Live testing · v0.1.10 — Baryon is in early public preview. Expect bugs, missing UI states, and rough edges — for example adding an instance currently asks to install Gluon even if you already have it. We're shipping fixes constantly. Send feedback from inside the app or to lapizh@icloud.com.
Public preview · v0.1.10

Sovereign infrastructure
for sovereign teams.

Baryon Systems is a desktop application that hosts a growing line of independent security products. Today it ships two: Gluon, the eBPF host-defence stack, and Tachyon, the runaway-process autopilot. More products in the same shell are in private beta.


MIT core · Windows desktop · Linux ≥ 5.10 servers · zero vendor accounts

Tested on: Ubuntu 22.04 · Debian 12 · Rocky 9 · RHEL 8 · Alpine 3.19 · kernel ≥ 5.10

The product line

One desktop app. A growing line of products.

Baryon Systems is the shell. The products inside are independent of each other — different problems, different audiences, separate licenses. Pick the one you need.

Live · free during beta

Baryon Gluon

Kernel-grade defence for B2B / B2B2C APIs

eBPF firewall, hardware-bound identity, hash-chained WORM audit ledger, private Postgres tied to your tunnel, and a chat panel where kernel events become messages. Three independent layers, one console.

  • XDP drop at < 100 ns per packet
  • Per-host audit chain you can verify offline
  • TOTP + recovery codes baked in
New · June 2026

Baryon Tachyon

Runaway-process autopilot

For the 3 a.m. pages where one Python script forks 40,000 times or a customer’s ML job saturates a shared box. Tachyon throttles the offender by itself, sub-second, so on-call wakes up to a logged incident instead of a fire.

  • For CI runners, multi-tenant nodes, gameservers, ML hosts
  • No policy to write out of the box; the default is “> 50k syscalls/sec for 3 s → stop”
  • Never touches init, sshd, or any pid you allow-list
Coming soon

Baryon Quark

Confidential data analytics

Query encrypted customer datasets inside TEEs without ever decrypting them in userspace. SQL-shaped, attestation-first.

Private beta

Baryon Lepton

Zero-trust API gateway

mTLS-everywhere fronting, per-partner attestation, policy as code. Drop-in between your edge and your services.

Coming soon

Baryon Boson

Unified compliance hub

GDPR, BSI C5, ISO 27001 evidence collection. Pulls from whichever Baryon products you run; never their dependency.

Inside Gluon

One product. Five layers of defence.

This is Gluon’s internal architecture — nothing about Tachyon or any other Baryon product. Five layers that verify each other, shipped together.

eBPF/XDP firewall

Real C source, compiled by clang on your server, attached via ip link set xdp. SSH whitelist baked into the generator — you can't lock yourself out.

Layer 1 docs →

Identity & attestation

Per-host HMAC-SHA256 challenge-response and full systemd-sandbox snapshots. Pinned fingerprint on first pair.

Layer 2 docs →

Hash-chained ledger

Append-only JSONL. Each line's hash is stored as prev on the next line. verify() walks the chain and reports the first break.

Layer 3 docs →

Your Postgres, your tunnel

Vanilla postgres:16 + PostgREST + Realtime in Docker, bound to 127.0.0.1, reached only through SSH.

Layer 4 docs →

Built-in chat

Realtime + LISTEN/NOTIFY channels. Kernel firewall events post into #kernel-alerts automatically.

Layer 5 docs →

TOTP, by default

2FA enrolment with QR + manual secret, ±1-step skew window, full owner / member / guest role gating.

Trust model →
How Baryon Systems works

One installer. Two products today. The shell stays out of the way.

Install Baryon Systems on your Windows desktop. Sign in. Open the Products panel. Each product runs on its own — different installer flow, different Linux footprint, different audit trail.

Using Gluon

  1. Open Products → Gluon in the desktop app.
  2. Pair a Linux host. The desktop SSHes in and runs install.sh — creates the gluon user, installs clang + kernel headers, starts gluon-agent.service.
  3. Write firewall rules in the desktop, hit Apply. eBPF C is generated, shipped over SSH, clang-compiled on the host, ip link set xdp attaches it to the NIC.
  4. Watch the audit ledger walk its hash chain. Verify any line offline.
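
What offline verification of a hash-chained JSONL ledger involves, as an added example that is not Gluon's own code. The `prev` field and the `verify()` name come from the page; the `hash` field, SHA-256 over canonical JSON, the all-zero genesis value and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev value for the first line


def line_hash(record: dict) -> str:
    """SHA-256 over the canonical JSON of the record, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append(lines: list, event: dict) -> None:
    """Append one event, linking it to the hash of the current last line."""
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    record = {**event, "prev": prev}
    record["hash"] = line_hash(record)
    lines.append(json.dumps(record, sort_keys=True))


def verify(lines: list):
    """Walk the chain; return None if intact, else (line_no, reason) of the first break."""
    expected_prev = GENESIS
    for no, raw in enumerate(lines, start=1):
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            return (no, "not valid JSON")
        if not isinstance(record, dict) or "hash" not in record:
            return (no, "missing hash")
        if record.get("prev") != expected_prev:
            return (no, "prev does not match previous line")
        if line_hash(record) != record["hash"]:
            return (no, "content does not match hash")
        expected_prev = record["hash"]
    return None


def demo():
    """Constructed events; results for an intact, an edited and a line-deleted ledger."""
    ledger = []
    for i, action in enumerate(["rule_apply", "xdp_attach", "login", "rule_apply"]):
        append(ledger, {"seq": i, "action": action})
    edited = list(ledger)
    edited[1] = edited[1].replace("xdp_attach", "xdp_detach")  # in-place tamper
    dropped = ledger[:2] + ledger[3:]                          # line 3 removed
    return verify(ledger), verify(edited), verify(dropped)
```

A chain like this detects edits and deletions in the middle, but not truncation of the tail or a full rewrite with recomputed hashes. Catching those requires keeping the latest hash somewhere the host cannot change.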

Using Tachyon

  1. Open Products → Tachyon in the desktop app.
  2. Pair a Linux host. The desktop runs a separate, much smaller installer that drops only the Tachyon binary and policy file. No Postgres, no chat, no firewall toolchain.
  3. Edit the policy (or accept the default: > 50k syscalls/sec for 3 s → stop). Add never-touch globs for processes you want Tachyon to leave alone.
  4. Walk away. Trips and recoveries are logged to Tachyon’s own SQLite store, surfaced in the desktop’s Tachyon panel.
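
One way to evaluate the default policy above, as an added example that is not Tachyon's code. The threshold, the 3 s hold and the 250 ms loop come from the page; reading "for 3 s" as consecutive ticks, the per-pid rate input, the glob list and the sample processes are assumptions.

```python
from fnmatch import fnmatch

TICK_S = 0.25        # remediation loop period stated on the page (250 ms)
THRESHOLD = 50_000   # syscalls/sec, the page's default policy
HOLD_S = 3.0         # rate must stay above the threshold this long
NEVER_TOUCH = ["init", "systemd", "sshd", "postgres*"]  # assumed never-touch globs


class Autopilot:
    def __init__(self, threshold=THRESHOLD, hold_s=HOLD_S, never_touch=NEVER_TOUCH):
        self.threshold = threshold
        self.need = round(hold_s / TICK_S)  # consecutive ticks required (12)
        self.never_touch = never_touch
        self.streak = {}                    # pid -> consecutive ticks over threshold

    def protected(self, pid, comm):
        """pid 1 and anything matching a never-touch glob is never a candidate."""
        return pid == 1 or any(fnmatch(comm, g) for g in self.never_touch)

    def tick(self, samples):
        """samples: {pid: (comm, syscalls_per_sec)} for one tick; returns pids to stop."""
        stop = []
        for pid, (comm, rate) in samples.items():
            if self.protected(pid, comm) or rate <= self.threshold:
                self.streak.pop(pid, None)  # a dip resets the clock
                continue
            self.streak[pid] = self.streak.get(pid, 0) + 1
            if self.streak[pid] >= self.need:
                stop.append(pid)
                del self.streak[pid]
        for pid in list(self.streak):       # forget exited pids so a reused pid starts clean
            if pid not in samples:
                del self.streak[pid]
        return stop


def demo():
    """Constructed samples: a runaway script, a busy sshd, and a burst that dips before 3 s."""
    ap, trips = Autopilot(), {}
    for t in range(1, 15):
        burst = 10_000 if t == 11 else 70_000  # ffmpeg dips on tick 11
        stopped = ap.tick({4242: ("python3", 80_000),
                           900: ("sshd", 90_000),
                           5000: ("ffmpeg", burst)})
        if stopped:
            trips[t] = stopped
    return trips
```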
Baryon Systems — first run
# On your laptop:
$ BaryonSystems

# Sign-in panel → create account → Products panel opens.
# Two tiles are unlocked today: Gluon and Tachyon.

# Pick Gluon, pair a host:
ssh root@vps.example.com bash install.sh   # gluon-agent
GLUON_INSTALL_OK

# Pick Tachyon, pair the same (or a different) host:
ssh root@host2 bash tachyon-install.sh   # tachyon only
TACHYON_INSTALL_OK
How it differs

Baryon Systems vs. SaaS-shaped infrastructure.

The same problems. Two very different deals. (This table compares Gluon, the host-defence product, against the SaaS stack most teams cobble together.)

Capability | Hosted SaaS stack | Baryon Systems · Gluon
Audit trail you can hash-verify offline | Vendor-controlled | JSONL on your disk
Firewall you can read the source of | Black box | Generated C, compiled on-host
Per-row billing | Yes, always | Your hardware, your bill
Migration cost when you leave | Painful | Plain Postgres, done
Verifiable agent identity | Account-based | HMAC challenge-response
Inbound ports needed | Multiple, vendor-defined | Just SSH
In other words… | You pay them to know more than you. | You always know more than the software.

In numbers

Small, auditable, durable.

Every Baryon Systems product is written so one engineer can read the whole thing in an afternoon. Plain Python, plain SQL, plain Electron.

  • ~1300: Lines of Python in the Gluon agent
  • ~600: Lines of Python in the Tachyon daemon
  • 0: Third-party deps in either agent
  • XDP: Real in-kernel packet filter (Gluon)
  • 250 ms: Tachyon remediation loop
  • SSH: Only inbound port either product needs

Public preview · free during 2026

Install Baryon Systems on a $5 VPS this afternoon.

One installer, two products today, more on the way. The desktop comes seeded; you get the Gluon and Tachyon installers; we want your feedback when something breaks.

Download · Read the docs first

no signup · no telemetry