Thalamus

Match known attacks, in microseconds.

Thalamus is the intrusion detection engine inside every Gen0Sec sensor and Synapse agent. It inspects traffic at wire speed, matches against a rule corpus you control, and emits structured alerts straight to Cerebellum or your SIEM.

What Thalamus is for

  • Bring your own rule feeds. Thalamus accepts Suricata-compatible signatures — community feeds, ET Open, ET Pro, your own custom rules.
  • Real-time alerts. Matches surface as structured events with full context, ready for correlation.
  • No sampling. Every packet is inspected — not a percentage, not a flow sample.
  • Protocol coverage. TCP, UDP, ICMP, plus application-layer inspection.

How it fits

Thalamus is the known-bad detector in the platform. Where Cortex catches new threats by behaviour, Thalamus catches the ones the security community has already written signatures for.

Use cases

  • Detect known C2 communication patterns across every site.
  • Subscribe to threat intel feeds and apply them everywhere instantly.
  • Flag protocol anomalies in real time, without per-host tuning.
  • Feed Cerebellum the signature hits so it can correlate with ML output and behavioural anomalies.
