Obrenix
A self-hosted Compliance, Risk & Governance (GRC) platform. Obrenix runs as a single set of Docker containers on one Linux host — your data stays in your network, and by default even the AI engine runs on-premise.
Overview
Nothing leaves the host unless you explicitly connect an outbound integration or opt into a cloud AI provider. Here's how it works:
- You connect data sources. Obrenix either pulls from an integration's API (read-only) or you push data in via the Ingest API.
- The platform normalises and stores the signals in PostgreSQL and renders them as controls coverage, dashboards and reports.
- Continuous monitoring re-checks live signals on a schedule and keeps control status and evidence current.
- The AI engine (local by default, optional cloud provider) summarises posture, proposes control mappings, and routes ingested data.
- Auditors get read-ready evidence packs and an immutable change history.
Read-only by default. Standard integrations only read from their source; they never modify your systems.
Architecture
Components
┌──────────────────────── ADMIN BROWSER ───────────────────────┐
│ HTTPS :443 (admin UI · single sign-on optional) │
└───────────────────────────────┬──────────────────────────────┘
│
┌─────────────────────────────────────────▼────────────────────────────────┐
│ Obrenix host (single Linux VM · Docker Compose) │
│ ┌──────────────┐ ┌──────────────┐ ┌───────────────┐ ┌───────────┐ │
│ │ frontend │──▶│ backend │ │ sync-worker │ │ ollama │ │
│ │ nginx · :443│ │ FastAPI :8000│ │ scheduled jobs│ │ local AI │ │
│ └──────────────┘ └──────┬───────┘ └───────┬───────┘ └───────────┘ │
│ ┌──────▼───────┐ │ │
│ │ PostgreSQL 16│◀──────────┘ (internal only) │
│ └──────────────┘ │
└──────────┬───────────────────────────────────────────────┬───────────────┘
│ OUTBOUND :443 (cloud APIs, license, opt. AI) │ OUTBOUND via VPN
▼ ▼
Cloud / SaaS integrations Resources behind your VPN
| Component | Role | Tech |
|---|---|---|
| frontend | Admin UI, TLS termination, /api proxy — the only container that binds host ports | nginx · React + TypeScript |
| backend | API + all business logic | Python 3.12 · FastAPI |
| sync-worker | Scheduled jobs (integration refresh, monitoring, report delivery) | Python |
| postgres | System of record | PostgreSQL 16 |
| ollama | Local AI engine (optional cloud AI instead) | self-hosted models |
Only the web tier publishes ports. The API, database and AI engine stay on the internal Docker network.
Network model & ports
| Direction | Port | Purpose |
|---|---|---|
| Inbound | 443/tcp | Admin UI + API + Ingest API (HTTPS). Lock to your admin network / VPN. |
| Inbound (optional) | 8081, 80 | Alt HTTPS host port · HTTP→HTTPS redirect |
| Internal only | 8000, 5432, 11434 | backend · database · AI — never exposed |
| Outbound | 443/tcp | License heartbeat · each cloud integration you enable · optional cloud AI |
| Outbound | via VPN | One firewall rule per behind-VPN resource |
If a source (IRIS, Wazuh, a SIEM cluster, an internal service…) sits behind a VPN, put the Obrenix host on
a network that can reach it (site-to-site VPN, or a VPN client on the host), then allow a single outbound
rule ALLOW Obrenix-host → <resource-host>:<port> over the tunnel. The resource never
needs inbound access to Obrenix.
Multi-company scoping
Obrenix supports a primary legal entity plus additional entities. Compliance, Security 360 and Policy data are isolated per entity; an entity picker on those pages switches the active company. Cross-cutting maps (framework cross-mappings, catalogs) stay shared.
Data & security posture
- HTTPS-only UI; API, database and AI never leave the internal Docker network.
- Secrets encrypted at rest; the first admin and all passwords are stored only as hashes; mandatory, encrypted 2FA (TOTP) on accounts.
- Self-hosted AI by default — no data egress for analysis unless you opt into a cloud provider (Anthropic / OpenAI), with a local Ollama fallback.
- Audit-ready — immutable change history, control evidence, and one-click auditor evidence packs.
