Skip to content

Hybrid and Disconnected Modes

Model Scanner supports two primary deployment modes to give you flexibility based on your network security requirements and how much data you want to share with HiddenLayer.

Deployment Modes

The Model Scanner API container can be deployed in either Hybrid Mode or Disconnected Mode. The architecture for these modes are very similar, except where the results are stored.

Hybrid Mode

In the hybrid deployment, the Model Scanner Orchestrator runs in your own environment (on-premises or in your cloud), while the HiddenLayer Console UI remains hosted by HiddenLayer. This setup provides a balance between local control and centralized visibility.

  • Scanning happens locally. Model files are never sent to HiddenLayer.
  • Only scan results are sent back to the HiddenLayer Console.
  • You will configure the Orchestrator with your API Client ID, Client Secret, and Tenant ID to securely send result data to the hosted console. Get these from the Console or your Console Admin.
EXPAND to see an example Hybrid Pod YAML Configuration - US Region

The Hybrid mode configuration is highlighted.


    modelscanner:
      enable: true
      orchestrator:
        tenant_id: 
        hybrid:
          enable: true
          client_id: 
          client_secret: 
          results_collector_url: "https://api.hiddenlayer.ai"  # URL for Results Collector (optional)
          auth_url: "https://auth.hiddenlayer.ai/oauth2/token"  # URL for Authentication (optional)
EXPAND to see an example Hybrid Pod YAML Configuration - EU Region

The Hybrid mode configuration is highlighted.


    modelscanner:
      enable: true
      orchestrator:
        tenant_id: 
        hybrid:
          enable: true
          client_id: 
          client_secret: 
          results_collector_url: "https://api.eu.hiddenlayer.ai"  # URL for Results Collector (required)
          auth_url: "https://auth.eu.hiddenlayer.ai/oauth2/token"  # URL for Authentication (required)
  • Ideal for organizations that want centralized insights but need to keep model artifacts private.

Disconnected Mode

In the fully disconnected mode, all components including scanning and storage are hosted and operated entirely within your environment. There is no communication with the HiddenLayer Console or external APIs.

  • Nothing leaves your environment, including scan results.
  • The HiddenLayer UI is not available for disconnected deployments, as there is no data being sent back to the UI. You will interact with results directly from logs or custom integrations.
  • Results are stored in Redis locally, where they can be accessed via API, logs, or custom integrations.
  • Suitable for high-security environments with strict data control policies.

Architecture

Model Scanner efficiently handles large ML models by utilizing an asynchronous task queue pattern built on Redis queues and binary object storage. When you upload a machine learning model to the scanner using an HTTP POST request, you have the flexibility to specify the data payload as:

  • A binary payload,
  • A local file pointer for models less than 2GB in size, or
  • An object store file pointer for larger files.

Model Scanner stores the results of the scanning process in an object store.

{% admonition type="info" name="Data Residency Requirements" %} If your data residency requirements do not allow connections to cloud services, you may choose to provision MinIO on your infrastructure.

{% img src="./images/model_scanner_orchestrator_architecture.png" alt="Model Scanner Enterprise Architecture" align="center" withLightbox=true width="800px" /%}