Cybelia Cloud
Security — Portail de supervision
Detection, compliance, response. Everything that happens on your fleet, seen, qualified and handled from a single portal. EU-hosted, native GDPR, native multi-organisation.
Chaque section présente deux colonnes : Ce que vous faites (actions utilisateur) et Ce que le système fait (traitement automatique). Les encadrés Pour le dirigeant reformulent l'essentiel sans jargon technique. Adressée en priorité au IT Director / IT Manager et au Executive / DPO.
Full visibility on every device in your fleet
Workstations, servers, network devices: every machine where the Cybelia Security agent is installed reports in real time to the portal. Unified view across sites and OSes.
- Access the list from the menu Périphériques
- Filtrez par statut, OS, société ou site
- Click on a device for its full detail
- Launch an SCA scan from a device's record
- Consult alerts associated with this device
- Synchronises the state of each agent in real time (active / disconnected / offline)
- Collecte les métadonnées : OS, version, IP, hostname, dernière vue
- Geolocates equipment with public IP on the interactive map
- Alerte si un agent ne répond plus après N minutes (paramétrable)
- Cloisonne par société et par tenant — aucune fuite inter-organisations
Detect, qualify, handle — in that order
The portal centralises all alerts from the detection engine. Each alert is classified by criticality, can be marked as a false positive (the AI propagates the rule), and can trigger a playbook.
- Consult the table from the menu Alertes
- Filtrez par criticité, équipement, période, type d'attaque
- Marquez une alerte comme faux positif — the rule is propagated and Cybele updates its recommendations
- Déclenchez un playbook depuis la fiche
- Assign or comment for team follow-up
- Classe : Critique Élevé Moyen Faible
- Corrèle les événements multi-équipements (campagnes d'attaque)
- Déclenche les playbooks configurés en réponse
- Notifies by email and/or Telegram depending on criticality
- Sur faux positif : auto-résolution pending AI recommendations matching the same rule
- Historique horodaté complet pour audit
Identify vulnerabilities before they are exploited
Continuous inventory of installed software, cross-referenced with public NVD, OVAL and OSV databases. CVSS score, patch and priority (known public exploit) on every CVE.
- Menu Vulnérabilités
- Filtrez par équipement, CVSS, logiciel, statut
- Détail : description, impact, version corrigée, vecteur
- Export the list for your team or provider
- Inventories all installed packages and versions
- Croise en continu avec NVD, OVAL, OSV (bases publiques)
- Attribue le score CVSS 3.x (0-10)
- Identifie la version corrigée disponible
- Priorise les CVE avec exploit public connu actif
- Updates the status as soon as the patch is installed
10+ frameworks, one score per framework
The SCA (Security Configuration Assessment) module audits the security configuration of each device. Score in %, finding by finding, remediation guide included.
- Menu Compliance
- Sélectionnez un référentiel pour le détail check par check
- Launch a manual scan on a device or the entire fleet
- Export results for audit or insurance
- Runs automatic scans every night, staggered over 4 h to spread the load — no midnight spike even at 5000 agents
- Mappe sur CIS, RGPD, NIS2, ISO 27001, PCI DSS, HIPAA, NIST, SOC 2, CMMC
- Calculates the score in % per framework and per device
- Aggregates for a global view of the fleet
- Provides the corrective measure for each gap
Frameworks detected automatically
| Référentiel | Target | Périmètre | Obligation EU |
|---|---|---|---|
| CIS Benchmarks | IT Director / CISO | Durcissement OS — Windows, Linux, macOS | Référence sectorielle |
| RGPD / GDPR | DPO / Executive | Mesures techniques — données personnelles | Oui — fines up to 4 % of revenue (data-protection authority) |
| NIS2 | CISO / IT Director | EU directive on network and information system security | Oui — transposition European obligatoire |
| PCI DSS v3.2.1 / v4.0 | IT Director | Security des environnements carte bancaire | Contractuel si traitement CB |
| HIPAA | IT Director | Données de santé (US et international) | Si partenaires US/santé |
| NIST SP 800-53 | CISO | Contrôles de sécurité — référence internationale | Base de nombreux référentiels |
| ISO 27001:2013 | CISO / Auditeur | Système de management de la sécurité de l'information | Certification volontaire UE |
| CMMC v2.0 | IT Director | Sous-traitants US DoD | Si contrats défense US |
| SOC 2 / TSC | IT Director / Auditeur | Security, dispo, confidentialité SaaS | Certification volontaire |
| GPG 13 | CISO | Monitoring — UK NCSC | Référence UK / MSP |
Playbooks that run themselves, 24/7
A playbook = a trigger + a series of actions. Configured once, applied every time the condition is met.
- Créez un playbook depuis le menu Playbooks
- Choose the trigger: alert type, criticality, device, rule
- Enchaînez les actions : isolation, notification, blocage IP, ticket
- Testez en mode simulation avant activation
- Consultez l'historique d'exécution étape par étape
- Evaluates triggers on each incoming alert
- Exécute la chaîne d'actions de manière transactionnelle
- Réessaye les actions ayant échoué (retry exponentiel)
- Traces each execution in the audit log
- Stoppe et notifie en cas d'échec critique
Library of pre-configured playbooks (MITRE ATT&CK)
Cybele — your augmented security analyst
Ask a question in natural language: Cybele analyses alerts, reads logs, proposes a remediation plan. Or launch it in tâche autonome — it works alone on your incident while you do something else.
