Architecture · Deep Dive

Eleven capability planes. One decision lineage.

The NOGTUS Unified Security Landscape Awareness Platform is structured as a stack of 11 capability planes — sensing, transformation, structured persistence, forensic evidence, correlation, intelligence enrichment, operational lifecycle, operational exchange, compliance interpretation, reporting, and AI access — each with a defined contract, each with named subsystems (NAVE, NASE, NEL, NME, NIC, NIM, NIO, NCB, NCC, NTR, NFE), each with an articulated epistemic role. The narrative below is the platform's canonical architectural reference.

01 · Sensing Plane

Network observation and protocol-aware telemetry emission. Anchored by NAVE — NOGTUS Apex Vision Engine — with deep packet inspection, signature reasoning, behavioral baseline divergence, and Apex decision analysis arbitrating expensive lanes under cost-aware policy.

NAVE · Apex Vision Engine · Minutia Engine · Apex Decision Analysis

02 · Data and Transformation Plane

Parsing, normalization, masking, enrichment, canonicalization. Anchored by NASE — NOGTUS Aptos Synthetic Engine — disciplining heterogeneous logs into canonical operational form before downstream layers operate on it.

NASE · Aptos Synthetic Engine · Parser · Enrichment

03 · Structured Persistence and Analytics Plane

Searchable storage, aggregation, retention discipline. Anchored by NEL — NOGTUS Mega Lake — schema-governed columnar persistence with sub-second query over the long forensic tail.

NEL · Mega Lake · Schema Studio · Retention

04 · Forensic Evidence Plane

Session detail, packet-linked context, investigatory recall. Anchored by NME — NOGTUS Minutia Engine — preserving session continuity between alarm and packet without severing the chain of technical support.

NME · Minutia Engine · PCAP Linkage · Session Recall

05 · Correlation and Alarming Plane

Sequence, threshold, deduplication, suppression, scoring. Anchored by NIC — NOGTUS Insight Correlator — runtime correlation under ruleset and trigger trees, severity tuning, validation, and audit trail.

NIC · Insight Correlator · Trigger Trees · Audit Trail

06 · Intelligence Enrichment Plane

Threat intelligence contextualization, prioritization. Anchored by NIM — NOGTUS Intelligence Matrix — observables joined to live traffic at deterministic identifiers, retroactive promotion across the lake.

NIM · Intelligence Matrix · TI Pool · Retroactive Promotion

07 · Operational Lifecycle Plane

Triage, escalation, lifecycle progression. Anchored by NIO — NOGTUS Lifecycle Orchestrator — controlled lifecycle states (containment, eradication, recovery), each transition recorded with evidence and timestamp.

NIO · Lifecycle Orchestrator · Triage · SLA Phase Tracking

08 · Operational Exchange Plane

Ticketing, timeline continuity, stakeholder communication. Anchored by NCB — NOGTUS InterHub Exchange — preserving timeline continuity across hand-offs between SOC, IR, threat intelligence, and customer-facing reporting.

NCB · InterHub Exchange · Ticketing · Timeline Continuity

09 · Compliance Interpretation Plane

Mapping incidents to governance significance. Anchored by NCC — NOGTUS Compliance Compass — multi-framework dashboard against ISO 27001, NIST CSF, PCI DSS, SOC 2, MITRE ATT&CK, CIS v8, GDPR, POJK, UU PDP.

NCC · Compliance Compass · Framework Mapping · Control Coverage

10 · Reporting and Awareness Plane

Multi-tier reporting and stakeholder awareness output. Anchored by NTR — NOGTUS 360 Awareness Reports — Tier-1 operational, Tier-2 service-level, Tier-3 governance-grade for boards and regulators.

NTR · 360 Awareness Reports · Multi-Tier Output

11 · AI Access and Amplification Plane

Interactive retrieval, summarization, future intelligence amplification. Anchored by NFE — NOGTUS AI Fabric Engine — operating on structured platform data, not on raw chaos. AI-readiness under human governance.

NFE · AI Fabric Engine · Narrative Generation · Plugger

Architectural Principles

Six principles, applied uniformly across the 11 capability planes.

Evidence-First by Design

Every meaningful analytical, operational, governance, and reporting outcome within the platform must be rooted in evidence that can be traced, re-examined, correlated, and defended. Evidence-first is not rhetoric — it is a platform-wide architectural commitment that reduces epistemic fragility in cyber operations.

Vendor-Neutral Substrate with Product-Owned Operational Layer

The platform respects vendor-neutrality at the substrate level — open standards, ECS/OCSF schemas, MITRE ATT&CK, STIX/TAXII — while owning the operational layer through named modules, branded engines, and integrated workflows. Customers retain interoperability; Neurogs retains operational differentiation.

Modular Architecture with Strong Internal Coherence

All modules are core modules. None is an optional add-on. The architecture is internally coherent across all 11 capability planes — each module a capability surface, a technical responsibility boundary, a commercial meaning layer, and a product maturity anchor.

Canonicalization Before Confidence

Heterogeneous data is canonicalized before being trusted. Confidence emerges from disciplined transformation, not from raw accumulation. NASE — the transformation engine — exists to discipline heterogeneity into canonical operational form before downstream layers operate on it.

Hybrid-Capable Operational Realism

The platform is engineered for the operational realities customers actually inhabit — including air-gapped, sovereign, hybrid, and customer-tenant deployment — not for an idealized SaaS-only world. Sovereignty is a structural design property, not a marketing concession.

Human-Governed Artificial Intelligence Readiness

AI is architected to amplify human judgment, not to replace it. AI-readiness means the data estate, evidence estate, and operational estate are prepared for intelligence amplification under human governance. NFE operates on structured platform data, not on raw chaos.

Four Truth Anchors

Four kinds of truth. One correlated operational basis.

The architecture is built on four kinds of truth that flow into the platform from different sources. They are correlated by community_id (flow correlation) and log_id (record identity). Together they constitute the platform's operational basis for decision-making.

I · Network-Derived Truth

Produced by NAVE through protocol-aware traffic observation. The substrate that grounds detection in what was actually transmitted — not in what was reported, claimed, or summarized upstream.

II · Canonicalized Operational Truth

Produced by NASE through disciplined transformation of heterogeneous logs. Vendor formats, timestamp conventions, and field availability collapse into one canonical operational form before downstream confidence is granted.

III · Session and Evidence Truth

Produced by NME through full-packet capture and forensic continuity. The substrate that allows an investigator to move from a verdict back to the bytes that produced it, without severing the chain of technical support.

IV · Analyst and Workflow Truth

Produced by analyst actions, ticket progression, and lifecycle state changes through NIC, NIO, and NCB. The substrate of human judgment, recorded with the same evidentiary discipline as the machine-derived layers.
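The two identifiers named above are what make the four truth sources joinable, and the canonicalization step is what makes the join trustworthy. The following Python is an added worked example, not NOGTUS code. It assumes that community_id carries the Corelight Community ID v1 flow hash (the algorithm behind the ECS field network.community_id) and that log_id is an RFC 9562 UUIDv7; neither assumption is confirmed by the page. It takes two constructed vendor records of different shape (a key=value line stamped in local time, and a JSON event with epoch seconds and different field names), collapses both into one ECS-style canonical form, stamps each with both identifiers, and groups them by flow. The sample addresses, vendor field names and log lines are constructed.

```python
import base64
import hashlib
import ipaddress
import json
import os
import re
import struct
import uuid
from datetime import datetime, timezone

PROTO_NUM = {"tcp": 6, "udp": 17}


def community_id(saddr, sport, daddr, dport, transport, seed=0):
    """Community ID v1 (Corelight spec): a direction-independent flow hash.
    Assumed here to be the algorithm behind the page's community_id field."""
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    # Canonical order puts the smaller (address, port) endpoint first, so the
    # request and the reply direction of one connection hash identically.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da
    data += struct.pack("!BBHH", PROTO_NUM[transport], 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()


def uuid7(unix_ms=None):
    """RFC 9562 UUIDv7: 48-bit millisecond timestamp, then random bits, so ids
    sort in creation order while staying globally unique (the page's log_id)."""
    if unix_ms is None:
        unix_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    rand_a = int.from_bytes(os.urandom(2), "big") & 0x0FFF
    rand_b = int.from_bytes(os.urandom(8), "big") & ((1 << 62) - 1)
    value = (unix_ms << 80) | (0x7 << 76) | (rand_a << 64) | (0b10 << 62) | rand_b
    return str(uuid.UUID(int=value))


def canonical(ts, src, spt, dst, dpt, transport, action, vendor):
    """One canonical operational form (ECS-style keys), whatever the vendor shape."""
    return {
        "@timestamp": ts.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
        "source.ip": src, "source.port": spt,
        "destination.ip": dst, "destination.port": dpt,
        "network.transport": transport,
        "network.community_id": community_id(src, spt, dst, dpt, transport),
        "event.action": action,
        "event.id": uuid7(int(ts.timestamp() * 1000)),
        "observer.vendor": vendor,
    }


KV_RE = re.compile(r"(\w+)=(\S+)")


def from_kv_syslog(line):
    """Constructed vendor shape A: local-offset RFC 3339 stamp, key=value body."""
    stamp, body = line.split(" ", 1)
    kv = dict(KV_RE.findall(body))
    return canonical(datetime.fromisoformat(stamp), kv["src"], int(kv["spt"]),
                     kv["dst"], int(kv["dpt"]), kv["proto"], kv["action"], "fw-vendor-a")


def from_json_event(line):
    """Constructed vendor shape B: epoch seconds and different field names."""
    ev = json.loads(line)
    ts = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc)
    return canonical(ts, ev["srcip"], ev["sport"], ev["dstip"], ev["dport"],
                     ev["proto"].lower(), ev["verdict"], "sensor-vendor-b")


def join_by_flow(records):
    """Group canonical records from any source by community_id."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["network.community_id"], []).append(rec)
    return groups


# Constructed sample input: one TCP flow seen by a firewall (client -> server,
# logged in local time +07:00) and by a sensor (the server -> client reply, epoch UTC).
SAMPLE_KV = ("2024-05-01T10:00:03.250+07:00 src=10.0.0.5 spt=51234 "
             "dst=93.184.216.34 dpt=443 proto=tcp action=allow")
SAMPLE_JSON = ('{"epoch": 1714532403, "srcip": "93.184.216.34", "sport": 443, '
               '"dstip": "10.0.0.5", "dport": 51234, "proto": "TCP", "verdict": "observed"}')


def demo():
    """Both records land in one group although they were reported in opposite directions."""
    return join_by_flow([from_kv_syslog(SAMPLE_KV), from_json_event(SAMPLE_JSON)])


if __name__ == "__main__":
    for cid, group in demo().items():
        print(cid)
        for r in group:
            print("  ", r["@timestamp"], r["observer.vendor"], r["event.action"], r["event.id"])
```

The design point is that canonicalization happens before any join is attempted: the +07:00 firewall stamp and the epoch-seconds sensor stamp become the same UTC instant, and the firewall's client-to-server record and the sensor's reply-direction record hash to the same community_id because the endpoint order is normalized inside the hash. The Corelight spec publishes reference vectors (for example, TCP 128.232.110.120:34855 to 66.35.250.204:80 with seed 0 gives 1:LQU9qZlK+B5F3KDmev6m5PMibrg=), which is how an implementation like this one should be checked before it is trusted for correlation.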

Quantitative Posture

Numbers that ground the architecture.

Architecture is verified at the edge of measurement. The figures below are the anchors that govern detection coverage, ingest throughput, retention economics, and forensic recall — the operational reality the planes are engineered to sustain.

26,000+
Signature corpus

Curated detection rules across protocols, exploit families, and post-exploitation techniques — versioned, validated, rollback-capable.

2.7M+
TI Pool observables

Threat-intelligence indicators correlated against live traffic at the sensor edge under deterministic identifier joins.

500K+ EPS
Per-node throughput

Sustained ingest into the schema-governed Mega Lake plane.

10:1
Mega Lake compression

Proprietary columnar layout — sub-second query over 1B+ rows for the long forensic tail.

Each alarm produced by the platform carries community_id, log_id (UUIDv7), and a Reasoning Chain — the chain-of-evidence record that links verdict to source, rule, enrichment, and confidence weighting. Edit-Lock Governance preserves the chain across analyst annotation; later evidence revises the verdict without rewriting history.
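One way to realize the chain-of-evidence record and the "revises the verdict without rewriting history" property is an append-only, hash-linked log per alarm, where every link (source, rule, enrichment, verdict, annotation) commits to its predecessor, the current verdict is simply the newest verdict link, and any edit to an earlier link is detectable. The Python below is an added example built on that design choice; it is not NOGTUS code and the page does not state how the Reasoning Chain or Edit-Lock Governance are implemented. The alarm, rule id, actor names, confidence values and timestamps are all constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


class ReasoningChain:
    """Append-only evidence record for one alarm, keyed by community_id and log_id.
    Hypothetical structure: each link stores the hash of the link before it."""

    GENESIS = "0" * 64

    def __init__(self, community_id, log_id):
        self.community_id = community_id
        self.log_id = log_id
        self.entries = []  # each: seq, ts, kind, actor, payload, prev, hash

    def append(self, kind, actor, payload, ts=None):
        """Add one link; kind is one of source, rule, enrichment, verdict, annotation."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "kind": kind, "actor": actor, "payload": payload, "prev": prev,
        }
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True iff every link still matches its content and its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(prev, unhashed) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def current_verdict(self):
        """Newest verdict wins; earlier verdicts stay in the chain as history."""
        for e in reversed(self.entries):
            if e["kind"] == "verdict":
                return e["payload"]
        return None

    def history(self):
        return [(e["seq"], e["kind"], e["payload"]) for e in self.entries]


def build_sample_chain():
    """Constructed lifecycle of one alarm: detection, enrichment, an analyst note,
    then later evidence that downgrades the verdict without touching history."""
    chain = ReasoningChain("1:CONSTRUCTED-COMMUNITY-ID", "constructed-uuidv7-log-id")
    chain.append("source", "nave", {"sensor": "edge-01",
                 "flow": "10.0.0.5:51234 -> 93.184.216.34:443"}, "2024-05-01T03:00:03.250+00:00")
    chain.append("rule", "nic", {"rule_id": "constructed-rule-0001", "severity": 7},
                 "2024-05-01T03:00:03.300+00:00")
    chain.append("enrichment", "nim", {"ti_match": True, "confidence": 0.82},
                 "2024-05-01T03:00:03.400+00:00")
    chain.append("verdict", "nic", {"verdict": "malicious", "confidence": 0.82},
                 "2024-05-01T03:00:03.450+00:00")
    chain.append("annotation", "analyst:constructed-user",
                 {"note": "Destination is a CDN edge; checking age of the TI hit."},
                 "2024-05-01T03:14:20.000+00:00")
    chain.append("enrichment", "nim", {"ti_match": False, "reason": "indicator expired"},
                 "2024-05-01T03:15:02.000+00:00")
    chain.append("verdict", "nic", {"verdict": "benign", "confidence": 0.91},
                 "2024-05-01T03:15:02.050+00:00")
    return chain


def tamper_is_detected():
    """Rewriting the first verdict in place breaks every later link's predecessor hash."""
    chain = build_sample_chain()
    chain.entries[3]["payload"]["verdict"] = "benign"
    return not chain.verify()


if __name__ == "__main__":
    c = build_sample_chain()
    print("chain intact:", c.verify(), "| current verdict:", c.current_verdict())
    for seq, kind, payload in c.history():
        print(seq, kind, payload)
    print("edit detected:", tamper_is_detected())
```

The first verdict ("malicious") is never removed or overwritten; the downgrade is a new verdict link that supersedes it, so an auditor can still see what the platform believed at 03:00 and why it changed at 03:15. The analyst annotation is just another link, which is the edit-lock idea in practice: human judgment is recorded with the same discipline as machine output rather than applied by editing earlier records.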

Engage the Team

Discuss your security operation with the engineers who built NOGTUS.