Platform integration
How Dexter runs in the platform
When a user clicks "Fix" on a finding in the Cybrium workspace:
- Dexter generates a fix preview (dry-run) showing what will change
- If approval is required, an email is sent to tenant admins
- Once approved, Dexter captures the current resource state
- The fix is applied in an isolated, auditable environment
- Post-fix state is captured and compared
- The finding is re-scanned to verify resolution
- Email notification with result and rollback option
Credential separation
Cybrium enforces strict separation between scan and fix credentials:
| Scope | Access | Purpose |
|---|---|---|
| Scan | Read-only | Reconnaissance, assessment, configuration reads |
| Fix | Write | Applying remediations, modifying cloud resources |
Scan credentials can never be used to apply fixes. Each scope is configured separately in Settings > Cloud Providers.
Approval gates
Dexter supports configurable approval workflows:
- Dry-run first — Dexter generates the fix plan without applying
- Admin review — the fix plan is emailed to tenant admins with a preview of changes
- Explicit approval — an admin approves in the Cybrium console
- Apply + verify — fix is applied and automatically verified
- Rollback window — 24-hour window to reverse any applied fix
With Cymind consciousness level 3 or above, low-severity fixes can be auto-approved — skipping the manual gate while maintaining full audit trail.
CI/CD integration
Dexter can also be triggered from your CI/CD pipeline:
# Scan and auto-fix in one step (dry-run by default)
cybrium scan --target my-aws-account --auto-fix --dry-run
Fix proposals from CI runs appear in your Cybrium workspace for review.