DOCUMENTATION

Obrenix

A self-hosted Compliance, Risk & Governance (GRC) platform. Obrenix runs as a single set of Docker containers on one Linux host — your data stays in your network, and by default even the AI engine runs on-premise.

GRC & COMPLIANCE SELF-HOSTED AI ON-PREM MULTI-COMPANY

Overview

Nothing leaves the host unless you explicitly connect an outbound integration or opt into a cloud AI provider. Here's how it works:

  1. You connect data sources. Obrenix either pulls from an integration's API (read-only) or you push data in via the Ingest API.
  2. The platform normalises and stores the signals in PostgreSQL and renders them as controls coverage, dashboards and reports.
  3. Continuous monitoring re-checks live signals on a schedule and keeps control status and evidence current.
  4. The AI engine (local by default, optional cloud provider) summarises posture, proposes control mappings, and routes ingested data.
  5. Auditors get read-ready evidence packs and an immutable change history.

Read-only by default. Standard integrations only read from their source; they never modify your systems.

Architecture

Components

            ┌──────────────────────── ADMIN BROWSER ───────────────────────┐
            │   HTTPS :443  (admin UI · single sign-on optional)           │
            └───────────────────────────────┬──────────────────────────────┘
                                            │
   ┌─────────────────────────────────────────▼────────────────────────────────┐
   │  Obrenix host (single Linux VM · Docker Compose)                          │
   │   ┌──────────────┐   ┌──────────────┐   ┌───────────────┐  ┌───────────┐  │
   │   │  frontend    │──▶│   backend    │   │  sync-worker  │  │  ollama   │  │
   │   │  nginx · :443│   │ FastAPI :8000│   │ scheduled jobs│  │ local AI  │  │
   │   └──────────────┘   └──────┬───────┘   └───────┬───────┘  └───────────┘  │
   │                      ┌──────▼───────┐           │                         │
   │                      │ PostgreSQL 16│◀──────────┘   (internal only)       │
   │                      └──────────────┘                                     │
   └──────────┬───────────────────────────────────────────────┬───────────────┘
              │ OUTBOUND :443 (cloud APIs, license, opt. AI)   │ OUTBOUND via VPN
              ▼                                                ▼
       Cloud / SaaS integrations                  Resources behind your VPN
ComponentRoleTech
frontendAdmin UI, TLS termination, /api proxy — the only container that binds host portsnginx · React + TypeScript
backendAPI + all business logicPython 3.12 · FastAPI
sync-workerScheduled jobs (integration refresh, monitoring, report delivery)Python
postgresSystem of recordPostgreSQL 16
ollamaLocal AI engine (optional cloud AI instead)self-hosted models

Only the web tier publishes ports. The API, database and AI engine stay on the internal Docker network.

Network model & ports

DirectionPortPurpose
Inbound443/tcpAdmin UI + API + Ingest API (HTTPS). Lock to your admin network / VPN.
Inbound (optional)8081, 80Alt HTTPS host port · HTTP→HTTPS redirect
Internal only8000, 5432, 11434backend · database · AI — never exposed
Outbound443/tcpLicense heartbeat · each cloud integration you enable · optional cloud AI
Outboundvia VPNOne firewall rule per behind-VPN resource

If a source (IRIS, Wazuh, a SIEM cluster, an internal service…) sits behind a VPN, put the Obrenix host on a network that can reach it (site-to-site VPN, or a VPN client on the host), then allow a single outbound rule ALLOW Obrenix-host → <resource-host>:<port> over the tunnel. The resource never needs inbound access to Obrenix.

Multi-company scoping

Obrenix supports a primary legal entity plus additional entities. Compliance, Security 360 and Policy data are isolated per entity; an entity picker on those pages switches the active company. Cross-cutting maps (framework cross-mappings, catalogs) stay shared.

