Roadmap

Kernloom is built incrementally, following the same philosophy as the product itself: observe first, understand what is there, then extend carefully.

This page shows what is available today and what is planned.


Available

Kernloom Shield

XDP-based kernel hook that attaches to your network interface and filters traffic before it reaches your application, proxy, or WAF. Handles rate limiting, blocking, and tuple-level enforcement directly at the packet layer.

Kernloom IQ

The local intelligence layer. IQ watches incoming traffic, builds a behavioural baseline, and makes progressive enforcement decisions — rate-limit first, block if behaviour continues. Runs as a daemon, writes decisions into Shield’s kernel maps, and auto-recovers when a source cleans up.

Includes autotune: thresholds adapt to your real traffic over a 7–14 day bootstrap period without manual configuration.
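To make the progressive-enforcement idea concrete, here is a small Python model of the rate-limit-then-block logic with auto-recovery and a bootstrap-derived threshold. It is an added illustration, not Kernloom's own code: the class names, the sliding-window parameters, the recovery rule and the `autotune_threshold` heuristic (three times the 95th percentile of per-window counts seen during learning) are assumptions chosen for the example, and the traffic is constructed.

```python
"""Toy progressive enforcer (hypothetical; not Kernloom's code)."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    RATE_LIMIT = "rate_limit"
    BLOCK = "block"


@dataclass
class SourceState:
    seen: deque = field(default_factory=deque)  # request timestamps inside the window
    action: Action = Action.ALLOW
    since: float = 0.0  # when the current action was applied


def autotune_threshold(window_counts, headroom=3.0):
    """Constructed heuristic: headroom x the p95 of per-window counts from bootstrap."""
    if not window_counts:
        raise ValueError("need bootstrap samples")
    ordered = sorted(window_counts)
    p95 = ordered[min(len(ordered) - 1, int(0.95 * len(ordered)))]
    return max(1, int(headroom * p95))


class ProgressiveEnforcer:
    def __init__(self, threshold, window=10.0, recover_after=60.0):
        self.threshold = threshold        # requests per window before escalation
        self.window = window              # sliding window length in seconds
        self.recover_after = recover_after
        self.sources = {}
        self.log = []                     # (time, source, action, reason): no silent decisions

    def _prune(self, st, now):
        while st.seen and now - st.seen[0] > self.window:
            st.seen.popleft()

    def _decide(self, st, src, now, action, reason):
        st.action, st.since = action, now
        self.log.append((now, src, action, reason))

    def observe(self, src, now):
        """Record one request from src at time now; return the action now in force."""
        st = self.sources.setdefault(src, SourceState())
        st.seen.append(now)
        self._prune(st, now)
        rate = len(st.seen)
        if st.action is Action.ALLOW and rate > self.threshold:
            self._decide(st, src, now, Action.RATE_LIMIT,
                         f"{rate} req/{self.window:.0f}s exceeds {self.threshold}")
        elif (st.action is Action.RATE_LIMIT and rate > self.threshold
              and now - st.since >= self.window):
            self._decide(st, src, now, Action.BLOCK,
                         "still above threshold a full window after rate limiting")
        return st.action

    def tick(self, now):
        """Housekeeping: lift enforcement from sources that cleaned up."""
        recovered = []
        for src, st in self.sources.items():
            self._prune(st, now)
            if (st.action is not Action.ALLOW and len(st.seen) <= self.threshold
                    and now - st.since >= self.recover_after):
                self._decide(st, src, now, Action.ALLOW, "below threshold; auto-recovered")
                recovered.append(src)
        return recovered

    def map_entries(self):
        """What would be written to the kernel map: only sources under enforcement."""
        return {src: st.action.value for src, st in self.sources.items()
                if st.action is not Action.ALLOW}


def demo():
    # Constructed bootstrap data: per-window request counts from a quiet period.
    threshold = autotune_threshold([8, 12, 10, 9, 15, 11, 13, 10, 9, 14])  # 45
    enf = ProgressiveEnforcer(threshold)
    # Well-behaved client: one request per second.
    good = [enf.observe("10.0.0.5", t * 1.0) for t in range(10)][-1]
    # Noisy client: 60 requests in under a second, then the same again 20 s later.
    first = [enf.observe("10.0.0.9", i * 0.01) for i in range(60)][-1]
    second = [enf.observe("10.0.0.9", 20.0 + i * 0.01) for i in range(60)][-1]
    during = enf.map_entries()
    recovered = enf.tick(120.0)
    return good, first, second, during, recovered, enf.log
```

Running `demo()` shows the escalation path described above: the noisy source is rate-limited partway through its first burst, blocked when the second burst shows the behaviour continuing a full window later, and restored to allow once it has stayed under the threshold for the recovery period; every transition lands in the log with its reason.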

Kernloom Graph

Graph learner for service-to-service communication. IQ passively records which services communicate with which during the learning phase. Once you freeze the baseline, any source attempting an unrecognised communication path is blocked immediately.

Designed for internal nodes (identity providers, databases, internal APIs) where the set of known peers is stable. Enables host-level microsegmentation without a service mesh or sidecar.
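The learn, freeze, enforce cycle above can be sketched in a few lines of Python. This is an added example and not Kernloom's implementation: the `src=... dst=... dport=...` flow-record format, the `ServiceGraph` class and its `enforce` flag (an observe-only mode that reports what would be blocked, in the spirit of the "observe first" principle) are assumptions, and the flow records are constructed.

```python
"""Toy service-graph learner with a frozen baseline (hypothetical; not Kernloom's code)."""
import re
from collections import defaultdict

# Constructed flow-record format for this example.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flow(line):
    """Return (src, dst, dport) from one constructed flow record."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))


class ServiceGraph:
    def __init__(self, enforce=True):
        self.peers = defaultdict(set)  # (dst, dport) -> sources seen reaching it
        self.frozen = False
        self.enforce = enforce         # False: observe-only, report "would-block"
        self.events = []               # (src, dst, dport, verdict, reason)

    def learn(self, line):
        """Learning phase: passively record the path as known."""
        if self.frozen:
            raise RuntimeError("baseline is frozen; no new paths are learned")
        src, dst, dport = parse_flow(line)
        self.peers[(dst, dport)].add(src)

    def freeze(self):
        """Stop learning and return the baseline for review."""
        self.frozen = True
        return {k: sorted(v) for k, v in self.peers.items()}

    def check(self, line):
        """Enforcement decision for one flow against the frozen baseline."""
        if not self.frozen:
            raise RuntimeError("freeze the baseline before enforcing")
        src, dst, dport = parse_flow(line)
        if src in self.peers.get((dst, dport), ()):
            verdict, reason = "allow", "baseline path"
        else:
            verdict = "block" if self.enforce else "would-block"
            reason = f"{src} never reached {dst}:{dport} during learning"
        self.events.append((src, dst, dport, verdict, reason))
        return verdict


# Constructed learning-phase records: two app replicas reach a database,
# one of them also reaches an identity provider.
LEARN_LINES = [
    "src=10.0.1.10 dst=10.0.2.5 dport=5432",
    "src=10.0.1.11 dst=10.0.2.5 dport=5432",
    "src=10.0.1.10 dst=10.0.3.7 dport=443",
    "src=10.0.1.10 dst=10.0.2.5 dport=5432",  # repeat; the set deduplicates it
]


def demo(enforce=True):
    g = ServiceGraph(enforce=enforce)
    for line in LEARN_LINES:
        g.learn(line)
    baseline = g.freeze()
    verdicts = [
        g.check("src=10.0.1.11 dst=10.0.2.5 dport=5432"),  # known path
        g.check("src=10.0.9.99 dst=10.0.2.5 dport=5432"),  # unknown source
        g.check("src=10.0.1.11 dst=10.0.3.7 dport=443"),   # known host, new path
    ]
    return baseline, verdicts
```

Keying the baseline on the (destination, port) tuple rather than on hosts alone is what makes the last check in `demo()` fail: the replica is a known peer of the database but never talked to the identity provider, so that path is outside the frozen graph. Constructing the graph with `enforce=False` yields "would-block" verdicts for the same flows, which is the review step before committing to enforcement.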


Planned

Kernloom Forge

Central policy management for managed deployments. Forge introduces policy packs — versioned, reviewable sets of PDPConfig profiles that can be pushed to multiple nodes. Designed for teams managing more than one or two KLIQs.

Will enable GitOps-style policy workflows: review in pull request, deploy to nodes on merge.

Kernloom Trust

Attestation and trust-aware policy decisions. Trust integrates with IMA/Keylime to verify that the node enforcing policy is in a known-good state. Attestation status becomes an input to IQ decisions: a node whose measurement does not match the expected digest can be quarantined automatically.

Kernloom Correlate

A global view across multiple nodes. Correlate aggregates risk scores, communication graphs, and enforcement events from multiple KLIQs into a single view. Designed for environments with many nodes where per-node monitoring becomes impractical.


Principles

Kernloom follows a few hard rules that shape what gets built and in what order:

  • Observe first. Every component ships with a safe, non-enforcing mode. You review what it sees before committing to enforcement.
  • No new infrastructure. Kernloom deploys on the Linux host you already run. No service mesh, no sidecar, no separate control plane required.
  • Transparent decisions. Every enforcement action is logged with the reason. Nothing happens silently.
  • Open source. The core is open. Assessment assumptions are visible. No black-box scoring.