How SyberOps handles your data.
SyberOps operates two platforms: an agentic AI triage pipeline over your security alerts, and a multi-tenant threat hunting workspace. This page documents — for each — where data goes, who can see it, which third parties are involved, what controls you have, and where we are on compliance. Pick a platform below.
01 At a glance
Quick status of the commitments customers ask about most frequently. Each item is linked below to the full detail.
02 Where your data goes
Three distinct data flows leave your environment for SyberOps. Each has different scope, different vendors, and different protections. Layers 2 and 3 stay inside our boundary or talk to lookup-only APIs; only Layer 1 sends alert text to a large language model.
Your environment
│
│ TLS 1.3 / wss://
▼
┌────────────────────────────────────────┐
│ SyberOps backend (Railway, us-west) │
│ • stateless Express + WebSocket │
│ • Postgres (Neon, AES-256 at rest) │
│ • per-tenant row isolation │
└────────────────────────────────────────┘
│
├──── Layer 1 ────► api.anthropic.com
│ Full alert text. Triage agent reasoning.
│ Zero Data Retention enabled (in flight).
│
├──── Layer 2 ────► api.abuseipdb.com (IPs only)
│ www.virustotal.com (hashes / domains / IPs only)
│ One indicator at a time, no surrounding context,
│ LOOKUP-only — never submission.
│
└──── Layer 3 ────► (stays local)
MITRE ATT&CK mapping, knowledge base, asset registry,
block / exclusion lists, audit log, final report.
Never leaves SyberOps.
For customers who can't have ANY alert text touch external infrastructure: the Sovereign and Air-gap tiers below route Claude calls through the customer's own Anthropic account or replace Anthropic with a local LLM.
03 Subprocessors
Third parties that process customer data on our behalf. Each is bound by a data-processing agreement. New subprocessors are announced 30 days in advance via this page.
| Vendor | Data processed | Region | Certifications |
|---|---|---|---|
| AnthropicLLM inference (Claude) | Alert text, agent reasoning | US (multi-region) | SOC 2 Type II · ZDR available · BAA available |
| AbuseIPDBIP reputation lookups | Individual IP addresses | US | Lookup-only API · no PII transmitted |
| VirusTotal (Google)Hash / domain / IP reputation | Individual hashes, domains, IPs | Global (Google Cloud) | SOC 2 / ISO 27001 (Google) · lookup-only |
| RailwayBackend compute hosting | Application runtime; alert text in-memory only | US-West | SOC 2 Type II |
| NeonPostgres (jobs, reports, audit log) | Triage reports, audit events | US-East (default; EU-West / APAC on request) | SOC 2 Type II · GDPR · encryption at rest |
| NetlifyFrontend CDN | Static assets (no customer data) | Global edge | SOC 2 Type II · ISO 27001 |
| ResendTransactional email (OTP) | Analyst email addresses, 6-digit OTP codes | US | SOC 2 · GDPR-compliant |
| GitHubSource code repository (private) | None (source only) | Global | SOC 2 Type II · ISO 27001 · FedRAMP Moderate |
04 Deployment tiers
Four deployment models depending on how sensitive your alerts are. Most agentic SOC vendors offer only Standard; SyberOps lets you choose the data-residency posture that fits your risk profile.
05 Security controls
Technical and organisational controls in place today across the platform.
wss://. No plaintext traffic anywhere.<alert> tags; system prompt explicitly instructs the model to treat the content as data, never as instructions. Multi-layer agent design isolates parsing from decision-making.06 Customer-side controls
Knobs you control on your own tenant — no support ticket required.
- Block list & exclusion list per tenant. Mark known-bad indicators as TP signal and known-good indicators as FP signal. Edits take effect on the next triage.
- Asset registry. Mark hosts as
environment: prod/test/devandcriticality: critical/high/medium/low. The agent down-weights severity for confirmed TPs on test hosts and up-weights for crown-jewel assets. - External-intel kill switch. Disable AbuseIPDB and VirusTotal calls entirely if you can't have IOCs leave your boundary. Agents fall back to MITRE-only + tenant knowledge base.
- PII redaction tier. Off, partial, or full. Configurable per tenant. Full redaction masks emails, internal hostnames, usernames, IPs, credit cards, AWS access keys, JWTs in stack traces, before alert text reaches the LLM.
- BYO Anthropic key. Plug in your own Anthropic workspace key — every Claude call for your tenant flows through your account, your ZDR setting, your billing relationship. (Phase 2)
- Data export. JSON export of all triage reports, audit events, and tenant configuration via
GET /api/v1/export. Available at any time. - Data deletion. Hard-delete via support request within 30 days of contract termination. Audit log retained per regulatory minimum, then destroyed.