Data & security posture

Features & capabilities

The left sidebar has two groups: Workspace (every signed-in user) and Admin (admins only). At a glance:

AreaWhat you get
Controls registerISO 27001:2022, DORA, SOC 2, NIST CSF 2.0 / 800-53 rev5, NIS2, GDPR, OWASP ASVS, CIS Controls — plus custom control packs. Per-control status, owner, target date, notes, evidence and cross-framework mapping.
Continuous monitoringAutomated checks that pull a live signal from a connected integration and evaluate it against a threshold (pass / fail), on demand or on a schedule, with alerts. A passing check can auto-mark its mapped controls.
Evidence managementAttach files, links, JIRA tickets or approved policies to any control. One-click auditor evidence pack (ZIP) per framework.
Risk managementRisk register with scoring, treatment, residual risk and risk → control coverage.
Policy governanceUpload policies with nested procedures; read them in a Word-like view; export to PDF/Word; AI-map and approve to auto-close the controls they satisfy.
Reporting & dashboardsRisk Register, Access Matrix, SOC, Vulnerability, Training and Compliance reports in Excel / Word / PDF, plus live dashboards.
AI analysisBuilt-in AI (local by default) for posture summaries, control mapping, policy review and data routing.
Ingest APIPush your own data with an API key; the AI classifies what it is and where it belongs.

Workspace — available to every signed-in user

SectionWhat it does
DashboardLanding launcher. Tiles open the per-area analytics and section editors; shows active data sources and live counters.
Risk RegisterTrack and edit organizational risks — scoring (likelihood × severity), level, owner, treatment status, and a likelihood/severity heatmap. Risks link to controls for coverage.
Access MatrixEmployee-to-system access review, fed by your identity integrations (Entra / Okta). Surfaces SoD violations, over-privileged accounts, and a roles × assets grid.
SOCThe SOC workbench. Tabs: All Metrics (live Sentinel / IRIS / Cloudflare / Hexnode / IRU / Whitespots metrics), Incident Inventory (Sentinel alert/incident names with AI descriptions), Log Sources (the register of where your logs come from).
DetectionsRow-level detection signals. Source tabs appear when connected — Defender (AV · CVE · Web Protection · Non-EDR · Non-Defender · Employee Activity) and Hexnode (non-compliance · OS versions).
ReportsGenerated report list; open any report to view it. Create AI briefings and download Excel / Word / PDF.
VulnerabilityVulnerability findings and metrics from your AppSec scanners (e.g. Whitespots) — by severity, status, product, scanner, SLA.
Vendor ManagementThird-party / vendor register and risk tracking.
EmployeesEmployee directory / records (HR roster from connected sources).
InventoryAsset inventory; pull devices from your MDMs (Intune / Hexnode / IRU) and classify by kind and status.
ComplianceThe inline-editable controls register, scoped per legal entity. Framework tabs (ISO 27001:2022, DORA, and registry frameworks like NIS2 / GDPR / OWASP ASVS); set per-control status, attach evidence, take snapshots, AI auto-map across frameworks, build auditor evidence packs.
PolicyCompany policy documents, scoped by legal entity. View inline (Word-like), download as PDF/Word, attach nested procedures, AI-map to controls, and approve a policy to auto-close the controls it satisfies. (Upload/manage is admin; list/download is open.)
Security 360The security-engineering readiness matrix — readiness % by domain / direction / metric type, critical elements, ISO/DORA mappings, snapshots, and custom control packs.
MonitoringContinuous control monitoring — automated checks against your live signals with pass/fail, thresholds, scheduling and alerts.

Admin — admins only

SectionWhat it does
SnapshotsBrowse saved compliance / Security 360 framework snapshots.
IntegrationsConfigure every integration (connect your sources). Categories: SOC & Telemetry, AI Assistants, Notifications, Awareness & Training, Workspace, Identity & Access, Data Branch, MDM, AppSec & Vulnerabilities.
Auto-ValidatorAutomated evidence / control validation engine.
SettingsWorkspace administration hub: Users, SSO (OIDC via Okta / Google / Entra), Branding, Backup (encrypted + scheduled, local + OneDrive / SharePoint / Google Drive), Automation, Licenses, and Legal entities.

