Architecture

3 components, 1 database, 4-layer discovery.

Designed so a single IT manager can deploy and operate ShamashAi without a SaaS dependency. Air-gap installation supported. New vendor support comes through a connector — core code is never touched.

┌──────────────────────────────────────────────────────────┐
│                  CUSTOMER ENVIRONMENT                     │
│                                                           │
│  Fortinet · Sophos · Cisco · Mikrotik · AD · vCenter ·    │
│  M365 · SQL · NAS · Web · Mail · SNMP devices             │
│           │                                               │
│           │ syslog/REST/SNMP/WinRM/Graph API              │
│           ▼                                               │
│  ┌──────────────────────────────────────────┐             │
│  │  ShamashAi Agent (.NET 8 Windows Service)│             │
│  │  • 10 parallel connectors                │             │
│  │  • LiteDB store-and-forward queue        │             │
│  │  • 8 MB UDP buffer · 10K event channel   │             │
│  └──────────────────────────────────────────┘             │
└──────────────────────────────────────────────────────────┘
                       │
                       │ HTTPS · Bearer agent token
                       ▼
┌──────────────────────────────────────────────────────────┐
│                   SHAMASHAI CORE                          │
│                                                           │
│  Backend (Node.js Fastify · TS · ~150 endpoints)          │
│   ├─ Risk engine (deterministic multipliers)              │
│   ├─ Correlation (5-min sliding window)                   │
│   ├─ Threat intel (Tor + FireHOL + Spamhaus)              │
│   ├─ Behavioral baselines (24-bit hour bitmap)            │
│   ├─ SOAR (Fortigate addrgrp manipulation)                │
│   ├─ Compliance (ISO 27001 + KVKK evidence)               │
│   ├─ AI advisor (Claude · credentials never sent)         │
│   └─ License (Ed25519-signed JWT, local validate)         │
│                                                           │
│  Database: SQL Server (~25 tables, 4 indexes on events)   │
│  Web (Next.js 16 · React · ~40 pages · PWA-ready)         │
└──────────────────────────────────────────────────────────┘
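An added illustration (not ShamashAi's own code) of the "behavioral baselines (24-bit hour bitmap)" entry in the Core diagram above: one 24-bit integer per identity, bit h set when that identity was seen active in hour h, with live events in a clear-bit hour flagged as off-baseline. The learn/detect split, the UTC hour basis and the sample logins are assumptions for this example.

```typescript
// Added example, not ShamashAi code: per-identity 24-bit hour-of-day baseline.
// Bit h (0-23, UTC hour) is set once the identity has been seen active in hour h.
interface LoginEvent { user: string; ts: string; srcIp: string }
type Baselines = Map<string, number>;

function hourOf(ts: string): number {
  return new Date(ts).getUTCHours();
}

// Learn: OR each observed hour into the identity's bitmap (fits in 24 bits).
function learnBaselines(events: LoginEvent[]): Baselines {
  const b: Baselines = new Map();
  for (const e of events) {
    b.set(e.user, (b.get(e.user) ?? 0) | (1 << hourOf(e.ts)));
  }
  return b;
}

// Detect: events whose hour bit is clear in the learned bitmap.
// Identities with no baseline at all are flagged too (nothing to match against).
function findOffBaseline(b: Baselines, events: LoginEvent[]): LoginEvent[] {
  return events.filter(e => ((b.get(e.user) ?? 0) & (1 << hourOf(e.ts))) === 0);
}

// Render the bitmap as 24 characters, hour 0 first, for dashboards or evidence.
function bitmapToString(bits: number): string {
  let s = "";
  for (let h = 0; h < 24; h++) s += ((bits >> h) & 1) ? "#" : ".";
  return s;
}

// Constructed sample data: office-hours logins for "alice" during a learning window.
const learning: LoginEvent[] = [
  { user: "alice", ts: "2024-03-04T08:05:00Z", srcIp: "10.0.0.12" },
  { user: "alice", ts: "2024-03-04T13:40:00Z", srcIp: "10.0.0.12" },
  { user: "alice", ts: "2024-03-05T09:15:00Z", srcIp: "10.0.0.12" },
  { user: "alice", ts: "2024-03-06T17:55:00Z", srcIp: "10.0.0.12" },
];
// Constructed live events: one in-baseline login, one 03:00 login, one unknown user.
const live: LoginEvent[] = [
  { user: "alice", ts: "2024-03-11T09:02:00Z", srcIp: "10.0.0.12" },
  { user: "alice", ts: "2024-03-11T03:12:00Z", srcIp: "203.0.113.7" },
  { user: "bob",   ts: "2024-03-11T10:00:00Z", srcIp: "10.0.0.20" },
];

const baselines = learnBaselines(learning);
const alerts = findOffBaseline(baselines, live);
console.log(bitmapToString(baselines.get("alice") ?? 0)); // ........##...#...#......
console.log(alerts.map(a => `${a.user}@${a.ts}`));         // alice@03:12Z and bob
```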

Components & responsibilities

  • Backend — Node.js 20 + Fastify + TypeScript + Zod. ~150 REST endpoints. SQL Server via mssql driver. Helmet + CORS hardened.
  • Web — Next.js 16 + React 18 + Tailwind. ~40 pages, Service Worker for Web Push. Auto-refresh 30s.
  • Agent — .NET 8 Windows Service. 10 parallel connectors, LiteDB store-and-forward queue, Serilog rolling log, Bearer token auth.

4-layer discovery

  1. Survey — wizard inputs (sites, categories, anchor devices).
  2. Probe — vendor-agnostic fingerprint (port scan, HTTP/HTTPS/SSH/SNMP banners).
  3. Recognition — cache → pattern → AI fallback → manual.
  4. Adapter — vendor-specific plugin (.NET interface, hot-load from Connectors-custom/).

Sizing (100–500 devices)

  Component                  100–500 devices
  CPU                        4 vCPU
  RAM                        8 GB
  Disk (90-day retention)    ~50 GB
  SQL Server                 Standard or Express
  OS                         Windows Server 2019+
  EPS target                 500–2000 (vendor mix)

Deeper detail?

The Turkish architecture page goes into table schema, indexes, store-and-forward internals, and production hardening config.