CyberVault Documentation
Comprehensive reference for integrating, deploying, and managing the CyberVault AI-powered threat detection and response platform. Covers API integration, SDK usage, architecture, and operational guides.
This documentation covers the latest release. For v3.x documentation, see the v3.x migration guide.
Quick Links #
Installation
Get up and running with CyberVault in minutes
API Reference
Complete REST API endpoint documentation
Architecture
System design and component overview
Deployment Guide
Production deployment best practices
System Architecture #
CyberVault's architecture is built on a zero-trust, microservices design. The platform consists of five core layers working in concert to provide real-time threat detection, automated response, and comprehensive visibility across your infrastructure.
All layers are deployed across 3 geographically distributed regions with automatic failover. Mean time to recovery (MTTR) is under 30 seconds.
Installation #
System Requirements #
| Component | Minimum | Recommended | Notes |
|---|---|---|---|
| CPU | 4 cores | 8+ cores | AVX2 instruction set required |
| RAM | 16 GB | 32 GB+ | For 10k+ events/sec processing |
| Storage | 100 GB SSD | 500 GB NVMe | Includes event store + models |
| OS | Ubuntu 22.04 | Ubuntu 24.04 / RHEL 9 | Windows via WSL2 |
| Network | 100 Mbps | 1 Gbps | Low-latency to CyberVault region |
Installation Steps #
Install the CLI Tool
Install the CyberVault CLI using one of the supported package managers:
# Using curl curl -fsSL https://get.cybervault.io/install.sh | bash # Or using npm npm install -g @cybervault/cli # Verify installation cv --version # Should output: v4.2.0
Authenticate
Connect your instance to your CyberVault account:
cv auth login # Enter your API key when prompted: # CV_API_KEY=cv_prod_xxxxxxxxxxxxxxxx
Initialize Configuration
Create your configuration file with recommended defaults:
cv init --profile production --region us-east-1 # Generates ~/.cybervault/config.yaml
Start the Agent
Launch the CyberVault agent with systemd:
systemctl enable --now cybervault-agent systemctl status cybervault-agent # Verify connection cv status # Output: ✅ Connected — Threat engine active
Ensure ports 443 (HTTPS) and 8443 (agent heartbeat) are open outbound to *.cybervault.io. Inbound ports 9090 (metrics) and 6060 (profiling) must be accessible to your monitoring stack.
Configuration #
The CyberVault configuration is managed through ~/.cybervault/config.yaml. All settings support environment variable overrides with the CV_ prefix.
# ~/.cybervault/config.yaml global: api_key: cv_prod_xxxxxxxxxxxxxxxx region: us-east-1 log_level: info # debug | info | warn | error threat_detection: enabled: true mode: auto # auto | manual | passive sensitivity: high # low | medium | high | critical ai_model: cv-threatnet-v3 rules: custom_rules_path: ./rules/ default_deny: true monitoring: metrics_port: 9090 profiling_port: 6060 alerting: channels: - type: email recipients: [soc@company.com] - type: webhook url: https://hooks.example.com/cybervault response: auto_contain: true auto_block: true response_team: soc-team-a escalation_timeout: 5m
Any configuration value can be overridden at runtime. For example: CV_THREAT_DETECTION_SENSITIVITY=critical will override the YAML configuration.
Threat Detection Engine #
The CyberVault Threat Detection Engine (TDE) is the core analysis component. It combines signature-based detection, heuristic analysis, and deep learning models to identify threats with industry-leading accuracy.
Detection Pipeline
Engine Parameters #
| Parameter | Type | Default | Description |
|---|---|---|---|
| sensitivity | string | high | Detection sensitivity level |
| ai_model | string | cv-threatnet-v3 | AI model identifier for inference |
| max_events_per_sec | number | 50000 | Max events the engine processes per second |
| correlation_window | string | 5m | Time window for event correlation |
| false_positive_rate | number | 0.02 | Target FP rate (2% default) |
| custom_signatures | array | [] | Array of custom detection rules |
API Reference #
The CyberVault REST API uses standard HTTP methods and returns JSON responses. All endpoints require authentication via API key or OAuth2 Bearer token.
All API requests should be made to: https://api.cybervault.io/v4. The API version is embedded in the URL path.
Authentication Endpoint Stable
Authenticate to obtain an access token. Tokens expire after 24 hours and must be refreshed.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| api_key | string | Required | Your CyberVault API key |
| scope | string | Optional | Token scope: read, write, admin |
curl -X POST https://api.cybervault.io/v4/auth/token \ -H "Content-Type: application/json" \ -d '{ "api_key": "cv_prod_xxxxxxxxxxxxxxxx", "scope": "admin" }'
Response (200 OK)
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 86400,
"refresh_token": "cv_rt_xxxxxxxxxxxxxxxx",
"scope": "admin"
}
Threats API Stable
Retrieve all detected threats with filtering and pagination support.
