GNSAC Vigil – Technical Documentation v3

01Platform Overview

GNSAC Vigil is an integrated AI-powered Cyber Threat Intelligence (CTI) platform providing real-time dark web monitoring, automated threat analysis and response for enterprise security operations. Continuously scanning 150+ dark web forums, 500+ Telegram channels and 100+ OSINT sources, Vigil transitions your organisation from reactive to proactive security posture.

<5min

Mean Time to Detect

99.7%

Platform Uptime SLA

50M+

Records Monitored / Month

24/7

SOC Monitoring & Support

🛡️

Core Capabilities

Real-time credential leak detection and alerting
Brand protection: fake domains, social impersonation, phishing
Supply chain risk assessment and vendor monitoring
VIP executive and critical personnel protection
Automated response via playbook engine
Predictive risk scoring and threat trend analysis
Vulnerability monitoring and CVE matching
Compliance reporting: GDPR, KVKK, ISO 27001

🔗

Integration Ecosystem

SIEM: Splunk, IBM QRadar, Microsoft Sentinel, ArcSight
SOAR: Palo Alto XSOAR, Swimlane, Tines, Phantom
Ticketing: Jira Software, ServiceNow, Freshservice
Communications: Slack, Microsoft Teams, PagerDuty, Email
IdP: Azure AD, Okta, Ping Identity (SAML 2.0 / OIDC)
API: REST (OpenAPI 3.0), GraphQL, WebSocket, Webhook

💡 Key Differentiator

Unlike traditional CTI tools that rely solely on rule-based detection, Vigil combines proprietary AI models with regional threat intelligence expertise covering Turkey, UK and USA. This delivers 40% faster detection and 60% fewer false positives versus industry benchmarks. Discovered credentials are never validated against target systems; our ethical data collection policy is fully compliant with GDPR and KVKK.

02System Architecture

Vigil is built on a microservices architecture running on Kubernetes, designed for horizontal scalability, high availability and multi-tenant data isolation. Each layer scales independently; data collection and analysis layers are fully decoupled.

LIVE

Platform Data Flow Architecture

Kubernetes Multi-tenant v3.0

📡 DATA SOURCES

🕸️Dark Web Crawler150+ forums

📱Telegram Monitor500+ channels

📋Paste Sites30+ platforms

🔍OSINT Feeds100+ sources

🤝Partner APIsIntegrated feeds

⚡ INGESTION LAYER

⚡Apache KafkaMessage queue

🔄Data NormaliserSchema transform

♻️DeduplicationEngine

AI CORE

🧠 AI & PROCESSING

🧠NLP EngineTR/EN/RU/AR

📊Anomaly DetectionML-powered

⚖️Risk Scoring0–100 dynamic

🎯Entity ExtractionNER + graph

🗄️ STORAGE LAYER

🗄️PostgreSQLPrimary data

🔎ElasticsearchSearch engine

⚡Redis CacheReal-time

📦S3 Object StoreRaw archive

🔌 API LAYER

🔌REST APIOpenAPI 3.0

📡GraphQLFlexible queries

🔔WebSocketReal-time

📤Webhook DispatcherEvent-driven

🖥️ PRESENTATION LAYER

🖥️Web DashboardReact SPA

📱Mobile AppiOS & Android

🔗SIEM / SOARSplunk, Sentinel

💌Email/Slack/TeamsNotification channels

↑

ML FEEDBACK

10M+Records / Day

203M+Credentials

800+Sources

99.7%Uptime SLA

<5minDetection Time

📈

Scalability

Kubernetes-native horizontal auto-scaling. Up to 10 billion events per day; new pods spin up in seconds during traffic spikes.

🛡️

High Availability

Multi-AZ active-active failover with 99.7% uptime SLA. Rolling updates achieve zero-downtime deployments; planned maintenance under 8 hours per year.

🏢

Multi-Tenancy

Per-tenant encryption keys (BYOK), isolated database schemas and configurable data retention policies ensure complete data isolation.

03AI Analysis Engine

Vigil's proprietary AI engine combines multiple machine learning models for threat classification, false positive reduction and predictive risk assessment. Trained on 10M+ historical breach records, the engine continuously improves through feedback loops.

🧠

Multilingual NLP (Natural Language Processing)

Entity extraction optimised for Turkish, English, Russian and Arabic threat actor communications. Identifies credentials, PII and sensitive data patterns with 99.2% precision. Named Entity Recognition (NER) with contextual analysis minimises false matches.

