// OFA Security Architecture · Stack v4 · 2026

Defence-in-Depth, Instrumented at Every Layer

The OFA platform enforces a six-layer security stack: DNS sinkholing at query time, reverse-proxy WAF matching against OWASP rules enriched with IOC reputation, automated firewall block-rule injection via WCF on 166+ platforms, real-time AI prompt inspection, continuous external attack surface scanning, and E2E-encrypted incident comms — all driven by a single threat feed refreshed in <200ms across 220M+ live IOCs.

ofa-core · intelligence pipeline · live
# OFA Intelligence Pipeline — real-time enforcement log

[CTI-FEED ] IOCs=220,847,331  last_sync=0.14s  members=291
[FEED-AGG ] new: 185.220.101.xx  CS=847  TTL=86400s
             MITRE=T1071.001  (Application Layer C2 over HTTP)
             sector_profile=finance,healthcare
[WCF-PUSH ] BLOCK 185.220.101.xx  → 166 enforcement nodes
             protocol=OFA-WCF/2  enforced_in=28s
[DNS-SINK ] query=malware-c2.ru  action=NXDOMAIN
             crime_score=982  latency=3.2ms  transport=DoH
[WAF-BLOCK] pattern=UNION SELECT NULL--  rule=OWASP-942100
             src=45.128.xx.xx  CS=761  → HTTP 403  t=0.8ms
[AI-GW   ] prompt_injection: pattern=system_override_attempt
             model=claude-3-sonnet  pii_leak=none  → BLOCKED
[AQUILAX ] CVE-2024-3094 in liblzma@5.6.0  severity=CRITICAL
             ofa_enriched: actively exploited in wild  age=2d
12 Products · 6 Security Layers · 290+ Alliance Members · 220M+ Live IOCs · <30s Detect → Block · <200ms Feed Sync · 166+ FW Platforms
[Architecture diagram: Internet / Threat / Attacker → Layer 1: Secure DNS → Layer 2: WAF (Web App Firewall) → Layer 3: WCF Agent → Layer 4: OneDevice Firewall → AI Layer: AI Gateway → Protected Internal Network]

Every layer is continuously fed by the OFA Cyber Threat Intelligence core. Threats blocked at Layer 1 never reach Layer 2. Threats stopped at Layer 2 never reach your servers.


CTI Platform — The Shared Control Plane

Every enforcement decision across all six layers reads from the same data source: the OFA CTI feed. This is not a static threat list — it is a continuously updated graph of 220M+ indicators, each carrying a Crime Score (0–1000), MITRE ATT&CK technique tag, sector targeting weight, sighting recency, and contributor confidence rating. When any layer encounters a source IP, domain, URL, or file hash, it issues a synchronous lookup against this graph before permitting or blocking the interaction. The feed sync latency is <200ms — so even an IOC reported by a member in Singapore reaches a firewall in London before the typical TCP handshake completes its second round trip.

01 · OFA CTI · Intelligence · Core
Cyber Threat Intelligence (CTI)

The CTI aggregation pipeline ingests raw sightings from 290+ member SOC centres, runs a three-phase deduplication pass (exact-hash dedup → near-duplicate clustering → temporal campaign correlation), and writes normalised IOC records into the graph. Each record carries: IPv4/IPv6, FQDN, URL, or SHA-256/MD5 hash; a Crime Score; MITRE ATT&CK technique(s) with sub-technique; sector targeting profile (finance, healthcare, energy, …); and a confidence weight derived from how many independent members reported the same indicator.

220M+ Active IOCs · <200ms Feed Sync · Crime Score 0–1000 · STIX 2.1 / TAXII 2.1 · MITRE ATT&CK mapped · IPv4 · IPv6 · FQDN · URL · Hash
  • Crime Score formula: CS = 0.35·F + 0.25·R + 0.20·S + 0.20·M, where F = log-normalised sighting frequency, R = recency decay (exp(−λt), λ = 0.02/hr), S = sector severity multiplier, M = MITRE technique severity weight.
  • Zero data exfiltration — member agents submit SHA-256 hashes of observed IOCs, never raw packet captures or flow data. Hashes are irreversible; original traffic never leaves the member perimeter.
  • Delivery protocols — STIX 2.1 bundles via TAXII 2.1 server (pull or push), REST API with per-endpoint rate-limit tiers, direct WCF-native binary sync (lowest latency path), and SIEM webhook integrations.
  • IOC lifecycle — each indicator has a configurable TTL (default 86400s). Expired indicators are automatically retracted from all downstream enforcement layers.
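The Crime Score formula and the IOC lifecycle rules above, worked through in Python as an added illustration (not OFA code). The weights, the decay rate, the default TTL and the default layer thresholds (DNS 500, WAF 700) are taken from this page; the normalisation of each component to [0, 1] with a ×1000 scaling, the sighting ceiling and the sector / MITRE severity tables are assumptions made for the example.

```python
"""Crime Score and IOC lifecycle as described for the OFA CTI feed.

Added illustration, not OFA code.  ASSUMPTIONS: each of F, R, S, M is
normalised to [0, 1] before weighting and the weighted sum is scaled by
1000 to give the stated 0-1000 range; FREQ_CEILING and the two severity
tables are constructed for the example.
"""
import math
from dataclasses import dataclass
from typing import Iterable

WEIGHTS = {"F": 0.35, "R": 0.25, "S": 0.20, "M": 0.20}  # weights from the page
LAMBDA_PER_HOUR = 0.02        # recency decay rate from the page
DEFAULT_TTL_S = 86400         # default indicator TTL from the page
LAYER_THRESHOLDS = {"dns": 500, "waf": 700}   # default CS thresholds from the page
FREQ_CEILING = 1000           # ASSUMPTION: sighting count at which F saturates

# ASSUMPTION: constructed severity tables; the real weights are not published.
SECTOR_SEVERITY = {"finance": 1.0, "healthcare": 0.9, "energy": 0.9}
MITRE_SEVERITY = {"T1071.001": 0.8, "T1566.001": 0.6}

def sighting_frequency(count: int) -> float:
    """F: log-normalised sighting frequency, clamped to [0, 1]."""
    if count <= 0:
        return 0.0
    return min(1.0, math.log1p(count) / math.log1p(FREQ_CEILING))

def recency(hours_since_last_sighting: float) -> float:
    """R: exponential decay exp(-lambda * t) with lambda = 0.02 per hour."""
    return math.exp(-LAMBDA_PER_HOUR * hours_since_last_sighting)

def crime_score(count: int, hours_since: float,
                sectors: Iterable[str], techniques: Iterable[str]) -> int:
    """CS = 0.35*F + 0.25*R + 0.20*S + 0.20*M, scaled to 0-1000 (assumption)."""
    f = sighting_frequency(count)
    r = recency(hours_since)
    s = max((SECTOR_SEVERITY.get(x, 0.5) for x in sectors), default=0.5)
    m = max((MITRE_SEVERITY.get(t, 0.5) for t in techniques), default=0.5)
    raw = WEIGHTS["F"] * f + WEIGHTS["R"] * r + WEIGHTS["S"] * s + WEIGHTS["M"] * m
    return round(raw * 1000)

@dataclass
class Indicator:
    value: str
    ingested_at: float            # epoch seconds when the IOC entered the graph
    ttl_s: int = DEFAULT_TTL_S

def should_retract(ind: Indicator, cs: int, now: float, threshold: int) -> bool:
    """Rules are retracted on TTL expiry or when CS drops below the threshold."""
    return now >= ind.ingested_at + ind.ttl_s or cs < threshold

def layer_action(cs: int) -> dict:
    """Default decision at each layer for a given score (page thresholds)."""
    return {layer: ("block" if cs >= thr else "allow")
            for layer, thr in LAYER_THRESHOLDS.items()}
```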
02 · WCF Agent · Intelligence · Enforcement
WCF Agent — Watchdog & Control Framework

The WCF Agent is a stateless enforcement daemon (~12 MB binary or Docker image) that opens a persistent TLS 1.3 connection to the OFA Core feed endpoint. On startup it downloads the full IOC block-list snapshot; thereafter it receives incremental delta updates via a long-poll webhook. For each new or retracted IOC, the agent translates the OFA-native record into the vendor-specific CLI/API format for the attached platform and pushes the rule natively — no intermediate script, no manual intervention. End-to-end latency from IOC ingestion at the OFA Core to active block rule on the firewall is consistently under 30 seconds.

<30s IOC→Block rule · 166+ firewall platforms · 0 bytes raw traffic sent · TLS 1.3 feed connection · Delta sync · TTL auto-retract
  • Platform translation layer — native API calls for Check Point (SmartConsole API), Fortinet (FortiOS REST API), Palo Alto (PAN-OS XML API), Cisco (ASDM/FMC REST), Forcepoint (SMC API), pfSense (pfSense REST), and 160+ more. No shell-script wrappers.
  • Rule lifecycle — each rule carries the IOC TTL from the feed. Expired rules are auto-retracted via the same native API path. Crime Score drops below threshold also trigger retraction.
  • Audit log — every push, retraction, and error is written to a structured JSON log with IOC ID, Crime Score, platform response code, and timestamp. Exportable for SIEM ingestion or compliance evidence.
  • SecureXL acceleration — on Check Point platforms with SecureXL enabled, OFA block rules are installed directly into the acceleration path for kernel-level packet drop without firewall policy evaluation overhead.

Perimeter Defense — Four Stacked Layers

Each layer applies a different enforcement mechanism and operates on a different protocol level, so the failure mode of one layer is not shared by the next. L1 (DNS) operates at the resolver level before TCP is established. L2 (WAF) operates at HTTP/HTTPS after TLS termination. L3 (WCF) operates at the IP/port level via the native firewall engine. L4 (OneDevice) is the hardware-enforcement backstop. All four pull Crime Score data from the same OFA feed update cycle.

L1 · OFA Secure DNS · Perimeter · Layer 1
OFA Secure DNS — Stop Threats Before They Resolve

OFA Secure DNS is a recursive resolver cluster that intercepts every DNS query and performs a Crime Score lookup on the queried FQDN before resolving it. If the domain is on the Alliance blocklist (Crime Score ≥ configured threshold, default 500), the resolver returns NXDOMAIN immediately — the TCP connection is never established, malware never receives its C2 IP, and no payload is downloaded. The blocklist is a live in-memory data structure updated via the OFA feed delta stream; propagation from a new sighting to active blocking is typically <3 seconds.

  • Protocol support — DNS-over-HTTPS (DoH, RFC 8484), DNS-over-TLS (DoT, RFC 7858), plain UDP/53 (for legacy infrastructure). DNSSEC validation (RFC 4035) on all paths.
  • Blocklist coverage — C2 domains, DGA families, malware distribution hosts, phishing kit domains, typosquats flagged by the Alliance. Updated continuously from the OFA IOC graph, not on a batch schedule.
  • Sinkhole logging — every NXDOMAIN response is logged with FQDN, Crime Score, MITRE technique, and client subnet (anonymised) for SIEM forwarding. Allows detection of infected hosts still trying to call home.
  • Query latency — <5ms p99 at resolver. Zero query logging by default (privacy-by-design); logging can be enabled per-deployment for threat hunting.
  • Threshold tuning — Crime Score threshold for NXDOMAIN is configurable per deployment. High-security environments can lower to CS≥300; standard mode uses CS≥500.
  • Deployment modes — primary resolver, secondary resolver alongside existing DNS, or transparent DNS proxy (intercept port 53). No client agent required.
L2 · WAF · Perimeter · Layer 2
Web Application Firewall — Protect Every Public Surface

The OFA WAF is a reverse-proxy deployed in front of HTTP/HTTPS origins. Every inbound request is processed through two sequential inspection phases before being forwarded: Phase 1 is a Crime Score reputation check on the source IP against the OFA graph — if CS ≥ 700 (configurable), the connection is rejected with HTTP 403 before any application rule evaluation. Phase 2 runs the full ModSecurity Core Rule Set (CRS v4) with OFA-specific rule extensions: virtual-patch rules generated from CVEs flagged as actively-exploited in the feed, and custom SSRF/request-smuggling rules. Added inspection latency is consistently <1ms at the p99 under production load.

  • Rule engine — ModSecurity CRS v4 with OFA extensions. Covers OWASP Top 10: SQLi (CRS-942xxx), XSS (CRS-941xxx), SSRF (CRS-934xxx), path traversal (CRS-930xxx), RCE (CRS-932xxx), protocol enforcement (CRS-920xxx).
  • IOC pre-filter — Phase 1 reputation block drops high-CS sources before CRS evaluation. Reduces rule engine load by 15–40% in typical attack scenarios (measured).
  • Virtual patching — OFA generates targeted WAF rules for CVEs marked actively-exploited in the feed. Rule pushes to running WAF instances typically within 4 hours of CVE publication.
  • TLS & mTLS — TLS 1.2 minimum (1.3 preferred), certificate management automated, mutual TLS for zero-trust back-end connections to origin.
  • Rate limiting — per-IP, per-session, and per-endpoint rate limits. Configurable burst windows. Credential-stuffing detection via failed-auth count thresholds.
  • Per-request audit log — structured JSON: source IP, CS, matched rule ID, response code, upstream latency. Forward to any SIEM via syslog/Kafka/webhook.
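The two-phase inspection described above, as an added Python illustration (not the OFA WAF and not ModSecurity): Phase 1 rejects a high-CS source with 403 before any rule runs, Phase 2 evaluates rules over the URL-decoded request, and each decision yields the audit fields listed above. The reputation table, the three simplified patterns and the sample requests are constructed; the rule IDs borrow the CRS numbering cited on the page.

```python
"""Two-phase WAF inspection: Phase 1 reputation pre-filter (CS >= 700 ->
HTTP 403 before rule evaluation), Phase 2 rule matching on the decoded
request.  Added illustration, not the OFA WAF or ModSecurity CRS.  The
reputation table and the toy rule patterns below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

REPUTATION_BLOCK_CS = 700   # Phase 1 threshold (default from the page)

# ASSUMPTION: constructed reputation lookup standing in for the OFA graph.
CRIME_SCORE = {"45.128.0.10": 761, "203.0.113.5": 120}

# ASSUMPTION: toy stand-ins for CRS rule families; real CRS rules are far
# broader and run after full request normalisation.
RULES: List[Tuple[str, re.Pattern]] = [
    ("OWASP-942100", re.compile(r"\bUNION\b.{0,40}?\bSELECT\b", re.I | re.S)),  # SQLi
    ("OWASP-941100", re.compile(r"<\s*script\b", re.I)),                         # XSS
    ("OWASP-930100", re.compile(r"\.\.[\\/]")),                                  # traversal
]

@dataclass
class Request:
    src_ip: str
    path: str
    query: str = ""
    body: str = ""

@dataclass
class Decision:
    status: int                 # HTTP status returned to the client
    phase: int                  # 0 = forwarded, 1 = reputation block, 2 = rule match
    cs: int
    rule_id: Optional[str] = None

def lookup_cs(ip: str) -> int:
    return CRIME_SCORE.get(ip, 0)

def inspect(req: Request) -> Decision:
    cs = lookup_cs(req.src_ip)
    # Phase 1: reputation pre-filter; the rule engine never sees this request.
    if cs >= REPUTATION_BLOCK_CS:
        return Decision(403, 1, cs)
    # Phase 2: rule evaluation over URL-decoded path, query string and body.
    for surface in (req.path, req.query, req.body):
        decoded = unquote_plus(surface)
        for rule_id, pattern in RULES:
            if pattern.search(decoded):
                return Decision(403, 2, cs, rule_id)
    return Decision(200, 0, cs)

def audit_record(req: Request, d: Decision) -> dict:
    """Fields of the per-request structured audit log named on the page."""
    return {"src": req.src_ip, "cs": d.cs, "rule": d.rule_id, "status": d.status}

def phase1_offload(requests: List[Request]) -> float:
    """Share of requests dropped in Phase 1, i.e. never run through the rules."""
    decisions = [inspect(r) for r in requests]
    return sum(d.phase == 1 for d in decisions) / len(decisions) if decisions else 0.0
```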
L3 · WCF Agent · Perimeter · Layer 3
WCF Agent on Your Firewall

Your existing firewall is instantly upgraded. The WCF Agent sits alongside it, pushing live OFA block rules into native enforcement — no manual playbook, no ticket queue. Detection to enforcement in under 30 seconds on 166+ platform types.

  • Supports Check Point, Fortinet, Palo Alto, Cisco, Forcepoint, pfSense and 160+ more
  • Automated rule lifecycle: block, age-out, re-evaluate
  • Full REST API for SOAR orchestration
  • SecureXL hardware-accelerated blocking supported
L4 · OneDevice Firewall · Perimeter · Layer 4
OneDevice Firewall

For organisations that want Alliance-grade protection without managing a software agent, OneDevice is a purpose-built hardware firewall pre-loaded with the full OFA intelligence stack. Unbox it, connect it to the Alliance, and start blocking on day one — zero configuration required.

  • Pre-loaded WCF Agent — zero configuration on day one
  • 10 Gbps throughput | HA pair support | 1U rack-mount
  • OTA intelligence updates direct from OFA Core
  • 12-month Alliance membership included on purchase

AI & Cloud Security — Runtime and Build-Time

LLM adoption introduces two distinct attack surfaces that traditional perimeter tools cannot address. At runtime, malicious prompts attempt to override model instructions, exfiltrate context, or cause the model to emit harmful content. At build-time, code, containers, cloud configurations, and API schemas contain vulnerabilities that are often exploited before they are patched. OFA addresses both layers: AI Gateway handles the runtime path; AquilaX handles the build-time scan.

05 · AI Gateway · AI & Cloud · Runtime
AI Gateway

AI Gateway acts as an HTTP reverse proxy with two inspection passes per request-response cycle. The inbound pass (prompt → model) runs a classifier for prompt injection patterns (direct override, indirect injection, jailbreak templates, system-prompt extraction attempts) and an OFA IOC scan on any URLs embedded in the prompt. The outbound pass (model → client) runs a PII scanner (names, emails, card numbers, API keys via regex + NER), a secrets detector (RSA/EC private key patterns, bearer tokens, AWS credential formats), and a second IOC scan on URLs in the response body. Both passes complete in <5ms added latency at p99.

<5ms p99 latency · Inbound + outbound inspection · Prompt injection classifier · PII + secrets scan on responses · OFA IOC scan on URLs
  • Prompt injection patterns — direct instruction override ("Ignore previous instructions…"), indirect injection via tool outputs, jailbreak templates (DAN, base64 encoding, role-play frames), system-prompt extraction probes.
  • Response scanning — PII entities (GDPR categories), API key formats (OpenAI, AWS, GCP, GitHub), private key PEM blocks, bearer token patterns, internal hostname/IP leakage.
  • Per-request risk score — every transaction receives an aggregate risk score. Configurable actions: allow / warn / redact / block. Full audit log with model name, token count, matched pattern, action taken.
  • Model support — OpenAI (GPT-4/4o), Anthropic (Claude 3/4), Mistral, Google Gemini, Meta Llama (self-hosted), any OpenAI-compatible API endpoint. No SDK changes required.
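The inbound and outbound passes described above, as an added Python illustration (not the OFA AI Gateway): pattern matching on the prompt, a regex secrets/PII pass on the response, an IOC check on embedded URLs, and an aggregate risk score mapped to allow / warn / redact / block. The patterns, their weights, the action thresholds and the IOC table are constructed for the example; the NER stage the page mentions is not modelled.

```python
"""Two-pass AI Gateway inspection: inbound (prompt-injection patterns, IOC
check on URLs) and outbound (PII/secrets, IOC check on URLs), each mapped
to allow / warn / redact / block.  Added illustration, not the OFA product;
patterns, weights, thresholds and the IOC table are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

IOC_BLOCK_CS = 500                       # page's default DNS-layer threshold, reused
IOC_CS = {"malware-c2.ru": 982}          # ASSUMPTION: constructed IOC lookup
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# ASSUMPTION: simplified stand-ins for the classifier; (pattern, risk weight).
INBOUND = {
    "system_override_attempt": (
        re.compile(r"ignore (all |any )?(previous|prior) instructions", re.I), 80),
    "system_prompt_extraction": (
        re.compile(r"(reveal|print|repeat) (your|the) system prompt", re.I), 50),
}
OUTBOUND = {
    "private_key_pem": (re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"), 90),
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 80),
    "bearer_token": (re.compile(r"\bBearer [A-Za-z0-9._~+/-]{20,}=*"), 70),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), 30),
}

@dataclass
class Verdict:
    risk: int
    action: str
    matched: List[str] = field(default_factory=list)
    text: str = ""                       # content after any redaction

def action_for(risk: int, can_redact: bool) -> str:
    # ASSUMPTION: constructed thresholds for the page's four actions.
    if risk >= 80:
        return "block"
    if risk >= 50:
        return "redact" if can_redact else "block"
    return "warn" if risk >= 20 else "allow"

def scan(text: str, patterns: dict, can_redact: bool) -> Verdict:
    risk, matched = 0, []
    for name, (pat, weight) in patterns.items():
        if pat.search(text):
            matched.append(name)
            risk += weight
    for host in URL_HOST.findall(text):          # IOC scan on embedded URLs
        if IOC_CS.get(host.lower(), 0) >= IOC_BLOCK_CS:
            matched.append(f"ioc_url:{host.lower()}")
            risk += 100
    risk = min(risk, 100)
    action = action_for(risk, can_redact)
    if action == "redact":                       # mask matches, forward the rest
        for name in matched:
            if name in patterns:
                text = patterns[name][0].sub(f"[REDACTED:{name}]", text)
    return Verdict(risk, action, matched, text)

def inbound(prompt: str) -> Verdict:
    return scan(prompt, INBOUND, can_redact=False)

def outbound(response: str) -> Verdict:
    return scan(response, OUTBOUND, can_redact=True)
```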
06 · AquilaX · AI & Cloud · Build-Time
AquilaX Security

AquilaX is an AI-powered security scanning platform that analyses source code, containers, APIs, and cloud configurations for vulnerabilities. OFA threat intelligence enriches every finding — so you always know which vulnerabilities are actively being exploited in the wild right now, and which can wait.

Code + Cloud + API · SARIF Output · CI/CD Pipeline Ready · OFA Threat-Enriched
  • SAST across 20+ languages — static analysis catches vulnerabilities before code ships.
  • Container image scanning with CVE correlation against the OFA actively-exploited feed.
  • Cloud misconfiguration detection across AWS, GCP, and Azure — IAM, storage, network, and more.
  • AI-generated remediation advice with code examples. No security expertise required to act on findings.

Vulnix0 — External Attack Surface Management

Vulnix0 answers the question attackers already know the answer to: what services are you exposing to the internet right now, and which of those have known-exploitable CVEs? It runs a continuous discovery and scanning loop — not a once-a-quarter pen test, but daily automated reconnaissance on your full external footprint. Every CVE finding is cross-referenced against the OFA feed to determine whether that vulnerability is being actively weaponised in the wild at this moment.

07 · Vulnix0 · Tools · EASM
Vulnix0 — Continuous External Attack Surface Management
  • Asset discovery pipeline — passive DNS enumeration, certificate transparency log (CT) monitoring (crt.sh, Google CT), subdomain brute-force via curated wordlists, WHOIS/RDAP pivot, ASN-range sweep. Finds assets not in any CMDB.
  • Service fingerprinting — TCP SYN scan + banner grab on all 65535 ports (configurable). HTTP/HTTPS service detection, TLS cert inspection (expiry, CN, SANs), software version extraction via banner matching and HTTP headers.
  • CVE correlation — detected software versions mapped to NVD CVE database. Each CVE is then cross-referenced against the OFA actively-exploited IOC feed to derive an exploitability score: CVSS severity × OFA sighting rate × days-since-publication.
  • OFA enrichment — assets whose IP or domain appears in the OFA feed (e.g., as a C2 destination) are flagged immediately regardless of CVE status. Indicates active attacker interest in that specific address.
  • Delta reporting — each daily scan produces a JSON diff against the previous baseline: new_assets, new_vulns, remediated, drift (version changed). Machine-readable for SIEM ingestion; human-readable PDF for compliance evidence.
  • Scan cadence — full discovery sweep daily; high-priority asset targeted scans every 6 hours. No agent required on target systems.

Extending Protection Beyond the Office

People work everywhere now. Remote workers, field teams, and SOC analysts on call all need access to protected resources and real-time threat visibility. Three products extend the Alliance perimeter to wherever your people are — without compromising security for convenience.

08 · ClosedVPN · Access · VPN
ClosedVPN

A zero-trust encrypted VPN built for security-conscious teams. All tunnel exit destinations are cross-checked against the OFA intelligence feed before connection — so even the VPN itself won't route traffic toward known-malicious infrastructure.

  • WireGuard protocol — maximum speed, minimal attack surface
  • OFA exit node vetting before tunnel open
  • Kill switch | Split tunnelling | No-log policy
  • iOS & Android | MDM deployment support
09 · OFA Mobile · Access · Mobile
OFA Mobile

The Alliance in your pocket. Live threat feed, Crime Score lookups, push alerts for critical IOC events, and an at-a-glance view of perimeter enforcement activity — all from iOS or Android. Built for the SOC analyst who is never far from a screen.

  • Live IOC feed with Crime Score filter
  • Instant lookup — any IP, domain, or hash
  • Push alerts for high-severity events
  • Biometric auth | Dark SOC mode
10 · Secure Channel · Access · Comms
Secure Channel

A dedicated encrypted communication channel for incident response teams and Alliance members. When a critical threat is active, your team needs to coordinate securely — no third-party servers, no metadata retention, purpose-built for the sensitive coordination that happens during live incidents.

  • End-to-end encrypted — no plaintext in transit
  • No central server stores content or metadata
  • Group channels for multi-team IR coordination
  • Self-destructing messages for sensitive intel

Free Security Tools

Not every security check requires a full deployment. OFA provides a growing library of free, no-sign-up tools that give any security professional instant access to Alliance intelligence for ad-hoc lookups, IOC validation, and exposure checks.

11 · Tools · Community
Free Security Tools

A growing library of free community tools powered by the live OFA feed. No sign-up required for basic access. Useful for one-off investigations, incident triage, or simply checking whether an IP you've seen in your logs is on the Alliance watchlist.

  • IP & domain Crime Score checker — instant OFA reputation lookup
  • IOC history viewer — all Alliance sightings and timestamps
  • STIX feed sampler — download a live snapshot of current IOCs
  • Bulk IOC validator — paste a list, get Crime Scores back
  • CVE impact checker — is this CVE being actively exploited right now?

Why free tools matter

Security intelligence should not be locked behind paywalls. The OFA community tools exist to lower the barrier for security teams who need quick answers — whether that is a SOC analyst triaging an alert, a developer checking a dependency, or a small organisation without a dedicated threat intel subscription.

Every free lookup also strengthens the Alliance: anonymised query patterns help refine Crime Score weightings and surface new threat clusters that individual members would not detect alone.


A Self-Reinforcing Intelligence Cycle

The real power of the OFA architecture is not any single product — it is the feedback loop between them. Every block, every sighting, and every discovery feeds back into the intelligence core, making the entire system more accurate with every passing hour.

Step 01 — Contribute

Alliance Member Reports a Threat

A security centre in one of 290+ member organisations detects a new malicious IP, domain, or file hash. Their WCF Agent or SIEM submits the anonymised IOC to the OFA platform. Zero raw traffic data leaves the perimeter.

Step 02 — Score

Crime Score Engine Evaluates

The CTI platform receives the new IOC, deduplicates it against 220M+ existing indicators, and calculates a Crime Score by weighting sighting frequency, recency, sector targeting, and MITRE ATT&CK context.

Step 03 — Distribute

Feed Updates in <200ms

The new enriched IOC is pushed to every connected product simultaneously: DNS resolvers add it to the blocklist, WAF rules update, WCF Agents push block rules, AI Gateway adds it to its IOC database.

Step 04 — Block

All Members Protected in <30s

Every member organisation's WCF Agent receives the new block rule and pushes it to their firewall within 30 seconds of the initial sighting. A threat detected by one member is blocked everywhere, instantly.

Step 05 — Monitor

SOC Teams Stay Informed

Security teams receive push alerts via OFA Mobile, track enforcement status on the live dashboard, and coordinate incident response through Secure Channel — all without leaving the OFA ecosystem.

Step 06 — Validate

DevSecOps Closes the Loop

AquilaX scans code and infrastructure against the updated threat context. Vulnix0 checks whether any newly-disclosed CVEs are being actively exploited against your attack surface. Findings feed back into the next remediation cycle.


// See it working in your environment

Start with a Free Proof of Value

Connect to the live Alliance feed inside your own environment. Get a Crime Score report and a full list of unblocked threats — at zero cost, with zero data leaving your perimeter.