Integrating with the platform
Cyprobe on its own gives you OT asset discovery and posture assessment for a single network segment. The Cybrium platform adds unified topology, historical tracking, compliance evidence, and correlation with cloud and code findings.
The bridge is the cyprobe upload subcommand -- it pushes SARIF or JSON results to the platform over HTTPS.
How the integration works
┌──────────── OT network / sensor ───────────────┐
│                                                │
│ cyprobe passive ... --format sarif > out.sarif │
│ cyprobe upload out.sarif                       │
│                                                │
└────────────────────────┬───────────────────────┘
                         │ HTTPS POST
                         ▼
┌──────────── Cybrium platform ──────────────────┐
│                                                │
│ parses SARIF -> creates/updates Asset records  │
│ merges into unified topology graph             │
│ evaluates platform-side posture policies       │
│ triggers drift alerts if asset state changed   │
│                                                │
└────────────────────────────────────────────────┘
1. Get an API key
Platform UI -> Settings -> API Keys -> Create API key
- Scopes: scan:upload and asset:write at minimum
- Expiry: 90 days recommended
The key is tenant-scoped to your organization.
2. Configure cyprobe
export CYBRIUM_API_KEY=sk-...
export CYBRIUM_API_URL=https://app.cybrium.ai
Or pass inline (command-line arguments are visible to other local users in the process list):
cyprobe upload out.sarif --api-key sk-... --api-url https://app.cybrium.ai
3. Upload results
# Passive scan results
sudo cyprobe passive --interface eth0 --duration 300 --format sarif > passive.sarif
cyprobe upload passive.sarif --title "Plant-A passive scan"
# Active probe results
sudo cyprobe active --targets 192.168.1.0/24 --active-confirm --format sarif > active.sarif
cyprobe upload active.sarif --title "Plant-A active probe"
# Posture check results
cyprobe rules check --input assets.json --format sarif > posture.sarif
cyprobe upload posture.sarif --title "Plant-A posture check"
Response:
{
  "upload_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "scan_id": "f9e8d7c6-b5a4-3210-fedc-ba0987654321",
  "tool": "cyprobe",
  "assets_created": 12,
  "assets_updated": 3,
  "findings_created": 5,
  "idempotent": false,
  "created_at": "2026-04-16T10:30:00Z"
}
Re-uploading the same file returns "idempotent": true with no changes.
How OT assets appear in the asset graph
Uploaded OT assets are merged into the same unified asset graph as cloud resources, code repositories, and IT infrastructure. Each OT asset gets:
- Asset type: ot_device with protocol-specific subtypes (plc, hmi, rtu, gateway, broker)
- Identity fields: IP, MAC, vendor, model, firmware version, protocol
- Edges: network connectivity edges to other assets (IT or OT) observed in the same broadcast domain
- Posture findings: linked directly to the asset node, visible in the topology view
The platform topology view renders OT assets with protocol-specific icons and groups them by network segment. Selecting an OT asset shows its discovery history, probe responses, and any posture violations.
Drift detection
When cyprobe uploads new results, the platform compares them against the previous state:
- New asset: an OT device appeared that was not in the last scan
- Disappeared asset: a previously known device is missing
- Changed firmware: firmware version differs from the last observation
- Changed configuration: security mode, authentication state, or certificate changed
Drift events trigger alerts through the standard notification pipeline (email, Slack, webhook, ticketing).
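The four drift categories above can be reproduced locally by diffing two asset snapshots, which helps when reviewing what an upload will change. This is an added example, not Cybrium's platform code; the record field names, the MAC-based identity key, and the sample data are assumptions constructed for illustration.

```python
"""Added example: classify drift between two OT asset snapshots.
Record field names and sample data are assumptions, not cyprobe's schema."""

# Assumed names for the configuration attributes the page lists:
# security mode, authentication state, certificate.
CONFIG_FIELDS = ("security_mode", "auth_enabled", "cert_fingerprint")

def index_assets(assets):
    """Key by MAC (survives DHCP re-addressing); fall back to IP if absent."""
    return {(a.get("mac") or a["ip"]).lower(): a for a in assets}

def detect_drift(previous, current):
    """Return drift events in the four categories described above."""
    prev, curr = index_assets(previous), index_assets(current)
    events = [{"type": "new_asset", "asset": k} for k in sorted(curr.keys() - prev.keys())]
    events += [{"type": "disappeared_asset", "asset": k} for k in sorted(prev.keys() - curr.keys())]
    for key in sorted(prev.keys() & curr.keys()):
        old, new = prev[key], curr[key]
        if old.get("firmware") != new.get("firmware"):
            events.append({"type": "changed_firmware", "asset": key,
                           "from": old.get("firmware"), "to": new.get("firmware")})
        changed = [f for f in CONFIG_FIELDS if old.get(f) != new.get(f)]
        if changed:
            events.append({"type": "changed_configuration", "asset": key, "fields": changed})
    return events

# Constructed sample snapshots (not real scan output).
PREVIOUS = [
    {"mac": "02:00:00:00:00:01", "ip": "192.168.1.10", "firmware": "2.8.1",
     "security_mode": "SignAndEncrypt", "auth_enabled": True, "cert_fingerprint": "aa11"},
    {"mac": "02:00:00:00:00:02", "ip": "192.168.1.20", "firmware": "1.4.0",
     "security_mode": "SignAndEncrypt", "auth_enabled": True, "cert_fingerprint": "bb22"},
    {"mac": "02:00:00:00:00:03", "ip": "192.168.1.30", "firmware": "3.0.0",
     "security_mode": "None", "auth_enabled": False, "cert_fingerprint": None},
]
CURRENT = [
    # Same device on a new IP: only the firmware version differs.
    {"mac": "02:00:00:00:00:01", "ip": "192.168.1.11", "firmware": "2.9.0",
     "security_mode": "SignAndEncrypt", "auth_enabled": True, "cert_fingerprint": "aa11"},
    # Security mode downgraded and authentication disabled.
    {"mac": "02:00:00:00:00:02", "ip": "192.168.1.20", "firmware": "1.4.0",
     "security_mode": "None", "auth_enabled": False, "cert_fingerprint": "bb22"},
    # Device not seen before; asset ...:03 is absent from this scan.
    {"mac": "02:00:00:00:00:04", "ip": "192.168.1.40", "firmware": "1.0.0",
     "security_mode": "None", "auth_enabled": False, "cert_fingerprint": None},
]

if __name__ == "__main__":
    print(*detect_drift(PREVIOUS, CURRENT), sep="\n")
```

Keying on MAC rather than IP keeps a DHCP re-lease from showing up as one disappeared asset plus one new asset.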
Air-gapped transfer
For networks with no outbound internet, export results to a file and transfer manually:
sudo cyprobe passive --interface eth0 --duration 300 --format sarif > scan.sarif
# Transfer scan.sarif to an internet-connected machine
cyprobe upload scan.sarif --title "Air-gapped plant scan"
The upload command does not need to run on the same machine as the scan.
Next step
- Deployment models -- passive tap, inline gateway, cloud-connected