Skip to main content

Cyradar -- overview

Cyradar is Cybrium's active discovery probe for AI inference servers. It sweeps a target list and identifies self-hosted AI servers — Ollama, vLLM, TGI, LocalAI, Triton, LM Studio, llama.cpp, generic OpenAI-compatible — by matching against a YAML-driven signature catalogue. The output is a versioned, optionally TPM-signed JSON envelope that flows into the Cybrium platform's AIAsset inventory.

It's part of the five-channel AI inventory (Sprint 67):

ChannelToolWhat it finds
#1 active probecyradarSelf-hosted inference servers reachable over the network
#2 trafficscan-hub collectorsOutbound calls to AI providers (api.openai.com / api.anthropic.com / etc.)
#3 cloud APIsplatform ingestorsBedrock / Azure OpenAI / Vertex / SageMaker managed models
#4 endpointcydevice agentAI tools / IDE extensions / desktop apps installed on workstations
#5 SCM/SASTcyscanSDK imports (import openai / import anthropic / etc.) in code

Cybrium's platform runs the same cyradar binary you can install locally — same probes, same output, same exit codes.

Why it exists

Every AI-governance vendor on the market does at most two of these channels — typically cloud-API + code scanning. Self-hosted inference servers are a blind spot. The "we found four unauthorised vLLM servers in your data center" demo only works if you can probe.

Quick start

# Install via Homebrew tap
brew install cybrium-ai/cli/cyradar

# Sweep your local network for AI servers
cyradar discover --targets 10.0.0.0/24

# Probe a single host
cyradar discover --targets gpu-1.lab:11434

# Output as SARIF for GitHub Code Scanning
cyradar discover --targets 10.0.0.0/24 --format sarif -o report.sarif

# Local-host scan — finds CLIs / desktop apps / IDE extensions
# (channel #4 fallback when cydevice isn't deployed)
cyradar local-scan

--allow-public is required for non-RFC1918 targets — prevents misconfigured agents from sweeping the public internet.

Supported signatures (v1)

ServerDefault portProbe path
Ollama11434/api/tags
vLLM8000/v1/models
TGI (HuggingFace Text Generation Inference)8080/info
LocalAI8080/readyz
Triton8000/v2
LM Studio1234/v1/models
llama.cpp8080/health
OpenAI-compatible (catch-all)8000/v1/models

Signatures are YAML files in rules/. Adding a new server type is a YAML edit, not a code change. PeriDex (Cybrium's self-evolving rules engine) hot-pushes new signatures without binary releases.

Output formats

json / json-pretty / yaml / text (default) / csv / html / sarif 2.1.0.

SARIF rule ids are emitted as CYRADAR-DISC-<PROVIDER> so findings route cleanly into GitHub Code Scanning, IDE plug-ins, and any SARIF-aware viewer.

Production posture

  • rustls only — no OpenSSL or native-tls in the dep graph; cargo deny check enforces this in CI
  • Apple-notarised macOS binaries (Developer ID Application + notarytool)
  • Cosign keyless signing for every release artefact
  • Static musl binary + distroless container (~6 MiB final image)
  • Body capped at 1 MiB per probe — malicious target can't OOM the scanner
  • Per-host token-bucket rate limiter — protects target from probe-storm
  • Default-deny on public IPs without --allow-public flag
  • Identifying User-Agent — blue teams can attribute scans

TPM-bound output signing

--sign produces an envelope with an attestation block:

  • Host TPM detection via OS-native facilities (Linux /dev/tpmrm0 + sysfs, Windows Get-Tpm, macOS Secure Enclave) — no tss-esapi link-time dep, compiles everywhere
  • Ed25519 signature over RFC-8785 canonical JSON
  • Key provisioned at agent enrolment (cydevice agent bootstrap), sealed at rest

The Cybrium platform-side ingestor verifies the signature against the EK enrolled when the agent was provisioned, so receiver can prove the report came from a specific authorised machine.

Repository

github.com/cybrium-ai/cyradar (private). Apache-2.0 licensed. Sister tools: cyprobe (OT/SCADA), cyscan (SAST), cydeep (PLC inspector), cysense, cyguard, cymail, cyweb, cywave, cydevice, cyred.