Autonomous threat detection, AI-driven analysis, and automated endpoint isolation — capabilities typically found only in enterprise platforms costing $60,000–$120,000 annually. Built for K-12 schools — and every lean team that has to defend a network without an enterprise budget.
Real detection prowls in the shadows — not on flashy dashboards
K-12 school districts are among the most targeted sectors for cyberattacks in the United States — and the same pressures hit local governments, healthcare clinics, churches, nonprofits, and small businesses. They operate large, heterogeneous networks with thousands of endpoints, hold sensitive PII, fall under strict regulatory frameworks — and are chronically underfunded for cybersecurity.
TigerNDR is a custom-designed, AI-powered Network Detection and Response platform. It provides autonomous 24/7 threat detection, real-time network flow analysis, syslog event correlation, and automated endpoint isolation — running entirely on your own hardware, on your local network, and fully internet-independent.
Designed and built by TigerNDR LLC using AI-assisted development — delivering capabilities that traditionally demand a dedicated security engineering team and a multi-month build cycle.
A distributed, purpose-built architecture where each node serves a single primary function. Separation of concerns provides fault isolation, enables independent scaling, and simplifies security hardening.
All security-relevant processing occurs on your own hardware within your local network. No telemetry, logs, or analysis results leave the premises.
Continuous detection and containment without human intervention. Oversight required only for releasing contained endpoints and reviewing alerts.
Security controls layered across network (firewall policies), host (UFW, SSH key auth), application (agent guardrails, I/O classification), and process (CHOMP isolation).
CHOMP transforms TigerNDR from a passive monitoring system into an active defense platform capable of containing threats faster than any human operator. Mean time to contain: under 10 seconds.
When a host crosses threat thresholds, CHOMP registers a quarantine tag on the firewall in seconds — blocking the endpoint and emailing your team the details. It runs with hard safety limits: one target per event, a Never-Isolate list protecting all critical infrastructure, a one-way valve (TIGR can isolate, but only a human can release), and a scoped key that can do nothing but quarantine. Aligns with NIST CSF RS.MI-1.
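The four safety limits described above can be expressed as a small decision gate. This is an added example, not TigerNDR's code: the threshold, the addresses, and the `QuarantineOnlyClient` and `ContainmentGate` names are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values; the page does not publish thresholds or addresses.
NEVER_ISOLATE = [ipaddress.ip_network(n) for n in ("10.0.0.1/32", "10.0.10.0/28")]
SCORE_THRESHOLD = 80  # hypothetical threat-score cutoff


class QuarantineOnlyClient:
    """Stand-in for a firewall credential scoped to one action: add the tag.
    There is deliberately no untag/release method (the one-way valve)."""

    def __init__(self):
        self.tagged = []

    def quarantine(self, ip):
        self.tagged.append(str(ip))


@dataclass
class ContainmentGate:
    client: QuarantineOnlyClient
    handled_events: set = field(default_factory=set)

    def decide(self, event_id, candidates):
        """candidates: list of (ip_string, score). Returns (action, detail)."""
        if event_id in self.handled_events:
            return ("skip", "event already acted on")
        eligible = []
        for raw, score in candidates:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed address: never pass it to the firewall
            if score < SCORE_THRESHOLD:
                continue
            if any(ip in net for net in NEVER_ISOLATE):
                continue  # protected infrastructure is never a target
            eligible.append((score, ip))
        if not eligible:
            return ("none", "no eligible host")
        # One target per event: only the highest-scoring eligible host.
        score, ip = max(eligible, key=lambda pair: pair[0])
        self.client.quarantine(ip)
        self.handled_events.add(event_id)
        return ("quarantined", str(ip))
```

Release stays outside this code path entirely, so a compromised or misbehaving agent can at worst quarantine one non-protected host per event.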
Each agent performs one well-defined function, has access only to the data required for that function, and communicates through shared data stores — not direct coupling. Every agent is secured by local AI I/O classification and Python-level runtime guardrails.
Total platform: ~38,300 lines of Python across 77 source files and ~10,400 lines of PHP — ~48,700 lines combined, the figure cited above. Plus 86 supporting shell scripts (not included in the line count). Built entirely with AI-assisted development.
After years in the trenches, these are the non-negotiables when adding AI to critical systems.
These aren't theory — they're how we ship secure AI systems.
On 1 May 2026, the Five Eyes intelligence alliance jointly published the first major government framework governing AI systems that take autonomous actions. We treated it as a deadline, not a suggestion: TigerNDR was audited row-by-row against every published control within 24 hours of release, and the platform demonstrated substantial alignment across the standard. Where the framework calls for more, we've named the owners and the remediation work — because the only audit worth doing is the one you publish honestly.
TigerNDR directly addresses the DETECT and RESPOND functions that NIST identifies as the areas where K-12 organizations most commonly have capability gaps.
TigerNDR is built with Claude under Anthropic's Cybersecurity Verification Program (CVP) — a vetting process that authorizes approved organizations for legitimate dual-use security development while keeping prohibited uses blocked. CVP verifies the development context, not the product itself: it affirms what TigerNDR is being built for — defensive threat detection and response.
Open architecture built on standard protocols. Your data stays yours. No per-seat licensing, no annual renewals that double in year two. Runs on existing infrastructure — three of four nodes use hardware you already own.
Designed for one-person or small IT security teams. TIGR handles the monitoring, scoring, and alerting autonomously. You handle the decisions. AI-assisted development keeps the entire platform buildable and maintainable by a lean team.
All processing happens locally on your own hardware. No sensitive data, network telemetry, or authentication logs leave your local network. Regulatory compliance (FERPA, COPPA, HIPAA) is structural, not contractual.
TigerNDR is being packaged as a deployable appliance for K-12 districts and other lean organizations. Multi-tenant management plane on the roadmap. Currently optimized for Palo Alto NGFW environments, with broader vendor support coming as the platform matures.
The problem TigerNDR was built to solve
Most organizations fall into two categories: those who've experienced a ransomware attack, and those who haven't yet. Enterprise tools exist — but they're designed for SOCs, six-figure budgets, and analyst teams. TigerNDR was conceived to resolve all three of these constraints simultaneously: enterprise-grade detection and response capabilities, at a fraction of commercial cost, with all data processing performed entirely within your own network.
TigerNDR speaks to the platforms you already run — pulling asset, identity, and telemetry context from each into one queryable intelligence layer. Known compatible integrations:
A secure, on-prem conversational assistant sits on top of the platform behind an SSO login gate. Ask your network questions in plain English — device lookups, ticket status, threat context — with answers generated entirely by local inference. No data leaves your network.
Varya CLI
I'll draft something that hits the right technical notes for a public audience while staying true to the system's capability profile. Since this is for a featurette, I'll keep it high-level on function, not on internal architecture.
Here is a draft you can use:
Varya is an advanced, context-aware orchestration layer designed to unify network visibility, security monitoring, and incident response workflows across complex, multi-vendor environments. It moves beyond simple monitoring by integrating deep, real-time data streams from the entire infrastructure stack — from wired and wireless access points to core routing elements and security appliances.
In short, Varya isn't just a dashboard; it's the operational brain that correlates disparate data sources into actionable security posture intelligence, drastically reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Let me know if you want me to adjust the tone — more aggressive, more academic, or more focused on a specific vendor stack.
Whether you're a one-person IT security shop or an organization-wide team, we'd love to show you what TIGR can do. Request a demo, ask about deployment, or just say hello.
We typically respond within 24 hours.