EQUA/CyberRunner
What is CyberRunner

The AI SOC analyst your security team has been asking for.

CyberRunner is AI-driven alert triage for security operations centres. It reads every alert from your existing security stack — your SIEM, your EDR, your identity provider, your threat-intel feeds — and investigates it the way your senior analyst would: pulls the evidence, weighs the hypothesis against the counterfactuals, returns a clear verdict with the reasoning that produced it.

Concretely: your SIEM fires an alert. CyberRunner reads it, looks up the IPs and the users, queries your threat intel, cross-references the authentication history, forms an attack hypothesis, refutes itself with a devil's-advocate pass, and returns a verdict — Actionable, Grace Period, or No Action — in 10–30 seconds. The result lands in the case tool your team already uses, with the full audit trail attached.

Your analysts open the morning queue and only see the cases that genuinely need their judgement. The 80% that's noise is already closed with a written explanation. The 20% that's signal is prioritised, contextualised, ready to action.

Externally graded. The KANO Cyber Institute scores CyberRunner against your senior analysts on real production incidents — blind, continuously, with no input from us. EU-sovereign. Compute and storage in Azure West Europe or Hetzner Germany; your data never pools with another customer's, never trains anyone else's model. Free for your first 50 alerts a month — long enough to prove it on your own queue before paying anything.

870 / 1000 · KANO score.
Your senior analyst typically lands around 950 on the same rubric — and we close the gap every release.
12s · Median wall-clock per investigation.
Around the clock, every alert, no shift change, no fatigue.
€0.15 · Per alert at volume.
Free under 50/month. The work of an analyst team for a tenth of the bill.


AI-powered security operations

Every alert, investigated like your best analyst — in seconds.

Your security team is drowning in alerts. The dangerous ones hide in the flood. CyberRunner reads every alert the way your best analyst would, decides what matters, and only hands your team the cases that need their judgement. Externally graded by KANO. In production today.

Trusted by 47 security teams across DK · DE · NL · UK

3 choices

Your AI, your choice

Run on a frontier cloud model, on your own Anthropic or OpenAI account, or fully on your own hardware. No vendor lock-in. No surprises when your provider changes terms.

0% pooled

Your data stays yours

Your alerts, investigations and verdicts live inside your private instance. Nothing pooled with other customers. We never train on your data. Audit trail you can hand a regulator.

100% EU

EU sovereign by default

Compute and storage in Europe — Azure West Europe or Hetzner Germany. No data leaves the EEA without your explicit opt-in. DPA on file. GDPR-defensible.

60–80% cheaper

A fraction of the cost

The work of an analyst team for a tenth of the bill. Pay per alert investigated — no per-seat tax. Free for under 50 alerts a month. Cancel any time.


How it works · Your analyst, multiplied

One alert in. A full investigation out.

CyberRunner does the same job your senior analyst does on every alert — pulls the evidence, weighs what matters, makes the call, writes it up. Anything it can't decide confidently routes to your team with a clear reason why. Every decision is replayable, board-defensible, and audit-ready.

No black box

Every verdict ships with the reasoning that produced it. If a regulator or your board asks "why did you close that?", you have an answer.

Replayable

Re-open any decision and trace exactly how it was reached. Useful in an incident review; essential in a post-breach audit.

Audit-ready

Verdict, evidence, narrative — already in the shape your CISO, auditor and insurer want to see. No analyst rewrite.

Gets better weekly

Quality compounds as it learns from your analysts' corrections and the latest external grading. Nothing decays on the shelf.


Editions · Three ways to buy

Same engine, three product surfaces.

Pick the edition that fits the company you are today. The triage quality is identical across all three — the difference is what we wrap around it.

CyberRunner console · Cases · 14 open · 3 awaiting analyst
Navigation: Cases (Queue · 14, Hunts, Reports) · Config (Sources, Sinks, Users)

  • Encoded PowerShell · FIN-LAPTOP-07: Actionable · 94% · 18.9s · Iron-Falcon-1f7a
  • Failed logins · 11× · svc-backup: Grace Period · 78% · 12.4s · Shadow-Viper-4c9e
  • DNS lookup spike · WS-2241: No Action · 91% · 8.1s · auto-closed

Case detail · Encoded PowerShell · FIN-LAPTOP-07: verdict ACTIONABLE · Risk 78/100 · Conf 94% · deep · 18.9s. Risk factors: +22 LOLBin abuse, +15 base64 payload, +9 off-hours exec. Decoded payload beacons to 185.x.x.x · matches Iron-Falcon TTP. Routed to ServiceNow · INC0048213 · analyst notified.

Edition 01 — Full

CyberRunner / Full

A complete security operations centre, ready to run. Replaces the team and the tooling cost of a 24/7 SOC — without the 18-month hiring cycle. If you don't have one today, you can have one next week.

Best for — Companies 200–5,000 people without a dedicated SOC. Mid-market upgrading from a part-time security team. The "we need to be secure but can't justify five analysts" problem.

  • Everything an analyst opens daily — cases, queues, investigations
  • Plugs into your existing SIEM, EDR, ticketing and chat tools
  • Per-seat + per-investigation pricing — predictable monthly bill

Your team's first day, automated

Cases open themselves. Queues prioritise themselves. SLAs tick automatically. The board sees the metrics; the team handles the work that's actually theirs.

Hunts in one click, not one day

When a verdict turns into a real incident, your analyst pivots into a hunt without redoing the work. Faster mean-time-to-respond — the number your insurer asks about.

Defensible to the board

Every decision logged, every action explained. If an auditor or an insurer asks how a verdict was reached, the trail is one click away. No "we don't know".

See the Full edition
POST /api/v1/ingest

    $ curl -X POST "https://$CR_HOST/api/v1/ingest" \
        -H "X-API-Key: $CR_KEY" \
        -H "Content-Type: application/json" \
        -d '{"log_data":"Failed password..."}'

    → HTTP/1.1 200 OK
    {
      "investigation_id": "8c47f1b2-4d6e-43a1-9c8f...",
      "display_name": "Shadow-Viper-4c9e",
      "verdict": "Grace_Period",
      "verdict_confidence": 0.78,
      "risk": 42,
      "thoroughness": "deep",
      "needs_analyst": false,
      "ensemble_spread": { 2/3 agreed }
    }

GET /api/v1/investigations/{id}

    $ curl "https://$CR_HOST/api/v1/investigations/8c47..." \
        -H "X-API-Key: $CR_KEY"

    → HTTP/1.1 200 OK
    {
      "verdict": "Actionable",
      "risk": 78,
      "narrative": "Encoded PowerShell on FIN-LAPTOP-07 decoded to a base64 cradle; C2 matches Iron-Falcon. Host contained.",
      "routed_to": "ServiceNow:INC0048213",
      "eradication": [ "isolate_host", "revoke_token:svc-backup" ]
    }

Edition 02 — Middleware

CyberRunner / Middleware

Already have a SOC? Cut its workload 60–80% without ripping anything out. CyberRunner slots in alongside the tools you already paid for — the security team you already pay for, multiplied.

Best for — Enterprises with an existing SIEM, SOAR and case stack. The "we don't want to start over, we want our analysts to go further" problem.

  • Drops into the tools your team already lives in
  • Routes verdicts straight to ServiceNow, Jira or PagerDuty
  • Pay per alert investigated. No rip-and-replace. No new licences.

Live in two weeks, not two quarters

One webhook from your SIEM, one API key, and CyberRunner is grading every alert. Your team feels the relief in the first shift.

Verdicts land in your case tool

ServiceNow incident for the real things, Jira for grey-area, SIEM closure note for the noise. Your analysts open the morning queue and only see what needs their attention.
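
The routing described above (ServiceNow for real incidents, Jira for grey-area, a SIEM closure note for noise), as an added example that is not CyberRunner's own code: a consumer of the ingest response that fails closed to a human queue on malformed or low-confidence output. The verdict-to-sink mapping, the `No_Action` wire value, the fallback queue name and the 0.85 threshold are assumptions.

```python
import json

# Constructed sample shaped like the ingest response shown on the page; the id
# is a placeholder and the page's "ensemble_spread" display value is omitted.
SAMPLE_RESPONSE = """{
  "investigation_id": "00000000-0000-0000-0000-000000000000",
  "display_name": "Shadow-Viper-4c9e",
  "verdict": "Grace_Period",
  "verdict_confidence": 0.78,
  "risk": 42,
  "thoroughness": "deep",
  "needs_analyst": false
}"""

# Assumed mapping, read off the routing paragraph. "No_Action" as a wire value
# is a guess modelled on the page's "Grace_Period".
SINKS = {"Actionable": "servicenow", "Grace_Period": "jira", "No_Action": "siem_close"}
ANALYST_QUEUE = "analyst_queue"   # hypothetical fallback sink
MIN_AUTOCLOSE_CONFIDENCE = 0.85   # hypothetical local policy threshold


def route(raw: str) -> str:
    """Return the sink for one ingest response, failing closed to a human."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return ANALYST_QUEUE
    if not isinstance(body, dict):
        return ANALYST_QUEUE
    verdict = body.get("verdict")
    conf = body.get("verdict_confidence")
    # bool is a subclass of int in Python, so exclude it explicitly.
    valid_conf = (isinstance(conf, (int, float)) and not isinstance(conf, bool)
                  and 0.0 <= conf <= 1.0)
    if not isinstance(verdict, str) or verdict not in SINKS or not valid_conf:
        return ANALYST_QUEUE
    if body.get("needs_analyst") is not False:
        return ANALYST_QUEUE      # missing or true: a person looks at it
    if verdict == "No_Action" and conf < MIN_AUTOCLOSE_CONFIDENCE:
        return ANALYST_QUEUE      # never auto-close on a weak verdict
    return SINKS[verdict]


if __name__ == "__main__":
    print(route(SAMPLE_RESPONSE))
```

Only a well-formed `No_Action` verdict above the threshold is ever closed without a person seeing it; every parsing or schema failure lands in the analyst queue instead.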

You stay in control of the AI

Run on your existing OpenAI or Anthropic contract, or on your own hardware — your data never leaves your boundary, your CIO keeps the kill switch.

See the Middleware edition
MSP console · tenants: Acme, Nord-IT, Helix, Verdant, Foreland, + 7

Acme Corp · 12 open · 2 awaiting analyst
  • Privilege escalation · DC-02: Actionable · 96% · 14.2s
  • Impossible travel · j.okafor: Grace Period · 73% · 9.8s
  • Port scan · 10.0.4.0/24: No Action · 89% · 6.1s · auto-closed

Nord-IT A/S · 5 open · 0 awaiting analyst
  • OAuth consent grant · m365: Grace Period · 81% · 11.0s
  • EDR quarantine · WS-118: No Action · 93% · 7.4s · auto-closed
  • Spam campaign · 40 users: No Action · 90% · 5.3s · auto-closed

Edition 03 — MSP

CyberRunner / MSP

Sell security to your customers — at margins that work. One analyst covers 50+ customer organisations at the SLA quality of a dedicated team. Per-tenant billing. Your brand on the customer reports.

Best for — MSPs and MSSPs serving 5+ customer organisations. vCISO firms covering a retainer roster. The "we can't staff the SOC profitably" problem.

  • One analyst, every customer — the leverage your competitors don't have
  • Each customer's data ring-fenced from every other customer
  • Per-tenant pricing — you mark up; your customers see your brand

Every customer ring-fenced

One customer's data never touches another. The kind of separation auditors look for and your customers' procurement teams ask about.

Hire once, sell many

The same analyst covers every customer on your roster — you control which customer they see. The maths of the SOC business finally adds up.

Reports the customer sees as yours

Customer-facing dashboards and incident reports carry your logo — not ours. You're the security provider; we're the engine behind you.

See the MSP edition

Proof · Externally graded

Externally validated. Within ~80 points of a senior analyst on the KANO 0–1000 scale.

Don't take our word for it. The KANO Cyber Institute scores CyberRunner against the same rubric they use to grade human analysts — on real production incidents, blind, continuously, with no input from us. The number moves as we ship; if a release regresses it, we fix it before the next one. Today's score puts CyberRunner one analyst-rank below your senior team.

Externally validated by KANO Cyber Institute. Blind grading on live incidents · same rubric as human analysts · continuous re-scoring.

870 / 1000

  • Senior human analyst: 950
  • CyberRunner, frontier model: 870
  • CyberRunner, local Qwen: 650

KANO-validated · re-scored continuously · frontier = Anthropic / OpenAI · Qwen runs locally on a prosumer workstation

Read the methodology


Pricing · Pay for what you triage

Consumption pricing. No per-seat tax.

A team handling 5,000 alerts a month pays around €1,500/month with CyberRunner — versus the €40,000-80,000/month loaded cost of the L1 analysts to triage them by hand. No base fee, no per-seat trap, no minimums. The bill scales down per alert as you scale up. Cancel any time.

| Tier          | Volume range           | € / investigation | Notes                                                |
|---------------|------------------------|-------------------|------------------------------------------------------|
| Free          | 0 – 50 / month         | €0.00             | Card required to prevent abuse. Verified email only. |
| Pay as you go | 51 – 500 / month       | €0.50             | Default tier — no commitment.                        |
| Volume 1      | 501 – 2,000 / month    | €0.35             | Auto-applied on the investigations above 500.        |
| Volume 2      | 2,001 – 10,000 / month | €0.25             | Auto-applied on the investigations above 2,000.      |
| Volume 3      | 10,001 + / month       | €0.15             | Auto-applied on the investigations above 10,000.     |

Optional add-ons — Deep mode for the hardest calls (+€0.25 / investigation — runs a second opinion). KANO benchmarking dashboard (€99 / month — score your own deployment against the same external rubric).


Security · Built for security buyers

Security you can sign off on.

Built by a security firm, for security buyers. Every claim on this page survives a procurement security questionnaire — we'll send you the pack. EU-resident, tenant-isolated, MFA-enforced, fully audit-logged. SOC 2 Type II in progress; ISO 27001 on the roadmap.

Encrypted end to end

AES-256 at rest, TLS 1.3 in transit. Integration secrets double-enveloped with a per-instance Fernet key — a stolen disk image is not enough.

EU residency

Azure West Europe or Hetzner DE by default. Backups and logs stay in the same region. No transfers outside the EEA without your explicit opt-in.

MFA enforced

Every middleware deployment requires TOTP on every user. First login prompts enrolment before any session token is issued. No opt-out.

Per-tenant isolation

One container app per customer. Separate database, separate filesystem, separate compute. A bad day for one customer never reaches another.

Audit-ready logs

Per-instance trail of user actions, LLM calls, tool invocations and verdict reasoning. Replayable. Defensible at CISO and auditor level.

SOC 2 in progress

Type II readiness underway. ISO 27001 and HIPAA support on the public roadmap. We share our security questionnaire pack on request.

Read the full security profile


Deployment · Island mode

Deploy in a vault.

Some environments cannot phone home — classified networks, sovereign clouds, contractually walled tenancies, ministry-of-defence intranets. CyberRunner runs there too. Same triage engine, same agent pipeline, no outbound connectivity required, no vendor in the loop at runtime.

Procurement and accreditation officers: we work case-by-case at this tier. The blocks below describe the standing architecture — the rest is your network, your accreditation level, your model-hosting preferences.

Air-gapped operation

Outbound connectivity is optional, not required. Models served from your hardware — vLLM, llama.cpp, or your own Azure OpenAI tenant behind a Private Endpoint. Threat-intelligence feeds delivered as signed offline bundles. There is no “phone home” channel to disable, because we never built one.

NATO & classified-cleared architecture

Built to drop into networks accredited up to NATO SECRET and (with the right packaging) COSMIC TOP SECRET. No SaaS dependency at runtime. No vendor backdoor. Crypto profiles align with national catalogues (BSI, ANSSI, NSM); key material stays in your HSM. Update bundles are signed and verified inside your perimeter.

Sovereign cloud or on-prem

Customer-managed Azure (incl. regulated tenants), AWS GovCloud, OVH Sovereign, IBM Cloud for Financial Services, or fully on-prem — Kubernetes, OpenShift, VMware, bare metal. Same container we ship to commercial customers; your perimeter, your jurisdiction, your operations team. Backups stay in your storage.

No vendor in the loop at runtime

We do not see your alerts, your verdicts, your data, or your operational tempo. Updates are signed bundles you choose to apply on your schedule. Support is initiated by you, never by an inbound channel from us. The triage engine is yours to operate — independent of EQUA's continuity, independent of our cloud.

Island-mode deployments include a tailored architecture review, network-topology mapping against your accreditation profile, signed-bundle delivery procedure, and an offline runbook for upgrades. A standard commercial trial does not gate this conversation — classified-environment buyers should start with the briefing.

Book an Island-mode briefing


Bonus · Live threat intelligence

See what's hitting Europe right now.

Free for everyone — customer or not. The CyberRunner ThreatFeed pulls from ten of the most-trusted public intelligence sources and shows you what's actually happening: ransomware disclosures, exploited CVEs, live malware infrastructure, phishing, mass scanning. One de-duplicated stream, one screen, the last 24 hours. Put it on a monitor in your SOC; share the link in your board pack.

Why we ship it free — situational awareness shouldn't be paywalled. If you become a customer, the same map runs against your tenant: same surface, your incidents, your sources.


For your engineers · Try the API

Send a real alert. See the real response.

For the developers reading this on behalf of the CISO: pick a scenario, hit Send, see the exact response shape your stack would receive. Same payload your API key would return on a live instance — only the network hop is mocked. IDs, votes, risk factors, remediation plans — all real production output.

Want it from your terminal? Get a free-tier key — 50 investigations / month, no credit card.


See it for yourself

Watch CyberRunner triage real incidents — live.

cyberrunner.eu  ·  live demo  ·  book a walkthrough