Skip to main content

Solo Developer · 2024 - Present

Bastion

Endpoint security for the organizations enterprise vendors left behind

< 0.5%

CPU Overhead

< 100MB

Memory

< 50ms

Response

$5-8

Target Price

RustAxumTonic gRPCSurrealDBYARA-XTokio

< 0.5%

CPU Overhead

At idle on 2015-era hardware

< 100MB

Memory

Resident memory during active monitoring

< 50ms

Response

Seven-layer pipeline, parallel execution

$5-8

Target Price

Per endpoint/month vs $30-50 enterprise

The Pricing Wall

Enterprise EDR solutions from CrowdStrike, SentinelOne, and Carbon Black cost $30-50 per endpoint per month. That model works for Fortune 500 companies with dedicated security budgets and full-time IT staff. It does not work for a school district with 200 workstations, a rural clinic with 15 machines, or a nonprofit running on donated hardware. These organizations face a binary choice: pay more than they can afford, or go unprotected. Most go unprotected. The ones that try settle for basic signature-only antivirus that misses behavioral threats, fileless attacks, and lateral movement entirely. Ransomware operators know this, and they target exactly these organizations. Endpoint security should not be a luxury.

  • A 200-machine school district faces $72,000-120,000 per year for real endpoint protection
  • Rural clinics handling HIPAA-regulated patient data run basic antivirus or nothing
  • Signature-only tools miss fileless attacks, lateral movement, and behavioral threats
  • Free and open-source alternatives lack the detection depth to meet compliance requirements

The Constraints Shaped the Architecture

The target price of $5-8 per endpoint per month dictated every technical decision. The agent has to run on aging hardware with minimal overhead, so I built it in Rust with zero unsafe blocks in the core. Threat correlation is a graph problem, so I chose SurrealDB for its native graph traversal instead of forcing relational joins. Signature matching uses YARA-X to leverage the entire community rule ecosystem rather than maintaining a proprietary signature database. HIPAA and FERPA compliance are not afterthoughts bolted on at the end. They are design constraints from day one, because healthcare and education are the primary audiences.

Rust for Resource Constraints

Zero-cost abstractions and no garbage collector mean the agent runs under 0.5% CPU at idle and under 100MB memory. That matters when the hardware is a 2015 school lab machine.

SurrealDB for Threat Correlation

Threats correlate across layers. A suspicious file hash in static analysis, combined with unusual network behavior, combined with a known MITRE ATT&CK pattern is a graph traversal problem. SurrealDB handles that natively.

YARA-X for Community Rules

Instead of building a proprietary signature database, Bastion uses YARA-X to match against the full ecosystem of community-maintained threat rules. Better coverage, no vendor lock-in.

BSL 1.1 Licensing

Business Source License allows community use and self-hosting while preventing enterprise vendors from extracting the work. The organizations Bastion serves can use it. The companies that created the pricing problem cannot resell it.

Seven-Layer Detection Pipeline

Every event passes through seven independent analysis layers before reaching a verdict. Each layer runs as an isolated Tokio task, feeding results into SurrealDB where graph queries correlate signals across layers. A single indicator might be benign. Three correlated indicators from different layers are a threat.

Architecture Layers

Static Analysis

File signatures, cryptographic hashes, and PE header analysis catch known threats before execution.

YARA-XSHA-256PE Parser

Heuristic Analysis

Pattern-based detection identifies suspicious characteristics: obfuscated strings, packed binaries, unusual entropy distribution.

Custom Heuristic EngineEntropy Analysis

Behavioral Analysis

Runtime monitoring tracks process behavior, file system modifications, and network connections against known-malicious patterns.

TokioOS Event Hooks

PII Detection

Monitors for sensitive data exposure. Critical for HIPAA and FERPA compliance, where a data leak is not just a security incident but a regulatory violation.

Regex MatchersData Classification Engine

Memory Scanning

In-memory threat detection catches fileless malware and injected code that never touches disk.

Memory MapperYARA-X

Script Analysis

Deobfuscates and analyzes PowerShell, VBScript, and Office macros. Script-based attacks are the most common entry point for the organizations Bastion protects.

Script DeobfuscatorAST Parser

MITRE ATT&CK Mapping

Classifies detected behaviors against the ATT&CK framework for tactical context. Turns raw detections into actionable threat intelligence.

ATT&CK NavigatorSurrealDB Graph Queries

Parallel Layer Dispatch

The detection pipeline runs all seven layers concurrently using Tokio tasks. Each layer produces an independent verdict, and the correlation engine in SurrealDB combines them. This is why the response time stays under 50ms even with seven layers of analysis. Nothing waits in line.

View Code
Seven Tokio tasks run concurrently. SurrealDB correlates the results via graph traversal.
rust
pub async fn analyze(event: &SystemEvent, db: &SurrealClient) -> Verdict {
    let layers = vec![
        tokio::spawn(static_analysis(event.clone())),
        tokio::spawn(heuristic_analysis(event.clone())),
        tokio::spawn(behavioral_analysis(event.clone())),
        tokio::spawn(pii_detection(event.clone())),
        tokio::spawn(memory_scan(event.clone())),
        tokio::spawn(script_analysis(event.clone())),
        tokio::spawn(mitre_mapping(event.clone())),
    ];

    let results = futures::future::join_all(layers).await;
    correlate_signals(db, &results).await
}

Where It Stands

Bastion is in active development at 60,000+ lines of Rust, currently at version 13. The agent meets its performance targets on hardware from 2015 and later, running quietly alongside existing workloads without degrading the user experience. A Flutter-based management console provides centralized visibility across all endpoints in a deployment. The project is not deployed at scale yet — the technical foundation is proven, but real-world validation is the next step. The next milestone is a managed pilot with a school district to validate the $5-8 pricing target under actual production conditions with real threat exposure.

  • Under 0.5% CPU at idle and under 100MB memory, verified on 2015-era hardware
  • Sub-50ms response time across all seven detection layers running in parallel
  • HIPAA and FERPA compliance built into the detection and reporting pipeline from the start
  • BSL 1.1 license prevents enterprise extraction while keeping the project accessible
  • 60,000+ lines of Rust with zero unsafe blocks in the core detection engine