Nuaj presents
Threat traffic
stops at the edge.
NuajProtect blocks hostile IPs, scans, brute-force attempts, and DDoS sources before they reach your applications — across Linux servers, MikroTik routers, forwarding relays, and transparent inline bridge appliances.
Live Operations Dashboard
Live visibility across protected endpoints, blocked threats, source countries, feeds, and Gatekeeper detections.
How It Works
Six layers.
One edge decision.
NuajProtect evaluates inbound traffic at the edge, applies local policy, and shares high-confidence detections across protected endpoints.
Allowlist
Trusted sources bypass enforcement checks where policy allows, keeping known-good access clean and predictable.
Blocklist
Curated threat intelligence is converted into enforceable block policy across Linux, MikroTik, relay, and bridge deployments.
Banlist
Gatekeeper detections, DDoS triggers, and application-reported threats create shared bans that can be distributed across your protected endpoints.
GeoIP
Country-level policy for regions you do not serve, exposed services that should be limited, or high-risk traffic sources.
DDoS
Traffic spikes and hostile sources can trigger rate limits, local blocking, and shared enforcement across other protected endpoints.
Gatekeeper
Application-aware detection for scans, brute-force attempts, hostile access patterns, and service-reported abuse.
Performance depends on hardware, NIC, kernel, policy size, traffic profile, and deployment mode.
The Platform
One platform.
Seven ways to protect the edge.
Deploy NuajProtect directly on servers, inside MikroTik routers, as a forwarding relay, or as a transparent inline bridge appliance.
Agents
Linux Agent
Protect Linux servers and VMs directly. The agent applies NuajProtect policy locally before hostile traffic reaches exposed services.
- Ubuntu
- Debian
- RHEL / Rocky / AlmaLinux
- Fedora
- x86_64 and ARM64
- Sentry Mode
- Relay Mode
MikroTik Agent
MikroTik routers can protect directly at the edge, forward protected traffic in Relay Mode, or operate as a transparent Bridge Mode deployment when the network design supports it. NuajProtect syncs policy into RouterOS with smart incremental updates.
- RouterOS 7.13+
- Sentry, Relay, and Bridge Mode
- Incremental address-list sync
- Policy-driven feed selection
- QR onboarding
- No firewall replacement required
NuajBridge
A zero-config transparent bridge appliance. WAN and EDGE remain unaddressed; MGMT uses DHCP for secure outbound communication to NuajProtect Central.
- WAN and EDGE have no IP
- Dedicated MGMT port
- QR onboarding
- Transparent Bridge Mode
- Optional Relay Mode
Deployment Modes
Sentry Mode
Direct protection for exposed servers or routers. NuajProtect runs at the endpoint and blocks hostile traffic before it reaches local services.
Used with: Linux Agent, MikroTik Agent
Relay Mode
Traffic is forwarded through a NuajProtect relay before reaching the protected origin. Useful for NAT, shared hosting, remote services, and centralized protection.
Used with: Linux Agent, MikroTik Agent, NuajBridge
Bridge Mode
Transparent inline protection. NuajBridge sits between the upstream connection and protected edge while WAN and EDGE remain unaddressed.
Used with: MikroTik Agent, NuajBridge
Network Architecture
NuajProtect can protect individual servers, routers, remote services, and entire network edges from the same central policy system.
The Comparison
Compare the edge protection stack.
Most tools solve only part of the problem. NuajProtect combines threat intelligence, Gatekeeper detections, Linux enforcement, MikroTik sync, forwarding relays, bridge appliances, and centralized policy.
NuajProtect is not another firewall appliance. It is a centralized edge protection system that works with the infrastructure operators already use.
| | NuajProtect | CrowdSec | FortiGate | pfSense+ | Firewalla | Untangle |
|---|---|---|---|---|---|---|
| Annual Cost (5 endpoints) | $1,490/yr | $1,860+/yr | $5,500+ yr1 | $645+/yr | $1,395 once | ~$500/yr |
| Threat Intelligence | ||||||
| Curated IP Blocklist | 3M+ included | +$900/mo | +$500/yr | manual DIY | ~100K | ~100K |
| Global Community Banlist | included | community | — | — | — | — |
| Threat Scoring | included | +$49/mo | FortiGuard | — | basic | — |
| Real-Time Feed Updates | instant | hourly | real-time | manual | real-time | daily |
| MikroTik RouterOS Sync | ✦ ONLY HERE | — | — | — | — | — |
| DDoS Protection | ||||||
| Fast-Path Filtering | Linux / MikroTik / Bridge | agent / bouncer model | appliance-dependent | — | — | — |
| Auto-Mitigation | global ban | bouncers | HW | manual | alert only | basic IPS |
| Threat filtering throughput | multi-Gbps | SW limited | 700 Mbps | 1 Gbps | 500 Mbps | 500 Mbps |
| Management | ||||||
| Cloud Dashboard | included | free | +$$/yr | local only | app | ETM |
| Live Threat Map | ✦ ONLY HERE | — | — | — | — | — |
| Analytics | included | basic | +$3K/yr | — | limited | reports |
| Multi-Site (unlimited) | included | $31/eng | +$5K/yr | per-box | MSP | ETM |
| Hardware Security | ||||||
| 30s Device Revocation | ✦ ONLY HERE | — | yes | — | app | — |
| Auto Token Rotation | ✦ 7-day auto | — | — | — | — | — |
| Data Sovereignty | ||||||
| Self-Hosted Option | perpetual lic. | SaaS only | cloud dep. | local | local | SaaS |
| Air-Gapped Capable | offline mode | — | — | yes | — | — |
Comparison based on publicly available information and typical deployment assumptions as of May 2026. Pricing, features, hardware requirements, throughput, and licensing terms vary by vendor, region, device model, and deployment size.