OCR Logs & incident attachments
The AI digests raw logs, error screenshots, scan reports attached to an incident. Structured extraction of IOCs (indicators of compromise): IPs, hashes, URLs, suspicious behaviour.
- IA Cybelia Cloud souveraine — hébergée EU, RGPD natif
- Claude (Anthropic) en option — analyses complexes ou multi-étapes
- Formats : logs syslog, journaux Windows, PDF de rapport, screenshots
- Extraction d'IOC structurés réutilisables dans les playbooks
- Aucune donnée ne quitte votre instance
Cybele — 24/7 SOC analyst
Cybele answers questions in natural language about alerts, agents, CVEs and logs of the current tenant — exclusively. Strict isolation, no data leakage between tenants.
- "Pourquoi tant de tentatives SSH sur SRV-PROD-01 ?" — analyse contextuelle
- "Quels postes n'ont pas appliqué la CVE-2025-XXXXX ?" — inventaire ciblé
- "Le score conformité RGPD a baissé, pourquoi ?" — analyse différentielle
- Accès en lecture seule aux données du tenant
- All sessions traced and auditable
AI Triage Colleague — False positives & learning
An AI agent configured for the SOC that triages incoming alerts, proposes qualification (true positive / false positive / to investigate), and propagates false-positive rules validated by a human analyst. Continuous learning.
- Automatic triage of alerts by context and history
- Propagation of validated false-positive rules (a recorded FP no longer needs requalifying)
- Autonomous execution of hundreds of actions until resolution or ceiling
- Automatic skip of recommendations matching an already recorded FP
- Validation humaine obligatoire pour les actions critiques
A monthly report, ready to present
On the 1st of each month, a PDF is generated automatically per tenant: security posture, alerts of the month, compliance scores, top 10 CVEs, actions taken. Identifiable format, Cybelia Cloud branding.
- Download from the menu Rapports
- Filtrez par mois, par société
- Request on-the-fly generation for a custom period
- Forward to your management, provider or auditor
- Generates the PDF in the background on the 1st of the month (scheduled job)
- Aggregates: alerts by criticality, top CVEs, compliance scores, active/inactive agents, average MTTR
- Stores encrypted files on disk, isolated per tenant
- Notifie par e-mail quand prêt
The portal is itself a security product
2FA, email verification, lockout after failed attempts, JWT RS256, tenant isolation at the database level: portal security is treated as the security of a critical production system.
Authentication & user accounts
- Mots de passe : bcrypt (hash + sel), jamais stockés en clair.
- JWT RS256 : tokens signed by RSA private key, verified by public key. No risk of client-side tampering.
- Vérification e-mail obligatoire on signup: 6-digit code + 3 reminders (D+7, D+14, D+21). Without validation: account suspended.
- 2FA TOTP obligatoire before the first remote agent: QR code + 10 backup codes. Compatible with all standard authentication apps.
- Verrouillage après 5 essais : on the 5th failure, the account is locked and the email must be re-verified to unlock it.
- Rate limiting : 200 requests per minute per IP by default, stricter on authentication routes.
Data isolation
- tenant_id extracted from the signed JWT — cannot be forged, even by an authenticated user from another tenant.
- Toutes les requêtes SQL filtrent par tenant_id côté backend (never on the frontend, never relying on the presentation layer).
- Cybelia Security agents, alerts and incident events are tagged
tenant:<id>et filtrés systématiquement. - PDF reports, CSV exports, emails are strictly scoped to the tenant.
Network & transport
- HTTPS uniquement via reverse proxy + Let's Encrypt — TLS 1.2+ avec ciphers modernes.
- CORS strict : uniquement le domaine officiel du portail.
- Le frontend ne parle jamais directement to the Cybelia Cloud Security detection engine — everything goes through the backend which holds the secrets.
- Connexion agent : outbound encrypted WebSocket (WSS) only. The agent receives no inbound connection — no open port on supervised machines.
Native multi-tenant architecture
A superadmin manages N tenants. Each tenant can manage N companies (group entities). Cloisonnement strict en base de données, pas par convention applicative.
Resellers & sales management
- Mode distributeur : a reseller can be assigned to several tenants for commercial pooling.
- Crédits agents : each reseller has a quota of Cybelia Security agents free, sold or in demo.
- Commissions : automatically traced in a dedicated table for reporting and reversal.
- Facturation intégrée : payment gateway and native integration with Cybelia Cloud invoicing — unified accounting, no double entry.
A unified installer — Linux, macOS, Windows
A single script. Automatic OS detection, dependency installation, service configuration, connectivity validation with the portal. Graphical mode if a screen is available, otherwise command-line menu.