Features & capabilities
The left sidebar has two groups: Workspace (every signed-in user) and Admin (admins only). At a glance:
| Area | What you get |
|---|---|
| Controls register | ISO 27001:2022, DORA, SOC 2, NIST CSF 2.0 / 800-53 rev5, NIS2, GDPR, OWASP ASVS, CIS Controls — plus custom control packs. Per-control status, owner, target date, notes, evidence and cross-framework mapping. |
| Continuous monitoring | Automated checks that pull a live signal from a connected integration and evaluate it against a threshold (pass / fail), on demand or on a schedule, with alerts. A passing check can auto-mark its mapped controls. |
| Evidence management | Attach files, links, JIRA tickets or approved policies to any control. One-click auditor evidence pack (ZIP) per framework. |
| Risk management | Risk register with scoring, treatment, residual risk and risk → control coverage. |
| Policy governance | Upload policies with nested procedures; read them in a Word-like view; export to PDF/Word; AI-map and approve to auto-close the controls they satisfy. |
| Reporting & dashboards | Risk Register, Access Matrix, SOC, Vulnerability, Training and Compliance reports in Excel / Word / PDF, plus live dashboards. |
| AI analysis | Built-in AI (local by default) for posture summaries, control mapping, policy review and data routing. |
| Ingest API | Push your own data with an API key; the AI classifies what it is and where it belongs. |
Workspace — available to every signed-in user
| Section | What it does |
|---|---|
| Dashboard | Landing launcher. Tiles open the per-area analytics and section editors; shows active data sources and live counters. |
| Risk Register | Track and edit organizational risks — scoring (likelihood × severity), level, owner, treatment status, and a likelihood/severity heatmap. Risks link to controls for coverage. |
| Access Matrix | Employee-to-system access review, fed by your identity integrations (Entra / Okta). Surfaces SoD violations, over-privileged accounts, and a roles × assets grid. |
| SOC | The SOC workbench. Tabs: All Metrics (live Sentinel / IRIS / Cloudflare / Hexnode / IRU / Whitespots metrics), Incident Inventory (Sentinel alert/incident names with AI descriptions), Log Sources (the register of where your logs come from). |
| Detections | Row-level detection signals. Source tabs appear when connected — Defender (AV · CVE · Web Protection · Non-EDR · Non-Defender · Employee Activity) and Hexnode (non-compliance · OS versions). |
| Reports | Generated report list; open any report to view it. Create AI briefings and download Excel / Word / PDF. |
| Vulnerability | Vulnerability findings and metrics from your AppSec scanners (e.g. Whitespots) — by severity, status, product, scanner, SLA. |
| Vendor Management | Third-party / vendor register and risk tracking. |
| Employees | Employee directory / records (HR roster from connected sources). |
| Inventory | Asset inventory; pull devices from your MDMs (Intune / Hexnode / IRU) and classify by kind and status. |
| Compliance | The inline-editable controls register, scoped per legal entity. Framework tabs (ISO 27001:2022, DORA, and registry frameworks like NIS2 / GDPR / OWASP ASVS); set per-control status, attach evidence, take snapshots, AI auto-map across frameworks, build auditor evidence packs. |
| Policy | Company policy documents, scoped by legal entity. View inline (Word-like), download as PDF/Word, attach nested procedures, AI-map to controls, and approve a policy to auto-close the controls it satisfies. (Upload/manage is admin; list/download is open.) |
| Security 360 | The security-engineering readiness matrix — readiness % by domain / direction / metric type, critical elements, ISO/DORA mappings, snapshots, and custom control packs. |
| Monitoring | Continuous control monitoring — automated checks against your live signals with pass/fail, thresholds, scheduling and alerts. |
Admin — admins only
| Section | What it does |
|---|---|
| Snapshots | Browse saved compliance / Security 360 framework snapshots. |
| Integrations | Configure every integration (connect your sources). Categories: SOC & Telemetry, AI Assistants, Notifications, Awareness & Training, Workspace, Identity & Access, Data Branch, MDM, AppSec & Vulnerabilities. |
| Auto-Validator | Automated evidence / control validation engine. |
| Settings | Workspace administration hub: Users, SSO (OIDC via Okta / Google / Entra), Branding, Backup (encrypted + scheduled, local + OneDrive / SharePoint / Google Drive), Automation, Licenses, and Legal entities. |
Access control. All signed-in users see the entire Workspace group; Snapshots, Integrations, Auto-Validator and Settings are admin-only. A few capabilities are license-gated (tier + additional-company count) — this affects availability, not the core menu.
