Cymind + CyConscious

Self-evolving security intelligence that detects, decides, acts, and learns. The autonomous defense layer that gets smarter with every scan.

CYBRIUM AI ENGINE
5 Consciousness Levels | 7 Response Actions | 3 CVE Feed Sources | 24/7 Autonomous Learning

CyConscious — Graduated Autonomy

Security automation without trust is dangerous. CyConscious implements graduated autonomy — your platform starts dormant and earns its way to full autonomous response as you build confidence. Each level unlocks more capability. You control the ceiling.

Level 0 (Dormant): Collect and log only. No analysis, no action. Audit mode for initial deployment.
Level 1 (Aware): Analyze events and recommend actions. Human reviews every suggestion before execution.
Level 2 (Reactive): Propose fixes with dry-run preview. One-click approval. Human stays in the loop.
Level 3 (Adaptive): Auto-remediate below severity threshold. Escalate critical issues. Rollback window on every action.
Level 4 (Autonomous): Full autonomous response. Auto-fix, auto-learn, auto-generate rules, auto-verify. The platform runs itself.

Architecture — The Learning Loop

Cymind is the brain. PeriDex is the memory. Together they form a closed-loop system where every threat detected becomes a rule that prevents the next one.

DETECTION SOURCES
- CVE Feeds: NVD / OSV / GHSA
- CSPM Scan: AWS / Azure / GCP
- K8s Scan: cyscan k8s
- SAST / DAST: Code + Web
- User Feedback: Rule Ratings

Every finding triggers a CymindEvent via Django signal.

Cymind Engine: evaluate() → match rules → check consciousness level → decide. Three outcomes:
- Threat / Anomaly → Auto-Remediate (Block / Quarantine / Revert)
- Misconfiguration (critical/high) → PeriDex Generator: generate_iac_rule()
- CVE Advisory → PeriDex Generator: generate_from_cve()

PeriDex path: AI generates a YAML detection rule (Claude LLM + cloud resource context) → Validate (Precision / Recall / F1; confidence ≥ 0.9?) → Auto-Publish (GitHub PR → Release, shipped as cyscan rules/auto/*.yml) → Bundled in next release → Homebrew update → All users get the new rule, which catches the same misconfiguration in code review before it reaches production.

Feedback Loop: User rates rule → adjust confidence → improve next generation.

How Each Layer Works

Cymind — Decision Engine

Every security finding triggers a CymindEvent via Django post_save signal. The engine evaluates the event against tenant-specific ConsciousnessPolicy and CymindResponseRules. Based on the consciousness level, it either logs, recommends, queues for approval, or auto-executes a response action.

Actions execute through Dexter (cloud APIs), cyguard (endpoint agents), or direct infrastructure APIs. Every action captures pre-state and post-state for audit trail and rollback.

PeriDex — Rule Generation

AI-powered rule generation using Claude LLM with domain-specific prompts. Three generation paths: from CVE advisories (NVD/OSV/GHSA feeds every 6h), from scan findings (misconfigurations detected in production), and from IaC misconfiguration events (Cymind-driven learning).

IaC rules include cloud resource context for 50+ AWS/Azure/GCP Terraform resources, Kubernetes manifest fields, and Dockerfile instructions. Each rule is validated against a test corpus (precision/recall) before publishing.

CyConscious — Graduated Trust

The consciousness level is a per-tenant, per-scope configuration that controls how much autonomy the platform has. Scope can be cloud, endpoint, network, OT, or all. The require_approval_above field sets the severity threshold — e.g., auto-fix medium and below, escalate high and critical.

Cooldown periods prevent duplicate responses. The system respects a kill switch (enabled: false) for immediate shutdown of autonomous behavior.
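
The following is an added example, not Cybrium's code, of how the per-tenant, per-scope policy described above could turn a CymindEvent into one of the outcomes the page names (log, recommend, queue for approval, escalate, auto-execute). The names ConsciousnessPolicy, require_approval_above and enabled are taken from the page; the Python dataclasses, the outcome strings, the cooldown key (tenant, resource, action) and the choice to apply the severity threshold only at level 3 are assumptions.

```python
"""Added example (not Cybrium's code): a minimal CyConscious decision function.
Assumptions: dataclass shapes, outcome strings, cooldown key, and that level 4
auto-executes every severity while level 3 escalates above the threshold."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DORMANT, AWARE, REACTIVE, ADAPTIVE, AUTONOMOUS = range(5)


@dataclass
class ConsciousnessPolicy:
    tenant: str
    scope: str = "all"                       # cloud | endpoint | network | ot | all
    level: int = DORMANT
    require_approval_above: str = "medium"   # auto-fix this severity and below
    cooldown: timedelta = timedelta(minutes=15)
    enabled: bool = True                     # kill switch: False stops all autonomy


@dataclass
class CymindEvent:
    tenant: str
    scope: str
    resource_id: str
    action: str      # a response action, e.g. close_port or block_ip
    severity: str
    at: datetime


class CymindEngine:
    def __init__(self, policies):
        # keyed by (tenant, scope); a scope-specific policy beats the "all" policy
        self.policies: Dict[Tuple[str, str], ConsciousnessPolicy] = {
            (p.tenant, p.scope): p for p in policies
        }
        self.last_response: Dict[Tuple[str, str, str], datetime] = {}

    def policy_for(self, event) -> Optional[ConsciousnessPolicy]:
        return (self.policies.get((event.tenant, event.scope))
                or self.policies.get((event.tenant, "all")))

    def evaluate(self, event) -> str:
        policy = self.policy_for(event)
        # No policy, kill switch pulled, or level 0: collect and log only.
        if policy is None or not policy.enabled or policy.level == DORMANT:
            return "log"
        if policy.level == AWARE:
            return "recommend"            # a human reviews every suggestion
        if policy.level == REACTIVE:
            return "queue_for_approval"   # dry-run preview, one-click approval
        # Levels 3 and 4 respond on their own, so repeats inside the cooldown
        # window for the same tenant/resource/action are suppressed.
        key = (event.tenant, event.resource_id, event.action)
        last = self.last_response.get(key)
        if last is not None and event.at - last < policy.cooldown:
            return "suppressed_cooldown"
        self.last_response[key] = event.at
        if policy.level == ADAPTIVE and (
            SEVERITY_RANK[event.severity] > SEVERITY_RANK[policy.require_approval_above]
        ):
            return "escalate"             # above the threshold a human decides
        return "auto_execute"             # rollback window applies (not modelled here)


if __name__ == "__main__":
    engine = CymindEngine([ConsciousnessPolicy("acme", "cloud", ADAPTIVE, "medium")])
    now = datetime(2024, 1, 1, 12, 0)
    print(engine.evaluate(CymindEvent("acme", "cloud", "sg-1", "close_port", "medium", now)))
    print(engine.evaluate(CymindEvent("acme", "cloud", "sg-2", "close_port", "critical", now)))
```

The scope lookup falls back from a specific scope to "all", so a tenant can run endpoints at level 1 while cloud sits at level 3; flipping enabled to False on the matching policy drops every outcome to "log" without touching the level.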

Learning Loop — Self-Improvement

When users rate generated rules as useful or not useful, the feedback adjusts confidence scores: +0.05 for positive, -0.15 for negative. Rules dropping below 0.3 confidence are auto-rejected. High-confidence rules (≥0.9) are auto-published.

The learn_from_cymind_events task runs daily, scanning the last 24h of misconfiguration events for patterns not yet covered by existing rules. Every cloud misconfig your customers hit becomes a cyscan rule that catches it in code review.
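
The following is an added example, not Cybrium's or PeriDex's code, that works through the validation step from the PeriDex section (precision/recall/F1 against a test corpus) together with the feedback arithmetic above (+0.05 / -0.15 per rating, auto-reject below 0.3, auto-publish at ≥ 0.9). Those numbers come from the page; the GeneratedRule fields, the status names, the corpus format (labelled resource dicts), the rule expressed as a Python predicate instead of YAML, and the minimum F1 used as a publishing gate are assumptions.

```python
"""Added example (not Cybrium's/PeriDex's code): rule validation and the
feedback-driven confidence lifecycle. Thresholds are from the page; MIN_F1,
the dataclass fields, status names and the sample corpus are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

POSITIVE_DELTA = 0.05     # useful rating
NEGATIVE_DELTA = -0.15    # not-useful rating
REJECT_BELOW = 0.3
PUBLISH_AT = 0.9
MIN_F1 = 0.75             # assumed validation gate, not a figure from the page


@dataclass
class GeneratedRule:
    rule_id: str
    matches: Callable[[dict], bool]   # the rule's logic, here as a predicate
    confidence: float
    status: str = "draft"             # draft | published | rejected
    f1: float = 0.0                   # filled in by validate_rule


# Constructed sample corpus: (resource, should_the_rule_flag_it)
SAMPLE_CORPUS: List[Tuple[dict, bool]] = [
    ({"type": "bucket", "acl": "public-read"}, True),
    ({"type": "bucket", "acl": "private"}, False),
    ({"type": "bucket", "acl": "public-read-write"}, True),   # rule misses this one
    ({"type": "bucket", "acl": "public-read"}, True),
]


def validate_rule(rule: GeneratedRule, corpus: Iterable[Tuple[dict, bool]]) -> Dict[str, float]:
    """Run the rule over labelled resources; return precision, recall and F1."""
    tp = fp = fn = 0
    for resource, expected in corpus:
        hit = rule.matches(resource)
        if hit and expected:
            tp += 1
        elif hit:
            fp += 1
        elif expected:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    rule.f1 = f1
    return {"precision": precision, "recall": recall, "f1": f1}


def apply_feedback(rule: GeneratedRule, useful: bool) -> str:
    """Adjust confidence by one rating and move the rule between states."""
    if rule.status == "rejected":
        return rule.status                   # rejection is terminal
    delta = POSITIVE_DELTA if useful else NEGATIVE_DELTA
    rule.confidence = round(min(1.0, max(0.0, rule.confidence + delta)), 4)
    if rule.confidence < REJECT_BELOW:
        rule.status = "rejected"
    elif rule.status == "draft" and rule.confidence >= PUBLISH_AT and rule.f1 >= MIN_F1:
        rule.status = "published"            # on the page: GitHub PR -> release
    return rule.status


def learn_from_feedback(rules: List[GeneratedRule], ratings: Iterable[Tuple[str, bool]]) -> Dict[str, int]:
    """Batch version of the daily task: apply all ratings, return status counts."""
    by_id = {r.rule_id: r for r in rules}
    for rule_id, useful in ratings:
        if rule_id in by_id:
            apply_feedback(by_id[rule_id], useful)
    counts = {"draft": 0, "published": 0, "rejected": 0}
    for r in rules:
        counts[r.status] += 1
    return counts
```

Note the asymmetry the page builds in: one negative rating costs three positives, so a rule at 0.4 is rejected by a single "not useful", while a rule needs a clean validation result and a string of positives to cross 0.9.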

Response Actions

Cymind doesn't just detect — it acts. Each action is reversible with full audit trail.

Action | What Happens | Executed Via | Rollback
------ | ------------ | ------------ | --------
quarantine | Network isolation — drop all traffic except management | Dexter (firewall / ACL) | Restore original rules
block_ip | Add attacker IP to WAF blocklist | Dexter (AWS WAF / Cloudflare) | Remove IP from blocklist
close_port | Modify security group to close exposed port | Dexter (cloud API) | Reopen port with original rules
revert_config | Roll back cloud resource to last compliant state | CSPM Fix Engine | Reapply reverted config
kill_process | Terminate suspicious process on endpoint | Cyguard agent | N/A (process killed)
deploy_waf_rule | Push custom WAF rule to block attack pattern | Dexter (WAF API) | Delete WAF rule
isolate_segment | Apply network ACL to isolate a VLAN segment | Dexter (ACL changes) | Remove isolation ACL
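
The following is an added example, not Cybrium's or Dexter's code, showing what "reversible with full audit trail" looks like for one row of the table above: a block_ip action that captures pre-state and post-state, supports the level 2 dry-run preview, and rolls back by restoring the captured pre-state (which removes the IP again). The in-memory WafBlocklist stands in for the WAF API behind Dexter; its read/write methods, the ActionRecord fields and the sample addresses (RFC 5737 documentation ranges) are assumptions or constructed.

```python
"""Added example (not Cybrium's/Dexter's code): a reversible block_ip action
with pre/post-state capture, dry-run preview and rollback. WafBlocklist is an
in-memory stand-in for the real WAF API; all names and sample IPs are assumed."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List


class WafBlocklist:
    """Stand-in for the blocklist behind Dexter (AWS WAF / Cloudflare)."""
    def __init__(self, initial=()):
        self._ips = set(initial)

    def read(self) -> dict:
        return {"blocklist": sorted(self._ips)}

    def write(self, state: dict) -> None:
        self._ips = set(state["blocklist"])


@dataclass
class ActionRecord:
    action: str
    target: str
    executed_at: datetime
    pre_state: dict      # captured before the change, used for rollback
    post_state: dict     # captured after the change, for the audit trail
    rolled_back: bool = False


class ResponseExecutor:
    def __init__(self, waf: WafBlocklist):
        self.waf = waf
        self.audit: List[ActionRecord] = []

    def block_ip(self, ip: str, dry_run: bool = False):
        ip = str(ip_address(ip))                  # rejects anything that is not an IP
        pre = self.waf.read()
        planned = {"blocklist": sorted(set(pre["blocklist"]) | {ip})}
        if dry_run:                               # level 2: preview only, no change
            return {"action": "block_ip", "target": ip,
                    "would_add": [ip] if ip not in pre["blocklist"] else []}
        self.waf.write(planned)
        record = ActionRecord("block_ip", ip, datetime.now(timezone.utc),
                              deepcopy(pre), self.waf.read())
        self.audit.append(record)
        return record

    def rollback(self, record: ActionRecord) -> dict:
        """Restore exactly the pre-state, so the IP is removed from the blocklist."""
        if record.rolled_back:
            raise ValueError("action already rolled back")
        self.waf.write(record.pre_state)
        record.rolled_back = True
        return self.waf.read()


if __name__ == "__main__":
    # Constructed sample state: one address already blocked.
    executor = ResponseExecutor(WafBlocklist(["198.51.100.7"]))
    print(executor.block_ip("203.0.113.5", dry_run=True))
    rec = executor.block_ip("203.0.113.5")
    print(rec.post_state, executor.rollback(rec))
```

Restoring the whole captured pre-state, rather than issuing an "unblock" for the one IP, is what keeps rollback safe when the action turns out to have been applied against a blocklist that was changed by something else in the meantime: the audit record shows exactly what was there before and after.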

Automated Pipeline Schedule

Five Celery Beat tasks keep the learning loop running 24/7 without human intervention.

Task | Schedule | What It Does
---- | -------- | ------------
ingest_cve_feed | Every 6 hours | Fetch NVD + OSV + GHSA advisories, generate detection rules for new CVEs
periodic_rule_generation | Every 12 hours | Find HIGH/CRITICAL findings without rules, generate for up to 50 per cycle
auto_publish_validated_rules | Daily 3:30 AM | Auto-publish rules with confidence ≥ 0.9 as GitHub PRs
learn_from_cymind_events | Daily 4:00 AM | Scan 24h of misconfiguration events, generate IaC rules for uncovered patterns
learn_from_feedback | Daily 5:00 AM | Process user feedback, adjust confidence scores, auto-reject low-confidence rules

Why This Is a Moat

Shift-Left from Production

Every cloud misconfiguration detected in production automatically becomes a cyscan rule that catches the same issue in code review. Your IaC rules grow organically from real-world findings.

Cross-Tenant Intelligence

Anonymized misconfiguration patterns from all tenants improve the shared rule set. A vulnerability found at one customer protects every customer. Network effects compound.

Zero-Day Coverage

CVE feeds are ingested every 6 hours. New vulnerabilities get detection rules within hours of publication — no waiting for vendor updates or signature releases.