Config :
/etc/cybelia-agent/Logs :
journalctl -u cybelia-agent -f
Config :
/Library/Application Support/Cybelia/Logs :
/var/log/cybelia-agent.log
Config :
C:\ProgramData\CybeliaAgent\Logs : Event Viewer +
agent.log
- Download the installer matching your OS from the portal
- Launch it — the GUI opens (or CLI menu on a headless server)
- Cliquez sur Installer, collez le token d'enrôlement
- Le test de connectivité est automatique en fin d'installation
- Pour désinstaller : même installeur, bouton Désinstaller (purge)
- Détecte l'OS, installe les dépendances nécessaires
- Copies the runtime, writes the configuration with restricted ACLs
- Crée et démarre le service système (systemd / launchd / service Windows)
- Test : DNS + TCP + TLS + handshake WebSocket avec le token
- En désinstallation : purge complète (service, fichiers, logs, config)
# Installation silencieuse
./cybelia-agent-installer --install --token AGENT_TOKEN --portal https://security.cybelia.cloud
# Désinstallation purge
sudo ./cybelia-agent-installer --uninstall
# Test de connectivité seulement
./cybelia-agent-installer --validate --portal https://security.cybelia.cloudshell, sysinfo, services, logs, ping, resize are accepted by the agent. Any other command is rejected. 30-second timeout per command. Pas de RCE arbitraire possible depuis le portail.From pilot to 5000+ agent deployment
The portal starts on a single node and switches to master/worker cluster mode as soon as load requires it. Real-time indicator for the superadmin, worker addition in one command.
- Surveille l'onglet Cluster dans Admin
- When the composite score exceeds 90 %, provide the IP of a new Ubuntu VM
- Lance
./deploy_worker.sh <ip> <name> - The worker appears in the node list in under 60 seconds
- Calcule un score composite = max(CPU %, RAM %, file d'analyse %, disque %)
- Niveaux : OK < 70 % Attention 70-90 % Critique ≥ 90 %
- 15-second frontend polling, metrics computed on demand on the backend
- Les scans SCA nocturnes sont échelonnés sur 4 heures via assignation déterministe par hash(agent_id) — pas de pic à minuit
- The worker deployment script installs the Cybelia Cloud Security detection engine, configures the cluster and automatically verifies correct enrolment
4 access levels, backend-verified
Restrictions are applied côté serveur, pas seulement visuellement côté interface. Le tenant_id of the signed JWT conditions every SQL query — impossible to bypass.
| Fonctionnalité | Viewer | Admin tenant | Admin société | Superadmin |
|---|---|---|---|---|
| Tableau de bord, alertes, agents | ✓ | ✓ | ✓ | ✓ |
| Télécharger rapports PDF | ✓ | ✓ | ✓ | ✓ |
| Using Cybele & AI tasks | ✓ | ✓ | ✓ | ✓ |
| Marquer alerte en faux positif | ✗ | ✓ | ✓ | ✓ |
| Déclencher un playbook | ✗ | ✓ | Limité | ✓ |
| Create / modify playbooks | ✗ | ✓ | ✗ | ✓ |
| Manage tenant users | ✗ | ✓ | ✗ | ✓ |
| Configurer les notifications | ✗ | ✓ | ✓ | ✓ |
| Activer la 2FA TOTP | ✓ | ✓ | ✓ | ✓ |
| Accès onglet Cluster | ✗ | ✗ | ✗ | ✓ |
| Gérer tous les tenants | ✗ | ✗ | ✗ | ✓ |
| Configuration SMTP & système globale | ✗ | ✗ | ✗ | ✓ |
tenant_id est extrait du token JWT signé RS256. Il est impossible, even by tampering with URL parameters or HTTP headers, to access another organisation's data with a valid token from another tenant — the SQL query filters mandatorily on the backend before any read.Six profiles, one platform
From IT Director to DPO through CISO, auditor, MSP and executive — each role has views and rights tailored to its responsibilities.
IT Director / IT Manager
Consolidated view of the fleet, CVE vulnerability tracking, agent deployment, cluster, technical KPIs.
DPO & Compliance
GDPR, NIS2, ISO 27001 scores per framework. Monthly PDF report usable as proof of regulator due diligence.
CISO
Real-time alerts, MITRE ATT&CK playbooks, compliance scoring, risk analysis.
MSP / Reseller
Multi-tenant superadmin mode: supervision of N SMEs from a single portal, agent credits, native billing.
Executive
Mainstream monthly PDF report, "For the executive" callouts, overview without technical jargon.
External auditor
CSV compliance exports, full timestamped history, exportable scores by framework.
Proprietary cloud SIEM, open-source stack to integrate or Cybelia Cloud Security — which model to choose?
Three ways to cover the cybersecurity of an SME, a group or an MSP fleet — three budgets, three effort levels, three levels of sovereignty.
