Guard.

Kernel-speed action, only when authority has been earned.

Get the source →Read the paper

fig · guard · liveEnforce

fig.2 · authority pipelinedetect → judge → authorise → act

evidence accrues in shadow · authority is scoped & revocable · enforcement is kernel-speed

Tap

XDP / eBPF

Latency

4.0µs median

Mode

fail-open

License

Apache-2.0

[01] · WHAT GUARD DOES

Acts on instructions from Mesh, at kernel speed.

Guard performs XDP/eBPF kernel-level packet blocking on operator infrastructure. It acts only on instructions issued by Mesh, scoped to abuse classes the operator has explicitly authorised. Microsecond decision-to-action. Fail-open by architecture: if Guard or the Mesh platform goes down, traffic flows. Security software does not cause downtime.

[02] · WHY IT MATTERS

What you get.

Machine-speed enforcement.

XDP/eBPF in the kernel. Microseconds, not milliseconds. Decision-to-action faster than the attack can pivot.

Authority is bounded.

Guard only acts on judgments Mesh has earned the authority to make. Scoped per abuse class, revocable, audited.

Drop-in compatible.

Run alongside your existing firewall, or replace it. Open source - inspect, fork, deploy. No vendor lock-in.

[03] · DEPLOY

Three steps.

Install

Drop Guard onto the validator host. XDP attaches to the NIC. No reboot, no kernel patching beyond what your distribution already supports.

Authorise

Connect Guard to your Mesh tenant. Authority is granted per abuse class - start narrow, expand as evidence supports.

Run

Mesh issues enforcement instructions. Guard executes in the kernel. Every action is logged with full context. Revocable at any time.

guard · demopreview

$ curl -fsSL nullrabbit.ai/guard | sh
$ guard attach --nic eth0
  ▸ xdp · attached · 0 reboot
$ guard connect --mesh cohort.v1
  ▸ authority · recon.* · scoped
$ guard status
  ▸ acting · 4.0µs · fail-open

Demo · GUARD is not yet in production. The commands above illustrate the intended workflow.

Run Guard on your network.

Get the source →Talk to us