Cyron v3.0: Multi-Protocol Detection, eBPF Kernel Agent, and On-Premise Deployment

Today we are releasing Cyron v3.0, the largest update in the platform’s history. This release transforms Cyron from an HTTP-only API security monitor into a multi-protocol, kernel-level threat detection and blocking platform with full on-premise deployment support.

Multi-Protocol API Security

Cyron v3.0 extends the entire detection pipeline across HTTP, WebSocket, and gRPC protocols. Every layer operates natively on each protocol: real-time threat scoring, deeper forensic analysis for ambiguous threats, behavioral engine, threat intelligence enrichment, System 2 Thinking reasoning, incident creation, SIEM alerts, and agent blocking.

Each protocol uses dedicated machine learning trained on wire-native features. The gRPC pipeline operates on raw protobuf wire-level metadata including field counts, nesting depth, unknown fields, and binary entropy, preserving protocol fidelity that JSON-decoded analysis cannot achieve.

Teams using gRPC can upload .proto schema files through the dashboard for schema-aware structural analysis.

iris: eBPF Kernel-Level Agent

iris is our next-generation Linux agent built on eBPF. A single compact binary replaces all previous Linux agents. It captures HTTP/1.1, HTTP/2, WebSocket, and gRPC traffic at the kernel layer and blocks threats with silent packet drops before the TCP handshake completes.

Key capabilities: content-based HTTP direction detection, HTTP/2 HPACK dual decoder (RFC 7540 compliant), auto-topology detection (Docker, Kubernetes, bare-metal), netlink interface watcher, request deduplication, cryptographically authenticated webhook receiver, and persistent block rules across agent restarts.

iris requires only the standard capabilities needed for network monitoring.

Cyron Standard On-Premise

Cyron Standard On-Premise brings the complete detection pipeline to customer-managed infrastructure. Delivered as an encrypted deployment package with cryptographically signed licenses, encrypted detection models, and scripted installation that completes in under 30 minutes.

Air-gapped deployments are supported with offline data transfer scripts for threat intelligence feeds. On-Premise pricing is tailored to deployment scope. Contact office@cyron.io.

Behavioral Intelligence Engine

A new anomaly detection engine identifies access pattern attacks where every individual request contains clean payloads: BOLA enumeration, credential stuffing, data scraping, webhook abuse, and more.

Four protocol-specific behavioral models (HTTP, WebSocket, gRPC, session) combine multiple detection approaches, requiring agreement across signals before flagging. This minimizes false positives while catching sophisticated behavioral attacks that signature-based detection misses.

Threat Intelligence Engine

Seven curated feeds replace the previous single-source system: Tor Exit Nodes, Feodo Tracker, IPsum, Blocklist.de, ET Compromised, ThreatFox, and AbuseIPDB. Over 58,000 known threat IPs enriched in under 2 milliseconds with zero external API dependencies at query time.

Additional Improvements

• PII exfiltration detection for server-to-client data leakage (OWASP API3:2023)
• Endpoint exemption from blocking, SIEM alerts, and incident creation
• EU data residency (GDPR, NIS2, DORA)
• Intelligent alert suppression with risk score decay on false positive feedback
• Plan renamed from Essential to Standard

Get Started with Cyron v3.0

SaaS: Subscribe at app.cyron.io/register

On-Premise: Contact office@cyron.io

Live Demo on request: Explore P360 at p-360.cloud

Documentation: app.cyron.io/guide