| SIEM cloud propriétaire étranger | vs | Open-source stack to integrate yourself | vs | Cybelia Cloud Security |
|---|---|---|---|---|
| ✗Hébergement hors EU — données potentiellement soumises au Cloud Act ou équivalent | ~Hosting at your expense — security, updates, compliance to organise | ✓Hébergement souverain EU, RGPD natif, isolation tenant_id signé cryptographiquement | ||
| ✗Per-event, per-gigabyte ingested, per-user billing — unpredictable and growing cost | ~Open source = "gratuit" mais coût caché en intégration et maintenance | ✓Abonnement Cybelia Cloud par agent — coût maîtrisé, sans surprise | ||
| ✗Multi-tenant en option payante ou inexistant — un SIEM par client pour un MSP | ~Multi-tenant to develop or patch yourself — risk of cross-client leak | ✓Multi-tenant natif : un MSP supervise 50 SME depuis un seul portail, cloisonnement garanti | ||
| ✗IA / analyste virtuel : module premium, parfois facturé à l'API call | ~AI to integrate yourself — investment and skills required | ✓Cybele incluse : OCR logs, analyste SOC 24h/24, triage IA des faux positifs | ||
| ✗PDF reports as paid option, often rigid and not customisable | ~Reports to design and generate yourself | ✓Rapport PDF mensuel automatique par tenant — preuve de diligence opposable | ||
| ✗Agents par OS facturés séparément (parfois licence Linux vs Windows distinctes) | ~Open-source agents to compile/maintain for each OS | ✓Agent unifié Linux / macOS / Windows — un seul installeur, un seul tarif | ||
| ✗Limited compliance frameworks (often CIS + one or two others) | ~To map and maintain yourself against regulatory changes | ✓10+ frameworks covered (CIS, GDPR, NIS2, ISO 27001, PCI DSS, HIPAA, NIST, SOC 2, CMMC, GPG 13) | ||
| ✗Support en anglais, fuseaux horaires défavorables, escalade complexe | ~Support communautaire — variable selon le projet | ✓Support francophone, fuseau EU, escalade directe à l'équipe Cybelia Cloud |
FAQs
Questions from IT directors, DPOs, CISOs and MSPs before switching to Cybelia Cloud Security.
Trois différences fondamentales. Hébergement souverain in the EU — your data never leaves the territory, no exposure to the Cloud Act or equivalent. Multi-tenant natif avec isolation par tenant_id signé cryptographiquement — un MSP supervise 50 SME depuis un seul portail. IA intégrée sans coût additionnel — Cybele (24/7 SOC analyst, log OCR, AI false-positive triage) is included, not a premium option billed by usage. Plus multilingual support and predictable per-agent billing instead of the "per-event or per-gigabyte ingested" model.
Cybele accède en lecture seule to the alerts, agents, CVEs and logs of the current tenant — exclusively. Strict isolation guaranteed by the same multi-tenant architecture as the rest of the portal: a false positive recorded in one tenant doesn't affect any other tenant, a recommendation never propagates across clients. All AI actions are logged and auditable in the event log. You can choose between theIA Cybelia Cloud souveraine (hébergée EU) par défaut, ou Claude (Anthropic) en option pour les analyses complexes.
Une instance master sur Ubuntu 22.04 (8 vCPU, 16 Go RAM) supporte environ 2500 agents actifs. Au-delà, ajout d'un worker en un script — la capacité est linéaire avec le nombre de workers. Architecture tested on 5000+ agent deployments. The composite score (max CPU/RAM/analysis queue/disk) is shown in real time to the superadmin with three alert levels (green < 70 %, yellow 70-90 %, red ≥ 90 %). Nightly SCA scans are staggered over 4 hours via deterministic hash — no spike at midnight even at 5000 agents.
Un installeur unifié pour Linux (systemd), macOS (launchd) et Windows (service natif). Download from the portal, launch, paste the enrolment token — the GUI does the rest (or CLI menu on a headless server). Automatic connectivity test at end of install (DNS + TCP + TLS + WebSocket handshake). For mass deployment, non-interactive mode via script (--install --token AGENT_TOKEN) integrable into GPO, Ansible, Puppet, MDM or any other deployment tool. Full purge uninstall available.
Strict isolation guaranteed at the database level, not by application convention. The tenant_id est extrait du JWT signé RS256 (clé privée RSA, vérification par clé publique). Il est impossible, even by tampering with URL parameters or HTTP headers, to access another organisation's data with a valid token. All SQL queries filter by tenant_id on the backend (never on the frontend). Agents, alerts, PDF reports, CSV exports and emails are strictly scoped to the tenant. For an MSP: its 50 SME clients don't see each other, the MSP sees everything in superadmin mode.
The NIS2 directive (transposed into EU national law) requires essential and important entities to implement technical measures for cyber risk management, incident detection, and authority notification. Cybelia Cloud Security addresses several key requirements: scoring NIS2 automatique par équipement et par référentiel, détection d'incidents 24h/24 avec délai < 60 secondes, rapports PDF mensuels opposables à l'audit, playbooks MITRE ATT&CK for incident response, full logging of access and actions. The monthly report constitutes proof of due diligence in case of audit or incident.
Distinguer l'installation technique of the portal and the first agent (fast via playbook) of the mise en exploitation effective across the entire fleet. The rollout phase includes: configuring tenants and companies, deploying the agent on all workstations/servers via GPO or orchestration tool, configuring playbooks adapted to your use cases, setting up notifications, training the IT / CISO / DPO teams. This phase runs over quelques semaines depending on fleet size and organisational complexity. The Cybelia Cloud team supports you with a pilot on a subset of the fleet before generalisation.
Your data belongs to you. Full export available at any time in CSV / JSON format: historical alerts, compliance scores, inventory of agents and vulnerabilities, full timestamped audit log, archived monthly PDF reports. Procedure for droit à l'effacement GDPR documented technically. If you cancel your subscription, you recover all your data in a reusable format. Cybelia Cloud commits contractually to portability — no "proprietary lock-in" effect.
Deploying Cybelia Cloud Security across your fleet
The Cybelia Cloud team supports deployment: portal installation, configuration of tenants and companies, agent deployment on a pilot subset before generalisation. Designed for European SMEs, groups and MSPs.
