Open Source · MIT License

Enterprise security for those who protect others

The same Kubernetes security infrastructure used by Fortune 500 companies — free, open source, and deployed in a single command. Built for journalists, activists, and human rights organizations.

Get Started → View on GitHub
$ git clone https://github.com/JoseLorenzana272/fortress-in-a-box.git && cd fortress-in-a-box && ./install.sh

Why it exists

NGOs get hacked.
Constantly.

This is not theoretical. These are real organizations, real people, real consequences.

Breach · 2022

Red Cross

515,000+ vulnerable people's data stolen. The "Restoring Family Links" program shut down. People couldn't find their missing relatives.

Breach · 2022

Amnesty International

Breached by state-sponsored attackers. An organization that exists to protect human rights was itself being surveilled.

Ongoing

Bellingcat

The investigative group that exposed war crimes is constantly targeted by state actors trying to destroy evidence and silence sources.

$0

The average security budget for a civil society organization. State-sponsored hackers have millions. The asymmetry is deliberate.

"Small team, critical data, zero security budget. Fortress in a Box changes that."

Architecture

Defense in depth

Four layers, each catching what the previous one might miss.

Layer 01

CI/CD Scanning

Every container image scanned for CVEs before it can reach your cluster. Pipeline fails automatically.

Trivy

Layer 02

Admission Control

Six security policies enforced at the API level. Insecure deployments rejected before they ever start.

Kyverno

Layer 03

Runtime Detection

Every running container is watched. Shell access or privilege escalation triggers an instant alert.

Falco

Layer 04

GitOps Recovery

Git is the source of truth. Deleted policies or tampered deployments restored automatically within minutes.

ArgoCD
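Layer 03's alert path, as an added example that is not part of the project's files: the Falco fragment that ships events to Falcosidekick, and the Falcosidekick fragment that forwards them to Discord and Loki. Service hostnames, the namespace and the webhook URL are placeholders. The point a practitioner needs to get right is the priority threshold: Falco's stock "Terminal shell in container" rule fires at priority NOTICE, so a threshold of "warning" or higher silently drops exactly the alert this layer promises.

```yaml
# Added example, not the project's configuration. Hostnames and the webhook
# URL are placeholders; keep the real webhook in a Kubernetes Secret.

# falco.yaml (Falco side): emit JSON and POST every event to Falcosidekick
json_output: true
http_output:
  enabled: true
  url: "http://falcosidekick.falco.svc:2801/"   # assumed Service name and namespace

---
# config.yaml (Falcosidekick side): where each event is delivered
discord:
  webhookurl: "https://discord.com/api/webhooks/<id>/<token>"
  # "Terminal shell in container" is priority NOTICE in Falco's default rules.
  # A threshold of "warning" or above would drop it; use "notice" or leave empty (all).
  minimumpriority: "notice"
loki:
  hostport: "http://loki.monitoring.svc:3100"   # assumed Loki Service address
  minimumpriority: "notice"
```

To verify the path end to end, run `kubectl exec -it <pod> -- sh` against any workload and confirm the NOTICE event reaches the Discord channel; if Falco logs the event but Discord stays quiet, the threshold or the webhook is the first thing to check.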

Threat coverage

What it stops

Concrete threats, concrete responses. No vague promises.

Threat                                      How Fortress stops it
------------------------------------------  ----------------------------------------------------------------
Attacker opens a shell in your container    Falco detects it in seconds and fires a Discord alert
App deployed running as root                Kyverno blocks it before it ever reaches the cluster
Image with known vulnerabilities            Trivy scans in CI/CD; the pipeline fails automatically
Security policies deleted                   ArgoCD detects drift and restores from Git within 3 minutes
:latest image tag used                      Kyverno blocks it; only pinned versions are allowed
Container privilege escalation              Policies enforce non-root, non-privileged, read-only filesystem
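The "security policies deleted" row and Layer 04 depend on one Argo CD setting that is off by default. As an added example (not the project's own manifest), this Application keeps the policy directory pinned to Git; the repoURL is the project's repository, while the path "policies", the destination namespace and the Application name are assumptions.

```yaml
# Added example, not a file from the repository. Path and namespaces are assumed.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: fortress-policies
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/JoseLorenzana272/fortress-in-a-box.git
    targetRevision: main
    path: policies            # assumed directory holding the Kyverno manifests
  destination:
    server: https://kubernetes.default.svc
    namespace: kyverno
  syncPolicy:
    automated:
      selfHeal: true          # off by default: without it a deleted policy only shows as OutOfSync
      prune: true             # objects removed from Git are removed from the cluster as well
    syncOptions:
      - CreateNamespace=true
```

Check it by deleting one policy (`kubectl delete clusterpolicy disallow-privileged`) and watching `argocd app get fortress-policies` go OutOfSync and back to Synced. Argo CD watches live cluster objects, so self-heal usually lands in seconds; the 3-minute figure is the default Git polling interval (`timeout.reconciliation` in the argocd-cm ConfigMap), which governs how quickly a new commit is picked up. A repository webhook brings that down to seconds too.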

Data flow

From code push to full protection

Fully automated. No manual steps after ./install.sh.

GitHub Repository ← source of truth
      │
      ▼
GitHub Actions CI/CD
├── docker build
├── trivy scan ── fails if CVEs found
├── docker push → GHCR
└── update deployment manifest
      │
      ▼
ArgoCD ← watches repo every 3 min, auto-applies
      │
      ▼
Kubernetes Cluster
├── Kyverno ── blocks non-compliant deployments
├── Falco ── runtime threat detection
│   └── Falcosidekick → Discord + Loki
└── Grafana ── security dashboard
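The CI half of that flow (Layer 01 through the manifest update), as an added example rather than the project's own workflow: build, scan with Trivy, push to GHCR, then commit the pushed digest back into the manifest Argo CD watches. The image name, the manifest path `k8s/deployment.yaml`, and the action versions are assumptions; the one thing to copy exactly is `exit-code: "1"`, which is what turns a finding into a failed pipeline.

```yaml
# Added example, not the repository's workflow. Image name, manifest path and
# action versions are assumptions; the manifest is assumed to hold one container.
name: build-scan-deploy
on:
  push:
    branches: [main]

permissions:
  contents: write    # commit the updated manifest back to the repo
  packages: write    # push to GHCR

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set image name (GHCR rejects upper-case repository paths)
        run: echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}/app" >> "$GITHUB_ENV"

      - name: Build image
        run: docker build -t "$IMAGE:$GITHUB_SHA" .

      - name: Scan image and fail the job on HIGH/CRITICAL CVEs
        uses: aquasecurity/trivy-action@0.28.0   # pin to a release tag or commit SHA, never @master
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: CRITICAL,HIGH   # unfiltered, almost every base image fails on LOW findings
          ignore-unfixed: true      # no upstream fix yet means nothing the pipeline can act on
          exit-code: "1"            # non-zero exit is what actually fails the pipeline

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push image (only reached if the scan passed)
        run: docker push "$IMAGE:$GITHUB_SHA"

      - name: Pin the deployment manifest to the pushed digest
        run: |
          set -euo pipefail
          # RepoDigests is populated by the push; a digest cannot be re-pointed the way a tag can
          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$GITHUB_SHA")
          sed -i "s|^\(\s*image:\s*\).*|\1${DIGEST}|" k8s/deployment.yaml
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "deploy: ${DIGEST}"
          git push
```

The final commit is made with GITHUB_TOKEN, and pushes made with that token do not trigger another workflow run, so the manifest update cannot loop back into a rebuild. Because the manifest now references `image@sha256:...`, the cluster pulls exactly the bytes Trivy scanned, which is the property a tag alone cannot give you.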

Admission control

Six policies. Zero exceptions.

Enforced by Kyverno as a validating admission webhook on the Kubernetes API server: a non-compliant request is rejected before anything is scheduled, so there is no window in which the insecure pod runs.

disallow-root-user

Rejects containers that do not run as a non-root user. Root inside a container is the starting point for most container escapes; refusing it removes that first step.

disallow-privileged

Rejects privileged: true. A privileged container receives every Linux capability and the host's devices, which is effectively a host takeover once that container is compromised.

disallow-latest-tag

Blocks the mutable :latest tag (and untagged images, which default to it). Any tag can be re-pointed by whoever controls the registry; where you need an immutable reference, pin by digest (image@sha256:...).

require-resource-limits

Rejects containers without CPU and memory limits. Limits keep one runaway or compromised workload from exhausting the node and taking its neighbours down with it.

require-readonly-rootfs

Forces readOnlyRootFilesystem: true. An attacker inside the container cannot drop tools or modify binaries on the root filesystem. Mounted volumes and emptyDir scratch space stay writable, so keep those minimal.

disallow-host-network

Rejects hostNetwork: true. A pod on the host network sees every interface and port on the node, which is exactly what an attacker needs for sniffing and lateral movement.
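The six policies above expressed as Kyverno rules, as an added example rather than the project's own manifests. The project ships them as separate policies; this consolidated ClusterPolicy, its name and its messages are assumptions for illustration. The :latest check needs two rules, because an untagged image reference silently means :latest and must be rejected separately.

```yaml
# Added example: one ClusterPolicy carrying the six rules. The project's own
# manifests are separate policies; the name, messages and layout here are assumed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: fortress-baseline
spec:
  validationFailureAction: Enforce   # Audit would only log violations; Enforce rejects them
  background: true                   # also report pre-existing resources that violate
  rules:
  - name: disallow-root-user
    match: &pods                     # YAML anchor, reused by every rule below
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Run as non-root: set securityContext.runAsNonRoot=true on the pod or every container."
      anyPattern:
      - spec:
          securityContext:
            runAsNonRoot: true
          containers:
          - =(securityContext):
              =(runAsNonRoot): true
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
  - name: disallow-privileged
    match: *pods
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
  - name: require-image-tag          # an untagged image silently resolves to :latest
    match: *pods
    validate:
      message: "Images must carry an explicit tag or digest."
      pattern:
        spec:
          containers:
          - image: "*:*"
  - name: disallow-latest-tag
    match: *pods
    validate:
      message: "The :latest tag is mutable and not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
  - name: require-resource-limits
    match: *pods
    validate:
      message: "Every container needs CPU and memory limits."
      pattern:
        spec:
          containers:
          - resources:
              limits:
                cpu: "?*"
                memory: "?*"
  - name: require-readonly-rootfs
    match: *pods
    validate:
      message: "Set securityContext.readOnlyRootFilesystem=true."
      pattern:
        spec:
          containers:
          - securityContext:
              readOnlyRootFilesystem: true
  - name: disallow-host-network
    match: *pods
    validate:
      message: "hostNetwork is not allowed."
      pattern:
        spec:
          =(hostNetwork): "false"
```

Kyverno's autogen feature applies Pod rules to the pod templates of Deployments, StatefulSets, DaemonSets, Jobs and CronJobs, so the Deployment itself is rejected rather than failing later at pod creation. Test the policy without a cluster using the Kyverno CLI (`kyverno apply fortress-baseline.yaml --resource pod.yaml`), or against a live cluster with `kubectl apply --dry-run=server -f pod.yaml`, which still goes through the admission webhook.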


Installation

Up in five minutes

One command. Four layers of protection. No config files to learn.

terminal
# Clone the repository
$ git clone https://github.com/JoseLorenzana272/fortress-in-a-box.git
$ cd fortress-in-a-box

# Run the installer
$ chmod +x install.sh && ./install.sh

# Asks for: GitHub repo, Discord webhook (optional),
# and Grafana admin password.

╔════════════════════════════════════════╗
║         FORTRESS IS ACTIVE :D          ║
╚════════════════════════════════════════╝

Built for the people who protect others

Free, open source, MIT licensed. Deploy today.

Get Started on GitHub → Open an Issue