Integrations
Every integration lives under Settings → Integrations (admin), grouped by category. Most are read-only — Obrenix makes an outbound connection and pulls data, never modifying the source. A few push (notifications / publishing) or forward events to your SIEM.
Credentials. These docs list which fields each integration needs and where to obtain them — never any secret values. You paste your own credentials into the tile; Obrenix stores secrets encrypted at rest.
Type legend — pull = read-only ·
push = outbound notify / publish · forward = sends events to your SIEM
(Microsoft Sentinel / Log Analytics) · engine = AI / credential.
SOC & Telemetry
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Azure Monitor azure_monitor | Runs KQL against Log Analytics / Sentinel → SOC dashboards & metrics | pull | client_secret | Entra App registration; grant Log Analytics API → Data.Read + Log Analytics Reader on the workspace. |
| IRIS | The IRIS SecOps platform → live SOC snapshots & metrics | pull | password / api_token | IRIS endpoint + a workspace-scoped API token (preferred). |
Cloudflare cloudflare | Pulls account audit + firewall events → Cloudflare SOC metrics; can forward audit logs to your SIEM | pull · forward | api_token | Token with Account Settings: Read + Account Audit Logs: Read. |
AI Assistants
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Claude (Anthropic) anthropic | Powers the AI file-ingest / analysis engine (preferred over local Ollama when present) | engine | api_key | console.anthropic.com → API Keys. |
ChatGPT chatgpt | Pulls OpenAI workspace usage (members, messages, tokens, idle accounts) → ChatGPT dashboard | pull | api_key | OpenAI workspace API key. |
No cloud AI key? The bundled local AI (Ollama) runs on-host by default — no data leaves your network.
Notifications
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Slack slack | Push reports / SOC alerts / risk changes to channels | push | webhook | Slack incoming-webhook URL. |
SMTP / Email smtp | Outbound mail — reports, Auto-Validator, password resets | push | password* | Your mail relay (blank user/password = unauthenticated relay). |
Awareness & Training
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
NINJIO ninjio | Pulls employees / trainings / quiz results → Training snapshot | pull | api_key | Ninjio Customer Portal → API Keys. |
HiBOB hibob | Pulls the employee roster (dept / manager / branch / active) → Employees | pull | service_user_id, service_user_token | HiBOB → Integrations → Service Users. |
Spark Work spark | Pulls the active employee roster → Employees | pull | client_id, client_secret | Spark Work → Settings → API (OAuth2 client-credentials). |
Workspace
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Jira jira | One Jira issue per risk / finding; ticket-status refresh | push | token | id.atlassian.com → Manage API tokens. |
Confluence confluence | Auto-publish executive risk reports as pages | push | token | Atlassian API token. |
Identity & Access
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Okta okta | Pulls users × app assignments, groups, admin roles → Access Matrix + CSV | pull | token | Okta → Security → API → Tokens (Read-Only Admin is enough). |
MS Entra ID entra | Pulls users × SSO apps, access groups, directory/admin roles, device compliance → Access Matrix | pull | client_secret | App registration → Certificates & secrets; Graph Directory.Read.All (admin-consented). |
Data Branch
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Hirdman PRO hirdman | Scrapes Prometheus metrics → Hirdman dashboard (security score, breached / stealer creds, MFA, sessions); can forward to your SIEM | pull · forward | api_key | Hirdman UI → Admin → API Keys (Read-Only, Metrics + Analytics). |
GitLab gitlab | Tails a GitLab project's activity feed (Atom) and forwards new entries to your SIEM | forward | — (token in URL) | GitLab → Profile → Access tokens → Feed token. |
MDM
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Hexnode MDM hexnode | Device inventory, compliance / encryption posture, admin actions → SOC tile; can forward to your SIEM | pull · forward | api_key | Hexnode portal → Admin → API → Generate. |
IRU MDM iru | Apple endpoint inventory + (plan-dependent) threats / CVEs → live SOC metrics | pull | api_token | IRU → Settings → Access → API Token (Bearer). |
AppSec & Vulnerabilities
| Integration | What it does | Type | Secret | Where to get it |
|---|---|---|---|---|
Whitespots whitespots | Pulls AppSec findings → Vulnerability metrics (by severity / status / product / scanner, open & SLA-violated, top findings) | pull | api_key | AppSec Portal → Profile → API tokens. |
Custom sources & the Ingest API
Build your own read-only HTTP / REST source when there's no dedicated tile — call any JSON
endpoint (url, method, auth_header, headers) on an
optional 15 min–1 day schedule. For air-gapped scanners or bespoke tooling Obrenix can't pull
from, generate an API key (Integrations → Custom → API keys) and
POST JSON to /api/ingest — the AI classifies what it is and where it belongs.