Request a demo Parler à un expert cybersécuritéCybelia Cloud
Security — Portail de supervision
Detection, compliance, response. Everything that happens on your fleet, seen, qualified and handled from a single portal. EU-hosted, native GDPR, native multi-organisation.
Chaque section présente deux colonnes : Ce que vous faites (actions utilisateur) et Ce que le système fait (traitement automatique). Les encadrés Pour le dirigeant reformulent l'essentiel sans jargon technique. Adressée en priorité au IT Director / IT Manager et au Executive / DPO.
Full visibility on every device in your fleet
Workstations, servers, network devices: every machine where the Cybelia Security agent is installed reports in real time to the portal. Unified view across sites and OSes.
- Access the list from the menu Périphériques
- Filtrez par statut, OS, société ou site
- Click on a device for its full detail
- Launch an SCA scan from a device's record
- Consult alerts associated with this device
- Synchronises the state of each agent in real time (active / disconnected / offline)
- Collecte les métadonnées : OS, version, IP, hostname, dernière vue
- Geolocates equipment with public IP on the interactive map
- Alerte si un agent ne répond plus après N minutes (paramétrable)
- Cloisonne par société et par tenant — aucune fuite inter-organisations
Detect, qualify, handle — in that order
The portal centralises all alerts from the detection engine. Each alert is classified by criticality, can be marked as a false positive (the AI propagates the rule), and can trigger a playbook.
- Consult the table from the menu Alertes
- Filtrez par criticité, équipement, période, type d'attaque
- Marquez une alerte comme faux positif — the rule is propagated and Cybele updates its recommendations
- Déclenchez un playbook depuis la fiche
- Assign or comment for team follow-up
- Classe : Critique Élevé Moyen Faible
- Corrèle les événements multi-équipements (campagnes d'attaque)
- Déclenche les playbooks configurés en réponse
- Notifies by email and/or Telegram depending on criticality
- Sur faux positif : auto-résolution pending AI recommendations matching the same rule
- Historique horodaté complet pour audit
Identify vulnerabilities before they are exploited
Continuous inventory of installed software, cross-referenced with public NVD, OVAL and OSV databases. CVSS score, patch and priority (known public exploit) on every CVE.
- Menu Vulnérabilités
- Filtrez par équipement, CVSS, logiciel, statut
- Détail : description, impact, version corrigée, vecteur
- Export the list for your team or provider
- Inventories all installed packages and versions
- Croise en continu avec NVD, OVAL, OSV (bases publiques)
- Attribue le score CVSS 3.x (0-10)
- Identifie la version corrigée disponible
- Priorise les CVE avec exploit public connu actif
- Updates the status as soon as the patch is installed
10+ frameworks, one score per framework
The SCA (Security Configuration Assessment) module audits the security configuration of each device. Score in %, finding by finding, remediation guide included.
- Menu Compliance
- Sélectionnez un référentiel pour le détail check par check
- Launch a manual scan on a device or the entire fleet
- Export results for audit or insurance
- Runs automatic scans every night, staggered over 4 h to spread the load — no midnight spike even at 5000 agents
- Mappe sur CIS, RGPD, NIS2, ISO 27001, PCI DSS, HIPAA, NIST, SOC 2, CMMC
- Calculates the score in % per framework and per device
- Aggregates for a global view of the fleet
- Provides the corrective measure for each gap
Frameworks detected automatically
| Référentiel | Target | Périmètre | Obligation EU |
|---|---|---|---|
| CIS Benchmarks | IT Director / CISO | Durcissement OS — Windows, Linux, macOS | Référence sectorielle |
| RGPD / GDPR | DPO / Executive | Mesures techniques — données personnelles | Oui — fines up to 4 % of revenue (data-protection authority) |
| NIS2 | CISO / IT Director | EU directive on network and information system security | Oui — transposition European obligatoire |
| PCI DSS v3.2.1 / v4.0 | IT Director | Security des environnements carte bancaire | Contractuel si traitement CB |
| HIPAA | IT Director | Données de santé (US et international) | Si partenaires US/santé |
| NIST SP 800-53 | CISO | Contrôles de sécurité — référence internationale | Base de nombreux référentiels |
| ISO 27001:2013 | CISO / Auditeur | Système de management de la sécurité de l'information | Certification volontaire UE |
| CMMC v2.0 | IT Director | Sous-traitants US DoD | Si contrats défense US |
| SOC 2 / TSC | IT Director / Auditeur | Security, dispo, confidentialité SaaS | Certification volontaire |
| GPG 13 | CISO | Monitoring — UK NCSC | Référence UK / MSP |
Playbooks that run themselves, 24/7
A playbook = a trigger + a series of actions. Configured once, applied every time the condition is met.
- Créez un playbook depuis le menu Playbooks
- Choose the trigger: alert type, criticality, device, rule
- Enchaînez les actions : isolation, notification, blocage IP, ticket
- Testez en mode simulation avant activation
- Consultez l'historique d'exécution étape par étape
- Evaluates triggers on each incoming alert
- Exécute la chaîne d'actions de manière transactionnelle
- Réessaye les actions ayant échoué (retry exponentiel)
- Traces each execution in the audit log
- Stoppe et notifie en cas d'échec critique
Library of pre-configured playbooks (MITRE ATT&CK)
Cybele — your augmented security analyst
Ask a question in natural language: Cybele analyses alerts, reads logs, proposes a remediation plan. Or launch it in tâche autonome — it works alone on your incident while you do something else.