Access control. All signed-in users see the entire Workspace group; Snapshots, Integrations, Auto-Validator and Settings are admin-only. A few capabilities are license-gated (tier + additional-company count) — this affects availability, not the core menu.

Integrations

Every integration lives under Settings → Integrations (admin), grouped by category. Most are read-only — Obrenix makes an outbound connection and pulls data, never modifying the source. A few push (notifications / publishing) or forward events to your SIEM.

Credentials. These docs list which fields each integration needs and where to obtain them — never any secret values. You paste your own credentials into the tile; Obrenix stores secrets encrypted at rest.

Type legendpull = read-only · push = outbound notify / publish · forward = sends events to your SIEM (Microsoft Sentinel / Log Analytics) · engine = AI / credential.

SOC & Telemetry

IntegrationWhat it doesTypeSecretWhere to get it
Azure Monitor azure_monitorRuns KQL against Log Analytics / Sentinel → SOC dashboards & metricspullclient_secretEntra App registration; grant Log Analytics API → Data.Read + Log Analytics Reader on the workspace.
IRISThe IRIS SecOps platform → live SOC snapshots & metricspullpassword / api_tokenIRIS endpoint + a workspace-scoped API token (preferred).
Cloudflare cloudflarePulls account audit + firewall events → Cloudflare SOC metrics; can forward audit logs to your SIEMpull · forwardapi_tokenToken with Account Settings: Read + Account Audit Logs: Read.

AI Assistants

IntegrationWhat it doesTypeSecretWhere to get it
Claude (Anthropic) anthropicPowers the AI file-ingest / analysis engine (preferred over local Ollama when present)engineapi_keyconsole.anthropic.com → API Keys.
ChatGPT chatgptPulls OpenAI workspace usage (members, messages, tokens, idle accounts) → ChatGPT dashboardpullapi_keyOpenAI workspace API key.

No cloud AI key? The bundled local AI (Ollama) runs on-host by default — no data leaves your network.

Notifications

IntegrationWhat it doesTypeSecretWhere to get it
Slack slackPush reports / SOC alerts / risk changes to channelspushwebhookSlack incoming-webhook URL.
SMTP / Email smtpOutbound mail — reports, Auto-Validator, password resetspushpassword*Your mail relay (blank user/password = unauthenticated relay).

Awareness & Training

IntegrationWhat it doesTypeSecretWhere to get it
NINJIO ninjioPulls employees / trainings / quiz results → Training snapshotpullapi_keyNinjio Customer Portal → API Keys.
HiBOB hibobPulls the employee roster (dept / manager / branch / active) → Employeespullservice_user_id, service_user_tokenHiBOB → Integrations → Service Users.
Spark Work sparkPulls the active employee roster → Employeespullclient_id, client_secretSpark Work → Settings → API (OAuth2 client-credentials).

Workspace

IntegrationWhat it doesTypeSecretWhere to get it
Jira jiraOne Jira issue per risk / finding; ticket-status refreshpushtokenid.atlassian.com → Manage API tokens.
Confluence confluenceAuto-publish executive risk reports as pagespushtokenAtlassian API token.

Identity & Access

IntegrationWhat it doesTypeSecretWhere to get it
Okta oktaPulls users × app assignments, groups, admin roles → Access Matrix + CSVpulltokenOkta → Security → API → Tokens (Read-Only Admin is enough).
MS Entra ID entraPulls users × SSO apps, access groups, directory/admin roles, device compliance → Access Matrixpullclient_secretApp registration → Certificates & secrets; Graph Directory.Read.All (admin-consented).

Data Branch

IntegrationWhat it doesTypeSecretWhere to get it
Hirdman PRO hirdmanScrapes Prometheus metrics → Hirdman dashboard (security score, breached / stealer creds, MFA, sessions); can forward to your SIEMpull · forwardapi_keyHirdman UI → Admin → API Keys (Read-Only, Metrics + Analytics).
GitLab gitlabTails a GitLab project's activity feed (Atom) and forwards new entries to your SIEMforward— (token in URL)GitLab → Profile → Access tokens → Feed token.