The Difference
Six advantages built for real operators.
NuajProtect is designed for people who operate real networks, servers, customer sites, and exposed infrastructure.
Performance
Fast-Path Filtering
Drop hostile traffic at the edge using efficient local enforcement on Linux, MikroTik, relays, and bridge appliances — without forcing customers into proprietary firewall hardware.
Integration
Native MikroTik Sync
Sync NuajProtect policy directly into RouterOS address lists with smart incremental updates. Keep MikroTik at the edge while adding centralized threat intelligence and shared protection.
Visibility
Real-Time Threat Visibility
See blocked sources by endpoint, country, feed, event type, and enforcement layer from a single operational dashboard.
Scalability
Scales With Your Infrastructure
Start with one Linux server, MikroTik router, relay, or bridge appliance, then expand across sites and customers using the same policy system.
Defense
Network-Wide DDoS Response
DDoS and abuse signals can trigger local enforcement and shared blocking across other NuajProtect endpoints on the next policy sync.
Coverage
Four Protection Paths
Protect Linux servers, MikroTik routers, forwarding relays, and transparent bridge appliances from one central dashboard.
Built-In Security
Shared protection without shared risk.
Gatekeeper detections, application signals, threat feeds, and endpoint events can become shared policy — while each deployment remains controlled, auditable, and revocable.
Communications
Mutual TLS Everywhere
Every endpoint uses device-specific credentials and secure outbound communication to NuajProtect Central. No inbound management ports are required.
Authentication
Multi-Factor Authentication
TOTP authenticator apps, WebAuthn/passkeys, SMS codes, and email verification — four MFA methods built in. Not a paid add-on.
Access Control
Role-Based Permissions
Six granular roles from Account User to Super Admin. Control exactly who can view, operate, or administer each tenant — across your entire organization.
Notifications
Real-Time Alerts
Configurable email and SMS notifications for DDoS attacks, agent offline events, and security incidents. Know instantly when something needs attention.
Integration
Application-to-Network API
Applications can report abuse that only they can see — failed logins, scans, scraping, suspicious sessions, or policy violations. Gatekeeper can convert those signals into network-level enforcement.
Flexibility
Policy Profiles
Apply standard protection profiles or customize policy per endpoint, site, customer, or deployment mode.
Pricing
Everything included.
No hidden add-ons.
Threat intelligence, dashboard access, endpoint policy, Gatekeeper events, analytics, and centralized management are included without forcing proprietary firewall hardware.
An endpoint is a protected Linux host, MikroTik router, forwarding relay, or NuajBridge appliance.
Shield
Evaluation · 1 endpoint
Free
forever
- 1 protected endpoint
- Basic threat feed
- 1-day activity history
- Dashboard access
- Community support
Guard
Small business · 5 endpoints
$149
/month
- 5 protected endpoints
- Threat intelligence feeds
- 7-day activity history
- Gatekeeper detection
- DDoS response policy
- MikroTik integration
- Relay Mode support
- Alerts and API access
Fortress
Multi-site · 25 endpoints
$549
/month
- Everything in Guard
- 25 protected endpoints
- Multi-site management
- Advanced analytics
- Customer/site grouping
- Priority support
Citadel
Operators · 100 endpoints
$1,799
/month
- Everything in Fortress
- 100 protected endpoints
- Advanced onboarding
- SLA with priority escalation
On-Premises
Total data sovereignty.
Full control of your security stack.
Deploy NuajProtect Central on your own infrastructure for complete control over policy, telemetry, logs, threat intelligence, and endpoint management. Built for organizations that require private operations, sovereign data handling, isolated environments, or air-gapped deployments.
Guard
5 endpoints
$4,900
perpetual license
+ $784/yr maintenance
- Self-hosted deployment
- Full product access
- Total data sovereignty
- Private threat intelligence pipeline
- Offline / air-gapped operation
- Custom retention policies
- Software updates & patches
- Threat feed access
- Priority support
Fortress
25 endpoints
$12,500
perpetual license
+ $2,000/yr maintenance
Everything in Guard, plus:
- 25 protected endpoints
Citadel
100 endpoints
$35,000
perpetual license
+ $5,600/yr maintenance
Everything in Fortress, plus:
- 100 protected endpoints
- Multi-tenant management
Sovereign
Unlimited endpoints
$75,000
perpetual license
+ $12,000/yr maintenance
Everything in Citadel, plus:
- Unlimited endpoints
- Nuaj Blocklist server
- White-label dashboard option
- Dedicated onboarding
All on-premises plans include full product access for the licensed endpoint count.
Maintenance covers software updates, threat feed access, security patches, and priority support. Annual maintenance is 16% of license price.
Get Started
Protect the edge.
Keep control.
Start with one endpoint, then expand protection across Linux servers, MikroTik routers, forwarding relays, and transparent bridge appliances from one NuajProtect account.
Built by operators
Forward-looking technology.
Built on real infrastructure.
Nuaj builds and operates security, AI, cloud, storage, and infrastructure technologies — shaped by hands-on experience running real networks, servers, data centers, and large-scale systems.
Security
NuajProtect
Edge threat protection for Linux servers, MikroTik routers, forwarding relays, and transparent bridge appliances. Built to stop hostile traffic before it reaches applications or networks.
Explore NuajProtect
Infrastructure
Halton Data Center
Canadian data center operations providing colocation, cloud, hosting, and managed infrastructure services — with direct operational experience behind every Nuaj platform.
Visit HaltonDC
AI Infrastructure
Applied AI Systems
AI infrastructure and applied AI development focused on practical automation, intelligent operations, private deployment, and high-performance systems for real business and infrastructure use cases.
Discuss AI infrastructure