.

🔒 Zero-Trust SSH

SSH closed by default. On-demand grants via panel for a specific IP + TTL. Auto-revoke on expiry.

🎭 MIRAGE · unique

4-layer active deception: decoy users, bait SSH keys, canary files, fake Redis/MySQL listeners. Touch = 100% attack.

🔥 PHOENIX · unique

Anti-ransomware with multi-layer defense. Honey-files, entropy spike detection, SIGSTOP (kill -STOP) + network quarantine.

🧠 SENTINEL · unique

Self-learning per-process baseline. 24h training → catch anomalies without signatures. Without ML models.

🌍 Threat Intel Cache

Live blacklist from all SaiCore-defended servers. An IP banned elsewhere is already blocked on yours.

Flagship technology

The three features nobody else has.

Commercial EDRs cost $99/server/month. Falco needs YAML. Wazuh does file integrity. We do all of this — and three things that exist nowhere else in our segment.

01 · 🎭 MIRAGE

Active deception · 4 layers

Turn your server into a minefield. Attackers trip invisible wires long before they reach anything real.

  • L1 — decoy users (backup, jenkins, ansible) in /etc/passwd
  • L2 — bait SSH keys with canary markers
  • L3 — fake AWS credentials, wallet.dat files
  • L4 — Redis/MongoDB/MySQL port listeners

02 · 🔥 PHOENIX

Anti-ransomware · multi-layer

Equivalent to $99/server/month commercial EDR — delivered on-prem. Process whitelist protects tar, mysql, rsync, borg and 30+ other backup tools out of the box.

  • L1 — honey-files "!MUST_READ.docx" in every /home
  • L2 — inotify-based file-change watcher
  • L3 — Shannon-entropy spike detection
  • L4 — SIGSTOP + network quarantine + forensic snapshot
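Layer 3 above, as an added example that is not PHOENIX's code: Shannon entropy per file before and after a rewrite, flagging only a jump from structured content to ciphertext-like density. The thresholds are assumptions, and the second case shows why a file that was already dense (a compressed archive rewritten by one of the whitelisted backup tools) does not trip it.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"strings"
)

// shannonEntropy returns bits per byte: 0 for constant data, 8 for uniformly random bytes.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Thresholds are assumptions; the page gives no figures.
const (
	encryptedFloor = 7.5 // ciphertext sits close to the 8 bits/byte maximum
	minJump        = 2.0 // already-dense files (gz, jpg, backups) never jump this far
)

// entropySpike flags a rewrite that turned structured content into ciphertext-like bytes.
func entropySpike(before, after []byte) (hb, ha float64, spike bool) {
	hb, ha = shannonEntropy(before), shannonEntropy(after)
	return hb, ha, ha >= encryptedFloor && ha-hb >= minJump
}

func main() {
	doc := []byte(strings.Repeat("Quarterly report: revenue up 4%, costs flat.\n", 64)) // constructed plaintext
	enc, gz := make([]byte, len(doc)), make([]byte, len(doc))
	rnd := rand.New(rand.NewSource(1))
	rnd.Read(enc) // constructed stand-in for the ransomware's encrypted rewrite
	rnd.Read(gz)  // constructed stand-in for an already-compressed archive
	_, _, docSpike := entropySpike(doc, enc)
	_, _, gzSpike := entropySpike(gz, enc)
	fmt.Println("document rewritten:", docSpike, "archive rewritten:", gzSpike) // true false
}
```
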

03 · 🧠 SENTINEL

Behavioral baseline · self-learning

For 24 hours we learn every process's normal — memory, FDs, directories it touches, peers it calls, capabilities it uses. Then we catch anything new.

  • nginx suddenly execve() /bin/sh → 99 % webshell
  • mysql reads /etc/shadow → 99 % exploit
  • php-fpm dials :6667 → IRC botnet via RCE
  • No signatures. No ML. Just deviation.

Supply-chain security

One command. Cryptographically verified.

Every release is signed with a pinned Ed25519 key that ships inside the installer. No registry, no downgrade attacks, no surprise binaries.

Supported: Linux (x86_64, ARM64 incl. Baikal-M/S), Windows Server 2019+, macOS 12+.

  • Ed25519 manifest signature + SHA-256 per binary
  • systemd sandbox (strict, NoNewPrivileges, capability bound)
  • HMAC-SHA256 request signing with timestamp anti-replay
  • Air-gapped mode — zero contact with the outside world
  • Self-update with signature verification + rollback

version.json.sig — Ed25519 verification

    # pinned public key embedded in install.sh
    $ saicore-agent -show-pubkey
    PUBKEY=330a7df2290579255d1f99f23cb150547ae70f85b4ba3fd2aed53e9c94b8415f
    # all 5 platforms signed in one manifest
    $ saicore-agent -verify-update
    manifest sig verified
    linux-amd64 sha256 match
    linux-arm64 sha256 match
    darwin-arm64 sha256 match
    windows-amd64 sha256 match

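An added example, not the agent's code, of the verification the transcript above shows: the manifest (standing in for version.json) is checked against a pinned Ed25519 key, a release number that does not move forward is refused, and every binary is compared with its SHA-256 from the manifest. The manifest field names, the monotonic release counter and the freshly generated key pair are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type manifest struct {
	Release  int               `json:"release"`  // monotonic counter for the downgrade check (assumption)
	Binaries map[string]string `json:"binaries"` // platform -> SHA-256 hex of that binary
}

// verifyUpdate applies the page's three checks: pinned-key signature, no downgrade, per-binary SHA-256.
func verifyUpdate(pinned ed25519.PublicKey, mj, sig []byte, installed int, bins map[string][]byte) error {
	if !ed25519.Verify(pinned, mj, sig) {
		return fmt.Errorf("manifest signature does not verify against pinned key")
	}
	var m manifest
	if err := json.Unmarshal(mj, &m); err != nil {
		return err
	}
	if m.Release <= installed {
		return fmt.Errorf("downgrade refused: release %d -> %d", installed, m.Release)
	}
	for platform, blob := range bins {
		if m.Binaries[platform] != fmt.Sprintf("%x", sha256.Sum256(blob)) {
			return fmt.Errorf("%s sha256 mismatch", platform)
		}
	}
	return nil
}

// signManifest is the release-side step: hash every binary, marshal, sign with the release key.
func signManifest(priv ed25519.PrivateKey, release int, bins map[string][]byte) (mj, sig []byte) {
	m := manifest{Release: release, Binaries: map[string]string{}}
	for p, blob := range bins {
		m.Binaries[p] = fmt.Sprintf("%x", sha256.Sum256(blob))
	}
	mj, _ = json.Marshal(m)
	return mj, ed25519.Sign(priv, mj)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // a fresh key stands in for the pinned release key
	bins := map[string][]byte{"linux-amd64": []byte("constructed agent binary")}
	mj, sig := signManifest(priv, 2, bins)
	fmt.Println("update accepted:", verifyUpdate(pub, mj, sig, 1, bins) == nil)
}
```

Because the public key is pinned inside the installed agent, a compromised download host cannot produce a manifest that verifies; the guarantee is only as strong as the custody of the private signing key.
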
Side-by-side

Why teams pick SaiCore.

| Capability                    | SaiCore | CrowdStrike | Wazuh   | Falco   | Fail2ban |
|-------------------------------|---------|-------------|---------|---------|----------|
| SSH anti-brute-force          | Yes     | Yes         | Partial | No      | Yes      |
| EDR / process scanning        | Yes     | Yes         | Partial | Yes     | No       |
| File integrity monitoring     | Yes     | Yes         | Yes     | No      | No       |
| Built-in Web-App-Firewall     | Yes     | No          | No      | No      | No       |
| Active deception (canary)     | Yes     | Partial     | No      | No      | No       |
| Anti-ransomware behavioral    | Yes     | Yes         | No      | Partial | No       |
| Self-learning baseline        | Yes     | Yes         | No      | No      | No       |
| Signed supply-chain (Ed25519) | Yes     | Partial     | No      | No      | No       |
| Air-gapped install            | Yes     | No          | Yes     | Yes     | Yes      |
| Russian Software Registry     | Yes     | No          | No      | No      | No       |
| Zero YAML config              | Yes     | Yes         | No      | No      | Partial  |
| Starting price                | Free    | $99/srv/mo  | Free    | Free    | Free     |

Pricing

Start free. Scale when you need.

Every tier includes all 11 defense modules. Paid tiers add SLA, priority support, professional services.

Community: ₽0/forever
Self-hosted, permissive license. Ideal for homelabs, hobby projects, non-commercial use.
  • All 11 defense modules
  • Unlimited agents
  • Global threat-intel feed
  • Signed releases + YARA rules
  • Community support (GitHub/Telegram)
  • No SLA
Enterprise: custom pricing
For regulated industries, large fleets and custom integrations.
  • Everything in Pro
  • On-site deployment assistance
  • Custom YARA rules + Sigma
  • Compliance packages (PCI-DSS, 152-FZ)
  • Dedicated security engineer
  • SOC/SIEM integration (Syslog, CEF)
FAQ

Sharp questions, sharp answers.

How is SaiCore different from Fail2ban + ClamAV?
Fail2ban is a log parser. ClamAV is a signature scanner. Neither catches fileless attacks, zero-days, or lateral movement. SaiCore ships 11 layers including behavioral baseline and active deception — technologies that only enterprise-grade commercial EDRs deliver.

Will it break my production?
By default PHOENIX runs in monitor mode (alerts only, no kill). The process whitelist protects tar, gzip, mysqldump, pg_dump, rsync, borg, restic, git, systemd and 30+ others. You explicitly flip to enforce mode when ready.

Does it need internet?
Not after install. Air-gapped mode is first-class: copy the signed bundle to an internal HTTP server, point install.sh at it, and disable auto-update. All threat intel is optional.

What does the Ed25519-pinned supply chain actually buy me?
Even if our repo is compromised and every binary replaced, your agent refuses to install or self-update — the manifest signature won't verify against the public key baked into your existing agent. That's the supply-chain property SolarWinds didn't have.

Do you collect user data?
Only anonymous attack telemetry, and only if you opt in to the global threat-intel feed. No file contents, no credentials, no user data — ever. Self-hosted deployments send nothing.

Is SaiCore in the Russian Software Registry?
Application submitted April 2026. The same legal entity already has other products in the registry. Federal-law 44-FZ and 223-FZ procurement compatibility is incoming.

Outsmart attackers
before they outsmart you.

60-second deployment. 11 defense layers online. Free forever for self-hosted.
