Eight products, each best-in-class at its security layer. Buy them together as one platform: replace 5-7 vendors and cut TCO by 62%.
Hyperconverged infrastructure for the zero-knowledge era.
CyForge is HCI by Gartner's definition: compute + storage + network + management converged on commodity hardware. Built on KubeVirt, Longhorn, and OVN. No proprietary appliances. No phone-home. No per-socket licensing. Replaces Nutanix and VMware VCF at half to one-third the TCO.
150-1,500% VCF renewal hikes have reopened every 2-year HCI plan. CyForge migrates VMs from vSphere via cross-provider migration with automatic rollback.
HX hit end-of-sale Sept 2024. Customers are being pushed into Nutanix economics. CyForge runs on the same x86 hardware they already have.
India DPDPA, EU NIS2, GCC nation-state requirements need air-gappable infrastructure. CyForge is sovereign by construction: zero phone-home, source-code escrow.
Yotta, CtrlS, NxtGen layer CyForge on existing capacity. They become sovereign cloud providers overnight. 70/30 revenue share.
Single Helm chart. Bare metal to first VDI session in under 30 minutes.
KubeVirt, libvirt, VMware, AWS, Azure, GCP, Proxmox, Nutanix, Hyper-V: one API.
OSS foundation. Add nodes without compounding vendor cost.
Verified zero phone-home telemetry. Source-code escrow available.
Nine hypervisors. One API. Zero lock-in.
CyAxis provides a unified VmProvider SPI across every major hypervisor and cloud: provision, migrate, snapshot, scale on KubeVirt, libvirt, VMware, AWS, Azure, GCP, Proxmox, Nutanix, and Hyper-V from one control plane. No competitor covers this many providers behind a single interface.
On-prem KubeVirt for baseline, burst to AWS/Azure/GCP during peaks. Same API, same audit, same identity model.
Move a VM from VMware to KubeVirt, or AWS to Azure, with validation and automatic rollback. Verified in production.
Primary on Nutanix, DR on Proxmox or AWS. CyAxis replicates regardless of underlying virtualization.
Provision dev environments on the cheapest available capacity. Devs see one Terraform provider; platform team optimizes the backend.
KubeVirt/VMware live-verified. Snapshot+convert+import flow for cloud providers.
Same metrics, same logs, same alerts across all 9 providers.
Returns NOT_SUPPORTED / CLOUD_IMPOSSIBLE for ops AWS can't do, with no fake success.
Zero-knowledge VDI. The credential never reaches the user.
CyDusk is a passwordless VDI broker. When a user clicks "connect to db-prod-01", the credential is fetched server-side, injected into the RDP/SSH/VNC tunnel by the broker, and never crosses the user's network. Stolen laptops, browser extensions, keyloggers, and clipboard scrapers cannot obtain the credential. Ever.
Give 200 contractors access to internal apps without ever giving them passwords. Revoke in <60s via per-session CAE.
Replace CyberArk. DBA clicks "connect", sees the session, never sees the password. Full session recording with forensic watermarking.
Browser-only access to clinical apps and trading terminals. No local install. No VPN. No PHI/PII on endpoint. HIPAA + RBI + SEBI compliant by architecture.
India engineering team accesses parent-company systems. Credentials stay in the parent's vault. India endpoints see only pixels. Data residency satisfied.
Citrix per-CCU pricing + NetScaler + Director adds up fast. CyDusk delivers VDI at 1/10 the list price, including FIDO2 and session recording.
Patent filings in progress. Verifiable property: stolen endpoints cannot exfiltrate the credential.
Passwordless authentication built in. No paid add-on. Smart cards work via PKCS#11 redirection.
Per-tenant DCT watermark. Every recording cryptographically attributable to the user session.
RDP, SSH, VNC, SPICE all rendered in browser via Guacamole. No client install, no VPN, no training.
Remote Browser Isolation. Pixels only. Nothing else.
CyLens runs Chromium in an isolated server-side container. Users get only an AES-256 pixel stream. Zero-days, phishing pages, malicious USB devices, and weaponized downloads never reach the endpoint. Includes hardware-accelerated WebRTC, H.264 fallback, CDP screencast, PKCS#11 smart-card redirection, USB/IP device forwarding, and CDR file sanitization.
Analysts who must browse unknown URLs (threat intel, OSINT, customer support links) do so in CyLens. Zero endpoint exposure to drive-by malware.
Sensitive SaaS (Salesforce, internal portals) opened only in CyLens. DLP + clipboard controls + screenshot blocking enforced at the pixel layer.
Engineering staff on classified networks browse via CyLens. Zero data ever lands on the workstation; export-control compliance enforced.
Citrix charges premium add-on rates/user for the equivalent capability. CyLens ships at the platform's bundled rate as part of the Enterprise tier.
Every file downloaded through CyLens is sanitized: macros stripped from Office docs, exploits removed from PDFs, archives reconstructed clean.
WebRTC (<200ms), H.264 hardware-accelerated, CDP screencast: works on any endpoint.
Smart cards stay at HQ while sessions run in the cloud. WebAuthn / FIDO2 passkeys via redirection.
Content Disarm & Reconstruct on every download. Macros, scripts, embedded objects stripped.
Per-tenant DCT watermark on every pixel stream. Screen captures stay attributable.
One policy hierarchy. From tenant to packet.
CyMatrix is a hierarchical, most-restrictive-merge policy engine. NetworkPolicy, RuntimePolicy, DevicePosturePolicy, GeolocationPolicy, and DLP (380+ patterns with real validators: IBAN MOD-97, Aadhaar Verhoeff, Luhn) flow from SYSTEM → TENANT → NETWORK → VM. Policies are translated to OVN ACLs in real time and enforced at the logical switch layer.
One tenant's policy can never expose another tenant's data. OVN address-set isolation enforces at the network layer; DLP enforces at the data layer.
380+ DLP patterns include Aadhaar (Verhoeff-validated), PAN, GST, bank IFSC. Real validators, not regex approximations.
Impossible-travel detection (Mumbai login + London login 10 minutes later = blocked). Country-of-origin enforcement for export controls.
VM-level firewall rules synthesized from policy. Hot-reload, no agent. OVN translates declarative intent to flow rules.
Forcepoint is moving to SaaS-only. CyMatrix DLP is on-prem and integrated into VDI/RBI/audit โ no separate scan agent on endpoints.
Higher-scope policy wins on conflict. SYSTEM > TENANT > NETWORK > VM.
Real validators (IBAN MOD-97, Aadhaar Verhoeff, Luhn), not regex approximations.
Policy change to network ACL in <1s. Hot reload, no restart.
Every policy change attributed, immutable, exportable to SIEM.
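An added illustration (not CyMatrix code) of why the checksum validators named above matter: a regex flags any string of the right shape, while Luhn, Verhoeff and IBAN MOD-97 checks discard candidates that cannot be real identifiers. The patterns, function names and sample text are constructed for this example.

```python
import re

# Verhoeff tables: D is the multiplication table of the dihedral group D5,
# P the position-dependent digit permutations.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]

def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def verhoeff_valid(digits: str) -> bool:
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c == 0

def iban_valid(iban: str) -> bool:
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]              # country code and check digits go last
    number = "".join(str(int(ch, 36)) for ch in rearranged)   # A=10 ... Z=35
    return int(number) % 97 == 1

# Constructed candidate patterns: (regex, checksum validator) per identifier kind.
CANDIDATES = {
    "card": (re.compile(r"\b\d{16}\b"), luhn_valid),
    "aadhaar": (re.compile(r"\b[2-9]\d{11}\b"), verhoeff_valid),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_valid),
}

def scan(text: str):
    """Return (kind, value, checksum_ok) for every regex candidate in text."""
    return [(kind, m.group(), check(m.group()))
            for kind, (pattern, check) in CANDIDATES.items()
            for m in pattern.finditer(text)]

# Constructed sample: each valid identifier is followed by a look-alike that
# matches the regex but fails the checksum.
SAMPLE = ("card 4111111111111111 order 4111111111111112 "
          "aadhaar 234567890124 ticket 234567890123 "
          "iban GB82WEST12345698765432 ref GB82WEST12345698765433")
```

Every second candidate in SAMPLE passes the regex and fails the checksum, which is the false-positive class a regex-only DLP rule would alert on.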
Per-tenant key derivation. KEK never on disk. Sovereign by construction.
CyVault is a credential vault built on HashiCorp Vault Raft 3-node + Transit envelope encryption. Per-tenant keys are derived via HKDF, so a leak of one tenant's derived key never compromises another tenant. The Key Encryption Key (KEK) lives only in Vault Transit: never on disk, never in environment variables, never in memory longer than needed.
Each tenant gets HKDF-derived keys. A compromise of one tenant cannot decrypt another. Master key stays in Vault Transit.
Cloud provider passwords (AWS, Azure, GCP) encrypted at rest per-tenant. Vault Transit Phase 3 promoted in production.
Every VDI ticket wrapped with AES-256-GCM before Redis persist. Closes the plaintext-credential vulnerability that most VDI brokers ship with.
Per-session DEK wrapped via Vault Transit. Recordings cryptographically tied to session metadata.
Tenant ID + master key → derived key. No cross-tenant blast radius.
KEK never on disk, never in env. Only Vault knows the master.
Rotate KEK; old DEKs still decrypt. Background re-encrypt without taking the system offline.
AI copilot grounded in your live cluster, approval-first by design.
CyPilot is a conversational AI assistant for operations and troubleshooting. Powered by an on-prem LLM (phi3:medium-128k) + RAG over your knowledge base + real-time cluster state. Intent parser classifies risk (READ_ONLY / LOW_RISK / DESTRUCTIVE). LOW_RISK operations auto-execute; DESTRUCTIVE always requires explicit approval. No autonomous-execute path on mutating operations. Ever.
"VM X is unreachable" → CyPilot runs diagnostics, suggests fix, runs LOW_RISK remediation if confidence >0.85. Operator approves anything risky.
Junior SREs ask CyPilot how to do things. Grounded in your actual runbooks (RAG). No more "wait for the senior".
"How are PHI records encrypted in this cluster?" → CyPilot answers with cluster-specific config + audit trail, not generic docs.
During incidents, CyPilot pulls correlated signals (CyOptics + Prometheus + logs) and proposes the most likely root cause. With citations.
phi3:medium-128k. No prompt data leaves your cluster. Sovereign AI.
90+ default knowledge entries; ingests your runbooks. nomic-embed-text embeddings, cosine similarity.
DESTRUCTIVE actions never auto-execute. LOW_RISK allowlist is narrow + explicit.
Self-healing AI. Alert in, remediation out, with audit, dedup, and approval gates.
CyGuru is the alert-driven self-heal pipeline. Two detection inputs (Alertmanager webhook + 60s SelfMonitorLoop probes), one dedup layer (60-minute window), one approval gate (default OFF for destructive), one executor. Handlers ship for pod crashloops, MongoDB rolling restarts, node memory pressure cordoning, and stale OVN chassis recovery. Every action audited; every action reversible.
Crashloop >3 restarts in 5min → CyGuru proposes pod-restart with audit. Admin approves; executor runs; success metric exported.
Mongo replica becomes unreachable → CyGuru proposes safe rolling restart. Avoids 3am pages for the SRE on-call.
Node >90% memory → cordon + drain non-critical pods. New schedules go elsewhere. Operator notified, not paged.
OVN chassis registered by UUID instead of hostname (known production bug) → CyGuru auto-fixes via node-agent restart.
60-minute dedup key prevents alert storms from generating remediation storms.
Default policy: human approves before execution. Trust earned over time.
proposed / deduped / approved / executed counters; duration histograms; auto-dashboards.
AI network observability. Beautiful. Real-time. Sovereign.
CyOptics is a modern, AI-augmented network observability platform. Live flow telemetry, OVS bridge graphs, OVN ACL hit-counters, physical NIC throughput heatmaps, and AI-driven anomaly detection, all in one beautiful UI. Replaces SolarWinds + ThousandEyes + parts of Datadog Network. Runs on your infrastructure. No flow data ever leaves your cluster.
Which ACL rule dropped this packet? CyOptics shows the trace inline. No more ovn-trace via SSH.
Real-time bandwidth heatmap per gateway. AI flags when usage trends toward saturation 30 minutes ahead.
Anomaly: tenant A's pod is talking to tenant B's pod. CyOptics catches it; CyMatrix policy auto-enforces deny.
Sudden burst of new connections from a single source IP → AI flags as scan; CyMatrix policy can auto-block.
Where did this PHI flow go? CyOptics generates the answer in minutes, not the days a SOC team would take.
Modern UI with WebGL flow graphs, heatmaps, and force-directed topology.
30-day baseline per flow / per service. Deviations score risk in real time.
Native understanding of OVN logical switches, ACLs, address sets. No mapping layer.
Flows + anomalies pushed to Splunk / Sentinel / QRadar in real time.
Enterprise tier covers 1,500 users with every product included. No add-on licenses. No infrastructure surcharges. No hidden CALs.