Skip to content
OverviewGetting StartedAgent ArchitectureSkills DevelopmentSecurity FeaturesAPI ReferenceFAQ

Agent Architecture

How OpenSyber deploys and manages AI agent instances.

Instance Lifecycle

Each agent runs in an isolated Docker container on a hardened VM. The lifecycle follows these stages: provisioning configuring ready running.

Security Hardening

  • Read-only root filesystem — Prevents tampering with system binaries
  • Deny-by-default firewall — Only explicitly allowed ports are open
  • Loopback-only gateway — The agent gateway binds to 127.0.0.1, not 0.0.0.0
  • AES-256 credential vault — API keys and tokens stored encrypted at rest
  • Auto-patching — Same-day CVE patches applied automatically

Health Reporting

Agents report health metrics every 30 seconds: CPU usage, memory consumption, disk utilization, and active connections. These metrics are displayed on the dashboard and used for alerting.

Environment Variables

Agents support environment variables for configuration. Sensitive values like API keys should use the credential vault instead of plain environment variables.

OPENSYBER_INSTANCE_ID=inst_abc123 OPENSYBER_REGION=eu-central-1 OPENSYBER_LOG_LEVEL=info

Updates

Agent updates are rolling — your instance is updated without downtime. Critical security patches are applied within hours of disclosure. You can view patch history in the audit logs.