Cyphon is a triage, enhancement, and decision-support platform that organizes your alert workflow.

With Cyphon, you can:

  • Aggregate data from numerous sources: email, logs, social media, and APIs
  • Enhance data with automated analyses, like geoip
  • Generate custom alerts with push notifications
  • Throttle alerts and bundle related incidents
  • View alerts by category, priority, and source
  • Investigate alerts and track work performed
Cyphon admin

Cyphon admin dashboard.

Cyclops UI dashboard

Cyclops UI dashboard view.

Cyclops UI alerts

Cyclops UI alerts view.

Use Cases

Incident Management

Many organizations manage post-processed security events as email notifications, which is incredibly inefficient. An inbox flooded with alert notifications creates an environment where critical issues are overlooked and rarely investigated.

Cyphon eliminates this issue by throttling events and prioritizing them based on user-defined rules. Analysts can quickly investigate incidents by correlating other data sets against indicators that matter. They can then annonate alerts with the results of their analysis.

Today, Cyphon supports integrations with Bro, Snort, Nessus, and other popular security products.

Social Media Monitoring

Leveraging publicly available APIs, Cyphon can collect data from streaming sources. Search is based on keywords, geofencing, and adhoc parameters. Cyphon supports the current version of the Twitter Public Streams API.

IoT and Sensor Data Processing

Cyphon can process events from any sensor type, offering a unique way to analyze information from physical environments.


The Cyphon platform is made up of a backend data processing engine (“Cyphon Engine”) and a security operations front end UI for visualization (“Cyclops”). They are maintained in separate projects. The source code for Cyphon Engine can be found here, while the Cyclops project can be found here. This documentation focuses on Cyphon Engine. See the Cyphon Architecture Overview for more details about its design.


Cyphon works with the help of several open source projects. To get Cyphon up and running, you’ll need to install all of its dependencies. We’ve simplified this process by using Docker, which allows you to easily deploy an application as a set of microservices. Additionally, we’ve created a set of files for running Cyphon in both development and production environments. Employing a Docker Compose file enables you to quickly install and run Cyphon and the other services it uses, including:

Our Docker Compose files are available on GitHub as Cyphondock. If you’d like to work with our Docker image directly, you can find it on Docker Hub.

See Getting Started for more info.


Cyphon is free software and available for personal or professional use. The Cyphon Project is maintained by Dunbar Cybersecurity and is distributed under a dual license. The Cyphon Engine is distributed under the GPLv3 License. Cyclops is subject to a non-commercial use license.