◆ DOCS / INTEGRATION_GUIDE

Integration guide.

Three steps to live traffic. The rest of this page covers deployment models, standards we implement, and the questions every team asks before they sign.

// QUICKSTART

Three steps. Five minutes.

01 → 03
ZERO CODE CHANGES

Get your client certificate

Sign up free — you receive a .p12 file containing the client certificate that authenticates you to the dashboard. Install it on the machines your team uses to log in.

Issue certificate

Point DNS at the edge

Add an A-record for the domain you want to protect, pointing at the edge IP we provide on signup. Propagation typically completes within minutes. No changes to your origin DNS or hosting.

Open the dashboard, watch the traffic

Within seconds of DNS propagation, every connection to your domain appears in the live dashboard — full fingerprint, verdict, geo, ASN, latency. Tune the verdict threshold per site when you are comfortable with what you see.

Open dashboard

// DEPLOYMENT

Three ways to plug it in.

MOD_01 → MOD_03
YOU PICK THE BOUNDARY

MOD_01

DNS-only

Default · simplest

One A-record at the edge. We handle TLS termination, the visitor never reaches your origin directly. Best for sites that are already serving over HTTPS and have no internal-only services to keep behind the edge.

MOD_02

WireGuard tunnel

Recommended for private origin

Same as DNS-only, plus a WireGuard tunnel between our edge and your origin. Your origin can have a private IP that is never reachable from the public internet. Setup is one config file and one wg-quick up.

MOD_03

Self-host (Enterprise)

On-prem or your own VPS

Run the NetSpectra edge binary on infrastructure you control. Same detection engine, same dashboard, your operational boundary. Includes a deployment runbook and a walkthrough with our engineering team.

// API

Verdicts and signals, over a REST you already know.

MTLS AUTHENTICATED
JSON RESPONSES

Every endpoint authenticates with the same client certificate that opens the dashboard. Responses are JSON, pagination is cursor-based, errors carry both a code and a human-readable reason. Webhook events stream over standard HTTPS POST with HMAC signature headers.

The full API reference — endpoint catalogue, schemas, request examples — lives inside the dashboard once you sign in. Teams that evaluate before signup can request the OpenAPI brief from engineering.

▸ Open dashboard Request OpenAPI brief

// STANDARDS

Protocols we actually implement.

IETF
NO PROPRIETARY EXTENSIONS

RFC 8446

TLS 1.3 protocol

RFC 9113

HTTP/2

RFC 7541

HPACK header compression

RFC 5280

X.509 PKI certificate profile

RFC 9001

QUIC (planned)

RFC 8555

ACME (cert issuance integration)

// BUILT ON

Open foundations. Honest attribution.

TOOLCHAIN
SOURCE TRAIL

Ada

Language used in flight control and nuclear safety systems

SPARK

Formal verification subset of Ada — mathematical proof of contracts

GNATprove

SPARK proof engine — discharges verification conditions

Orchestration layer — networking, storage, control plane

WireGuard

Secure tunnel between edge and your private origin

github.com/netspectra-oi

Public source artefacts (binaries pending — see /signup for early access)

Source artefacts and binaries are gated until release — /signup for early access, or write to engineering@netspectra.org for an NDA review.

// FAQ

Questions every team asks before they sign.

COMMON
ANSWERED PLAINLY

Do I need to install JavaScript on my pages?

No. NetSpectra reads network signatures at the TLS layer, before HTTP reaches your application. There is no client-side SDK, no JS challenge, no cookie injected by us.

What happens if the edge becomes unavailable?

Each tier has documented failover behaviour. The dashboard surfaces per-edge health in real time, and you can configure DNS health checks (or use our managed DNS) to fail over to a different edge or fail open at your discretion.

Can I self-host the engine?

Yes, on the Enterprise tier. You run the edge binary on your own infrastructure with the same detection engine that runs on our hosted nodes. Source artefacts and deployment runbook are part of the contract.

How fast is detection?

Decision latency is sub-millisecond on the hot path. Real-world end-to-end overhead added by NetSpectra in front of a public CDN-style application is in the order of microseconds, not milliseconds — well below network jitter.

Where does the data live?

Connection records and dashboard data live in the region you choose at signup. We do not sell or share telemetry. Standard retention is 30 days; longer retention is available on higher tiers. A data-processing addendum is available on request.

Is there an API?

Yes. Verdicts, fingerprints and connection records are available over a REST API authenticated by your client certificate. Real-time events stream over webhooks on Adaptive PRO. Full API reference lives inside the dashboard once you sign in.

Can I get the formal-verification artefacts?

On request, for serious evaluations. NetSpectra's crypto and decision core are implemented in Ada/SPARK with formal proofs. We share proof reports and SPARK boundary documentation under NDA — write to engineering@netspectra.org.

// READY TO INTEGRATE

Three steps stand between you and the live edge.

▸ Start free Talk to engineering