Architecture Overview
SecureCheap is designed as a multi-tenant SaaS platform with a clear separation between the data collection layer, the processing layer, and the presentation layer.
High-level architecture
Your Infrastructure SecureCheap Platform
──────────────────────────────── ──────────────────────────────────────────
Your Servers API Gateway (nginx + TLS 1.3)
└── SC Agent (lightweight) ──────▶ │
collected every 15s │ Ingest Service
│ (validates + normalizes metrics)
Your Domains │
└── HTTP/SSL Checks ───────────────▶ │ Storage Layer
from 3 probe locations │ ┌──────────────┬──────────────────┐
│ │ TimescaleDB │ PostgreSQL │
Your Cloud APIs │ │ (time-series)│ (accounts, config)│
└── Provider read-only ────────────▶ │ └──────────────┴──────────────────┘
calls to AWS/DO/CF APIs │
│ Processing Layer
│ ├── Alert Engine (threshold eval)
│ ├── Security Scanner
│ ├── Cost Analyzer
│ └── AI Assistant (LLM inference)
│
│ Notification Service
│ └── Email / Slack / Discord / Telegram
│
│ Dashboard (Next.js, Vercel Edge)
│ API (Next.js API Routes + Node.js)Data flow
Server metrics (agent-based)
1. Agent collects metrics from OS (procfs, sysfs)
2. Agent sends compressed JSON payload over HTTPS to api.securecheap.com/v1/ingest
3. Ingest validates auth token and workspace
4. Data written to TimescaleDB (compressed time-series)
5. Alert engine evaluates thresholds every 15s
6. Dashboard queries via REST API with time-range parametersHTTP monitors (probe-based)
1. Scheduler dispatches check job to all configured probe locations
2. Each probe independently performs: DNS → TCP → TLS → HTTP → keyword match
3. All probe results collected and aggregated
4. Consensus: monitor is DOWN only if ALL probes agree
5. Results written to TimescaleDB
6. Response time percentiles computed on readRegional probes
| Location | ASN | Purpose |
|---|---|---|
| Frankfurt | Hetzner AS24940 | EU primary |
| New York | DigitalOcean AS14061 | US primary |
| Singapore | Vultr AS20473 | APAC primary |
All probes run independently and their results are cryptographically signed to prevent spoofing.
Probe source IPs are published at https://api.securecheap.com/v1/probe-ips.
You can allowlist these in your firewall to ensure checks complete even when blocking unknown traffic.
Agent architecture
See: Monitoring Agent
Security practices
See: Security Practices