📊

Anomaly Detection

Unsupervised learning models (Isolation Forest, Autoencoder) detect unusual patterns in data exposure events. Models trained on 10M+ historical breach records identify novel attack vectors and emerging threat actor TTPs.

🎯

False Positive Reduction

Contextual analysis engine reduces false positive rates by 60% through source reliability scoring, cross-referencing with historical data, and multi-factor validation. Explainable AI (XAI) scores are generated for each finding to support analyst decision-making.

⚡

Predictive Risk Scoring

ML-powered dynamic risk score (0–100): evaluates threat actor activity, data sensitivity, exposure scope and historical exploitation rates. Mean detection time for critical findings is under 5 minutes; immediate notifications triggered for high-risk threats.

AI Analysis Response SchemaJSON

// POST /v1/findings/{id}/analyze — Sample AI analysis output
{
  "finding_id": "FND-2026-04812",
  "analyzed_at": "2026-03-25T08:14:22Z",
  "confidence_score": 0.94,
  "is_false_positive": false,
  "threat_level": "critical",
  "risk_score": 87,
  "patterns_detected": [
    { "type": "credential_reuse", "confidence": 0.89 },
    { "type": "targeted_campaign", "confidence": 0.72 }
  ],
  "threat_actor": {
    "alias": "DarkVortex",
    "confidence": 0.81,
    "known_ttps": ["credential_theft", "ransomware_deployment"]
  },
  "prediction": {
    "exploitation_probability": 0.67,
    "time_to_exploit_hours": 24,
    "recommended_urgency": "immediate",
    "recommended_actions": ["force_password_reset", "enable_mfa", "audit_sessions"]
  },
  "auto_actions_triggered": [
    { "action": "password_reset_initiated", "status": "completed" },
    { "action": "siem_alert_forwarded", "status": "completed" }
  ]
}
    

04Data Sources & Coverage

Vigil aggregates intelligence from 800+ sources across the surface, deep and dark web. Real-time monitoring of Turkish-language content provides a critical differentiator for Turkey-based organisations.

Source Category	Coverage	Update Frequency	Data Types
Dark Web Forums	150+ active forums	Real-time	Credentials, databases, exploit kits, initial access sales
Telegram Channels	500+ monitored channels	Real-time	Leaks, combolists, threat intel, sale announcements
Paste Sites	30+ platforms	Every 5 minutes	Code snippets, credentials, PII dumps, API keys
Marketplaces	25+ active markets	Hourly	Access sales, stolen data, ransomware toolkits
Ransomware Blogs	40+ groups tracked	Real-time	Victim announcements, data leak posts, negotiation logs
OSINT Feeds	100+ sources	Continuous	IoCs, CVEs, threat reports, attack campaigns

🇹🇷 Turkey Coverage

Turkish-language forums and local threat actors
BDDK, SPK and KGK sector-specific intelligence
Turkey-targeted phishing campaigns
Turkish ID, TCKN and IBAN leak monitoring
Early warning for KVKK breach notifications

🇬🇧 UK Coverage

FCA-regulated sector intelligence
UK-focused threat actor monitoring
Post-Brexit fraud and financial crime patterns
British financial and insurance sector threats
NCSC-aligned threat intelligence

🇺🇸 US Coverage

Finance, healthcare and critical infrastructure intel
CISA KEV (Known Exploited Vulnerabilities) integration
US-focused APT groups and state-sponsored actors
HIPAA and SOX compliance-oriented alerts
FBI IC3 threat indicator feeds

05Module API Reference

Each Vigil module is independently manageable via dedicated REST endpoints. All endpoints require JWT or API Key authentication; multi-tenant isolation is enforced through the user_id field embedded in the token.

🏷️ 5.1 Brand Protection

Detects and manages takedown requests for fake domains, social media impersonators, mobile app fraud and phishing pages targeting your brand.

