Amygdala

Detection becomes action, automatically.

When something gets flagged — a bot, a credential-stuffer, a known-bad fingerprint, a fresh threat-intel hit — Amygdala turns it into a block. Across every Linux host, Windows host, and sensor in your fleet. You write the rule once. Amygdala deploys it everywhere.

What Amygdala is for

  • Auto-respond to detections. A rule that says "if Cortex flags this fingerprint as a bot, block it for 24 hours" runs on every Synapse agent the moment you save it.
  • Fleet-wide policy. Push allow- and block-rules across thousands of hosts in milliseconds. Roll back in one click.
  • Layered scope. Block by IP, by IP + port, by ASN, by country, or by behavioural fingerprint (JA4+). Combine them.
  • Predictable precedence. Allow always wins over block. No mystery overrides, no environment-specific surprises.

How it fits with the rest of Gen0Sec

┌─────────────────┐         ┌──────────────┐
│   Cerebellum    │ ──────▶ │   Amygdala   │ ─── push block ───▶ every Synapse
│   (detection)   │  rule   │  (decision)  │ ─── push allow ───▶ every Cerebrum
└─────────────────┘         └──────────────┘

Amygdala is the enforcement layer of the Gen0Sec platform. Cerebellum decides what is malicious. Amygdala decides what to do about it — and makes sure it happens, everywhere, at the same time.

Use cases

  • Auto-block bot ASNs the moment they show up.
  • Approve a high-risk block in Slack before it ships, then push to the fleet.
  • Block by JA4+ fingerprint to stop a credential-stuffing tool, even when its IPs rotate.
  • Geo-restrict a region for a tenant without touching their infra.
  • Maintain a per-tenant allow-list that always wins over global blocks.
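
The layered scope and "allow always wins" precedence described above, together with the timed block and the per-tenant allow-list use case, as an added Python sketch (not Gen0Sec's code or rule format). The Rule/Conn schema, the AND-combination of selectors, the "no-match" result and every sample value are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                              # hypothetical schema, not Amygdala's
    action: str                          # "allow" or "block"
    cidr: Optional[str] = None           # selectors that are set are ANDed (assumption)
    port: Optional[int] = None
    asn: Optional[int] = None
    country: Optional[str] = None
    ja4: Optional[str] = None
    tenant: Optional[str] = None         # None = global rule
    expires_at: Optional[float] = None   # epoch seconds; None = no expiry

@dataclass(frozen=True)
class Conn:
    ip: str
    port: int
    asn: int
    country: str
    ja4: str
    tenant: str

def matches(rule: Rule, c: Conn, now: float) -> bool:
    selectors = (rule.cidr, rule.port, rule.asn, rule.country, rule.ja4)
    if all(s is None for s in selectors):
        return False                     # a rule with no selector must not match everything
    if rule.expires_at is not None and now >= rule.expires_at:
        return False                     # timed block has lapsed
    if rule.tenant is not None and rule.tenant != c.tenant:
        return False                     # tenant-scoped rule, other tenant's traffic
    if rule.cidr and ipaddress.ip_address(c.ip) not in ipaddress.ip_network(rule.cidr):
        return False
    pairs = ((rule.port, c.port), (rule.asn, c.asn), (rule.country, c.country), (rule.ja4, c.ja4))
    return all(want is None or want == got for want, got in pairs)

def decide(rules, c: Conn, now: float) -> str:
    hits = {r.action for r in rules if matches(r, c, now)}
    if "allow" in hits:                  # allow always wins over block
        return "allow"
    return "block" if "block" in hits else "no-match"

T0 = 1_700_000_000.0                     # constructed timestamp
RULES = [                                # constructed sample policy
    Rule("block", ja4="ja4-sample-stuffer", expires_at=T0 + 24 * 3600),
    Rule("block", asn=64500),
    Rule("block", cidr="198.51.100.7/32", port=22),
    Rule("allow", cidr="203.0.113.0/24", tenant="acme"),
]
```

Because an allow match overrides every block, a broad allow entry also exempts traffic that a fingerprint or ASN block would otherwise catch, so allow-list entries are worth keeping as narrow as the tenant's need.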

Next steps

  • Synapse — every Synapse agent ships Amygdala configured and ready
  • Hillock — the kernel-level enforcement layer Amygdala drives
  • Cerebellum — the detection brain that decides what Amygdala should block