Hadron Firehose · v1.0 · live

Every packet.
Every network.
One WebSocket.

Signal Fabric is the real-time intelligence layer of Streaming Defense. Build security, observability, and response apps against a single enriched flow firehose — no collectors per network, no queues to operate, no log lag.

Connect to sandbox Read the schema →

fields per record: 154
median enrich: <2 ms
transport: WSS

live · sample frame

record_unique_id

{
  "event_time": "2026-05-08T18:42:11Z",
  "organization": "acme-prod",
  "probe_name": "edge-fra-01",
  "source_ip": "185.220.101.45",
  "destination_ip": "10.4.7.221",
  "source_ip_country": "DE",
  "destination_port": 443,
  "application_protocol": "TLS",
  "tls_ja4_fingerprint": "t13d1516h2_8daa…",
  "tip_hit": 1,
  "tip_best_type": "c2",
  "tip_best_value": "malware-c2.xyz",
  "tip_hit_max_severity_bp": 9200,
  "risk_severity": "critical",
  "record_unique_id": "01HZK…F7Q"
}

fig.00 — single framefull schema · 17 groups

FLOW104.21.34.18→10.4.7.221TLS/443DE→USrisk 012TIPmalware-c2.xyz→10.4.7.221DNS/53RU→USrisk 092FLOW10.0.0.14→172.217.16.46QUIC/443US→USrisk 004JA4t13d1516h2_8daaf6152771_b186095e22b6→—TLS—risk 071FLOW192.168.1.10→151.101.1.69TCP/443US→USrisk 008DETexfil.heuristic→10.4.7.221—USrisk 088FLOW10.0.0.22→20.81.111.85TLS/443US→IErisk 021TIPphish-kit.top→10.4.7.99HTTPSBG→USrisk 084FLOW104.21.34.18→10.4.7.221TLS/443DE→USrisk 012TIPmalware-c2.xyz→10.4.7.221DNS/53RU→USrisk 092FLOW10.0.0.14→172.217.16.46QUIC/443US→USrisk 004JA4t13d1516h2_8daaf6152771_b186095e22b6→—TLS—risk 071FLOW192.168.1.10→151.101.1.69TCP/443US→USrisk 008DETexfil.heuristic→10.4.7.221—USrisk 088FLOW10.0.0.22→20.81.111.85TLS/443US→IErisk 021TIPphish-kit.top→10.4.7.99HTTPSBG→USrisk 084

01 — Why Signal Fabric

Stop building plumbing.
Start building products.

Three things teams stop running the day they connect to the fabric. One thing they finally get.

No collectors per network

Streaming Defense probes capture flow at the network. You connect once, downstream — over a single WebSocket — to consume signal from all of them.

No message queue to operate

Skip Kafka, Kinesis, NATS, RabbitMQ. The fabric is the queue. Reconnect, replay, and back-pressure are handled at the edge.

No waiting on log files

Firewall logs arrive minutes late, parsed by a vendor. Hadron emits enriched flow records in real time, before damage compounds.

Enriched at source

Each record carries geo, ASN, nDPI category, TLS/JA4 fingerprints, and TIP matches across IPs, domains, and JA4s — already normalized.

02 — Architecture

Probes ingest. Hadron enriches. Your app consumes.

One persistent WebSocket carries control frames, threat detections, allowlist acknowledgements, and the full Hadron flow record.

INGEST

Probes capture flow at the network edge.

ENRICH

Geo, ASN, nDPI, JA3/JA4, TIP matches.

ROUTE

Frames distinguished by type and action.

NORMALIZE

Stable fields, stable IDs, stable contracts.

03 — Quickstart

Connect in nine lines. Route in five.

A WebSocket. A frame router. The full enriched record. That is the contract.

ts · firehose client

wss://

import WebSocket from "ws";

const ws = new WebSocket("wss://sdaot.globalthreatintel.com/ws/aot/", {
  headers: { Authorization: `Bearer ${process.env.SIGNAL_FABRIC_TOKEN}` },
});

ws.on("message", (raw) => {
  const frame = JSON.parse(raw.toString());

  // 1. Control plane
  if (frame.type === "performanceMetrics") return;
  if (frame.action === "threatStream" && frame.type === "detection") {
    return onDetection(frame.detection, frame.summary);
  }
  if (frame.action === "allowlist.result") return onAllowlistAck(frame);

  // 2. Flow records — full Hadron schema
  if (frame.tip_hit && frame.tip_hit_max_severity_bp > 7000) {
    console.log("[high]", frame.source_ip, "→", frame.destination_ip,
                frame.tip_best_type, frame.tip_best_value);
  }
});

Endpoint

wss://sdaot.globalthreatintel.com/ws/aot/

Heartbeat

2,000 ms check · 5,000 ms reconnect

Frame router

type · action · default flow record

Uniqueness

record_unique_id

Get sandbox token →

The intelligence layer security stacks depend on

Build your first app this afternoon.

Sandbox keys are free for developers. Connect, route, render. Most teams have a live map, a TIP feed, or a JA4 anomaly board running in under an hour.