Method	Endpoint	Description
GET	/v1/brand-threats	List threats — filters: `type`, `status`, `limit`, `offset`
POST	/v1/brand-threats	Create a new brand threat
GET	/v1/brand-threats/stats	Summary statistics (total, active, resolved)
GET	/v1/brand-threats/{id}	Get specific threat detail
PUT	/v1/brand-threats/{id}	Update threat information
DELETE	/v1/brand-threats/{id}	Delete threat
PATCH	/v1/brand-threats/{id}/status	Update status: active / investigating / resolved
POST	/v1/brand-threats/{id}/takedown	Initiate takedown request
POST	/v1/brand-threats/{id}/resolve	Mark threat as resolved

POST /v1/brand-threats — Create Brand ThreatcURL + JSON

curl -X POST https://api.vigil.gnsac.com.tr/v1/brand-threats \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "threat_type": "fake_domain",
    "title": "Fraudulent domain detected: acme-bank-uk.com",
    "target": "acme-bank-uk.com",
    "risk_score": 82,
    "details": { "registrar": "Namecheap", "ip": "185.220.101.45" }
  }'

// Response 201 Created
{
  "id": "bt-9f8a3c2d",
  "threat_type": "fake_domain",
  "status": "active",
  "risk_score": 82,
  "detected_at": "2026-03-25T09:00:00Z",
  "takedown_requested": false
}
      

📋 Threat Types

fake_domain — Fraudulent website impersonating your brand
social_impersonation — Fake social media account
app_impersonation — Fraudulent app in app stores
phishing — Phishing page or campaign
content_abuse — Unauthorised use of brand assets

🔗 5.2 Supply Chain

Monitors third-party vendors' dark web exposure, historical breaches and security risk scores.

Method	Endpoint	Description
GET	/v1/vendors	Vendor list — filters: `risk_level`, `category`, `search`
POST	/v1/vendors	Add a new vendor
GET	/v1/vendors/stats	Supply chain statistics
GET	/v1/vendors/{id}	Vendor detail
PUT	/v1/vendors/{id}	Update vendor information
DELETE	/v1/vendors/{id}	Remove vendor
GET	/v1/vendors/{id}/breaches	Vendor breach history
POST	/v1/vendors/{id}/breaches	Add manual breach record

👑 5.3 VIP Protection

Personal data exposure and reputational threat monitoring for C-suite executives, board members and critical personnel.

Method	Endpoint	Description
GET	/v1/vip	VIP persons list
POST	/v1/vip	Add VIP person
GET	/v1/vip/stats	VIP protection statistics
GET	/v1/vip/{id}	VIP person detail and alerts
PUT	/v1/vip/{id}	Update VIP person information
DELETE	/v1/vip/{id}	Remove VIP person
PATCH	/v1/vip/{id}/monitoring	Configure monitoring channels (email, social, darkweb)
GET	/v1/vip/{id}/alerts	VIP-related alerts list
POST	/v1/vip/{id}/alerts/{alert_id}/resolve	Mark alert as resolved

⚙️ 5.4 Playbook Automation

Define automated response workflows for threat events. Playbooks trigger automatically when configured events occur (credential_leak, brand_threat, etc.).

Method	Endpoint	Description
GET	/v1/playbooks	Playbook list
POST	/v1/playbooks	Create a new playbook
GET	/v1/playbooks/stats	Playbook statistics
GET	/v1/playbooks/{id}	Playbook detail (actions + recent runs)
PUT	/v1/playbooks/{id}	Update playbook
DELETE	/v1/playbooks/{id}	Delete playbook
PATCH	/v1/playbooks/{id}/status	Change status: active / draft / paused
POST	/v1/playbooks/{id}/run	Manually trigger playbook
GET	/v1/playbooks/{id}/runs	Execution history
POST	/v1/playbooks/{id}/actions	Add action step
DELETE	/v1/playbooks/{id}/actions/{action_id}	Remove action step

Trigger Types

Type	Description
`credential_leak`	Credential exposure detected
`brand_threat`	New brand threat created
`vip_alert`	Alert created for VIP person
`vendor_risk`	Vendor risk score reached critical level
`critical_finding`	Finding with risk score ≥ 80 detected

Action Types

Type	Description
`send_notification`	Send email, Slack or Teams notification
`create_ticket`	Auto-create Jira / ServiceNow ticket
`force_password_reset`	Force password reset via AD/LDAP
`block_ip`	Add IP block to firewall rules
`escalate`	Create SOC team escalation
`webhook`	Send POST to custom webhook endpoint

🔮 5.5 Predictive Alerts

AI-generated predictions with probability scores for future threats. Take proactive measures against attacks that haven't occurred yet but are highly likely.

