HIDS — Host Intrusion Detection · Agent-based · Real-time · Brute-force · Trojan · Vulnerability · Baseline

Your servers. Watched from the inside.

NubexCloud HIDS installs a lightweight agent on each cloud host that monitors OS-level activity 24×7 — login attempts, running processes, network connections, file integrity, and security configuration. When an attacker gets through the perimeter, HIDS catches them on the host itself.

4 Detection categories · 13+ Threat types · 24×7 Real-time watch · ~0 CPU overhead
Illustration: HIDS agent on cloud host prod-server-01
$ ps aux | grep suspicious
root 4821 /tmp/.x7g8h --c2 → MALICIOUS PROCESS DETECTED
SSH Brute Force: 4,200 failed attempts / 5 min
Trojan Process: /tmp/.x7g8h · QUARANTINED
Rootkit: kernel module · SIGNATURE MATCH
Malicious Outbound: 45.33.32.156:4444 (C2) · CONNECTION BLOCKED
Agent active · 4 alerts active · Real-time · ~0% CPU overhead
13+ Threat categories: SSH · Trojan · Rootkit · CVE · Baseline
Real-time detection: Continuous OS-level monitoring 24×7
~0% CPU impact: Lightweight agent · no performance hit
SMS + Email alerts: Instant notification · all regions
Inside Your Host

HIDS watches what perimeter security cannot see.

WAF and DDoS protection guard the perimeter. But once an attacker is inside — through a compromised credential, a zero-day exploit, or a misconfigured service — perimeter tools are blind. HIDS is the agent watching inside every host.

🔐 Login Events: SSH · sudo · abnormal geography
    ALERT root@45.33.x.x:ssh
    WARN 3,842 failed attempts
⚙️ Running Processes: Startup path · parent PID · exec hash
    ALERT /tmp/.x7g8h --daemon
    OK nginx, mysql, sshd
🌐 Network Connections: Outbound C2 · unexpected ports
    ALERT :4444 → 45.33.32.156
    INFO 443→cdn, 3306→db
📁 File Integrity: Critical file changes · WebShell upload
    ALERT /var/www/.shell.php
    OK /etc/passwd, /etc/cron
🔧 System Configuration: Weak passwords · security baseline
    WARN MySQL root: weak pwd
    WARN Redis: no auth set
How the agent works
1. Agent collects: Lightweight process on each host continuously gathers OS events: login logs, process table, outbound connections, file changes, software versions.
2. Cloud analysis engine processes: Collected data is compared against threat intelligence feeds, CVE databases, brute-force pattern databases, and security baseline libraries.
3. Alert triggered immediately: Security events are classified by severity and sent to your team via email and SMS. The console shows the full event timeline per host.
Agent CPU: < 0.5% · Memory: ~30 MB · Encrypted transport
Detection Capabilities

Four layers of host security — continuously active.

HIDS doesn't check once on deployment. It monitors continuously — every login attempt, every new process, every outbound connection, every configuration change. Security is not a point-in-time audit; it's a real-time watch.

01 · Intrusion Detection (Active monitoring)
SSH brute-force attacks (failed + successful)
Abnormal geographic login locations
Backdoor trojan processes — network signature
Suspicious process startup paths and exec
Malicious outbound communication (C2 channels)
Rootkit and kernel-level threat signatures
WebShell file uploads and execution
Malicious scheduled task injection
02 · Vulnerability Detection (CVE scanning)
OS kernel version vs CVE database
Dynamic library version vulnerabilities
System configuration file vulnerabilities
Nginx — known CVE detection
MySQL / sshd vulnerabilities
PHP · Redis · MongoDB versions
Web application vulnerability scan
Application vulnerability pattern match
03 · Baseline Check (Security posture)
System account weak password detection
MySQL root / app account weak passwords
PHP security configuration baseline
MongoDB / Redis authentication check
Nginx / HTTPD security config check
SSH key configuration review
Permission misconfigurations (world-write)
Compliance baseline library (auto-updated)
04 · Alert Management (Response control)
Email alert — per security event type
SMS alert — immediate intrusion notification
Login IP whitelist — allowlist per server
Geographic whitelist — city-level login control
Per-host alert threshold configuration
Alert suppression whitelist for known events
Cross-region unified console dashboard
Event timeline and history per host
Live Security Events

What a real HIDS alert stream looks like.

HIDS classifies every detected event by severity — Critical, High, Medium — and streams them in real time to your security console and alert channels. This is what the first five minutes after enabling HIDS on a production server typically reveals.

HIDS Security Event Feed — prod-server-01 ● LIVE

| Severity | Category | Event | Time |
|---|---|---|---|
| CRITICAL | Intrusion | SSH brute-force SUCCESS — root login from 45.33.32.156 (TOR exit node) | 14:32:07 |
| HIGH | Trojan | Malicious process detected — /tmp/.x7g8h · C2 connection to 45.33.32.156:4444 | 14:32:09 |
| HIGH | Rootkit | Rootkit signature match — hidden kernel module · process concealment detected | 14:32:11 |
| HIGH | WebShell | WebShell detected — /var/www/html/.admin.php · PHP eval pattern match | 14:33:02 |
| MEDIUM | Vuln | CVE-2024-6387 — OpenSSH 9.2p1 · severity: CRITICAL · patch available | 14:35:18 |
| MEDIUM | Baseline | Weak password — MySQL root account · password in top-100 list · change recommended | 14:36:44 |
| INFO | Login | Normal login — admin from 10.0.1.5 (UAE) · whitelisted IP · no alert | 14:40:01 |

All events shown above occurred within 8 minutes of enabling HIDS on an unprotected production server. This is not unusual.
Product Versions

Free for core protection. Enterprise for full coverage.