- Customer audit access. See every time a SyberOps engineer accessed your tenant data. Logged automatically; exposed in the Compliance dashboard.
07 Compliance roadmap
Honest status of each compliance commitment. We don't claim certifications we don't hold. Items marked "in flight" have an active engagement; items marked "planned" have a target quarter but no work started yet.
08 Vulnerability disclosure
If you believe you've found a security issue in SyberOps, please email security@syberops.com. Our PGP key fingerprint is available on request.
We commit to:
- Acknowledging your report within 24 hours.
- Providing an initial assessment within 72 hours.
- Resolving high- and critical-severity findings within 14 days.
- Crediting you publicly once the fix ships (with your permission).
- Not pursuing legal action against good-faith research that follows responsible disclosure.
Please give us a reasonable window to remediate before public disclosure.
09 Contact
- Security questions, DPA / BAA requests, customer audit access: trust@syberops.com
- Security vulnerability disclosure: security@syberops.com
- General inquiries: hello@syberops.com
For customers under contract, your Customer Success contact is the fastest path for any of the above.
01 What it does
The SyberOps Threat Hunting Platform is a multi-tenant hunting workspace. Analysts turn any IOC, IOA, MITRE ATT&CK technique, or free-text hypothesis into native detection queries, fan them across each client's connected SIEM/EDR tools, and get an aggregated, reputation-enriched read-out with known threat-intel matches — backed by an append-only audit trail. It applies the same data-minimisation and tenant-isolation principles as the triage Agent.
Indicator / Hypothesis ─► Classify ─► Generate per-tool queries
│
▼
Fan out (client × tool, concurrent)
│
▼
Aggregate ─► Optional AI assessment
│
▼
Export (CSV / Excel) · Audit
Supported tools today: Microsoft Sentinel, Microsoft Defender for Endpoint, Splunk, Securonix, SentinelOne, Wazuh, Rapid7 InsightIDR, and Seceon. Analysts can also start from a curated library of MITRE ATT&CK-mapped hypotheses, upload a CSV/Excel of indicators for a bulk hunt, and enrich every finding with reputation from VirusTotal and AbuseIPDB. Curated threat intel is ingested from abuse.ch (ThreatFox / URLhaus / MalwareBazaar) and vetted security-research feeds for analyst review before any hunt.
02 Where your data goes
A hunt talks to your connected tools within a single client tenant and enriches findings from lookup-only intel and reputation services (queried by indicator value only). The AI layer is used solely to draft hunt hypotheses from public threat intelligence — it never receives customer results. Raw event rows never leave the platform.
Analyst: indicator / hypothesis
│
▼
┌────────────────────────────────────────┐
│ Hunting backend (stateless workers) │
│ • FastAPI · bounded concurrency gate │
│ • Postgres — RBAC, encrypted creds, │
│ threat-intel store, audit log │
│ • per-tenant client scoping │
└────────────────────────────────────────┘
│
├──── Connected tools ──► Sentinel · Defender · Splunk · Securonix ·
│ SentinelOne · Wazuh · Rapid7 · Seceon (least-privilege API
│ creds, TLS-verified, one client tenant at a time)
│
├──── Threat intel ─────► abuse.ch (ThreatFox / URLhaus / MalwareBazaar) +
│ security-research feeds — lookup / ingest only
│
├──── Reputation ───────► VirusTotal · AbuseIPDB
│ Queried by indicator value only (an IP / domain / hash) —
│ no customer event data is ever sent.
│
└──── AI (hypotheses) ──► api.anthropic.com (optional)
Used ONLY to draft hunt hypotheses from PUBLIC threat intel +
MITRE. It never receives client results, logs, hosts, or creds.
03 Architecture & components
Stateless API, isolated per-instance workers, encrypted secrets at rest, and pluggable tool adapters. Nothing sensitive is hard-coded — all credentials come from the environment or the encrypted connection store.
04 Security controls
Technical controls in place today, verified in a security review of the platform.
05 Data handling
What the hunting platform stores, what it deliberately does not, and the boundary around the optional AI layer.
06 Disclosure & contact
A full security review of the hunting platform (findings and remediations) is available to customers under NDA. To request it, report a vulnerability, or ask a security question, use the same channels as the triage platform:
- Security questions, DPA / BAA requests, review access: trust@syberops.com
- Security vulnerability disclosure: security@syberops.com
We acknowledge reports within 24 hours and resolve high- and critical-severity findings within 14 days.
syberops.com · agent.syberops.com