Method	Endpoint	Description
GET	/v1/predictions	Predictions list — filters: `type`, `confidence`
POST	/v1/predictions	Create manual prediction
GET	/v1/predictions/stats	Prediction statistics
GET	/v1/predictions/trends	30-day trend analysis
GET	/v1/predictions/{id}	Prediction detail with AI reasoning
POST	/v1/predictions/{id}/validate	Provide outcome feedback (model improvement)
DELETE	/v1/predictions/{id}	Delete prediction

🔍 5.6 Dark Search

Real-time querying across dark web, Telegram and OSINT sources with advanced search operators for precision results.

Method	Endpoint	Description
POST	/v1/search	Execute a search query
GET	/v1/search/history	Past searches
GET	/v1/findings	Findings list — filters: `severity`, `type`, `date_from`
GET	/v1/findings/stats	Finding statistics
GET	/v1/findings/{id}	Finding detail
POST	/v1/findings/{id}/analyze	Trigger AI analysis

Query Operators

Operator	Description	Example
`site:`	Filter by specific source / forum	`site:raidforums "acme.com"`
`type:`	Filter by data type	`type:credentials "acme.com"`
`date:`	Date range filter	`date:2026-01-01..2026-03-25`
`severity:`	Filter by severity level	`severity:critical @domain.com`
`actor:`	Filter by threat actor name	`actor:DarkVortex`
`source:`	Filter by source category	`source:telegram @company`

🔓 5.7 Vulnerability Scan

Track known CVEs and security vulnerabilities targeting your organisation's digital assets.

Method	Endpoint	Description
GET	/v1/vulnerabilities	Vulnerability list — filters: `severity`, `asset_id`, `cve`
GET	/v1/vulnerabilities/{id}	Vulnerability detail with remediation guidance
GET	/v1/assets	Monitored assets list (domains, IPs, ASNs)
POST	/v1/assets	Add new asset
GET	/v1/assets/{id}	Asset detail with vulnerabilities
PUT	/v1/assets/{id}	Update asset
DELETE	/v1/assets/{id}	Remove asset from monitoring

📊 5.8 Reports

Automatically generate and download executive summary, technical detail and compliance reports.

Method	Endpoint	Description
GET	/v1/reports	Reports list — filters: `type`, `status`
POST	/v1/reports/generate	Generate new report (async)
GET	/v1/reports/{id}/download	Download PDF / XLSX report

Report Type	Description	Format
`executive_summary`	C-level summary threat report	PDF
`technical_detail`	Detailed technical report for SOC analysts	PDF, XLSX
`compliance_kvkk`	KVKK breach notification report (ready template)	PDF, DOCX
`compliance_gdpr`	GDPR Article 33 compliant breach report	PDF, DOCX
`threat_landscape`	Sector-specific threat landscape analysis	PDF

06Core API Reference

All API endpoints are accessible at https://api.vigil.gnsac.com.tr. Visit /docs for the interactive Swagger UI with OpenAPI 3.0 spec and code generation.

🔑 API Key Authentication

Authorization HeadercURL
curl -X GET https://api.vigil.gnsac.com.tr/v1/findings \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json"

🔐 OAuth 2.0 Token

Client Credentials FlowcURL
curl -X POST https://api.vigil.gnsac.com.tr/oauth/token \
  -d "grant_type=client_credentials" \
  -d "client_id=<CLIENT_ID>" \
  -d "client_secret=<CLIENT_SECRET>"
// Response:
{ "access_token": "eyJ...", "expires_in": 3600 }

Rate Limits

Each API key is subject to a per-minute request quota based on its plan tier. When exceeded, the API returns 429 Too Many Requests; the Retry-After header indicates the backoff period in seconds.