All cloud hosts get basic HIDS protection automatically. Enterprise unlocks the full detection suite — vulnerability scanning, security baseline checks, and advanced alert management.

| Feature | Free | Enterprise ✦ |
|---|---|---|
| SSH brute-force detection | ✓ Included | ✓ Included |
| Abnormal login detection | ✓ Included | ✓ Included |
| Backdoor trojan detection | ✓ Included | ✓ Included |
| Malicious process detection | ✓ Included | ✓ Included |
| Rootkit and WebShell detection | ✓ Included | ✓ Included |
| Email + SMS alerts | ✓ Included | ✓ Included |
| Login IP and geo whitelist | ✓ Included | ✓ Included |
| OS kernel vulnerability detection (CVE) | — Not included | ✓ Enterprise |
| Third-party software vulnerability (Nginx, MySQL, etc.) | — Not included | ✓ Enterprise |
| Security baseline check (weak passwords, config) | — Not included | ✓ Enterprise |
| Application config baseline (PHP, Redis, MongoDB) | — Not included | ✓ Enterprise |
| Web and application vulnerability scan | — Not included | ✓ Enterprise |
| Compliance — classification protection (MLPS) | — Not included | ✓ Enterprise |

Use Cases

Every industry running servers needs HIDS. These four need it most.

HIDS is not optional for industries with data protection requirements. The question isn't whether your servers will be targeted — it's whether you'll know about it before the damage is done.

💳
Finance · Banking · Payments
Unauthorised access to financial servers carries the highest regulatory penalty.
Payment processors, trading platforms, and banking APIs are prime targets for account takeover attacks via SSH credential brute-force. HIDS detects brute-force before it succeeds and alerts immediately when any suspicious process accesses financial data directories.
SSH brute-force detection · Compliance support
🏥
Healthcare · Patient data · Clinical
Patient data is 10× more valuable on dark markets than credit card data.
Healthcare servers storing EMR (electronic medical records) are targeted by ransomware gangs that know healthcare organisations cannot afford downtime. HIDS detects the early signs of ransomware: abnormal process spawning, mass file access patterns, and C2 outbound connections.
Trojan detection · Malicious outbound blocking
☁️
SaaS · Multi-tenant · B2B
A vulnerability in your application server exposes all your customers simultaneously.
SaaS platforms face unique risk: a compromised server doesn't just expose one company's data — it exposes all their customers'. HIDS vulnerability scanning identifies unpatched CVEs in web application stacks (PHP, Node, Python dependencies) before attackers exploit them.
CVE scanning · Baseline check
🏛
Government · Enterprise · MLPS
Classification protection compliance requires continuous host security monitoring.
Government and enterprise systems subject to MLPS (Multi-Level Protection Scheme) and similar compliance frameworks require continuous monitoring, audit logs, and documented incident response. HIDS Enterprise provides the detection capability and event records needed for classification protection certification.
MLPS compliance · Audit log
Global Network

A truly global infrastructure for fast, reliable service delivery.

26 Regions · 33 Availability Zones · 25ms Regional latency · 99.95% SLA uptime
Map legend: Active region · Hub region (Dubai HQ) · Backbone link
Customer Stories

Found. Contained. Remediated.

Finance · Enterprise · UAE · SSH brute-force
HIDS detected a successful SSH root login from an unrecognised IP at 2:34am. We had the server isolated and the attacker's backdoor removed before 3am. Without HIDS, we would have discovered the breach weeks later during a routine audit — by which point payment data would have been long gone.
Head of Security · Payment processing company · Dubai
26 min detect to contain
SaaS · Enterprise · KSA · CVE detection
HIDS Enterprise flagged CVE-2024-6387 (regreSSHion) on 14 servers within hours of public disclosure. Our team patched all 14 before any active exploitation was attempted against us. Our competitors who weren't running HIDS got breached through the same vulnerability that week.
CTO · B2B SaaS platform · Riyadh · 400+ enterprise customers
14 servers patched · 0 breached
E-commerce · Enterprise · Egypt · Baseline check
The baseline check found MySQL root running with a password in our top-500 weak password list — on a production database that had been live for 18 months. HIDS also flagged Redis running without authentication on a public interface. Two critical misconfigurations in a single scan. Fixed within an hour.
Infrastructure Lead · Online retail · Cairo · 1.8M monthly users
2 critical misconfigs found instantly
Trusted by teams across the region
Falcon AI · TradeSpark · Masaar · NEXAGEN · Salam Digital · Orbita

Your hosts are being watched — by us, not them.

Install once. Know everything happening inside.

Lightweight agent. Real-time intrusion detection. Vulnerability scanning. Security baseline. Email + SMS alerts. Catch attackers on the host — not in the aftermath.

13+ Threat types · Real-time Detection speed · ~0% CPU overhead · Free + Pro: Two tiers