Real-time protection status. Malware reports. Cookie tracking. Location privacy. Everything Nexxus guards, in one place.
Detailed forensic reports on every threat Nexxus has detected and neutralised. Each report includes origin analysis, payload details, and indicators of compromise.
| Domain | Name | Purpose | Status | Expiry | Risk |
|---|---|---|---|---|---|
33 tracking vectors neutralised. Every protocol that can reveal your identity or location is either blocked, tunnelled, spoofed, normalised, or stripped.
Continuous behavioural authentication replaces traditional 2FA. Your typing rhythm, device credentials, input patterns, and browsing behaviour form a unique cryptographic identity that cannot be replicated.
Keystroke Dynamics — Your typing speed, key hold duration, and inter-key timing create a rhythm fingerprint unique to you. Even identical passwords typed by different people have measurably different timing signatures.
Device Binding — Your hardware attributes (CPU, memory, screen, timezone, languages) are hashed into an HMAC-SHA256 credential. The raw hardware data is never stored.
Input Analysis — Mouse velocity, scroll patterns, click intervals, and touch pressure form a behavioural profile that is nearly impossible to forge.
Session Behaviour — Page dwell time, scroll depth, navigation cadence, and transition patterns are continuously compared to your established profile.
Anomaly Detection — Statistical divergence from your profile triggers re-verification. The system learns and adapts as your patterns naturally evolve.
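The Device Binding step above can be sketched as follows. This is an added example, not Nexxus code; the attribute values are constructed, and the per-install secret key and JSON canonicalisation are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Attribute names mirror the list in the text; values are constructed samples.
SAMPLE_DEVICE = {
    "cpu": "8 cores",
    "memory": "16 GiB",
    "screen": "2560x1440@2x",
    "timezone": "Europe/Berlin",
    "languages": ["en-GB", "de-DE"],
}


def canonicalise(attrs: dict) -> bytes:
    """Serialise deterministically so key order cannot change the tag."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode("utf-8")


def enrol(attrs: dict, key: bytes) -> str:
    """Return the hex HMAC-SHA256 credential; only this value is persisted."""
    return hmac.new(key, canonicalise(attrs), hashlib.sha256).hexdigest()


def verify(attrs: dict, key: bytes, stored: str) -> bool:
    """Recompute the tag from live attributes and compare in constant time."""
    return hmac.compare_digest(enrol(attrs, key), stored)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-install secret (assumed)
    credential = enrol(SAMPLE_DEVICE, key)
    print("stored credential:", credential)
    print("same device:", verify(SAMPLE_DEVICE, key, credential))
    moved = dict(SAMPLE_DEVICE, timezone="America/New_York")
    print("changed timezone:", verify(moved, key, credential))
```

The key is what keeps the stored value from leaking the hardware data: these attributes have little entropy, so an unkeyed hash of them could be reversed by enumeration.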
Answer 6 questions about your threat model and Nexxus generates a tailored VPN & security configuration. The cookie learning engine continuously adapts to new trackers it discovers.
The cookie learning database auto-classifies new cookies using pattern matching, tracking network detection, and CNAME cloaking analysis. User decisions train the classifier for improved accuracy over time.
Beyond VPN. A comprehensive security platform with 9 independent defence systems — WAF, DDoS shield, bot detection, API security, DNS protection, Zero Trust, CDN integrity, threat intelligence federation, and adaptive rate limiting.
24/7 system-level VPN connectivity with crash recovery, captive portal handling, battery-aware profiles, and per-app routing policies. Kill switch enforced at all times.
VPN adjusts cipher overhead and scan frequency based on battery level. Kill switch remains armed at all power levels.
Adaptive ML-style cookie classification that learns from your decisions, detects evercookies across 17 storage vectors, uncloaks CNAME-cloaked trackers, and shares anonymized threat intelligence with the community.
Evercookies use multiple storage mechanisms to respawn after deletion. We monitor all 17 known vectors including HTTP cookies, localStorage, IndexedDB, ETags, canvas fingerprints, HSTS supercookies, and more.
Client-side security platform that surpasses traditional CDN/WAF providers. Certificate pinning, SCT enforcement, DNSSEC validation, HTTP smuggling detection, request rate anomaly analysis, and version downgrade protection — all running on-device.
SPKI hash pinning per domain with multi-pin support. SCT enforcement ensures certificates are logged in Certificate Transparency logs — three modes: Disabled, Report-Only, and Enforce (minimum 2 SCTs required).
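How multi-pin SPKI matching and the three SCT modes combine into one allow/deny decision, as an added example that is not Nexxus code. It assumes certificate parsing and SCT signature verification happen upstream, so it takes SPKI bytes and a count of already-validated SCTs; the host name and SPKI blobs are constructed.

```python
import base64
import hashlib
from enum import Enum

MIN_SCTS = 2  # minimum the text gives for Enforce mode


class SctMode(Enum):
    DISABLED = "disabled"
    REPORT_ONLY = "report-only"
    ENFORCE = "enforce"


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER SPKI blobs; real ones come from the parsed chain.
LEAF, BACKUP, ROGUE = b"constructed-leaf", b"constructed-backup", b"constructed-rogue"
PINS = {"example.test": {spki_pin(LEAF), spki_pin(BACKUP)}}  # multi-pin set


def evaluate(host, chain_spkis, valid_scts, mode, pins=PINS):
    """Return (allow, findings) for one connection."""
    pinned = pins.get(host)
    # Pinned host: at least one key in the presented chain must match a pin.
    if pinned is not None and not any(spki_pin(s) in pinned for s in chain_spkis):
        return False, ["pin-mismatch"]
    findings = []
    if mode is not SctMode.DISABLED and valid_scts < MIN_SCTS:
        findings.append(f"sct-shortfall:{valid_scts}/{MIN_SCTS}")
        # Report-Only records the shortfall; only Enforce blocks on it.
        if mode is SctMode.ENFORCE:
            return False, findings
    return True, findings


if __name__ == "__main__":
    print(evaluate("example.test", [LEAF], 2, SctMode.ENFORCE))
    print(evaluate("example.test", [BACKUP], 1, SctMode.REPORT_ONLY))
    print(evaluate("example.test", [ROGUE], 3, SctMode.ENFORCE))
```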
Cross-validates responses from 4+ DoH resolvers. DNSSEC validation detects Secure, Insecure, Bogus, or Indeterminate states. DNS mesh detects poisoning and inconsistencies automatically.
Detects CL.TE, TE.CL, TE.TE obfuscation, H2.CL/H2.TE downgrade attacks, H3 frame injection, request line injection, and header name space attacks across HTTP/1.1, HTTP/2, and HTTP/3.
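A detector for the HTTP/1.1 part of that list (CL.TE/TE.CL preconditions, TE obfuscation, request line and header-name-space anomalies), as an added example rather than Nexxus code. The request samples are constructed, the finding labels are hypothetical, and HTTP/2 and HTTP/3 checks are not covered.

```python
def smuggling_findings(raw: bytes) -> list:
    """Return framing ambiguities found in one HTTP/1.1 request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    findings = []
    # A request line is exactly: method SP target SP version, with no bare CR/LF.
    if len(lines[0].split(b" ")) != 3 or b"\r" in lines[0] or b"\n" in lines[0]:
        findings.append("request-line-injection")
    lengths, encodings = [], []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("malformed-header")
            continue
        # Whitespace in or around a field name is parsed differently by servers.
        if name != name.strip() or b" " in name or b"\t" in name:
            findings.append("header-name-space")
        key = name.strip().lower()
        if key == b"content-length":
            lengths.append(value.strip())
        elif key == b"transfer-encoding":
            encodings.append(value.strip(b" ").lower())
    if lengths and encodings:
        findings.append("cl-te-conflict")  # precondition for CL.TE and TE.CL
    if len(set(lengths)) > 1:
        findings.append("duplicate-content-length")
    # Strict heuristic: anything other than a single plain "chunked" is flagged.
    if len(encodings) > 1 or any(v != b"chunked" for v in encodings):
        findings.append("te-obfuscation")
    return findings


# Constructed request heads for illustration.
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BOTH = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding : chunked\r\nTransfer-Encoding: xchunked\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("clean", CLEAN), ("both", BOTH), ("obfuscated", OBFUSCATED)):
        print(label, smuggling_findings(request))
```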
Validates the integrity hash of every dependency, scans for vulnerabilities, and detects version downgrade attempts. Semver comparison prevents malicious rollbacks.
Extended 25-question security assessment with branching logic, personalized setup scripts, network environment auto-detection, geo-fencing rules, per-app bandwidth management, and custom obfuscation profiles for different adversary models.
Each tier adjusts VPN protocol, cipher suite, hop count, Tor routing, obfuscation level, and scan frequency. Obsidian tier provides CryonVPN with Cryon-Obsidian cipher, 5-hop routing, and hourly security scans.
Profiles your adversary from Opportunistic (script kiddies) through Organized (cybercrime), Corporate (espionage), Nation-State (intelligence), to Advanced Persistent Threat (unlimited resources). Each triggers appropriate obfuscation.
Auto-switch servers, enable Tor, or activate maximum obfuscation based on physical region. Per-app bandwidth allocation with 5 priority tiers from Background to Critical ensures optimal traffic routing.
Detects 7 leak types: DNS, IPv6, WebRTC (STUN/TURN), HTTP header (X-Forwarded-For), UDP split-tunnel, torrent/P2P, and mDNS/SSDP broadcast leaks. Auto-remediation blocks leaks in real-time with severity scoring.
Every Nexxus device receives a truly personalised security system — no two devices ever share the same setup. The Personalisation Engine combines 12 device hardware attributes, 8 live network signals, and 6 behaviour dimensions into a 128-byte SecurityDNA vector that drives 16 independent security axes, yielding over 12 billion distinct valid configurations. The Network Encryption Enforcer actively scans connected WiFi, assesses risk in real time, and escalates VPN encryption and invisibility automatically.
A 128-byte entropy vector is deterministically generated from three sources: DeviceFingerprint (OS, architecture, CPU cores, RAM, TPM, encryption state, form factor, cellular, Bluetooth, DPI, OS version, device-ID hash), NetworkEnvironmentProfile (WiFi security type, captive portal, DNS encryption, IPv6 exposure, LAN density, DPI detection, bandwidth, proxy detection), and BehaviorProfile (daily hours, download tier, streaming fraction, P2P usage, .onion usage, travel history). Every byte of the DNA drives one independent security knob — changing a single hardware attribute produces a completely different profile.
Security tier (5) × VPN protocol (3) × Cipher suite (4) × Hop count (5) × Obfuscation level (5) × DNS strategy (7: Cloudflare DoH, Google DoT, Quad9 DoH, Mullvad DoH, NextDNS, Local VPN DNS, Dual-stack) × Stealth schedule (5: Always-on, Network-triggered, Time-window, Battery-aware, Adaptive) × Cookie policy (6: Strict block, First-party only, ML classify, Auto-clear, Site containers, ML+Auto) × Fingerprint resistance (5: Minimal → Maximum → Adaptive) × Traffic padding (6: Off, Fixed-size, Constant-rate, Burst mimicry, Random, Adaptive) × Scan frequency (6) × Server rotation (5) × Log level (5) × WAF mode (4) × CT profile (3) × Leak-type bitmask (128) = 12,096,000,000+ combinations.
The Network Encryption Enforcer actively scans your connected WiFi, classifies the risk, and immediately applies the minimum required encryption: Acceptable → Standard VPN tunnel (AES-256-GCM), Elevated (unencrypted DNS, legacy protocol) → Enhanced VPN + obfuscation, High (open WPA, captive portal) → Multi-hop VPN + domain fronting, Critical (open/WEP network, DPI active) → Maximum: 5-hop + quantum-resistant + Tor routing. On every scan: MAC address is randomised, device invisibility is activated, IPv6 link-local is suppressed, broadcast traffic is blocked, and ARP poisoning defences are armed. The VPN encryption level only ever escalates — it never drops below the worst network seen in a session.
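The escalate-only rule in the last sentence, as an added example that is not Nexxus code. The scan field names are hypothetical, and mapping first-generation WPA to High is an assumption taken from the scanner description elsewhere on this page.

```python
from enum import IntEnum


class Risk(IntEnum):
    ACCEPTABLE = 0
    ELEVATED = 1
    HIGH = 2
    CRITICAL = 3


# Risk class to protection level, as listed in the text.
PROTECTION = {
    Risk.ACCEPTABLE: "Standard VPN tunnel (AES-256-GCM)",
    Risk.ELEVATED: "Enhanced VPN + obfuscation",
    Risk.HIGH: "Multi-hop VPN + domain fronting",
    Risk.CRITICAL: "Maximum: 5-hop + quantum-resistant + Tor routing",
}


def classify(scan: dict) -> Risk:
    """Return the worst risk class matched by one scan (hypothetical field names)."""
    security = scan.get("wifi_security")
    if security in ("open", "wep") or scan.get("dpi_active"):
        return Risk.CRITICAL
    if security == "wpa" or scan.get("captive_portal"):
        return Risk.HIGH
    # Missing DNS information is treated as unencrypted (fail closed).
    if not scan.get("dns_encrypted", False) or scan.get("legacy_protocol"):
        return Risk.ELEVATED
    return Risk.ACCEPTABLE


class Session:
    """Tracks the worst network seen; protection never drops below it."""

    def __init__(self):
        self.worst = Risk.ACCEPTABLE

    def observe(self, scan: dict) -> str:
        self.worst = max(self.worst, classify(scan))
        return PROTECTION[self.worst]


if __name__ == "__main__":
    home = {"wifi_security": "wpa2", "dns_encrypted": True}  # constructed scans
    cafe = {"wifi_security": "open"}
    session = Session()
    for scan in (home, cafe, home):
        print(scan["wifi_security"], "->", session.observe(scan))
```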
1. Device Lock (HMAC-SHA256 fingerprint) → 2. Always-On VPN (kill-switch armed) → 3. Aegis Platform (WAF, DDoS, Bot, API, DNS, Zero Trust, CDN, Federation, Rate Limiter) → 4. Aegis Shield (CT, DNSSEC, HTTP smuggling) → 5. Cookie Intelligence (ML learning) → 6. Security Center (dashboard) → 7. Leak Detection (DNS, IPv6, WebRTC, HTTP headers, UDP, P2P, mDNS) → 8. Geo-Fencing (Fortress+ tiers) → 9. WiFi Network Guard (scan, invisibility, DNS enforcement).
Fortress+ tiers auto-configure geo-fence rules for restricted regions (CN: max obfuscation, IR: enable Tor, RU: switch server, KP: disconnect alert). Per-app bandwidth allocation with 5 priority tiers (Critical → Background). Custom rules can be added at runtime.
Scans connected WiFi networks, enforces DNS encryption, detects unencrypted ISP DNS servers, makes your device invisible on any network, blocks ISP/MNO tracking of search history, defeats firewall restrictions, and boosts connection speeds — all with perfect anonymity and automatic protection.
Detects and replaces unencrypted DNS servers with encrypted alternatives. Recognises ISP-assigned DNS (DHCP automatic), fec0:: Windows auto-configured servers, and private gateway DNS as unencrypted. Replaces with Cloudflare (1.1.1.1 / 2606:4700:4700::1111), Google (8.8.8.8), Quad9 (9.9.9.9), Mullvad, or NextDNS. Forces DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) for all queries. IPv6 DNS gets IPv6 encrypted replacements.
Analyses WiFi adapter information and generates a comprehensive assessment across 7 categories: DNS Encryption (detects unencrypted servers), DNS Assignment (flags ISP-controlled DHCP DNS), WiFi Protocol (identifies legacy 802.11a/b/g vs modern Wi-Fi 5/6/7), WiFi Encryption (WEP/Open → Critical, WPA → High), Link Speed (detects asymmetry/throttling), Device Identity (MAC exposure), IPv6 Privacy (link-local address fingerprinting). Auto-fixes applied where possible. Parses Windows network adapter details format directly.
Continuously scans nearby WiFi networks and classifies risk: Open/WEP → Critical, WPA → High, WPA2 → Acceptable, WPA3 → Safe. Captive portals detected via HTTP probe, DNS hijack, cert mismatch, and OS API. Auto-protect now also triggers on unencrypted DNS and legacy WiFi protocols. Hidden SSIDs detected and classified. Full adapter parsing with protocol version, band, channel, link speeds.
MAC Randomisation · ARP Suppression · mDNS Blocking · SSDP/UPnP Blocking · DHCP Hostname Anonymisation · NetBIOS Suppression · LLMNR Blocking · Probe Request Suppression · IPv6 Router Solicitation Block · IGMP Suppression · TCP/IP Stack Randomisation · WPAD Blocking. Your device becomes completely invisible to other devices on the same network.
DNS Queries → DoH · TLS SNI → Encrypted Client Hello (ECH) · Destination IP → VPN Tunnel · Traffic Volume → Padding · Timing → Obfuscation · HTTP Headers → Stripping · Cookies → Isolation · Search Queries → Private Proxy · DPI → Protocol Obfuscation · Cellular IDs → Masking · ISP Supercookies → Stripping · WebRTC → Protection. Covers all cellular components: RAN, Core Network, PGW, SGW, HSS, MME.
Strips 12 tracking parameter types from URLs (Google/Facebook/Microsoft click IDs, UTM, analytics tags). Blocks search engine cookies. Routes searches through private engines (DuckDuckGo, Startpage, SearXNG, Brave, Mojeek, MetaGer). Strips referrer headers. Auto-clears every 15 minutes. Aware of ISP retention policies (AT&T 12-36mo, Verizon 6-12mo, T-Mobile 3-12mo, Comcast 6-24mo) — all defeated by VPN tunnel.
Bypass methods: HTTPS Disguise (443) · WebSocket Wrap · Domain Fronting · SSH Tunnel · Meek Transport · Shadowsocks AEAD · V2Ray VMess · QUIC Obfuscation. Speed boosts: DNS Caching · HTTP/2+3 Multiplexing · TCP Window Scaling · Traffic Compression · Intelligent Server Selection · Split-Horizon Routing. Automatic fallback through all methods if one is blocked.