Plan	Request Limit	Burst	WebSocket	Exports	Headers
Starter	100 / min	150	5 connections	2 / hour	`X-RateLimit-Limit` `X-RateLimit-Remaining` `X-RateLimit-Reset`
Professional	500 / min	750	25 connections	20 / hour	Same headers
Enterprise	2,000 / min	3,000	Unlimited	Unlimited	Same headers
On-Premises	Unlimited (local)	—	Unlimited	Unlimited	—

Endpoint-Specific Limits

Endpoint Group	Limit	Notes
`/v1/search/*`	30 / minute	Full-text and advanced search queries — Elasticsearch load constrained
`/v1/findings/bulk`	10 / minute	Bulk create or update operations (max 100 records per request)
`/v1/reports/generate`	5 / hour	PDF/XLSX report generation — processing time 30–120 seconds
`/v1/ai/*`	50 / minute	AI analysis, prediction and insights endpoints
`/v1/webhooks/test`	10 / hour	Webhook connectivity test trigger
`/v1/assets/scan`	20 / day	Active asset scanning and vulnerability discovery operations

429 Too Many Requests — Example ResponseHTTP
HTTP/1.1 429 Too Many Requests
Retry-After: 30
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1743512400
Content-Type: application/json

{
  "error": "rate_limit_exceeded",
  "message": "API rate limit exceeded. Retry after 30 seconds.",
  "retry_after_seconds": 30,
  "limit": 100,
  "reset_at": "2026-04-01T10:00:00Z"
}

HTTP Error Codes

Code	Meaning	Description
400	Bad Request	Missing or invalid parameter
401	Unauthorized	Invalid or expired API key
403	Forbidden	Insufficient permissions for this resource (RBAC)
404	Not Found	Resource not found
409	Conflict	Resource already exists
422	Unprocessable Entity	Validation error (field details in response)
429	Too Many Requests	Rate limit exceeded; check `Retry-After` header
500	Internal Server Error	Server error; report `request_id` to support

Error Response Format

Error ResponseJSON
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "'threat_type' is required",
    "field": "threat_type",
    "request_id": "req_01abc123"
  }
}

Pagination

List Response FormatJSON
{
  "data": [ /* records */ ],
  "pagination": {
    "total": 248,
    "limit": 20,
    "offset": 0,
    "has_more": true
  }
}
// Usage: ?limit=20&offset=20

07Integration Guides

Vigil provides ready-made connectors and a robust webhook infrastructure for seamless integration with your enterprise security ecosystem.

📊 7.1 Splunk SIEM Integration

The Vigil Add-on for Splunk automatically forwards findings, alerts and timeline events to your Splunk index.

inputs.conf — Splunk Add-on ConfigurationINI
[vigil://findings]
interval = 60
api_key = <VIGIL_API_KEY>
base_url = https://api.vigil.gnsac.com.tr
index = vigil_threats
sourcetype = vigil:finding
severity_filter = high,critical

[vigil://alerts]
interval = 30
api_key = <VIGIL_API_KEY>
index = vigil_alerts
sourcetype = vigil:alert

Sample SPL QuerySplunk SPL
index=vigil_threats sourcetype="vigil:finding"
| where risk_score >= 70
| stats count by threat_level, finding_type
| sort -count
| rename threat_level AS "Threat Level", count AS "Count"

🔷 7.2 Microsoft Sentinel Integration

Vigil alerts are converted into Microsoft Sentinel incidents via a Logic App connector.

KQL Query ExampleKQL
VIGILFindings_CL
| where risk_score_d >= 80
| where TimeGenerated > ago(24h)
| project TimeGenerated, title_s, threat_level_s, risk_score_d, source_url_s
| order by risk_score_d desc

🔔 7.3 Webhook Integration

Vigil sends signed POST requests to your configured webhook endpoints for every event. HMAC-SHA256 signature verification guarantees message integrity.

Webhook Payload SchemaJSON
{
  "event_id": "evt-7a3b2c1d",
  "event_type": "finding.critical",
  "timestamp": "2026-03-25T10:30:00Z",
  "data": {
    "finding_id": "FND-2026-04812",
    "title": "Credential leak: admin@company.com",
    "severity": "critical",
    "risk_score": 87,
    "source": "telegram_channel",
    "affected_asset": "company.com"
  }
}
// Signature header: X-Vigil-Signature: sha256=<HMAC>

Python — Signature VerificationPython
import hmac, hashlib

def verify_vigil_webhook(payload_body, signature_header, secret):
    expected = hmac.new(
        secret.encode(), payload_body, hashlib.sha256
    ).hexdigest()
    received = signature_header.replace("sha256=", "")
    return hmac.compare_digest(expected, received)

Attempt	Delay	Behaviour
1st attempt	Immediate	Non-2xx → retry
2nd attempt	30 seconds	Non-2xx → retry
3rd attempt	5 minutes	Non-2xx → dead-letter queue

🎫 7.4 Jira Integration

Critical findings and playbook actions automatically create Jira Software tickets.