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| severity | string | all | Filter by severity: critical, high, medium, low |
| status | string | all | Filter by status: active, investigating, mitigated, closed |
| mitre_tactic | string | all | Filter by MITRE ATT&CK tactic ID |
| page | number | 1 | Pagination page number |
| per_page | number | 50 | Results per page (max: 200) |
curl -X GET "https://api.cybervault.io/v4/threats?severity=critical&per_page=10" \ -H "Authorization: Bearer eyJhbGciOi..."
Response (200 OK)
{
"data": [
{
"id": "thr_9f8e7d6c5b4a3",
"severity": "critical",
"title": "Ransomware lateral movement detected",
"status": "active",
"mitre_attack": {
"tactic": "TA0008",
"technique": "T1021.004",
"name": "Remote Services: SSH"
},
"source_ip": "192.168.1.105",
"detected_at": "2025-01-15T14:23:01Z",
"confidence": 0.97,
"automated_response": true
}
],
"pagination": {
"page": 1,
"per_page": 10,
"total": 147,
"total_pages": 15
}
}
Trigger automated or manual response actions on a threat.
| Field | Type | Required | Description |
|---|---|---|---|
| action | string | Required | Action: isolate, block_ip, kill_process, contain |
| note | string | Optional | Response note for audit trail |
| notify_team | boolean | Optional | Notify SOC team (default: true) |
curl -X POST https://api.cybervault.io/v4/threats/thr_9f8e7d6c5b4a3/respond \ -H "Authorization: Bearer eyJhbGciOi..." \ -H "Content-Type: application/json" \ -d '{ "action": "isolate", "note": "Isolating host pending forensic analysis", "notify_team": true }'
Monitoring API Stable
Retrieve real-time security metrics and dashboards data.
{
"uptime": "99.99%",
"threats_blocked_24h": 2847,
"active_alerts": 12,
"mean_detection_time": "0.3ms",
"scan_coverage": "100%",
"agent_health": {
"total_agents": 1204,
"healthy": 1201,
"degraded": 2,
"offline": 1
},
"top_threat_types": [
{ "type": "Ransomware", "count": 342 },
{ "type": "Phishing", "count": 287 },
{ "type": "DDoS", "count": 156 }
]
}
Python SDK Stable
The official CyberVault Python SDK provides a type-safe, async-native interface to the platform API.
Installation
pip install cybervault # Or with extras for async support pip install "cybervault[async]"
Usage Example
from cybervault import CyberVaultClient from cybervault.exceptions import CyberVaultError # Initialize the client client = CyberVaultClient( api_key="cv_prod_xxxxxxxxxxxxxxxx", region="us-east-1", log_level="info" ) # Authenticate client.auth.login() # Fetch critical threats threats = client.threats.list( severity="critical", status="active", per_page=50 ) for threat in threats: print(f"[THR-{threat.severity.upper()}] {threat.title}\n") print(f" MITRE: {threat.mitre_attack.tactic} — {threat.mitre_attack.name}\n") print(f" Confidence: {threat.confidence:.1%}\n") # Respond to a threat client.threats.respond( threat_id="thr_9f8e7d6c5b4a3", action="isolate", note="Automated response — ransomware containment" ) # List all endpoints covered by monitoring endpoints = client.list_endpoints( status="healthy", tags=["production", "critical-infra"] ) # Async usage import asyncio from cybervault import AsyncCyberVaultClient async def main(): client = AsyncCyberVaultClient(api_key="cv_prod_xxxxx") await client.auth.login() threats = await client.threats.list(severity="critical") await client.close() asyncio.run(main())
Error Handling
| HTTP Status | Exception | Description |
|---|---|---|
| 401 | AuthenticationError | Invalid or expired API key |
| 403 | PermissionError | Insufficient scope for the requested action |
| 429 | RateLimitError | Rate limit exceeded — check Retry-After header |
| 500 | InternalServerError | Server-side error — contact support |
try: threats = client.threats.list(severity="critical") except AuthenticationError as e: print(f"Auth failed: {e}") except RateLimitError as e: print(f"Rate limited. Retry after {e.retry_after} seconds") except CyberVaultError as e: print(f"API Error {e.status_code}: {e.message}")
Rate Limits Stable
Rate limits are applied per API key and vary by plan. Limits are reset on a rolling window basis.
| Plan | Requests/min | Requests/day | Burst Limit |
|---|---|---|---|
| Starter | 60 | 10,000 | 10 burst |
| Professional | 600 | 500,000 | 100 burst |
| Enterprise | 6,000 | Unlimited | 1,000 burst |
# Response headers include rate limit info X-RateLimit-Limit: 600 X-RateLimit-Remaining: 547 X-RateLimit-Reset: 1737033600 # Unix timestamp Retry-After: 30 # Only on 429 responses
Deployment Guide #
CyberVault supports multiple deployment models. Choose the one that best fits your compliance and infrastructure requirements.
