Collector Mode: External Integration Gateway
While Endpoint Mode focuses on the internal world of a host, Collector Mode is designed for the external world. In this mode, the agent acts as the primary physical gateway for Hydra (the Integration & Network Specialist Agent). The Collector enables Myrmex to “see” and “act” upon devices that cannot run the agent locally—such as firewalls, switches, cloud APIs, and legacy servers.
🔌 The Two Faces of Collection
In Collector Mode, the agent employs two distinct strategies to gather intelligence for Hydra:
1. The Passive Ear (Syslog)
The agent acts as a high-performance Syslog server. Network devices (Firewalls, Switches, Routers) stream their security logs directly to the Collector.
- Normalization: The Collector parses raw logs from vendors like Fortinet, Cisco, or Palo Alto and standardizes them for the AI.
- Buffering: If the connection to the Myrmex cloud is unstable, the Collector buffers logs locally to prevent data loss.
2. The Active Hand (Crawlers & APIs)
The Collector executes Crawlers—specialized automation scripts that pull data from external APIs.
- SaaS & Cloud: Integrating with Microsoft 365, AWS, GCP, or CrowdStrike to pull event logs.
- Network Orchestration: Using SSH or REST APIs to programmatically update firewall rules or isolate network ports based on Hydra’s instructions.
🧠 Integration & Orchestration
Collector Mode transforms a standard server into an Orchestration Hub. Hydra uses this hub to execute its “Intent to Action” pipeline across your network perimeter:
- Identity Sync: Pulling user and group information from Identity Management Systems.
- Perimeter Hardening: Automatically updating blacklists on edge firewalls when Perseus detects a threat on an internal endpoint.
- Vulnerability Correlation: Cross-referencing endpoint state with network traffic to identify exposed services.
🛡️ Secure Collection
Even in Collector Mode, the agent maintains the same rigorous security standards:
- Credential Isolation: API keys and SSH credentials for your network devices are never stored on the Collector. They are injected in-memory only during the execution of a pull/push operation.
- Encrypted Streaming: All normalized data is compressed and sent via the same AES-256 encrypted tunnel used in Endpoint Mode.
- Local Sanitization: Sensitive information (like PII in logs) can be masked or sanitized at the edge before ever leaving your network.
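
To illustrate the Normalization and Local Sanitization steps described above, here is an added example (not Myrmex's own code). It parses a key=value log line, keeps only an allow-list of fields, and replaces PII with a keyed hash before the event would leave the network. The field names, the `pii:` token format, the key and the FortiGate-style sample line are all assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# Hypothetical masking key; a real deployment would provision it, not hard-code it.
MASK_KEY = b"constructed-demo-key"

# Allow-list: vendor field -> normalized field (names are assumptions).
# Fields not listed here are dropped and never leave the edge.
FIELD_MAP = {"devname": "device", "srcip": "src_ip", "dstip": "dst_ip",
             "action": "action", "user": "user", "msg": "message"}
PII_FIELDS = {"user"}  # fields whose whole value is treated as PII

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample line in FortiGate-style key=value syslog format.
SAMPLE = ('<189>date=2024-05-01 time=10:15:00 devname="FGT-EDGE" '
          'srcip=10.0.0.5 dstip=203.0.113.9 action="deny" '
          'user="alice@example.com" msg="login failed for alice@example.com"')

def pseudonymize(value: str) -> str:
    """Keyed hash: same input gives the same token, so events still correlate."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "pii:" + digest[:16]

def parse_kv(line: str) -> dict:
    """Extract key=value pairs; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def normalize(line: str) -> dict:
    """Map vendor fields to the common schema and mask PII on the way."""
    raw = parse_kv(line)
    event = {}
    for vendor_key, norm_key in FIELD_MAP.items():
        if vendor_key not in raw:
            continue
        value = raw[vendor_key]
        if vendor_key in PII_FIELDS:
            value = pseudonymize(value)
        else:
            # Free-text fields can embed PII; mask e-mail addresses in place.
            value = EMAIL_RE.sub(lambda m: pseudonymize(m.group()), value)
        event[norm_key] = value
    return event

if __name__ == "__main__":
    print(normalize(SAMPLE))
```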
📊 Scale & Performance
A single Myrmex Agent in Collector Mode can handle:
- Syslog: Up to 10,000 events per second (EPS).
- Integrations: Simultaneous connection to dozens of cloud and network APIs.
- High Availability: Collectors can be deployed in clusters for load balancing and redundancy.
| Interaction Type | Channel | Typical Use Case |
|---|---|---|
| Inbound | Syslog (UDP/TCP/TLS) | Network equipment, IoT, Local Linux logs |
| Outbound | HTTPS / SSH / SNMP | Cloud APIs, SaaS, Switch management |
| Upstream | Myrmex Secure Tunnel | Normalized data to the AI Platform |
Collector Mode is activated by configuring a “Collector” profile in the Myrmex Platform. Once configured, the agent automatically pivots its internal engine to prioritize integration tasks.