Vigil Field	Jira Field	Mapping
`title`	Summary	Direct copy
`severity: critical`	Priority: Highest	Auto-matched
`severity: high`	Priority: High	Auto-matched
`severity: medium`	Priority: Medium	Auto-matched
`finding_url`	Description (link)	Deep link to Vigil
`assigned_analyst`	Assignee	Email match

💬 7.5 Slack / Microsoft Teams

Instant notifications routed to different channels based on severity. Integration completes in minutes with a webhook URL.

Slack Webhook ConfigurationJSON
{
  "integrations": {
    "slack": {
      "enabled": true,
      "channels": {
        "critical": "https://hooks.slack.com/services/T.../B.../critical",
        "high": "https://hooks.slack.com/services/T.../B.../security",
        "default": "https://hooks.slack.com/services/T.../B.../general"
      },
      "min_severity": "medium"
    }
  }
}

08Security & Compliance

GNSAC Vigil is designed with defence-in-depth principles to meet enterprise security requirements.

🔒

Data Encryption

AES-256-GCM encryption at rest; TLS 1.3 in transit. Customer-managed encryption keys (BYOK) and Hardware Security Module (HSM) support. Database columns are classified by sensitivity and encrypted with separate key sets.

👥

Access Control

Role-Based Access Control (RBAC) enforces least-privilege principles. MFA can be mandated; Single Sign-On via SAML 2.0 and OIDC. IP whitelisting and geo-restrictions supported. All sessions monitored in real-time with automatic session termination on suspicious access.

📋

Audit & Logging

Every API call, user action and system event is written to an immutable audit log. Real-time SIEM forwarding; configurable retention from 1–7 years. Reports required by regulatory authorities can be generated automatically.

🌐

Ethical Data Collection

Discovered credentials are never validated against target systems. Asset ownership is verified through DNS and document verification. Data minimisation principles applied; only organisation-relevant data is collected and processed.

Compliance Frameworks

GDPR

EU General Data Protection Regulation — Article 33 breach notification templates and DPA compliance support

KVKK

Turkish Personal Data Protection Law — data processing, storage and breach notification ready reports

SOC 2 Type II

Security, availability and confidentiality trust service criteria control evidence

ISO 27001

Information security management system framework — control implementations and risk treatment plan

CCPA

California Consumer Privacy Act — API support for data deletion and portability requests

FCA

UK Financial Conduct Authority guidelines — sector-specific threat intelligence compliance support

09Deployment & System Requirements

Vigil is offered in three deployment models aligned with your organisation's infrastructure policies and data sovereignty requirements.

☁️

SaaS (Managed Cloud)

Get started immediately with no infrastructure management. All updates applied automatically.

99.7% uptime SLA guarantee
Auto-scaling and load balancing
Multi-AZ redundancy
24/7 NOC monitoring
Daily backups and disaster recovery

🏗️

Private Cloud

Isolated tenant in your AWS, Azure or GCP environment. Ideal for organisations requiring data residency.

VPC/VNet isolation
Custom encryption keys (BYOK)
Region selection (Turkey available)
Custom security policies
Enterprise support SLA

🏢

On-Premises

Full control in your own data centre. Air-gapped network support.

Complete data sovereignty
Air-gapped operation
Hardware appliance option
Dedicated support and SLA
Source code audit rights

System Requirements (On-Premises)

Component	Minimum	Recommended
CPU	4 cores	8+ cores (Intel Xeon / AMD EPYC)
Memory	8 GB RAM	16+ GB DDR4 ECC
Storage	100 GB SSD	500+ GB NVMe SSD (RAID-1)
Network	100 Mbps	1 Gbps (outbound internet access required)
OS	Ubuntu 22.04 LTS or RHEL 8+	Same + Kubernetes 1.27+

Implementation Timeline (4 Weeks)

Week 1 — Discovery & Planning

Requirements gathering, asset inventory, integration mapping, deployment architecture finalisation.

Week 2 — Deployment & Configuration

Platform deployment, SSO/SAML integration, RBAC role definitions, initial asset onboarding.

Week 3 — Integration & Testing

SIEM/SOAR connection, webhook configuration, alert threshold tuning, UAT (User Acceptance Testing).

Week 4 — Training & Go-Live

SOC team training, playbook templates, runbook handover, go-live support and success metrics review.