MDM

IntegrationWhat it doesTypeSecretWhere to get it
Hexnode MDM hexnodeDevice inventory, compliance / encryption posture, admin actions → SOC tile; can forward to your SIEMpull · forwardapi_keyHexnode portal → Admin → API → Generate.
IRU MDM iruApple endpoint inventory + (plan-dependent) threats / CVEs → live SOC metricspullapi_tokenIRU → Settings → Access → API Token (Bearer).

AppSec & Vulnerabilities

IntegrationWhat it doesTypeSecretWhere to get it
Whitespots whitespotsPulls AppSec findings → Vulnerability metrics (by severity / status / product / scanner, open & SLA-violated, top findings)pullapi_keyAppSec Portal → Profile → API tokens.

Custom sources & the Ingest API

Build your own read-only HTTP / REST source when there's no dedicated tile — call any JSON endpoint (url, method, auth_header, headers) on an optional 15 min–1 day schedule. For air-gapped scanners or bespoke tooling Obrenix can't pull from, generate an API key (Integrations → Custom → API keys) and POST JSON to /api/ingest — the AI classifies what it is and where it belongs.

Deployment

Obrenix ships as Docker Compose — one Linux host, one command to install.

Credentials. The installer auto-generates the database password and the master secret — you never type them. No admin password is stored on disk: the first administrator is created in the browser on first run.

1. Prerequisites

2. Get the code

The Obrenix repository is private, so cloning needs authentication. Use the repository URL you were given (https://github.com/hexarion-boop/obrenix.git).

HTTPS + Personal Access Token (simplest):

cd /opt   # or your preferred deploy parent dir
git clone https://github.com/hexarion-boop/obrenix.git
#   Username: your GitHub login
#   Password: a GitHub Personal Access Token — NOT your account password

Create the token at GitHub → Settings → Developer settings → Personal access tokens (fine-grained with read access to the repo, or classic with the repo scope). Cache it so later git pull / ./update.sh run unattended:

git config --global credential.helper store   # saved to ~/.git-credentials (chmod 600)

SSH (if your key is on GitHub):

cd /opt
git clone [email protected]:hexarion-boop/obrenix.git

If you embed the token in the URL (https://<PAT>@github.com/…), scrub it afterwards — it's written to .git/config.

3. Install

cd /opt/obrenix
./install.sh

The interactive flow asks only a couple of questions — the public binding (domain / IP + HTTPS port, default 443) and the database (bundled PostgreSQL by default, or your external DB_URL). It then writes a chmod 600 .env, auto-generates OBRENIX_SECRET and a unique 6-digit BUILD_NUMBER, and brings the stack up with docker compose up -d --build.

FlagEffect
-y, --yesNon-interactive — accept all defaults.
--tls-cert <path> --tls-key <path>Bring up with your org TLS cert (both required together; validated before build).
--resetBack up & wipe .env + secrets/, then re-run install. Keeps the Postgres data volume — but creds encrypted under the old secret must be re-entered.

4. TLS

By default nginx mints a self-signed certificate on first boot. To install or rotate your own cert:

./tls.sh --cert fullchain.pem --key privkey.pem --restart

It validates that cert and key match, refuses an expired / not-yet-valid cert, warns if it expires within 14 days, and (with --restart) reloads nginx. ./tls.sh --show prints the active cert; ./tls.sh --reset wipes it so a fresh self-signed one is minted. The cert/key live only in the Docker volume — never on the host filesystem.

