One platform. Every API threat.
Cyron protects HTTP, WebSocket, and gRPC APIs with machine learning, behavioral analysis, threat intelligence, and AI-powered reasoning. Deploy on our EU cloud or your own servers.
Multi-Protocol
Every protocol, native detection
Most API security tools were built for REST. Cyron detects threats across HTTP, WebSocket, and gRPC with dedicated detection models for each protocol. Traffic is analysed in its native format, not converted to a common structure first. This means higher detection accuracy and fewer false positives.
One platform. Three native detection pipelines.
HTTP
Full request and response analysis including headers, parameters, and body content.
WebSocket
Frame-level analysis with session tracking, transition detection, and connection-state monitoring.
gRPC
Binary message structure analysis with optional schema awareness for uploaded service definitions.
iris
Block threats before they reach your app
The iris eBPF agent attaches to your network interfaces at the kernel layer. It captures traffic across all supported protocols and blocks threats by dropping packets before any application code runs. Before the encryption handshake completes, before server resources are consumed. The attacker sees only connection timeouts.
Kernel capture
Complete traffic visibility at the operating system layer. Automatic environment detection.
Authenticated blocking
Cryptographically verified block commands prevent unauthorized enforcement actions.
Persistent rules
Block rules survive agent restarts. Time-limited blocks expire automatically.
No extra privileges
iris requires only standard network monitoring permissions.
Behavioral
Catches what signatures cannot
Many sophisticated attacks use perfectly valid API calls that pass every signature check. The difference is in the pattern. Cyron behavioral engine learns what normal usage looks like for each endpoint and flags sequences that deviate. Even when every single request in the sequence appears legitimate on its own.
Account enumeration
Sequential probing to discover valid accounts or resources.
Credential stuffing
Distributed login attempts using leaked credentials from other breaches.
Data scraping
Systematic extraction of data through legitimate-looking requests.
Business logic abuse
Checkout fraud, coupon abuse, and webhook replay attacks.
Threat Intelligence
7 feeds. 58,000+ threat IPs. Under 2 milliseconds.
Every API request is cross-referenced against seven continuously updated threat feeds. Known malicious IP addresses, botnet infrastructure, and compromised hosts are flagged instantly. Reputation lookups complete in under 2 milliseconds with no dependency on external services at query time.
Local reputation engine
All feeds synchronised locally. No external API calls during request analysis.
Multi-source correlation
Traffic from anonymisers, IPs flagged across multiple feeds, and known botnet infrastructure.
AI report enrichment
Threat intelligence context is woven into every AI-generated threat report.
Air-gapped support
On-Premise deployments receive feeds via offline transfer scripts.
System 2 Thinking
AI reasoning for ambiguous threats
When machine learning detects something suspicious but cannot make a confident determination, Cyron reasoning engine performs deeper forensic analysis. Each protocol gets its own analysis approach, tuned to that protocol specific characteristics.
Selective invocation
The reasoning engine activates only when needed, keeping operational costs low.
Protocol-aware analysis
Dedicated analysis logic for HTTP, WebSocket, and gRPC threats.
Graceful fallback
If the reasoning engine is temporarily unavailable, Cyron falls back to deterministic analysis. Threat decisions are never delayed.
Deployment
Your choice of deployment
Cyron SaaS runs on EU-based infrastructure. Cyron On-Premise runs entirely on your servers. Both deliver the same detection pipeline. The same behavioral intelligence, the same AI reasoning, the same iris agent, the same dashboard.
EU SaaS
Hosted in the European Union. GDPR-aligned data processing. Configurable retention (30, 90, or 365 days).
On-Premise
Self-hosted deployment for regulated industries. Encrypted models, signed license, air-gapped support.
Same platform
No feature gap between SaaS and On-Premise. You choose the hosting model.
Choose your plan
Pick the detection depth that matches your team's needs. Every plan includes multi-protocol coverage across HTTP, WebSocket, and gRPC.
Plans
Essential
Detect what signatures miss
Best for: Teams whose APIs handle sensitive data or financial transactions, where sophisticated attacks look like legitimate traffic.
What you gain:
- Behavioral intelligence that learns your API traffic patterns
- Detection of credential stuffing, account enumeration, and scraping
- Business-logic abuse identification
- Endpoint exemption management
Standard
Investigate with confidence
Best for: Production environments where security teams need confident, explainable threat assessments, not just alerts.
What you gain:
- AI-powered reasoning for ambiguous threats (System 2 Thinking)
- Forensic threat reports explaining what was detected and why
- Threat intelligence context woven into every report
- Protocol-specific analysis for HTTP, WebSocket, and gRPC
Premium
Protect at scale
Best for: Growing platforms with significant API traffic where detection quality must not degrade as you scale.
What you gain:
- Higher analysis throughput for larger API surfaces
- Same detection depth applied to significantly more traffic
- Priority email support
Premium Plus
Enterprise-grade assurance
Best for: Large-scale deployments and regulated industries where no ambiguous threat should go unexamined.
What you gain:
- Maximum analysis throughput across all protocols
- Widest coverage on ambiguous and edge-case threats
- Designed for multi-service, high-traffic architectures
Ready to secure your APIs?
Start with a free account, or talk to our team about On-Premise deployment.