Deployment
Obrenix ships as Docker Compose — one Linux host, one command to install.
Credentials. The installer auto-generates the database password and the master secret — you never type them. No admin password is stored on disk: the first administrator is created in the browser on first run.
1. Prerequisites
- Docker Engine ≥ 20.10 and Docker Compose v2 (
docker compose, not legacydocker-compose). openssl,git,bash,curl.- A Linux VM (add RAM if you run the bundled local AI). Open inbound 443/tcp to your admin network / VPN.
2. Get the code
The Obrenix repository is private, so cloning needs authentication. Use the repository
URL you were given (https://github.com/hexarion-boop/obrenix.git).
HTTPS + Personal Access Token (simplest):
cd /opt # or your preferred deploy parent dir
git clone https://github.com/hexarion-boop/obrenix.git
# Username: your GitHub login
# Password: a GitHub Personal Access Token — NOT your account password
Create the token at GitHub → Settings → Developer settings → Personal access tokens
(fine-grained with read access to the repo, or classic with the repo scope). Cache it so later
git pull / ./update.sh run unattended:
git config --global credential.helper store # saved to ~/.git-credentials (chmod 600)
SSH (if your key is on GitHub):
cd /opt
git clone [email protected]:hexarion-boop/obrenix.git
If you embed the token in the URL (https://<PAT>@github.com/…),
scrub it afterwards — it's written to .git/config.
3. Install
cd /opt/obrenix
./install.sh
The interactive flow asks only a couple of questions — the public binding (domain / IP +
HTTPS port, default 443) and the database (bundled PostgreSQL by default, or
your external DB_URL). It then writes a chmod 600 .env, auto-generates
OBRENIX_SECRET and a unique 6-digit BUILD_NUMBER, and brings the stack up with
docker compose up -d --build.
| Flag | Effect |
|---|---|
-y, --yes | Non-interactive — accept all defaults. |
--tls-cert <path> --tls-key <path> | Bring up with your org TLS cert (both required together; validated before build). |
--reset | Back up & wipe .env + secrets/, then re-run install. Keeps the Postgres data volume — but creds encrypted under the old secret must be re-entered. |
4. TLS
By default nginx mints a self-signed certificate on first boot. To install or rotate your own cert:
./tls.sh --cert fullchain.pem --key privkey.pem --restart
It validates that cert and key match, refuses an expired / not-yet-valid cert, warns if it expires within
14 days, and (with --restart) reloads nginx. ./tls.sh --show prints the active
cert; ./tls.sh --reset wipes it so a fresh self-signed one is minted. The cert/key live only
in the Docker volume — never on the host filesystem.
