Architecture
3 components, 1 database, 4-layer discovery.
Designed so a single IT manager can deploy and operate ShamashAi without a SaaS dependency. Air-gap installation supported. New vendor support comes through a connector — core code is never touched.
┌──────────────────────────────────────────────────────────┐
│  CUSTOMER ENVIRONMENT                                    │
│                                                          │
│  Fortinet · Sophos · Cisco · Mikrotik · AD · vCenter ·   │
│  M365 · SQL · NAS · Web · Mail · SNMP devices            │
│                    │                                     │
│                    │ syslog/REST/SNMP/WinRM/Graph API    │
│                    ▼                                     │
│  ┌──────────────────────────────────────────┐            │
│  │  ShamashAi Agent (.NET 8 Windows Service)│            │
│  │  • 10 parallel connectors                │            │
│  │  • LiteDB store-and-forward queue        │            │
│  │  • 8 MB UDP buffer · 10K event channel   │            │
│  └──────────────────────────────────────────┘            │
└──────────────────────────────────────────────────────────┘
                     │
                     │ HTTPS · Bearer agent token
                     ▼
┌──────────────────────────────────────────────────────────┐
│  SHAMASHAI CORE                                          │
│                                                          │
│  Backend (Node.js Fastify · TS · ~150 endpoints)         │
│  ├─ Risk engine (deterministic multipliers)              │
│  ├─ Correlation (5-min sliding window)                   │
│  ├─ Threat intel (Tor + FireHOL + Spamhaus)              │
│  ├─ Behavioral baselines (24-bit hour bitmap)            │
│  ├─ SOAR (Fortigate addrgrp manipulation)                │
│  ├─ Compliance (ISO 27001 + KVKK evidence)               │
│  ├─ AI advisor (Claude · credentials never sent)         │
│  └─ License (Ed25519-signed JWT, local validate)         │
│                                                          │
│  Database: SQL Server (~25 tables, 4 indexes on events)  │
│  Web (Next.js 16 · React · ~40 pages · PWA-ready)        │
└──────────────────────────────────────────────────────────┘
Components & responsibilities
- Backend — Node.js 20 + Fastify + TypeScript + Zod. ~150 REST endpoints. SQL Server via mssql driver. Helmet + CORS hardened.
- Web — Next.js 16 + React 18 + Tailwind. ~40 pages, Service Worker for Web Push. Auto-refresh 30s.
- Agent — .NET 8 Windows Service. 10 parallel connectors, LiteDB store-and-forward queue, Serilog rolling log, Bearer token auth.
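The diagram lists license checking as an Ed25519-signed JWT validated locally, which is what lets an air-gapped install verify its license with only the vendor's public key. A sketch of that check in Node.js, added here as an illustration and not ShamashAi's own code; the claim names (`iss`, `sub`, `maxDevices`, `exp`), the key pair and the token are constructed for the example.

```javascript
// Added example: offline validation of an Ed25519-signed (alg "EdDSA") license JWT.
// Claim names, issuer value and key pair are constructed, not taken from the product.
const crypto = require("node:crypto");

const b64u = (v) => Buffer.from(v).toString("base64url");

// Vendor side (constructed): sign the license claims with the Ed25519 private key.
function signLicense(claims, privateKey) {
  const head = b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT" }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign(null, Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

// Customer side: needs only the public key, so no network call is involved.
function validateLicense(token, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: the token header must not choose how it is verified.
  if (header?.alg !== "EdDSA") return { ok: false, reason: "bad-alg" };
  const sigBuf = Buffer.from(sig, "base64url");
  if (sigBuf.length !== 64) return { ok: false, reason: "bad-signature" };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify(null, signed, publicKey, sigBuf)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Claims are trusted only after the signature check has passed.
  if (typeof claims?.exp !== "number" || claims.exp <= nowSec) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

// Constructed demo data.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const NOW = 1700000000;
const token = signLicense(
  { iss: "license.example", sub: "customer-001", maxDevices: 500, exp: NOW + 86400 },
  privateKey
);
console.log(validateLicense(token, publicKey, NOW));
```

Because expiry is judged against the local clock, an air-gapped host with a wrong or rolled-back clock will misjudge `exp`; time sync on that host is part of the license control.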
4-layer discovery
- Survey — wizard inputs (sites, categories, anchor devices).
- Probe — vendor-agnostic fingerprint (port scan, HTTP/HTTPS/SSH/SNMP banners).
- Recognition — cache → pattern → AI fallback → manual.
- Adapter — vendor-specific plugin (.NET interface, hot-load from Connectors-custom/).
Sizing (100–500 devices)
| Component | 100–500 devices |
|---|---|
| CPU | 4 vCPU |
| RAM | 8 GB |
| Disk (90-day retention) | ~50 GB |
| SQL Server | Standard or Express |
| OS | Windows Server 2019+ |
| EPS target | 500–2000 (vendor mix) |
Deeper detail?
The Turkish architecture page goes into table schema, indexes, store-and-forward internals, and production hardening config.
