CyConscious — Graduated Autonomy
Security automation without trust is dangerous. CyConscious implements graduated autonomy -- your platform starts dormant and earns its way to full autonomous response as you build confidence. Each level unlocks more capability. You control the ceiling.
Consciousness Levels
| Level | Name | What happens | When to use |
|---|---|---|---|
| 0 | Dormant | Collect and log only. No analysis, no action. | Initial deployment, audit mode |
| 1 | Aware | Analyze events, recommend actions. Human reviews every suggestion. | New environments, building trust |
| 2 | Reactive | Propose fixes with dry-run preview. One-click approval. | Production with oversight |
| 3 | Adaptive | Auto-remediate below severity threshold. Escalate critical issues. Rollback window on every action. | Trusted environments |
| 4 | Autonomous | Full autonomous response. Auto-fix, auto-learn, auto-generate rules, auto-verify. | Enterprise, full automation |
How It Works
Every security finding in the platform triggers a CymindEvent. The engine evaluates it against your tenant's consciousness policy:
    Sensor detects event
        |
        v
    CymindEvent created (via Django signal)
        |
        v
    CymindEngine.evaluate()
        |
        +-- Check tenant ConsciousnessPolicy (level + scope)
        +-- Match CymindResponseRules (event_type + severity)
        +-- Check severity threshold (require_approval_above)
        +-- Enforce cooldown (no duplicate responses)
        |
        v
    Decision: ignore | recommend | queue_approval | auto_execute
        |
        v
    Execute response (via Dexter / cyguard / WAF API)
        |
        +-- Capture pre-state
        +-- Execute action
        +-- Capture post-state
        +-- Notify via email + WebSocket
        +-- Log to audit trail
Configuration
Each tenant configures their consciousness policy per scope:
| Field | What it controls |
|---|---|
| level | Consciousness level (0-4) |
| scope | cloud, endpoint, network, ot, or all |
| require_approval_above | Severity threshold -- auto-fix below, escalate above |
| cooldown_seconds | Minimum gap between duplicate responses (default 300s) |
| auto_responses | Map of event_type to allowed actions |
| enabled | Kill switch for immediate shutdown |
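The decision step from How It Works, driven by the policy fields above, as an added example (not CyConscious code). The `Policy` class, the `decide` function, the severity names, the event dict shape, the `cloud_misconfiguration` identifier and the fallbacks marked as assumptions are all illustrative.

```python
from dataclasses import dataclass, field

# Assumed severity names and ordering; the page does not list them.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Policy:  # hypothetical class; fields named after the Configuration table
    level: int
    scope: str
    require_approval_above: str
    cooldown_seconds: int = 300
    auto_responses: dict = field(default_factory=dict)
    enabled: bool = True

def decide(policy, event, action, last_response_at, now):
    """Return ignore, recommend, queue_approval or auto_execute.

    event: dict with scope, event_type, severity (constructed shape).
    last_response_at: epoch seconds of the previous response to the same
    event, or None.
    """
    # Kill switch and Dormant both mean collect and log only.
    if not policy.enabled or policy.level == 0:
        return "ignore"
    # Policies are per scope; "all" covers every scope.
    if policy.scope not in ("all", event["scope"]):
        return "ignore"
    # Cooldown: no duplicate response inside the window.
    if last_response_at is not None and now - last_response_at < policy.cooldown_seconds:
        return "ignore"
    if policy.level == 1:
        return "recommend"
    # Assumption: an action missing from auto_responses is only recommended.
    if action not in policy.auto_responses.get(event["event_type"], []):
        return "recommend"
    if policy.level == 2:
        return "queue_approval"
    if policy.level == 3:
        # Unknown severity or threshold fails closed into the approval queue.
        sev = SEVERITY.get(event["severity"], 99)
        limit = SEVERITY.get(policy.require_approval_above, 0)
        return "queue_approval" if sev > limit else "auto_execute"
    # Assumption: level 4 does not consult the threshold; other levels fail closed.
    return "auto_execute" if policy.level == 4 else "ignore"

if __name__ == "__main__":
    p = Policy(3, "cloud", "medium", auto_responses={"cloud_misconfiguration": ["revert_config"]})
    e = {"scope": "cloud", "event_type": "cloud_misconfiguration", "severity": "critical"}
    print(decide(p, e, "revert_config", None, 1000))  # constructed sample
```

The ordering puts the kill switch, scope and cooldown checks ahead of any level logic, so a disabled or out-of-scope policy can never reach an execute path.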
Response Actions
| Action | What Cymind does | Rollback |
|---|---|---|
| quarantine | Network isolation via firewall/ACL | Restore original rules |
| block_ip | Add IP to WAF blocklist | Remove from blocklist |
| close_port | Modify security group | Reopen with original rules |
| revert_config | Roll back cloud resource to compliant state | Reapply reverted config |
| kill_process | Terminate suspicious process via cyguard | N/A |
| deploy_waf_rule | Push WAF rule to AWS WAF / Cloudflare | Delete WAF rule |
| isolate_segment | Apply network ACL to isolate VLAN | Remove isolation ACL |
Every response captures pre-state and post-state for a full audit trail and rollback.
Event Sources
| Source | Event types |
|---|---|
| CSPM engine | Cloud misconfiguration, compliance drift |
| SAST / DAST | New vulnerability discovered |
| Adversary engine | Vulnerability exploited during campaign |
| Cysense (network) | Anomalous traffic, protocol violation |
| Cyguard (endpoint) | Suspicious process, unauthorized listener |
| Cywave (wireless) | Rogue access point, unauthorized BLE device |
| NHI scan | Identity anomaly, stale service account |
Architecture Diagram
See the full interactive architecture diagram: Cymind + CyConscious Architecture