Fenrir SOC · a P3 Consulting product

The SOC that never sleeps. An on-prem, sovereign AI security agent. For European SMBs that, under NIS2 and GDPR, cannot afford a false negative.

Nine real-time monitors, autonomous Tier-1 AI analyst, revertible autonomous response, integrated compliance. All running on a single Linux host — no data ever leaves your perimeter.

The problem

European SMBs are in the crosshairs.
NIS2 and GDPR don't forgive.

Three numbers that explain why a SOC is no longer optional for organizations under NIS2 (Directive (EU) 2022/2555) or GDPR.

  • €10M: Maximum NIS2 fine (NIS2 Directive, up to 2% of global annual turnover)
  • €20M: Maximum GDPR fine (GDPR Art. 83, up to 4% of global annual turnover)
  • 72h: Window to notify a data breach (GDPR Art. 33, to the supervisory authority, from detection)

The average SMB has no SOC. It relies on logs no one reads — until the day damage is done. Fenrir changes that equation without requiring a dedicated security team.

What Fenrir does

An agent that watches, investigates, acts
— and reverts itself.

Architecture

One Linux process.
Everything else is glue.

From log line to verdict in less than a second. From verdict to (revertible) action in one second more.

01 · 9 Monitors: real-time tail + periodic snapshotters
02 · Rule Engine: deterministic classification, no LLM
03 · AI Analyst: playbook + tool loop + structured verdict
04 · Responder: 5 revertible autonomous actions
05 · Audit + Alert: DB, dashboard, Telegram

PostgreSQL or SQLite. OpenRouter (cloud) or Ollama (local). Cloudflare Tunnel for exposure. No inbound ports required.

The modules

Nine integrated modules.
One intelligent agent.

  • Auth monitor (tail, real-time): SSH login, sudo, brute-force, user anomalies.
  • Honeypot monitor (tail, real-time): Hits on fake admin paths, scanners, exploit kits.
  • Fail2ban monitor (tail, real-time): Bans, unbans, repeat offenders tracked cross-jail.
  • Nginx monitor (tail, real-time): Suspicious patterns in production traffic.
  • UFW monitor (tail, real-time): Firewall drops, port scans, egress anomalies.
  • Kernel monitor (tail, real-time): USB, OOM, segfault, AppArmor denials.
  • Baseline drift (periodic, 10 min): Ports, services, users, setuid: new entries alerted.
  • Package monitor (tail, real-time): Install/upgrade/remove tracked for audit.
  • CVE feed (periodic, 6h): Pending security updates, prioritized by criticality.

Autonomous response · Sprint 2

Five revertible actions.
The analyst acts, you stay in control.

When the verdict is confirmed_threat with confidence ≥85%, the agent runs the suggested action. Every action is persisted with the metadata needed to undo it.

  • Kill process: SIGTERM 3s + SIGKILL fallback
  • File quarantine: mv + chmod 000 in isolated dir
  • Service stop: systemctl stop with whitelist
  • Network isolation: iptables egress block per IP
  • Package rollback: apt remove + reinstall on revert
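A sketch of how the gate and one revertible action fit together, as an added example that is not Fenrir's own code. It covers the verdict and confidence check, the OFF and dry-run defaults listed in this section, and the file quarantine with the metadata needed to undo it. All function names, record fields and the temporary file are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile

CONFIDENCE_GATE = 0.85  # threshold stated on the page


def decide(verdict, confidence, enabled=False, dry_run=True):
    """Return 'skip', 'dry_run' or 'execute' for a suggested action."""
    if not enabled:  # autonomous response defaults to OFF
        return "skip"
    if verdict != "confirmed_threat" or confidence < CONFIDENCE_GATE:
        return "skip"
    return "dry_run" if dry_run else "execute"


def quarantine(path, quarantine_dir):
    """Move a file into quarantine_dir, chmod 000, return the revert record."""
    record = {
        "action": "file_quarantine",
        "original_path": os.path.abspath(path),
        "original_mode": stat.S_IMODE(os.stat(path).st_mode),
        "quarantined_path": os.path.join(quarantine_dir, os.path.basename(path)),
    }
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    shutil.move(path, record["quarantined_path"])
    os.chmod(record["quarantined_path"], 0o000)
    return record  # caller persists this so the action can be undone later


def revert(record):
    """Undo a quarantine using only the persisted record."""
    if os.path.exists(record["original_path"]):
        raise FileExistsError("refusing to overwrite " + record["original_path"])
    os.chmod(record["quarantined_path"], record["original_mode"])
    shutil.move(record["quarantined_path"], record["original_path"])


def demo():
    """Constructed round trip on a temporary file; returns observed states."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "suspect.sh")
        open(target, "w").close()
        os.chmod(target, 0o750)
        rec = quarantine(target, os.path.join(tmp, "quarantine"))
        gone = not os.path.exists(target)
        locked = stat.S_IMODE(os.stat(rec["quarantined_path"]).st_mode) == 0
        revert(rec)
        return gone, locked, stat.S_IMODE(os.stat(target).st_mode)
```

The revert path refuses to overwrite a file that has reappeared at the original location, which is the case an operator should review by hand.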

  • Confidence gate: ≥85% LLM
  • Whitelist: 12 processes never targeted
  • Default: OFF + mandatory dry-run first week
  • Revert: Telegram inline + web UI + API

Investigation + Compliance

Every alert investigated.
Every control audited.

AI Investigation

When an event is HIGH or CRITICAL, an investigation kicks off. The analyst loads the playbook for that category, runs tools (shell, geoip, threat intel, log search) in a max-5-round loop, and produces a structured verdict.

Output: verdict, confidence, summary, IOC list, recommended actions, full transcript for audit.

Latency: 10-60s per investigation. API cost: €0.01-0.05 per investigation.

Integrated compliance

Daily automated audit against GDPR, NIS2, ISO 27001. Each control passes or fails with attached evidence (log, command, output).

GDPR Art. 33 workflow built in: 72h timer, escalation, DPO notification, PDF report generation for the supervisory authority.

NIS2 mapping: incident handling, notification, technical and organizational measures.

Sovereign by design

Your data stays inside your perimeter.
Always.

On-prem or sovereign cloud

Fenrir runs on your server (or your EU cloud). No centralized SaaS, no shared data lake, no vendor lock-in.

Source open: git clone, read every line, fix without calling the vendor.

Storage: your own PostgreSQL, configurable retention (default 90 days — GDPR Art. 5).

Privacy-preserving AI

When an alert is routed to a cloud LLM (OpenRouter), the PII anonymizer replaces every personal identifier with an opaque token before the prompt leaves your server.

The cloud model reasons about <PRIVATE_PERSON_1>. Real values are restored in the final report on your side.
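The token substitution described above, as an added example that is not Fenrir's anonymizer. It shows a reversible mapping that stays on the host, one stable token per value, and restoration on the way back. Only the `<PRIVATE_PERSON_1>` token shape comes from the page; the `EMAIL` token kind, the `known_persons` input and the sample text are assumptions.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TOKEN_RE = re.compile(r"<PRIVATE_[A-Z]+_\d+>")

# Constructed sample alert text (not real log data).
SAMPLE = (
    "sshd: Failed password for mrossi from 203.0.113.7 port 52110\n"
    "sudo: mrossi : COMMAND=/usr/bin/cat /etc/shadow\n"
    "postfix: reject from m.rossi@example.it\n"
)


class Pseudonymizer:
    """Reversible token map; the map itself stays on the local host."""

    def __init__(self, known_persons):
        # known_persons is an assumed input, e.g. local account names.
        self.known_persons = sorted(known_persons, key=len, reverse=True)
        self.forward, self.reverse, self.counters = {}, {}, {}

    def _token(self, kind, value):
        # One stable token per value, so the model can still correlate events.
        if value not in self.forward:
            self.counters[kind] = self.counters.get(kind, 0) + 1
            token = f"<PRIVATE_{kind}_{self.counters[kind]}>"
            self.forward[value], self.reverse[token] = token, value
        return self.forward[value]

    def anonymize(self, text):
        # Emails first, so an address is masked as a whole.
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        for name in self.known_persons:  # longest first: "Mario Rossi" before "Rossi"
            pat = re.compile(rf"(?<!\w){re.escape(name)}(?!\w)")
            text = pat.sub(lambda m: self._token("PERSON", m.group(0)), text)
        return text

    def restore(self, text):
        # Tokens missing from the map (e.g. invented by the model) stay as-is.
        return TOKEN_RE.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def round_trip(text, persons):
    """Return (prompt sent to the cloud, restored text) for inspection."""
    p = Pseudonymizer(persons)
    prompt = p.anonymize(text)
    return prompt, p.restore(prompt)
```

A list-based matcher only masks identifiers it already knows, so any name absent from `known_persons` passes through in clear text; that residual is what to test for before routing prompts off-host.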

Alternative: local Ollama (Qwen, Llama). Zero cloud traffic.

Pricing

Three tiers. Transparent.
No hidden upsells.

Per server, per month, VAT excluded. LLM API costs are at your expense (or use Ollama: zero cloud cost).

Standard

€49 /server/mo
For SMBs that want to be NIS2-ready without an enterprise budget.
  • 9 monitors + Qwen 3.5 AI analyst
  • Up to 10 servers
  • Live dashboard + Telegram alerts
  • GDPR / NIS2 / ISO 27001 compliance
  • Email support within 48h

Sovereign+

€199 /server/mo
For teams with NIS2 personal liability that cannot afford a false negative.
  • Everything in Premium, plus:
  • Claude Opus 4.7 AI analyst (audit-grade)
  • Unlimited servers
  • DPIA + audit pack drafted by P3 DPO
  • Direct phone within 4h

One-off setup fee: €1,500 Standard · €3,000 Premium · €5,000 Sovereign+. Covers installation, baseline, and playbook tuning.

Now

Ready to sleep at night? A demo takes 30 minutes. We show you the live dashboard of a real server, real attacks intercepted in the last 24h, the AI analyst investigating in real time.

Fenrir is a P3 Consulting product. HQ in Italy. Source on GitHub.