Discord has open-sourced Osprey, its internal event stream decisions engine capable of evaluating 2.3 million rules per second across 400 million daily actions. Engineered with a Rust coordinator and stateless Python worker nodes, Osprey provides a horizontally scalable architecture for real-time threat detection and mitigation. The project is managed in partnership with the ROOST organization and internet.dev. Osprey operates as an event stream decisions engine that investigates real-time platform activity and executes automated responses. By offering a scalable architecture, the project has seen early adoption by networks like Bluesky and Matrix.org. This open-source transition shifts a proprietary tool into a configurable resource for the broader engineering community.
Osprey evaluates JSON-formatted event payloads, called Actions, against dynamically loadable rules. These rules are written in SML, a domain-specific language with a Python syntax that supports static validation. SML provides accessibility for security analysts while remaining extensible for software engineers. Developers can expand the engine using User Defined Functions written in standard Python. UDFs define the standard library for Osprey and enable external API calls or machine learning model integrations. The system tracks state across specific targets, known as Entities, allowing operators to apply labels and classifications.
After processing an Action, the engine generates verdicts or effects that are routed to configurable output sinks. The open-source release utilizes the Pluggy Python library to provide integration points for these sinks, replacing internal Discord dependencies. A standard deployment utilizes Apache Kafka to route results into an Apache Druid cluster, which powers real-time analysis through the Osprey UI.
An InfoQ review of the roostorg/osprey GitHub repository reveals a decoupled polyglot architecture designed to handle sustained event throughput. To manage high concurrency, the system employs a coordinator service written in Rust. The repository code shows the coordinator manages asynchronous event streams from message queues and prioritizes synchronous gRPC requests to maintain stable latency.
The rule evaluation occurs on stateless Python worker nodes. To optimize execution speed, the Python workers parse the SML rules into an Abstract Syntax Tree at startup. This step front-loads the compilation cost and minimizes per-event processing time. Rules are distributed to the workers via ETCD, enabling dynamic updates in production without requiring a redeployment of the application. Because the workers are stateless and containerized via Docker, organizations can horizontally scale processing capacity to accommodate traffic spikes. The combination of the Rust coordinator for traffic shaping and the scalable Python workers provides a resilient system for continuous event evaluation.
The adoption of Rust and Python polyglot architectures is becoming a standard pattern for systems that require high throughput. In this model, Rust serves as the data plane, managing network traffic, memory allocation, and high-concurrency execution. Python acts as the control plane, handling business logic, machine learning integrations, and user APIs. This separation allows engineering teams to maximize hardware utilization while maintaining developer velocity in the application layer. Osprey utilizes this pattern for event streaming, and it is also the foundation of widely adopted data tools. For example, the Polars DataFrame library and Hugging Face tokenizers rely on a Rust core for compute-heavy operations while exposing a Python control plane for usability.