CyTriad — CIA Posture Scoring

CyTriad is Cybrium's CIA triad scoring engine. Every finding maps to its impact on Confidentiality, Integrity, and Availability. cyscan scan --cia produces a posture summary that CISOs, compliance teams, and board presentations can use directly.

Quick Start

cyscan scan . --cia                    # text summary
cyscan scan . --cia --format json      # JSON for dashboards

Output

CIA Posture Summary

  Confidentiality:  72/100  [FAIR]   12 finding(s) with impact
  Integrity:        85/100  [GOOD]   5 finding(s) with impact
  Availability:     91/100  [GOOD]   2 finding(s) with impact

Top Confidentiality Risks:
  [CRIT] CBR-SEC-AWS-ACCESS-KEY-ID — AWS Access Key ID
  [HIGH] CBR-TERR-S3-NO-ENCRYPTION — S3 bucket without encryption
  [HIGH] CBR-SEC-GENERIC-PASSWORD-ASSIGN — Password in source code

Top Integrity Risks:
  [CRIT] CBR-PY-SQLI-STRING-CONCAT — SQL injection
  [HIGH] CBR-K8S-WILDCARD-VERB — RBAC wildcard permissions

Top Availability Risks:
  [HIGH] CBR-CFN-RDS-NO-BACKUP — RDS without backup
  [MED]  CBR-K8S-MEMORY-LIMIT — No memory limit

How Findings Map to CIA

Finding type	C	I	A
Hardcoded secrets / credentials	High	Medium	Low
Missing encryption (at rest / in transit)	High	Low	Low
SQL injection / code injection / RCE	High	High	High
RBAC wildcards / privilege escalation	High	High	Medium
Public access / open ingress	High	Medium	Low
Missing backup / no disaster recovery	Low	Low	High
No rate limiting / DoS vulnerability	Low	Low	High
Missing code signing / integrity checks	Low	High	Low
Missing audit logging	Medium	Medium	Low
License compliance (GPL/AGPL)	None	None	None

Auto-Classification

Rules without explicit CIA tags are automatically classified by heuristic:

CWE-798 (hardcoded credentials) -> C:high, I:medium, A:low
CWE-89 (SQL injection) -> C:high, I:high, A:high
CWE-311 (missing encryption) -> C:high, I:low, A:low
CWE-269 (privilege management) -> C:high, I:high, A:medium
CWE-693 (protection mechanism failure) -> C:low, I:low, A:high

Explicit CIA Tags in Rules

Rules can declare explicit CIA impact:

id: CBR-TERR-S3-NO-ENCRYPTION
title: "S3 bucket without encryption"
severity: high
languages: ['terraform']
cwe: ['CWE-311']
cia:
  confidentiality: high
  integrity: low
  availability: low
pattern: |
  encrypted\s*=\s*false

Scoring Algorithm

Score per dimension = 100 minus weighted penalties:

Finding penalty = severity_weight x CIA_impact_level
Severity weights: Critical=5, High=3, Medium=1.5, Low=0.5, Info=0.1
CIA impact levels: High=3, Medium=2, Low=1, None=0
Score capped at 0 minimum

Quick Start​

Output​

How Findings Map to CIA​

Auto-Classification​

Explicit CIA Tags in Rules​

Scoring Algorithm​