5. Configuration (.env)
The installer writes sensible values; the ones worth knowing (full list in .env.example):
| Variable | Purpose | Default |
|---|---|---|
OBRENIX_SECRET | Master secret — signs JWTs and encrypts stored integration creds (≥32 chars). Rotating it invalidates stored creds + sessions. | auto-generated |
POSTGRES_USER / POSTGRES_DB / POSTGRES_PASSWORD | Bundled Postgres credentials. | obrenix / obrenix / auto |
OBRENIX_DB_URL | External SQLAlchemy URL (external-DB mode). | computed from Postgres in compose |
OBRENIX_ENV | prod hides API docs + tightens CORS; dev opens them. | prod |
OBRENIX_HTTPS_PORT / OBRENIX_HTTPS_ALT_PORT / OBRENIX_HTTP_PORT | Published host ports (primary HTTPS · alt HTTPS · HTTP→HTTPS redirect). | 443 / 8081 / 80 |
OBRENIX_ALLOWED_ORIGINS | CORS origins (empty = same-origin single host). | derived |
OBRENIX_TOKEN_TTL | Access-token lifetime, seconds. | 43200 (12h) |
OBRENIX_REQUIRE_2FA | Force TOTP enrolment for every account. | true |
OBRENIX_MAX_UPLOAD_MB | Upload size cap. | 64 |
OBRENIX_RUN_SCHEDULERS | Which scheduler set the backend runs (core / all / none). | core |
OBRENIX_AI_INGEST / OLLAMA_URL / OLLAMA_MODEL | Local AI ingest engine + endpoint + model. | 1 · ollama:11434 · llama3.1:8b |
OBRENIX_SMTP_HOST/PORT/USER/PASSWORD/FROM/TLS | SMTP for password-reset + report email (can also be set in the UI). | port 587, TLS on |
HEXLIC_ENABLED | Turn the Hexarion license check on. | false |
BUILD_NUMBER | Unique 6-digit deploy id (regenerated each install/update). | random |
The local AI model isn't pulled automatically. Fetch it once:
docker compose exec ollama ollama pull llama3.1:8b.
6. Services & data
| Service | Container | Exposed? |
|---|---|---|
| frontend (nginx + SPA) | obrenix-frontend | Yes — the only service that publishes host ports (443 / 8081 / 80). |
| backend (FastAPI) | obrenix-backend | Internal only. |
| sync-worker (schedulers) | obrenix-sync-worker | Internal only. Pause scheduled jobs with docker compose stop sync-worker. |
| postgres 16 | obrenix-postgres | Internal only. |
| ollama (local AI) | obrenix-ollama | Internal only. |
Named volumes persist your data across rebuilds — uploads + generated reports, the
PostgreSQL database, the TLS cert/key, and the local-AI models. backup.sh and
Settings → Backup handle them for you.
External database: answer “no” to the bundled-DB prompt, or apply the overlay:
docker compose -f docker-compose.yml -f docker-compose.external-db.yml up -d
7. Updating
The canonical update is the script — it pulls, refreshes the BUILD_NUMBER, rebuilds and restarts:
cd /opt/obrenix
./update.sh # or: ./update.sh --no-cache
update.sh is non-interactive and cron-safe: it runs git pull --ff-only,
regenerates BUILD_NUMBER, then docker compose build --pull +
docker compose up -d --remove-orphans. If the browser still shows the old version after
updating, hard-refresh (Ctrl+Shift+R) and purge any CDN cache.
8. Backup, air-gapped & uninstall
- Backup / restore — encrypted database backup/restore and scheduled auto-backup are
built into Settings → Backup (local + OneDrive / SharePoint / Google Drive). On the host,
backup.shbundles apg_dump+ uploads +.env/secretsinto a dated tarball (cron-friendly); daily-ops helpers ship alongside —start.sh·stop.sh·restart.sh·logs.sh·health.sh. - Air-gapped install — move the code with
git bundle, load the base images viadocker save/docker load, and pre-pull the local AI model. - Uninstall —
docker compose down --volumes --remove-orphansremoves the stack and its data.
Licensing & first run
- Create the administrator. Browse to
https://<your-host>/. While no users exist, the sign-in page shows a "Create administrator" wizard (email + password) instead of a login form — this is the first admin. - Enrol 2FA. Two-factor auth is mandatory by default
(
OBRENIX_REQUIRE_2FA=true): on first login you scan a TOTP QR code and confirm a code. - Activate (optional). The built-in license check (hexlic) is
off by default (
HEXLIC_ENABLED=false), so the product runs unrestricted. When enabled, an activation window lets you drop in a license file to activate PRO, or start a 14-day trial. - Connect sources. Sign in as the admin and start wiring up sources under Settings → Integrations.
Licensing is scoped to your legal entities — a primary company plus up to two additional entities that scope the Policy / Compliance pickers. A PRO license unlocks features by tier and additional- company count; license changes are applied at the install's next heartbeat.
Support
Questions, an enterprise rollout, an air-gapped install or a tailored compliance scope — the Hexarion team is one message away.