Concepts
Tenant
An isolated workspace. Each database table with customer data has a tenant_id column; PostgreSQL Row Level Security ensures that queries only see rows from their own tenant.
Agent
Statically linked Rust binary (~12 MB) that runs on each monitored host. It collects metrics, tails logs, runs three anomaly models locally, and sends aggregated features upstream.
Hub
The Go control plane (api.monsys.ai). Stores metrics, manages agents, sends emergency tokens, and serves the dashboard API.
Emergency Action Token
Short-lived, Ed25519-signed capability that the hub issues to an agent to perform a specific action (network isolation, process killing, etc.). TTL ≤ 15 minutes, one-time use via nonce.
Honeypot Canary
Local file filled with fake credentials, watched by the agent through inotify. A single read event raises an immediate Critical alert and a Level 1 emergency response.
Process DNA
SHA-256 hash of each process binary, compared against a baseline; deviations trigger alerts.
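The Emergency Action Token entry above combines three checks: an Ed25519 signature, a TTL of at most 15 minutes, and a single-use nonce. The sketch below is an added example, not the hub's or agent's own code. The JSON claims layout, the names `Claims`, `Issue` and `Verifier`, the in-memory nonce set, and the sample values in `main` are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

type Claims struct { // assumed layout; the page defines no token format
	Action, Nonce   string
	Issued, Expires int64 // Unix seconds
}

func Issue(priv ed25519.PrivateKey, c Claims) (payload, sig []byte) {
	payload, _ = json.Marshal(c) // hub side: sign these exact bytes
	return payload, ed25519.Sign(priv, payload)
}

type Verifier struct { // agent side; Seen holds nonces already spent
	Pub  ed25519.PublicKey
	Seen map[string]bool
}

func (v *Verifier) Verify(payload, sig []byte, now int64) (c Claims, err error) {
	if !ed25519.Verify(v.Pub, payload, sig) { // authenticate before parsing
		return c, errors.New("bad signature")
	}
	if err = json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	switch {
	case c.Expires-c.Issued > 15*60: // TTL ceiling from the page, in seconds
		return c, errors.New("ttl above 15 minutes")
	case now < c.Issued || now >= c.Expires:
		return c, errors.New("outside validity window")
	case v.Seen[c.Nonce]:
		return c, errors.New("nonce already used")
	}
	v.Seen[c.Nonce] = true // spend the nonce only after every check passes
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	p, s := Issue(priv, Claims{"isolate-network", "n-1", 1000, 1300})
	v := &Verifier{pub, map[string]bool{}}
	fmt.Println(v.Verify(p, s, 1100)) // accepted
	fmt.Println(v.Verify(p, s, 1100)) // rejected: nonce already used
}
```

For the single-use guarantee to hold across an agent restart, the set of spent nonces has to survive the restart for at least the token's remaining lifetime. Entries can be dropped once their token has expired.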