
Bastion SSE

AI-Native Security Service Edge

The first SSE platform where AI isn't bolted on — it's the foundation. Deep learning URL classification, AI-powered insider threat detection, and LLM-powered security operations go beyond the static rules that traditional SSE approaches still depend on.

ZTNA · SWG · CASB · DLP · FWaaS · UEBA · AI SOC

22 Microservices · 7 Network Zones · 5 AI/ML Models · 3 Cloud Zones
Architecture

End-to-End System Architecture

Every request flows through a unified policy + AI pipeline. No request touches the internet without authentication, authorization, content inspection, and behavioral scoring.

[Architecture diagram; only the node labels survive extraction]

Traffic sources: Internet Users (Remote / VPN) · Office Users (Branch / HQ) · Server Traffic (Datacenter)

Bastion SSE Gateway: Forward Proxy (L7 Data Plane) · Policy Engine (Rego-Based) · Identity Engine (OIDC / OAuth2) · DLP (PII Scanner)

AI / ML Intelligence Layer: URL Classifier (AI Classifier) · UEBA (Behavioral Analytics) · Anomaly Detector (Behavioral Z-Score) · Investigation Agent (Claude Agentic) · Security Assistant (LLM Tool-Use)

Control & Observability: Control Plane (FastAPI) · Prometheus (Metrics) · Grafana (Dashboards) · Loki (Log Aggregation) · OTEL Collector (Telemetry Pipeline)

Protected destinations: AWS VPC (Trading API, Payments) · GCP VPC (ML Platform, Data Lake) · Azure VNet (Compliance DB, HR Portal)
Request Flow

How Every Request Is Processed

Six enforcement points. Sub-second latency. Zero trust at every hop.

01 · TLS Inspection

The forward proxy terminates and inspects TLS. The TLS Inspector filter extracts SNI for policy decisions before decryption, enabling both encrypted and plaintext inspection modes.

02 · Identity Verification

The JWT Bearer token is extracted and validated. Identity provider-issued tokens carry user identity, group memberships (engineering, finance, executives, contractors), and realm roles (sse-user, sse-admin, unrestricted-web).

03 · Policy Evaluation

The policy engine ext_authz evaluates three Rego policy bundles: URL category filtering (gambling, adult, malware), contractor restrictions (LinkedIn, job boards), and time-based access controls (social media during business hours).

04 · Content Inspection

DLP ext_proc scans request bodies with Microsoft Presidio + custom financial recognizers. Detects SSNs, credit cards, SWIFT codes, ABA routing numbers. Blocks exfiltration to personal cloud storage.

05 · AI Classification

The AI classifier assigns each destination URL to one of 5 categories (benign, phishing, malware, C2, suspicious) with 99%+ accuracy. The UEBA behavioral analytics model scores the user's behavioral vector for insider threat signals.

06 · Observe & Respond

JSON access logs flow through the OTEL Collector to Loki. Prometheus scrapes all services. The anomaly detector ingests events in real time. If an event is anomalous, the Investigation Agent auto-triages it with Claude API tool-use.

Components

Every Service, Explained

22 microservices across 7 isolated network zones. Each purpose-built for a specific security function.

Data Plane

Forward Proxy

High-performance L7 forward proxy. Handles HTTP CONNECT tunneling for HTTPS, dynamic forward proxy for DNS resolution, and chains two external processors: the policy engine for authorization and DLP for content inspection. Produces JSON structured access logs with 15+ fields including policy decision metadata and upstream timing.

Policy Engine

Rego-based policy engine with gRPC ext_authz integration. Evaluates three policy bundles on every request: URL filter (5 blocked categories, 66 domains), access control (group-based unrestricted access, contractor restrictions, time-based social media blocks), and CASB shadow IT detection (sanctioned vs unsanctioned SaaS, tenant restriction headers for Google/Microsoft).
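The three bundles above are described in prose only; the following is an added example (not the project's Rego or its ext_authz integration) that models the same decision order in Python so the interaction between the bundles can be exercised on decoded JWT claims. The domain-to-category map, the business-hours window, the Keycloak-style claim layout (groups under `groups`, realm roles under `realm_access.roles`), the tenant placeholder values and the rule that the malware category is never bypassed are all assumptions of this example; the tenant restriction header names themselves are the ones Google Workspace and Microsoft 365 actually honour.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed domain -> category map: a tiny stand-in for the 66-domain trie.
CATEGORIES = {
    "bet365.com": "gambling",
    "adult-example.test": "adult",
    "malware-example.test": "malware",
    "facebook.com": "social_media",
    "linkedin.com": "job_boards",
    "indeed.com": "job_boards",
    "github.com": "sanctioned_saas",
    "slack.com": "sanctioned_saas",
    "notion.so": "unsanctioned_saas",
    "google.com": "collaboration",
    "login.microsoftonline.com": "collaboration",
}
# Three of the page's five blocked categories; the other two are not named there.
BLOCKED_CATEGORIES = {"gambling", "adult", "malware"}
BUSINESS_HOURS = (time(9, 0), time(17, 0))  # assumption: Mon-Fri, 09:00-17:00 local
# Tenant restriction headers: real header names, placeholder tenant values.
TENANT_HEADERS = {
    "google.com": {"X-GoogApps-Allowed-Domains": "corp.example"},
    "login.microsoftonline.com": {
        "Restrict-Access-To-Tenants": "corp.example",
        "Restrict-Access-Context": "00000000-0000-0000-0000-000000000000",
    },
}
WORK_TIME = datetime(2024, 6, 11, 11, 0)     # constructed: a Tuesday, late morning
EVENING_TIME = datetime(2024, 6, 11, 20, 0)  # constructed: same day, after hours


def longest_suffix(host: str, table: dict):
    """Longest-suffix lookup, the shape a reversed-label domain trie gives."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key
    return None


def categorize(host: str) -> str:
    key = longest_suffix(host, CATEGORIES)
    return CATEGORIES[key] if key else "uncategorized"


def in_business_hours(now: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return now.weekday() < 5 and start <= now.time() < end


def authorize(claims: dict, url: str, now: datetime) -> dict:
    """Shape of an ext_authz decision: allow (with headers to inject) or deny with
    the bundle and reason. `claims` is the decoded JWT; a Keycloak-style layout is
    assumed (groups under "groups", realm roles under realm_access.roles)."""
    host = (urlsplit(url).hostname or "").lower()
    category = categorize(host)
    groups = set(claims.get("groups", []))
    roles = set(claims.get("realm_access", {}).get("roles", []))
    tenant_key = longest_suffix(host, TENANT_HEADERS)
    decision = {
        "allow": True, "bundle": None, "reason": "default-allow", "category": category,
        "shadow_it": category == "unsanctioned_saas",  # CASB: flagged, not blocked
        "headers": dict(TENANT_HEADERS[tenant_key]) if tenant_key else {},  # CASB tenant restriction
    }

    def deny(bundle: str, reason: str) -> dict:
        decision.update(allow=False, bundle=bundle, reason=reason, headers={})
        return decision

    # access-control bundle: the contractor restriction is checked before any bypass role.
    if "/contractors" in groups and category == "job_boards":
        return deny("access-control", "contractors may not reach job boards")
    # Added safeguard (assumption, not stated on the page): malware is never bypassed.
    if category == "malware":
        return deny("url-filter", "malware destination")
    # access-control bundle: the unrestricted-web realm role skips the URL filter and time rules.
    if "unrestricted-web" in roles:
        decision.update(bundle="access-control", reason="unrestricted-web role")
        return decision
    # url-filter bundle
    if category in BLOCKED_CATEGORIES:
        return deny("url-filter", f"blocked category: {category}")
    # access-control bundle: time-based social media rule
    if category == "social_media" and in_business_hours(now):
        return deny("access-control", "social media blocked during business hours")
    return decision


if __name__ == "__main__":
    charlie = {"groups": ["/executives"], "realm_access": {"roles": ["sse-user", "unrestricted-web"]}}
    dave = {"groups": ["/contractors"], "realm_access": {"roles": ["sse-user"]}}
    print("charlie ->", authorize(charlie, "https://www.bet365.com/", WORK_TIME))
    print("dave    ->", authorize(dave, "https://www.linkedin.com/jobs", WORK_TIME))
```

Two ordering choices matter for the personas on this page: the contractor rule is evaluated before the `unrestricted-web` bypass, so a role claim cannot lift a group restriction, and tenant headers are only attached on an allow decision, so a denied request never carries them.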

Identity Engine

Enterprise identity provider with OIDC/OAuth2. Manages 5 demo personas across 5 groups with 3 custom realm roles. JWT tokens carry group memberships and role claims consumed by policy engine rules. Three OIDC clients: bastion-proxy (confidential, for the proxy), bastion-portal (public, for SPA), and bastion-control-plane (service account with realm-admin).

DLP Content Inspector

Microsoft Presidio-powered PII scanner with custom financial recognizers for SSN (XXX-XX-XXXX), credit card (Luhn-validated), SWIFT/BIC codes, ABA routing numbers, and account numbers. Uses spaCy en_core_web_lg NER model for person/organization detection. Scans request bodies and returns CONTINUE or IMMEDIATE_RESPONSE (403) with redacted snippets for audit.
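The recognizers named above (Luhn-validated cards, formatted SSNs, SWIFT/BIC codes, ABA routing numbers) are easy to get subtly wrong, so here is an added, self-contained example of the same checks written from scratch in Python; it is not the project's Presidio-based scanner and uses no NER model. The SSN format rules, the Luhn algorithm and the ABA checksum (3, 7, 1 weights) are standard; the personal-storage list, the country-code subset used to cut BIC false positives, the sample body and the rule that findings block only when the destination is personal storage are assumptions of this example.

```python
import re
from dataclasses import dataclass, asdict

# Assumption: destinations treated as personal cloud storage.
PERSONAL_STORAGE = {"dropbox.com", "box.com", "wetransfer.com"}
# Constructed subset of ISO country codes: an 8-letter uppercase word such as
# BUSINESS otherwise has the same shape as a BIC, so the country field is checked.
BIC_COUNTRIES = {"US", "GB", "DE", "FR", "CH", "JP", "SG"}

SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, spaces/dashes allowed
ABA_RE = re.compile(r"\b\d{9}\b")
BIC_RE = re.compile(r"\b([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?\b")

# Constructed sample body: every value below is made up for this example.
SAMPLE_BODY = ("Employee SSN 123-45-6789, card 4111 1111 1111 1111, "
               "wire to DEUTDEFF routing 111000025")


@dataclass
class Finding:
    entity: str
    start: int
    end: int
    redacted: str  # audit-safe snippet: only the last four characters survive


def redact(raw: str) -> str:
    return "*" * (len(raw) - 4) + raw[-4:]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing checksum: weights 3,7,1 repeated over nine digits, sum mod 10 == 0."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def scan(text: str) -> list:
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("US_SSN", m.start(), m.end(), redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("CREDIT_CARD", m.start(), m.end(), redact(digits)))
    for m in ABA_RE.finditer(text):
        if aba_ok(m.group()):
            findings.append(Finding("ABA_ROUTING", m.start(), m.end(), redact(m.group())))
    for m in BIC_RE.finditer(text):
        if m.group(2) in BIC_COUNTRIES:
            findings.append(Finding("SWIFT_CODE", m.start(), m.end(), redact(m.group())))
    return sorted(findings, key=lambda f: f.start)


def is_personal_storage(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PERSONAL_STORAGE)


def inspect(body: str, destination_host: str) -> dict:
    """ext_proc-style verdict: 403 when PII heads for personal storage, else CONTINUE
    with the findings attached for audit."""
    findings = [asdict(f) for f in scan(body)]
    if findings and is_personal_storage(destination_host):
        return {"action": "IMMEDIATE_RESPONSE", "status": 403, "findings": findings}
    return {"action": "CONTINUE", "findings": findings}


if __name__ == "__main__":
    print(inspect(SAMPLE_BODY, "www.dropbox.com"))
    print(inspect(SAMPLE_BODY, "github.com"))
```

The checksum validators are what keep the false-positive rate tolerable on financial text: nine-digit and sixteen-digit numbers are common in invoices and spreadsheets, and only the ones that pass the Luhn or ABA check are reported.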

URL Intelligence

Domain categorization service with a 66-domain trie across 15 categories (financial services, malware, phishing, social media, streaming, gaming, etc.). Provides risk scoring, WHOIS-based domain age analysis, and real-time threat feed integration points. Feeds classification data to policy engine decisions.

AI / ML Intelligence Layer

URL Classifier

Character-level AI classifier with a deep learning architecture. Dual-input design: character embeddings (128-symbol vocabulary, 32-dim embeddings) pass through convolutional layers (64→128 channels) with global max pooling, and the result is concatenated with 12 hand-crafted URL features (Shannon entropy, TLD risk, digit ratio, suspicious keywords). Classifies into 5 categories with 99%+ accuracy on phishing, malware, and C2. Trains on 10,000 synthetic URLs in about 45 seconds.
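The dual-input idea above (a character sequence for the convolutional branch plus hand-crafted features) can be shown without a deep learning framework by building the two inputs themselves. The following is an added example, not the project's feature extractor or model: the four named features (Shannon entropy, TLD risk, digit ratio, suspicious keywords) are implemented as described, the other eight features filling out the 12 are this example's assumptions, and the keyword list, TLD risk weights and sequence length are constructed.

```python
import math
import re
from urllib.parse import urlsplit

VOCAB_SIZE = 128   # page: 128-symbol character vocabulary; ASCII code is the id, 0 pads
MAX_LEN = 200      # assumption: fixed sequence length fed to the conv branch
# Constructed tables: illustrative keyword list and TLD risk weights, not the project's.
SUSPICIOUS_KEYWORDS = ("login", "verify", "secure", "update", "account", "signin", "bank", "wallet")
TLD_RISK = {"com": 0.1, "org": 0.1, "net": 0.2, "io": 0.2, "top": 0.8, "xyz": 0.8, "zip": 0.9, "tk": 0.9}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def url_features(url: str) -> dict:
    """The hand-crafted feature branch: 12 structural features of the URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    lowered = url.lower()
    length = max(len(url), 1)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        # the four features the page names
        "host_entropy": round(shannon_entropy(host), 4),
        "tld_risk": TLD_RISK.get(tld, 0.5),           # unknown TLDs get a neutral weight
        "digit_ratio": round(sum(ch.isdigit() for ch in url) / length, 4),
        "suspicious_keywords": sum(lowered.count(k) for k in SUSPICIOUS_KEYWORDS),
        # eight assumed features to complete the 12-feature vector
        "url_length": len(url),
        "subdomain_count": max(host.count(".") - 1, 0),
        "hyphen_count": host.count("-"),
        "path_depth": path.count("/"),
        "ip_host": int(bool(IPV4_RE.match(host))),
        "has_at_sign": int("@" in url),
        "special_char_ratio": round(sum(not ch.isalnum() for ch in url) / length, 4),
        "is_https": int(parts.scheme == "https"),
    }


def char_ids(url: str) -> list:
    """Character branch input: one id per character, truncated or zero-padded to MAX_LEN."""
    ids = [ord(ch) if ord(ch) < VOCAB_SIZE else 0 for ch in url[:MAX_LEN]]
    return ids + [0] * (MAX_LEN - len(ids))


def encode(url: str) -> dict:
    """Both model inputs for one URL, as the dual-input classifier would receive them."""
    return {"features": url_features(url), "chars": char_ids(url)}


if __name__ == "__main__":
    sample = "http://secure-login-verify.example-bank.top/account/update.php?id=1234"  # constructed
    print(encode(sample)["features"])
```

Structure-based features like these are what let a classifier flag a never-seen phishing host: a newly registered look-alike domain has no signature, but its keyword density, hyphen count and risky TLD are visible on the first request.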

UEBA Behavioral Analytics

Model for User and Entity Behavior Analytics (UEBA). Learns a compressed representation of normal user behavior across 10 features: hourly request volume, unique domains, upload/download bytes, request intervals, off-hours ratio, blocked request ratio, new domain ratio, geo diversity, and protocol distribution. High reconstruction error indicates anomalous behavior. Alice (normal): score 0.14, risk=low. Dave (insider threat): score 1.0, risk=critical.

Anomaly Detector

Real-time behavioral analysis engine. Ingests access log events, maintains per-user rolling baselines, and detects four anomaly categories: domain entropy spikes (many unseen domains), volume spikes (more than 3 standard deviations above the user's baseline), off-hours traffic, and data exfiltration patterns. Feeds anomalies to the Investigation Agent for automated triage.
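The four anomaly categories above, together with the JSON access-log ingestion mentioned under step 06, are shown here as an added Python example run over constructed log lines; it is not the project's anomaly detector. The log field names (`ts`, `user`, `host`, `bytes_sent`, `decision`), the thresholds, the off-hours window, the personal-storage list and the two personas' traffic are all assumptions of this example; the page's own rule of more than 3 standard deviations is the one threshold taken from the text.

```python
import json
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds and the off-hours window are assumptions for this example.
Z_THRESHOLD = 3.0          # page: volume spikes beyond 3 standard deviations
NEW_DOMAIN_RATIO = 0.5     # more than half of this hour's domains never seen before
OFF_HOURS = (22, 6)        # 22:00 to 06:00 local
EXFIL_BYTES = 5_000_000    # bytes uploaded to personal storage within one hour
PERSONAL_STORAGE = {"dropbox.com", "box.com", "wetransfer.com"}
MIN_HISTORY = 6            # hourly buckets needed before z-scores are trusted


def parse_line(line: str) -> dict:
    """Parse one JSON access-log line (constructed field names: ts, user, host, bytes_sent)."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_off_hours(ts: datetime) -> bool:
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def domain_entropy(domains) -> float:
    """Shannon entropy (bits) of the hour's domain distribution."""
    total = sum(domains.values())
    return -sum(c / total * math.log2(c / total) for c in domains.values())


class AnomalyDetector:
    """Per-user rolling baselines over completed hourly buckets."""

    def __init__(self):
        self.hourly_counts = defaultdict(list)  # user -> request count per past hour
        self.known_domains = defaultdict(set)   # user -> domains seen in past hours

    def evaluate_hour(self, user: str, events: list) -> list:
        """Score one user's events for a single hour, then fold them into the baseline."""
        count = len(events)
        domains = Counter(e["host"] for e in events)
        history = self.hourly_counts[user]
        known = self.known_domains[user]
        anomalies = []

        # 1. Volume spike: z-score of this hour's count against the user's own history.
        if len(history) >= MIN_HISTORY:
            mean, stdev = statistics.fmean(history), statistics.pstdev(history)
            z = (count - mean) / stdev if stdev else (math.inf if count > mean else 0.0)
            if z > Z_THRESHOLD:
                anomalies.append({"type": "volume_spike", "z": round(z, 1), "count": count})

        # 2. Domain entropy spike: many domains this user has never visited before.
        unseen = sum(1 for d in domains if d not in known)
        if known and domains and unseen / len(domains) > NEW_DOMAIN_RATIO:
            anomalies.append({"type": "domain_entropy_spike", "unseen": unseen,
                              "entropy_bits": round(domain_entropy(domains), 2)})

        # 3. Off-hours traffic.
        off_hours = sum(1 for e in events if is_off_hours(e["ts"]))
        if off_hours:
            anomalies.append({"type": "off_hours_traffic", "requests": off_hours})

        # 4. Exfiltration pattern: bulk upload to personal cloud storage.
        uploaded = sum(e["bytes_sent"] for e in events if e["host"] in PERSONAL_STORAGE)
        if uploaded > EXFIL_BYTES:
            anomalies.append({"type": "exfiltration", "bytes_sent": uploaded})

        history.append(count)   # the baseline is updated only after scoring
        known.update(domains)
        return anomalies


def make_lines(user: str, start: datetime, hosts: list, n: int, bytes_sent: int = 0) -> list:
    """Constructed JSON access-log lines: n requests spread evenly over one hour."""
    step = timedelta(seconds=3600 / n)
    return [json.dumps({"ts": (start + i * step).isoformat(), "user": user,
                        "host": hosts[i % len(hosts)], "bytes_sent": bytes_sent,
                        "decision": "allow"}) for i in range(n)]


def run_demo() -> dict:
    """Alice keeps a normal pattern; Dave bursts at 02:00 to unseen hosts and uploads to Dropbox."""
    det = AnomalyDetector()
    quiet = ["github.com", "stackoverflow.com", "docs.python.org"]
    for user in ("alice", "dave"):
        for hour, n in enumerate([38, 42, 40, 45, 37, 41]):   # six daytime baseline hours
            lines = make_lines(user, datetime(2024, 6, 11, 9 + hour), quiet, n)
            det.evaluate_hour(user, [parse_line(l) for l in lines])
    alice_lines = make_lines("alice", datetime(2024, 6, 11, 15), quiet, 40)
    unseen_hosts = [f"host{i}.example" for i in range(50)]
    dave_lines = (make_lines("dave", datetime(2024, 6, 12, 2), unseen_hosts, 350)
                  + make_lines("dave", datetime(2024, 6, 12, 2), ["dropbox.com"], 50, bytes_sent=120_000))
    return {"alice": det.evaluate_hour("alice", [parse_line(l) for l in alice_lines]),
            "dave": det.evaluate_hour("dave", [parse_line(l) for l in dave_lines])}


if __name__ == "__main__":
    for user, anomalies in run_demo().items():
        print(user, anomalies or "baseline")
```

Two details carry the weight here: the baseline is updated only after the hour is scored, so an attacker's burst cannot teach the detector that bursts are normal within the same window, and the z-score is withheld until `MIN_HISTORY` buckets exist, which avoids alerting on a brand-new user whose history is a single hour.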

Investigation Agent

Autonomous incident triage powered by the Claude API with tool-use. When anomalies trigger, the agent correlates data from the anomaly detector, DLP findings, UEBA scores, URL classifier results, and policy violations. It generates structured incident reports with severity, timeline, affected data, compliance impact (PCI-DSS, SOX, GLBA), and prioritized remediation actions. The agentic loop is capped at 10 iterations.

Security Assistant

LLM-powered chat interface for security operations. Natural language queries like “What anomalies were detected in the last hour?” or “Block all uploads to personal cloud storage” trigger tool-use calls to monitoring APIs and policy generators. System prompt includes SSE architecture context, active policies, current alert state, and financial services compliance requirements.

Control Plane & Observability

Control Plane (FastAPI)

Central management API. CRUD for URL-filter policies with push-to-policy-engine sync. User management via identity provider Admin API. Dashboard aggregation from proxy stats, policy engine metrics, anomaly detector, and DLP. AI chat endpoint routes to the LLM service. Policy generator converts natural language to Rego rules. Prometheus metrics on all API endpoints.

Admin Portal (React)

Single-page application built with React 18, Vite, and Tailwind CSS. Nginx reverse proxy with API routing to control plane (/api/) and anomaly detector (/anomalies/). Pages: Dashboard, URL Unblock Requests, Browsing History, Certificate Management, PAC File Configuration, AI Security Assistant, Compliance Monitor, and Network Topology Map.

Observability Stack

Prometheus scrapes 4 targets (proxy, policy engine, control plane, URL intelligence) at 15s intervals. Grafana (v11.3) provides dashboards with Prometheus + Loki datasources. Loki aggregates structured JSON logs with 31-day retention and TSDB indexing. OTEL Collector receives OTLP gRPC/HTTP, processes with batching and memory limiting, exports metrics to Prometheus and logs to Loki.

Live Demo

Five Personas, Five Stories

Each persona drives a specific SSE capability through realistic enterprise scenarios.

👩‍💻 Alice · Engineer · /engineering

Normal browsing. GitHub, Stack Overflow, docs. Everything allowed. Establishes the behavioral baseline.

📊 Bob · Finance Analyst · /finance

Uploads spreadsheet with SSNs to Dropbox. DLP catches PII, blocks the exfiltration, generates compliance alert.

👔 Charlie · Executive · /executives

Unrestricted access. Visits bet365, social media during work hours. Proves role-based policy bypass works.

🔧 Dave · Contractor · /contractors

Restricted access. Blocked from LinkedIn/job boards. High-volume off-hours requests trigger UEBA anomaly (score 1.0, critical).

🛡️ Admin · SecOps · /security-ops

Full admin access. Uses AI Security Assistant to investigate incidents and generate new policies from natural language.

Why AI Changes Everything

Bastion vs. Legacy SSE

Legacy SSE platforms use static signature databases. We use neural networks that learn.

Capability: URL Classification
  • Legacy SSE: Static database, manual category updates
  • Bastion SSE: AI classifier learns URL patterns. Detects zero-day phishing by structure, not signatures.

Capability: Insider Threat
  • Legacy SSE: Rule-based thresholds
  • Bastion SSE: Behavioral analytics model learns normal behavior. Reconstruction error detects novel threats without predefined rules.

Capability: Incident Response
  • Legacy SSE: Alert queue for human analysts
  • Bastion SSE: Agentic LLM auto-triages: correlates anomaly + DLP + UEBA + policy data, generates incident report with remediation.

Capability: Policy Management
  • Legacy SSE: Click-through GUI
  • Bastion SSE: Natural language: "Block all uploads to personal cloud storage" → Rego policy → pushed to the policy engine in seconds.

Capability: DLP
  • Legacy SSE: Regex patterns
  • Bastion SSE: Presidio NER + custom financial recognizers + LLM context analysis for ambiguous findings.

Capability: SOC Assistant
  • Legacy SSE: None
  • Bastion SSE: Claude-powered security assistant with tool-use. Queries live metrics, explains policy decisions, recommends actions.

Enterprise Deployment

Deploying at Scale: JPMC Reference Architecture

Three deployment models for a Tier-1 financial institution with 300,000+ employees across 60 countries.

1. On-Premises Deployment

For regulated workloads that cannot leave the corporate perimeter. Trading floors, core banking, PCI Zone 1.

Data Centers

  • Primary DC (Jersey City) + DR (Dallas) with active-active proxy clusters
  • Kubernetes (OpenShift) with dedicated node pools per service tier
  • Hardware HSM integration for TLS certificate management
  • Air-gapped policy bundle distribution via internal artifact registry

Network Integration

  • PAC file distribution via Group Policy for 300K+ desktops
  • Explicit proxy (port 10000) or transparent intercept via WCCP on Cisco routers
  • SAML/OIDC federation with JPMC's existing Active Directory via the identity engine
  • Splunk forwarding from OTEL Collector for SIEM integration

AI/ML Considerations

  • GPU nodes (NVIDIA A100) for URL classifier and UEBA training
  • Model registry (MLflow) for versioned model deployment
  • Claude API via AWS Bedrock PrivateLink (no public internet)
  • Federated learning across DCs without centralizing training data

2. Multi-Cloud Deployment

For cloud-native workloads across AWS, GCP, and Azure. JPMC runs 12,000+ apps across three clouds.

AWS (Primary Cloud)

  • EKS clusters in us-east-1 (Virginia) + eu-west-1 (Ireland)
  • Data plane proxy on AWS App Mesh or standalone NLB fronting
  • RDS PostgreSQL Multi-AZ for the identity engine
  • Bedrock for Claude API (PrivateLink, no egress)
  • S3 for policy bundle distribution + model artifacts

GCP (ML/Data)

  • GKE Autopilot in us-central1
  • Vertex AI for model training pipelines
  • BigQuery for log analytics at petabyte scale
  • Cloud Interconnect to on-prem DCs
  • Traffic Director for global load balancing

Azure (Compliance)

  • AKS in East US + UK South for EU data residency
  • Azure AD B2C federation with the identity engine
  • Azure Sentinel integration via OTEL Collector
  • ExpressRoute to JPMC MPLS backbone
  • Key Vault for secrets + cert management

Cross-Cloud Mesh

The data plane service mesh spans all three clouds via mTLS. Policies are centrally managed and distributed as signed bundles. The control plane runs in the primary cloud (AWS) with read replicas in GCP and Azure. Anomaly detector aggregates telemetry from all regions. Global Anycast DNS routes users to the nearest SSE PoP.

3. SaaS Application Protection

For securing access to third-party SaaS: Microsoft 365, Salesforce, Workday, ServiceNow, Bloomberg Terminal.

Inline CASB (Forward Proxy)

  • All SaaS traffic routes through the Bastion forward proxy
  • Tenant restriction headers injected for Microsoft 365 and Google Workspace
  • Shadow IT detection: flag unsanctioned SaaS (Notion, Airtable, Trello) vs sanctioned (Slack, GitHub, Jira)
  • Upload blocking to personal storage (Dropbox, Box, WeTransfer)
  • DLP scanning on all POST/PUT to SaaS endpoints

API-Based CASB (Out-of-Band)

  • API connectors to Microsoft Graph, Salesforce REST, ServiceNow APIs
  • Retroactive DLP scan of files already in cloud storage
  • Sharing policy enforcement (revoke public links, external sharing)
  • OAuth token management and app consent monitoring
  • UEBA scores feed into SaaS access decisions (step-up auth for anomalous users)

Bloomberg Terminal & Trading Platforms

Financial-specific SaaS requires special handling. Bastion supports protocol-aware inspection for Bloomberg B-PIPE, Reuters Eikon, and FIX protocol trading connections. DLP policies are tuned for financial data types: CUSIP, ISIN, SEDOL identifiers, trade blotters, and material non-public information (MNPI) patterns. The Investigation Agent auto-escalates potential MNPI leaks to compliance.

JPMC Global Deployment Topology

[Topology diagram; only the node labels survive extraction]

User locations: Trading Floor (Jersey City) · London Office (Canary Wharf) · Remote Users (Global VPN) · Asia-Pacific (Singapore/Tokyo) · Mobile Users (BYOD)

SSE PoPs, each running Proxy, Policy, DLP and AI Stack: US East · EU West · APAC

Shared services: Control Plane (AWS us-east-1) · Model Registry (GCP Vertex AI) · Compliance Logs (Azure UK South) · SIEM (Splunk, On-Prem DC)

Technology

Built on Proven Technology

No vendor lock-in. Every component is replaceable. Standards-based protocols throughout.

  • Forward Proxy · L7 · Data Plane
  • Policy Engine · Rego · Policy
  • Identity Engine · OIDC · Identity
  • AI Engine · Deep Learning · AI/ML
  • FastAPI · v0.115 · APIs
  • DLP Engine · NER · DLP
  • Prometheus · v2.54 · Metrics
  • Grafana · v11.3 · Dashboards
  • Loki · v3.0 · Logs
  • OpenTelemetry · v0.96 · Telemetry
  • React · v18.3 · Portal
  • PostgreSQL · v16 · Database

Live Demo

Try It Now

All 22 services are running. Connect to any endpoint below.

Admin Portal

React SPA with dashboard, AI assistant, compliance monitoring

http://localhost:13001

Grafana Dashboards

Metrics and logs visualization (admin / admin)

http://localhost:3002

Identity Admin

Identity management console (admin / admin)

http://localhost:18080/admin

Control Plane API

FastAPI interactive documentation (Swagger UI)

http://localhost:8088/docs

Forward Proxy

Forward proxy endpoint (requires JWT Bearer token)

http://localhost:10000

Prometheus

Metrics queries and target health status

http://localhost:19090

Ready to See It Live?

Every claim on this page is backed by running code. 22 services, 7 network zones, 5 AI models, 5 user personas. Ask me to demo any scenario.

Built by Raghu Mudumbai, CCIE #4251 · 25 years in network security · netcausal.ai