5. Configuration (.env)

The installer writes sensible values; the ones worth knowing (full list in .env.example):

VariablePurposeDefault
OBRENIX_SECRETMaster secret — signs JWTs and encrypts stored integration creds (≥32 chars). Rotating it invalidates stored creds + sessions.auto-generated
POSTGRES_USER / POSTGRES_DB / POSTGRES_PASSWORDBundled Postgres credentials.obrenix / obrenix / auto
OBRENIX_DB_URLExternal SQLAlchemy URL (external-DB mode).computed from Postgres in compose
OBRENIX_ENVprod hides API docs + tightens CORS; dev opens them.prod
OBRENIX_HTTPS_PORT / OBRENIX_HTTPS_ALT_PORT / OBRENIX_HTTP_PORTPublished host ports (primary HTTPS · alt HTTPS · HTTP→HTTPS redirect).443 / 8081 / 80
OBRENIX_ALLOWED_ORIGINSCORS origins (empty = same-origin single host).derived
OBRENIX_TOKEN_TTLAccess-token lifetime, seconds.43200 (12h)
OBRENIX_REQUIRE_2FAForce TOTP enrolment for every account.true
OBRENIX_MAX_UPLOAD_MBUpload size cap.64
OBRENIX_RUN_SCHEDULERSWhich scheduler set the backend runs (core / all / none).core
OBRENIX_AI_INGEST / OLLAMA_URL / OLLAMA_MODELLocal AI ingest engine + endpoint + model.1 · ollama:11434 · llama3.1:8b
OBRENIX_SMTP_HOST/PORT/USER/PASSWORD/FROM/TLSSMTP for password-reset + report email (can also be set in the UI).port 587, TLS on
HEXLIC_ENABLEDTurn the Hexarion license check on.false
BUILD_NUMBERUnique 6-digit deploy id (regenerated each install/update).random

The local AI model isn't pulled automatically. Fetch it once: docker compose exec ollama ollama pull llama3.1:8b.

6. Services & data

ServiceContainerExposed?
frontend (nginx + SPA)obrenix-frontendYes — the only service that publishes host ports (443 / 8081 / 80).
backend (FastAPI)obrenix-backendInternal only.
sync-worker (schedulers)obrenix-sync-workerInternal only. Pause scheduled jobs with docker compose stop sync-worker.
postgres 16obrenix-postgresInternal only.
ollama (local AI)obrenix-ollamaInternal only.

Named volumes persist your data across rebuilds — uploads + generated reports, the PostgreSQL database, the TLS cert/key, and the local-AI models. backup.sh and Settings → Backup handle them for you.

External database: answer “no” to the bundled-DB prompt, or apply the overlay:

docker compose -f docker-compose.yml -f docker-compose.external-db.yml up -d

7. Updating

The canonical update is the script — it pulls, refreshes the BUILD_NUMBER, rebuilds and restarts:

cd /opt/obrenix
./update.sh           # or: ./update.sh --no-cache

update.sh is non-interactive and cron-safe: it runs git pull --ff-only, regenerates BUILD_NUMBER, then docker compose build --pull + docker compose up -d --remove-orphans. If the browser still shows the old version after updating, hard-refresh (Ctrl+Shift+R) and purge any CDN cache.

8. Backup, air-gapped & uninstall

Licensing & first run

  1. Create the administrator. Browse to https://<your-host>/. While no users exist, the sign-in page shows a "Create administrator" wizard (email + password) instead of a login form — this is the first admin.
  2. Enrol 2FA. Two-factor auth is mandatory by default (OBRENIX_REQUIRE_2FA=true): on first login you scan a TOTP QR code and confirm a code.
  3. Activate (optional). The built-in license check (hexlic) is off by default (HEXLIC_ENABLED=false), so the product runs unrestricted. When enabled, an activation window lets you drop in a license file to activate PRO, or start a 14-day trial.
  4. Connect sources. Sign in as the admin and start wiring up sources under Settings → Integrations.

Licensing is scoped to your legal entities — a primary company plus up to two additional entities that scope the Policy / Compliance pickers. A PRO license unlocks features by tier and additional- company count; license changes are applied at the install's next heartbeat.

Support

Questions, an enterprise rollout, an air-gapped install or a tailored compliance scope — the Hexarion team is one message away.

Talk to us →