OCR Logs & incident attachments
The AI digests raw logs, error screenshots, scan reports attached to an incident. Structured extraction of IOCs (indicators of compromise): IPs, hashes, URLs, suspicious behaviour.
- IA Cybelia Cloud souveraine — hébergée EU, RGPD natif
- Claude (Anthropic) en option — analyses complexes ou multi-étapes
- Formats : logs syslog, journaux Windows, PDF de rapport, screenshots
- Extraction d'IOC structurés réutilisables dans les playbooks
- Aucune donnée ne quitte votre instance
Cybele — 24/7 SOC analyst
Cybele answers questions in natural language about alerts, agents, CVEs and logs of the current tenant — exclusively. Strict isolation, no data leakage between tenants.
- "Pourquoi tant de tentatives SSH sur SRV-PROD-01 ?" — analyse contextuelle
- "Quels postes n'ont pas appliqué la CVE-2025-XXXXX ?" — inventaire ciblé
- "Le score conformité RGPD a baissé, pourquoi ?" — analyse différentielle
- Accès en lecture seule aux données du tenant
- All sessions traced and auditable
AI Triage Colleague — False positives & learning
An AI agent configured for the SOC that triages incoming alerts, proposes qualification (true positive / false positive / to investigate), and propagates false-positive rules validated by a human analyst. Continuous learning.
- Automatic triage of alerts by context and history
- Propagation of validated false-positive rules (a recorded FP no longer needs requalifying)
- Autonomous execution of hundreds of actions until resolution or ceiling
- Automatic skip of recommendations matching an already recorded FP
- Validation humaine obligatoire pour les actions critiques
A monthly report, ready to present
On the 1st of each month, a PDF is generated automatically per tenant: security posture, alerts of the month, compliance scores, top 10 CVEs, actions taken. Identifiable format, Cybelia Cloud branding.
- Download from the menu Rapports
- Filtrez par mois, par société
- Request on-the-fly generation for a custom period
- Forward to your management, provider or auditor
- Generates the PDF in the background on the 1st of the month (scheduled job)
- Aggregates: alerts by criticality, top CVEs, compliance scores, active/inactive agents, average MTTR
- Stores encrypted files on disk, isolated per tenant
- Notifie par e-mail quand prêt
The portal is itself a security product
2FA, email verification, lockout after failed attempts, JWT RS256, tenant isolation at the database level: portal security is treated as the security of a critical production system.
Authentication & user accounts
- Mots de passe : bcrypt (hash + sel), jamais stockés en clair.
- JWT RS256 : tokens signed by RSA private key, verified by public key. No risk of client-side tampering.
- Vérification e-mail obligatoire on signup: 6-digit code + 3 reminders (D+7, D+14, D+21). Without validation: account suspended.
- 2FA TOTP obligatoire before the first remote agent: QR code + 10 backup codes. Compatible with all standard authentication apps.
- Verrouillage après 5 essais : on the 5th failure, the account is locked and the email must be re-verified to unlock it.
- Rate limiting : 200 requests per minute per IP by default, stricter on authentication routes.
Data isolation
- tenant_id extracted from the signed JWT — cannot be forged, even by an authenticated user from another tenant.
- Toutes les requêtes SQL filtrent par tenant_id côté backend (never on the frontend, never relying on the presentation layer).
- Cybelia Security agents, alerts and incident events are tagged
tenant:<id>et filtrés systématiquement. - PDF reports, CSV exports, emails are strictly scoped to the tenant.
Network & transport
- HTTPS uniquement via reverse proxy + Let's Encrypt — TLS 1.2+ avec ciphers modernes.
- CORS strict : uniquement le domaine officiel du portail.
- Le frontend ne parle jamais directement to the Cybelia Cloud Security detection engine — everything goes through the backend which holds the secrets.
- Connexion agent : outbound encrypted WebSocket (WSS) only. The agent receives no inbound connection — no open port on supervised machines.
Native multi-tenant architecture
A superadmin manages N tenants. Each tenant can manage N companies (group entities). Cloisonnement strict en base de données, pas par convention applicative.
Resellers & sales management
- Mode distributeur : a reseller can be assigned to several tenants for commercial pooling.
- Crédits agents : each reseller has a quota of Cybelia Security agents free, sold or in demo.
- Commissions : automatically traced in a dedicated table for reporting and reversal.
- Facturation intégrée : payment gateway and native integration with Cybelia Cloud invoicing — unified accounting, no double entry.
A unified installer — Linux, macOS, Windows
A single script. Automatic OS detection, dependency installation, service configuration, connectivity validation with the portal. Graphical mode if a screen is available, otherwise command-line menu.