OVF / VMware Deployment (On-Premises)

GNSAC Vigil Local is shipped as a ready-to-deploy OVF template for VMware ESXi, vSphere or Workstation. No infrastructure expertise required — average deployment time is 20 minutes.

1

Download the OVF Package

Download the latest OVF package linked to your active licence from the GNSAC licence portal (license.gnsac.com.tr). Each package ships with a SHA-256 checksum — verify before importing: sha256sum gnsac-vigil-vX.X.ovf

2

Import into VMware

vSphere Client → File → Deploy OVF Template → select the downloaded .ovf file. Minimum resource allocation: 4 vCPU, 8 GB RAM, 100 GB disk. The VM arrives in a powered-off state after import.

3

Configure Network

VM Settings → Network Adapter → assign to your VLAN/portgroup. Static IP, gateway and DNS are configured via the console during first boot. Required outbound connectivity: license.gnsac.com.tr:443 and update.gnsac.com.tr:443

4

First Boot & Admin Password

Power on the VM and set the admin password and hostname via console. System services start automatically (vigil-api, vigil-frontend, postgresql). When ready, the console displays the IP address and management URL.

5

Licence Activation

Open https://<VM_IP> in a browser → Settings → Licence → enter your licence key → click Activate. The system generates a hardware fingerprint, sends it to the GNSAC licence server, receives a signed token and completes activation automatically.

✓

Deployment Complete

Dashboard access: https://<VM_IP> — default login: admin@vigil.local. A password change is enforced on first login. Support: support@gnsac.com.tr

Docker Compose — Quick Start (Development / Test)YAML
# gnsac-vigil/docker-compose.yml
version: '3.9'
services:
  api:
    image: registry.gnsac.com.tr/vigil-api:latest
    environment:
      - LICENSE_KEY=${LICENSE_KEY}
      - DB_URL=postgres://vigil:vigil@db:5432/darkweb_db
      - REDIS_URL=redis://redis:6379
    ports: ["8080:8080"]
    depends_on: [db, redis]
  frontend:
    image: registry.gnsac.com.tr/vigil-frontend:latest
    environment:
      - NEXT_PUBLIC_API_URL=http://api:8080
    ports: ["3000:3000"]
  db:
    image: postgres:16-alpine
    environment:
      - POSTGRES_DB=darkweb_db
      - POSTGRES_USER=vigil
      - POSTGRES_PASSWORD=vigil
    volumes: [vigil_data:/var/lib/postgresql/data]
  redis:
    image: redis:7-alpine
volumes:
  vigil_data:

Licence Activation Flow

Vigil Local licences are bound to a single machine per installation. Activation is performed through cryptographic verification with the GNSAC licence server.

🌐

Online Activation

Recommended for environments with internet access. Completes automatically in under 10 seconds.

Open the admin panel → Settings → Licence
Enter your licence key (format: VIGIL-XXXX-XXXX-XXXX)
Click Activate
The system generates a hardware fingerprint and sends it to the licence server
A signed activation token is returned and stored encrypted locally
Verify the dashboard shows the unlocked state

✈️

Offline Activation (Air-Gap)

Manual activation method for isolated networks with no internet access.

From the panel: Download Machine ID → saves machine-id.txt
From an internet-connected device, visit license.gnsac.com.tr/offline
Upload your licence key + machine-id.txt
Download the generated activation-token.sig file
In the admin panel, open Offline Activation and upload the token file

Licence Status Query — APIHTTP
GET /api/v1/license/status
Authorization: Bearer <admin_token>

// 200 OK — Success Response
{
  "status": "active",
  "plan": "enterprise",
  "license_key": "VIGIL-****-****-A3F2",
  "machine_id": "a1b2c3d4e5f6...",
  "activated_at": "2026-01-15T09:00:00Z",
  "expires_at": "2027-01-15T09:00:00Z",
  "days_remaining": 296,
  "features": ["brand_protection", "vip_monitoring", "ai_analysis", "playbooks"],
  "last_verified_at": "2026-03-25T08:00:00Z"
}

⚠️ Licence Transfer & Deactivation

To move a licence to a different machine, first revoke the current activation: Settings → Licence → Deactivate. The licence server frees the slot; you can then repeat the activation process on the new machine. Annual licences permit up to 3 machine transfers per year.