The Defend-O-Tron is a small, silent appliance that sits between your internet connection and your network. It quietly watches every packet on the way past — looking for attacks, shutting them down before they reach your firewall, and sharing what it learned with every other device in the community. Below is what it gives you, and where to find each piece in the admin interface.
The Defend-O-Tron drops in between your ISP equipment and your router. Traffic flows through untouched in both directions — attackers see your existing firewall, not the appliance. There's no software to install on anything else, no special configuration, no client agents.
If something ever doesn't feel right, unplug the Defend-O-Tron and plug your router back into the ISP modem the way it used to be. You're back to your original setup in seconds.
Where to find it: Cabling is covered in the Installation Guide. Once it's in line, there's nothing to tune.
When the Defend-O-Tron catches an attacker, every other Defend-O-Tron eventually learns about it too. When some other device catches a new bad actor, yours hears about it within minutes. This is the CrowdSec community feedback loop in action: each device contributes anonymized alerts (just the offending IP, the scenario, the timestamp — nothing about you) and pulls down the collective blocklist in return.
Your appliance is never working alone, and you're never the first to discover that the IP that just probed you has been hammering 30 other people too.
Where to find it: Live activity in the Cyber-Threats dashboard. Detailed per-IP context lives in the optional Cloud Dashboard below.
Every packet between the ISP and your router gets inspected in real time. Suricata is the eyes — recognizing thousands of attack patterns from a continuously-updated ruleset. CrowdSec is the brain — deciding whether to block the source, for how long, and at what scope. The result lands in nftables and takes effect immediately, with no proxying and no measurable latency on legitimate traffic.
Rules and scenarios refresh daily on their own. You don't tune signatures; the project does.
Where to find it: Live decisions on the Cyber-Threats dashboard. The honeypot rules that catch most automated scans are described on the Honeypot page.
Optional but recommended: point your network's DNS at the Defend-O-Tron and you get AdGuard Home in front of every lookup. AdGuard blocks ads, phishing domains, malware command-and-control infrastructure, and (if you want) entire categories of content — streaming, social, gambling, adult, anything you'd rather not have on your network.
You also see, for the first time, exactly what your network is asking for.
Where to find it: DNS Filter page and the AdGuard admin UI at https://adguard.protected.lan.
Most security appliances detect attacks. Far fewer can prove they did, in a way an auditor will accept months or years later. The Defend-O-Tron records every event, every threat decision, every nftables block as it happens, and signs the day's logs with an Ed25519 key anchored to NTP-attested time. When an auditor asks for proof covering, say, last quarter, you produce a single signed ZIP and walk away.
This is the kind of capability that's normally a paid SIEM add-on on Cisco / Fortinet / Sophos. It's built into the appliance and it runs automatically.
NIS2 Article 21 ready. SOC 2, ISO 27001, and Cyber Essentials use the same evidence.
Where to find it: Compliance Reporting — including the live NIS2 Evidence dashboard and the one-command evidence-pack export.
A new firmware update lands in the admin interface as a blue Update available banner. Click Download & stage, wait for the progress bar, click Apply, reboot when convenient. That's the whole flow.
The previous firmware stays on the device — if anything feels off after an update, roll back in seconds. The original factory image is always preserved as a last-resort recovery point, even if every other firmware on the device has been deleted.
Where to find it: Firmware Update — the Firmware Image entry in the Cockpit sidebar.
Forward syslog from your other firewalls, routers, web servers, and Windows servers into the Defend-O-Tron, and CrowdSec's parser pipeline turns those logs into the same threat decisions the appliance already enforces locally. It's a way to catch attacks that hit somewhere else in your environment — and then block them everywhere.
Tested with MikroTik, pfSense, Ubiquiti UniFi (UDM and managed UniFi gear), NGINX, Apache, HAProxy, Traefik, Linux rsyslog, Docker, and Windows Event Forwarding.
Where to find it: External Log Ingress with worked examples per platform.
Run your own firewalls, reverse proxies, or web servers? Attach them to the Defend-O-Tron's CrowdSec Local API and they'll consume the same threat decisions the appliance is enforcing — without round-tripping packets through it. Decisions stream out; enforcement happens locally at every edge.
One central threat picture; coverage at every device that matters.
Where to find it: CrowdSec API — fully-worked setups for Linux nftables/iptables, NGINX, Traefik, MikroTik, and pfSense.
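An added example, not code from the appliance or from CrowdSec: how a remote edge could turn successive Local API decision-stream responses into local nftables set updates. The table and set names are hypothetical and the sample responses are constructed; only the stream's new/deleted layout and the decision fields follow the CrowdSec bouncer API.

```python
import ipaddress
import re

TABLE = "inet edge_filter"                    # hypothetical nftables table
SETS = {4: "crowdsec_v4", 6: "crowdsec_v6"}   # hypothetical sets (flags interval, timeout)

# Constructed sample: two successive bodies from GET /v1/decisions/stream on the
# Local API. Addresses are documentation ranges, not real telemetry.
FIRST_POLL = {"deleted": None, "new": [
    {"scope": "Ip", "value": "203.0.113.7", "type": "ban", "duration": "3h59m50s"},
    {"scope": "Range", "value": "198.51.100.0/24", "type": "ban", "duration": "24h0m0s"},
    {"scope": "Ip", "value": "2001:db8::bad", "type": "ban", "duration": "1h0m0s"},
    {"scope": "Ip", "value": "192.0.2.9", "type": "captcha", "duration": "1h0m0s"},
    {"scope": "Ip", "value": "not-an-ip", "type": "ban", "duration": "1h0m0s"},
]}
SECOND_POLL = {"new": None, "deleted": [
    {"scope": "Ip", "value": "203.0.113.7", "type": "ban"},
]}

def go_duration_seconds(text):
    """Convert a Go duration string such as '3h59m50.5s' to whole seconds (min 1)."""
    units = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
    parts = re.findall(r"(\d+(?:\.\d+)?)(h|ms|m|s)", text)
    return max(1, int(sum(float(n) * units[u] for n, u in parts)))

def nft_commands(poll):
    """Map one stream response to nft commands plus the values left unenforced."""
    cmds, skipped = [], []
    # Deletions first, so an address lifted and re-banned in one poll stays blocked.
    for action, key in (("delete", "deleted"), ("add", "new")):
        for d in poll.get(key) or []:         # either list may be null
            scope_ok = str(d.get("scope", "")).lower() in ("ip", "range")
            try:
                net = ipaddress.ip_network(d["value"], strict=False)
            except (KeyError, ValueError):
                net = None                    # never hand unvalidated text to nft
            if net is None or not scope_ok or d.get("type") != "ban":
                skipped.append(d.get("value"))
                continue
            elem = str(net.network_address) if net.num_addresses == 1 else str(net)
            if action == "add":               # local expiry even if the API is unreachable
                elem += f" timeout {go_duration_seconds(d.get('duration', ''))}s"
            cmds.append(f"{action} element {TABLE} {SETS[net.version]} {{ {elem} }}")
    return cmds, skipped

if __name__ == "__main__":
    for poll in (FIRST_POLL, SECOND_POLL):
        cmds, skipped = nft_commands(poll)
        print("\n".join(cmds), "| skipped:", skipped)
```

The skipped list is worth logging on the edge: it shows which decisions this enforcement point cannot act on (non-ban remediations, malformed values) instead of dropping them silently.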
Sign up for a free CrowdSec community account and you get a global threat dashboard, deep per-IP context (who else has seen this attacker, what they tried, what country and ASN they're from), and — useful when you need it — an unban button for the inevitable false positive.
The appliance works perfectly without this. It just gets prettier and more searchable with it.
Where to find it: Enroll the device from the admin terminal with sudo cscli console enroll <token>. The dashboard lives at app.crowdsec.net.
Manage everything from any browser, no special software. Cockpit provides the admin shell — system overview, services, accounts, network, storage, software updates, terminal — and the Defend-O-Tron drops its own pages in alongside (Firmware Image, Root CA Download, AdGuard DNS, Cyber-Threat Dashboard, System Metrics, Proxy Status, etc.).
Light / dark theme follows your browser preference. The built-in terminal saves you an SSH client.
Where to find it: Admin Interface covers every page in detail.
A 64-bit Arm Cortex-A55 quad-core at 2 GHz under the hood — fast enough to inspect a gigabit of traffic with room to spare, frugal enough to run on USB-C power. The Rockchip RK3568B2 even ships with a small NPU on-chip, opening the door to on-device AI inference in future firmware. PCIe NVMe storage is replaceable.
Schematics are published. Bootloader is reflashable. You can repair the device yourself. This is right-to-repair as a feature, not as a compromise.
Where to find it: Hardware Specifications for the full bill of materials; Open Source Hardware for schematics, pinouts, and the upstream NanoPi R5S reference design.
When you actually need help, one command in the admin terminal opens a temporary WireGuard tunnel to our support team and a strictly-scoped SSH session inside it. A new key pair gets generated every time; nothing is reused, nothing persists.
Press Enter on the terminal to end the session — the tunnel and the support account collapse instantly. It is never open unless you opened it.
Where to find it: Remote Support — the tech-support command.