Config :
/etc/cybelia-agent/Logs :
journalctl -u cybelia-agent -f
Config :
/Library/Application Support/Cybelia/Logs :
/var/log/cybelia-agent.log
Config :
C:\ProgramData\CybeliaAgent\Logs : Event Viewer +
agent.log
- Download the installer matching your OS from the portal
- Launch it — the GUI opens (or CLI menu on a headless server)
- Cliquez sur Installer, collez le token d'enrôlement
- Le test de connectivité est automatique en fin d'installation
- Pour désinstaller : même installeur, bouton Désinstaller (purge)
- Détecte l'OS, installe les dépendances nécessaires
- Copies the runtime, writes the configuration with restricted ACLs
- Crée et démarre le service système (systemd / launchd / service Windows)
- Test : DNS + TCP + TLS + handshake WebSocket avec le token
- En désinstallation : purge complète (service, fichiers, logs, config)
# Installation silencieuse
./cybelia-agent-installer --install --token AGENT_TOKEN --portal https://security.cybelia.cloud
# Désinstallation purge
sudo ./cybelia-agent-installer --uninstall
# Test de connectivité seulement
./cybelia-agent-installer --validate --portal https://security.cybelia.cloudshell, sysinfo, services, logs, ping, resize are accepted by the agent. Any other command is rejected. 30-second timeout per command. Pas de RCE arbitraire possible depuis le portail.From pilot to 5000+ agent deployment
The portal starts on a single node and switches to master/worker cluster mode as soon as load requires it. Real-time indicator for the superadmin, worker addition in one command.
- Surveille l'onglet Cluster dans Admin
- When the composite score exceeds 90 %, provide the IP of a new Ubuntu VM
- Lance
./deploy_worker.sh <ip> <name> - The worker appears in the node list in under 60 seconds
- Calcule un score composite = max(CPU %, RAM %, file d'analyse %, disque %)
- Niveaux : OK < 70 % Attention 70-90 % Critique ≥ 90 %
- 15-second frontend polling, metrics computed on demand on the backend
- Les scans SCA nocturnes sont échelonnés sur 4 heures via assignation déterministe par hash(agent_id) — pas de pic à minuit
- The worker deployment script installs the Cybelia Cloud Security detection engine, configures the cluster and automatically verifies correct enrolment
4 access levels, backend-verified
Restrictions are applied côté serveur, pas seulement visuellement côté interface. Le tenant_id of the signed JWT conditions every SQL query — impossible to bypass.
| Fonctionnalité | Viewer | Admin tenant | Admin société | Superadmin |
|---|---|---|---|---|
| Tableau de bord, alertes, agents | ✓ | ✓ | ✓ | ✓ |
| Télécharger rapports PDF | ✓ | ✓ | ✓ | ✓ |
| Using Cybele & AI tasks | ✓ | ✓ | ✓ | ✓ |
| Marquer alerte en faux positif | ✗ | ✓ | ✓ | ✓ |
| Déclencher un playbook | ✗ | ✓ | Limité | ✓ |
| Create / modify playbooks | ✗ | ✓ | ✗ | ✓ |
| Manage tenant users | ✗ | ✓ | ✗ | ✓ |
| Configurer les notifications | ✗ | ✓ | ✓ | ✓ |
| Activer la 2FA TOTP | ✓ | ✓ | ✓ | ✓ |
| Accès onglet Cluster | ✗ | ✗ | ✗ | ✓ |
| Gérer tous les tenants | ✗ | ✗ | ✗ | ✓ |
| Configuration SMTP & système globale | ✗ | ✗ | ✗ | ✓ |
tenant_id est extrait du token JWT signé RS256. Il est impossible, even by tampering with URL parameters or HTTP headers, to access another organisation's data with a valid token from another tenant — the SQL query filters mandatorily on the backend before any read.Six profiles, one platform
From IT Director to DPO through CISO, auditor, MSP and executive — each role has views and rights tailored to its responsibilities.
IT Director / IT Manager
Consolidated view of the fleet, CVE vulnerability tracking, agent deployment, cluster, technical KPIs.
DPO & Compliance
GDPR, NIS2, ISO 27001 scores per framework. Monthly PDF report usable as proof of regulator due diligence.
CISO
Real-time alerts, MITRE ATT&CK playbooks, compliance scoring, risk analysis.
MSP / Reseller
Multi-tenant superadmin mode: supervision of N SMEs from a single portal, agent credits, native billing.
Executive
Mainstream monthly PDF report, "For the executive" callouts, overview without technical jargon.
External auditor
CSV compliance exports, full timestamped history, exportable scores by framework.
Proprietary cloud SIEM, open-source stack to integrate or Cybelia Cloud Security — which model to choose?
Three ways to cover the cybersecurity of an SME, a group or an MSP fleet — three budgets, three effort levels, three levels of sovereignty.