Cloud (SaaS)
Multi-tenant managed service with automatic updates and scaling
Self-Hosted
On-premise deployment with full data sovereignty and customization
Private Cloud
Dedicated infrastructure in your cloud provider (AWS, Azure, GCP)
Hybrid
Combine cloud intelligence with on-premise data processing
Kubernetes Deployment
# Helm deployment # Add the CyberVault Helm repository helm repo add cybervault https://charts.cybervault.io helm repo update # Install with custom values helm install cybervault cybervault/cybervault \ -f values.yaml \ -n cybervault \ --create-namespace
# values.yaml replicaCount: 3 threatEngine: ai_model: cv-threatnet-v3 sensitivity: high max_workers: 8 ingress: enabled: true hosts: - cybervault.internal tls: secretName: cv-tls-cert autoscaling: enabled: true minReplicas: 3 maxReplicas: 20 targetCPUUtilization: 75 resources: requests: cpu: "2000m" memory: "4Gi" limits: cpu: "4000m" memory: "8Gi"
Before going live, ensure: (1) TLS is configured with TLSv1.3 minimum, (2) RBAC is enabled with least-privilege policies, (3) Audit logging is pointed to an immutable log store, (4) Backup strategy covers event store and configuration, (5) Incident runbooks are documented and tested.
Compliance Setup #
CyberVault supports automated compliance monitoring and reporting for major frameworks. The platform continuously validates your environment against compliance requirements.
| Framework | Support Level | Automated Checks | Reporting |
|---|---|---|---|
| SOC 2 Type II | Full | 342 checks | Continuous + On-demand |
| ISO 27001 | Full | 114 controls | Quarterly + On-demand |
| HIPAA | Full | 89 safeguards | Continuous |
| GDPR | Full | 67 requirements | Quarterly |
| PCI DSS | Beta | 256 checks | On-demand |
| NIST CSF 2.0 | Full | 228 functions | Continuous |
# Enable compliance monitoring cv compliance enable --framework soc2 --type II # Run a compliance scan cv compliance scan --framework iso27001 # Export audit report cv compliance export --framework hipaa --format pdf \ --output ./audit-reports/hipaa-2025-q1.pdf
Troubleshooting #
Common Issues
| Issue | Probable Cause | Solution |
|---|---|---|
| Agent shows as disconnected | Network block or stale auth token | Check firewall rules; run cv auth refresh |
| High false positive rate | Sensitivity too high for your environment | Lower sensitivity to medium or tune custom rules |
| Slow event processing | Engine worker saturation | Increase max_workers or scale engine replicas |
| API returns 429 | Rate limit exceeded | Implement exponential backoff; upgrade plan if needed |
| Detection gaps | Log sources not configured | Verify all SIEM connectors and log collectors are active |
Debug Logs
# Enable debug logging cv config set log_level = debug # View real-time logs cv logs --follow # Export debug bundle for support cv support debug-bundle --output ~/cybervault-debug.tar.gz
Glossary #
| Term | Definition |
|---|---|
| TDE | Threat Detection Engine — CyberVault's core analysis pipeline combining signature, heuristic, and AI detection methods. |
| SOAR | Security Orchestration, Automation, and Response — automated playbook execution for incident containment and remediation. |
| MITRE ATT&CK | Adversarial Tactics, Techniques, and Common Knowledge — a globally accessible knowledge base of adversary tactics and techniques. |
| Zero Trust | Security model requiring continuous verification of every access request regardless of origin or network location. |
| FP Rate | False Positive Rate — the percentage of benign events incorrectly flagged as threats. |
| MTTR | Mean Time to Recovery — average time to restore normal operations after a security incident. |
| Threat Intelligence Feed | Stream of threat indicators (IOCs, IOAs) from CyberVault's global intelligence network of 500+ enterprise clients. |
Support #
Documentation: You're reading it!
Community: forum.cybervault.io
Support Portal: support.cybervault.io
Emergency SOC: soc@cybervault.io / +1-800-555-SEC1
SLA Response Times: Critical — 15 min | High — 1 hr | Medium — 4 hrs | Low — 24 hrs