| SIEM cloud propriétaire étranger | vs | Open-source stack to integrate yourself | vs | Cybelia Cloud Security |
|---|---|---|---|---|
| ✗Hébergement hors EU — données potentiellement soumises au Cloud Act ou équivalent | ~Hosting at your expense — security, updates, compliance to organise | ✓Hébergement souverain EU, RGPD natif, isolation tenant_id signé cryptographiquement | ||
| ✗Per-event, per-gigabyte ingested, per-user billing — unpredictable and growing cost | ~Open source = "gratuit" mais coût caché en intégration et maintenance | ✓Abonnement Cybelia Cloud par agent — coût maîtrisé, sans surprise | ||
| ✗Multi-tenant en option payante ou inexistant — un SIEM par client pour un MSP | ~Multi-tenant to develop or patch yourself — risk of cross-client leak | ✓Multi-tenant natif : un MSP supervise 50 SME depuis un seul portail, cloisonnement garanti | ||
| ✗IA / analyste virtuel : module premium, parfois facturé à l'API call | ~AI to integrate yourself — investment and skills required | ✓Cybele incluse : OCR logs, analyste SOC 24h/24, triage IA des faux positifs | ||
| ✗PDF reports as paid option, often rigid and not customisable | ~Reports to design and generate yourself | ✓Rapport PDF mensuel automatique par tenant — preuve de diligence opposable | ||
| ✗Agents par OS facturés séparément (parfois licence Linux vs Windows distinctes) | ~Open-source agents to compile/maintain for each OS | ✓Agent unifié Linux / macOS / Windows — un seul installeur, un seul tarif | ||
| ✗Limited compliance frameworks (often CIS + one or two others) | ~To map and maintain yourself against regulatory changes | ✓10+ frameworks covered (CIS, GDPR, NIS2, ISO 27001, PCI DSS, HIPAA, NIST, SOC 2, CMMC, GPG 13) | ||
| ✗Support en anglais, fuseaux horaires défavorables, escalade complexe | ~Support communautaire — variable selon le projet | ✓Support francophone, fuseau EU, escalade directe à l'équipe Cybelia Cloud |
FAQs
Questions from IT directors, DPOs, CISOs and MSPs before switching to Cybelia Cloud Security.
Trois différences fondamentales. Hébergement souverain in the EU — your data never leaves the territory, no exposure to the Cloud Act or equivalent. Multi-tenant natif avec isolation par tenant_id signé cryptographiquement — un MSP supervise 50 SME depuis un seul portail. IA intégrée sans coût additionnel — Cybele (24/7 SOC analyst, log OCR, AI false-positive triage) is included, not a premium option billed by usage. Plus multilingual support and predictable per-agent billing instead of the "per-event or per-gigabyte ingested" model.
Cybele accède en lecture seule to the alerts, agents, CVEs and logs of the current tenant — exclusively. Strict isolation guaranteed by the same multi-tenant architecture as the rest of the portal: a false positive recorded in one tenant doesn't affect any other tenant, a recommendation never propagates across clients. All AI actions are logged and auditable in the event log. You can choose between theIA Cybelia Cloud souveraine (hébergée EU) par défaut, ou Claude (Anthropic) en option pour les analyses complexes.
Une instance master sur Ubuntu 22.04 (8 vCPU, 16 Go RAM) supporte environ 2500 agents actifs. Au-delà, ajout d'un worker en un script — la capacité est linéaire avec le nombre de workers. Architecture tested on 5000+ agent deployments. The composite score (max CPU/RAM/analysis queue/disk) is shown in real time to the superadmin with three alert levels (green < 70 %, yellow 70-90 %, red ≥ 90 %). Nightly SCA scans are staggered over 4 hours via deterministic hash — no spike at midnight even at 5000 agents.
Un installeur unifié pour Linux (systemd), macOS (launchd) et Windows (service natif). Download from the portal, launch, paste the enrolment token — the GUI does the rest (or CLI menu on a headless server). Automatic connectivity test at end of install (DNS + TCP + TLS + WebSocket handshake). For mass deployment, non-interactive mode via script (--install --token AGENT_TOKEN) integrable into GPO, Ansible, Puppet, MDM or any other deployment tool. Full purge uninstall available.
Strict isolation guaranteed at the database level, not by application convention. The tenant_id est extrait du JWT signé RS256 (clé privée RSA, vérification par clé publique). Il est impossible, even by tampering with URL parameters or HTTP headers, to access another organisation's data with a valid token. All SQL queries filter by tenant_id on the backend (never on the frontend). Agents, alerts, PDF reports, CSV exports and emails are strictly scoped to the tenant. For an MSP: its 50 SME clients don't see each other, the MSP sees everything in superadmin mode.
The NIS2 directive (transposed into EU national law) requires essential and important entities to implement technical measures for cyber risk management, incident detection, and authority notification. Cybelia Cloud Security addresses several key requirements: scoring NIS2 automatique par équipement et par référentiel, détection d'incidents 24h/24 avec délai < 60 secondes, rapports PDF mensuels opposables à l'audit, playbooks MITRE ATT&CK for incident response, full logging of access and actions. The monthly report constitutes proof of due diligence in case of audit or incident.
Distinguer l'installation technique of the portal and the first agent (fast via playbook) of the mise en exploitation effective across the entire fleet. The rollout phase includes: configuring tenants and companies, deploying the agent on all workstations/servers via GPO or orchestration tool, configuring playbooks adapted to your use cases, setting up notifications, training the IT / CISO / DPO teams. This phase runs over quelques semaines depending on fleet size and organisational complexity. The Cybelia Cloud team supports you with a pilot on a subset of the fleet before generalisation.
Your data belongs to you. Full export available at any time in CSV / JSON format: historical alerts, compliance scores, inventory of agents and vulnerabilities, full timestamped audit log, archived monthly PDF reports. Procedure for droit à l'effacement GDPR documented technically. If you cancel your subscription, you recover all your data in a reusable format. Cybelia Cloud commits contractually to portability — no "proprietary lock-in" effect.
Deploying Cybelia Cloud Security across your fleet
The Cybelia Cloud team supports deployment: portal installation, configuration of tenants and companies, agent deployment on a pilot subset before generalisation. Designed for European SMEs, groups and MSPs.
Request a demo Parler à un expert cybersécurité