Platform Architecture

KYRA AI MDR uses a multi-layered architecture designed for enterprise-grade security operations. Each layer is purpose-built for its function, ensuring high throughput, secure multi-tenant isolation, and intelligent threat analysis.


Architecture Overview

┌──────────────────────────────────────────────────────────────────────┐
│ CUSTOMER NETWORKS                                                    │
│ [Collector Agent] ──secure outbound──► [Ingestion Gateway]           │
└──────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────▼───────────────────────────────────┐
│ LAYER 1: INGESTION & ROUTING                                         │
│ Secure API Gateway → Tenant Router → Event Stream Processing         │
└──────────────────────────────────┬───────────────────────────────────┘
┌──────────────────────────────────▼───────────────────────────────────┐
│ LAYER 2: CORE SIEM ENGINE                                            │
│ Detection rules, correlation engine, real-time search, timeline      │
└──────────────────────────────────┬───────────────────────────────────┘
┌──────────────────────────────────▼───────────────────────────────────┐
│ LAYER 3: AI AGENT PROCESSING                                         │
│ LLM Router → 12 Specialized Security Agents                          │
│ Triage → Investigation → Attribution                                 │
└──────────────────────────────────┬───────────────────────────────────┘
┌──────────────────────────────────▼───────────────────────────────────┐
│ LAYER 4: DATA LAYER                                                  │
│ Tenant-isolated storage + analytics + encrypted raw event archive    │
└──────────────────────────────────┬───────────────────────────────────┘
┌──────────────────────────────────▼───────────────────────────────────┐
│ LAYER 5: MANAGEMENT CONSOLE                                          │
│ Tenant-isolated dashboard + real-time alerts + PDF/CSV reports       │
└──────────────────────────────────────────────────────────────────────┘

Layer 1: Ingestion & Routing

The ingestion layer receives security events from collector agents deployed in customer networks and cloud environments.

Capabilities:

  • Secure, encrypted event transport from on-premises and cloud collectors
  • Automatic tenant identification and routing
  • Per-tenant rate limiting and quota enforcement
  • Schema validation and event normalization
  • Support for log, EDR, and network traffic data sources

Throughput: Up to 15,000 sustained events per second per tenant (Hunt tier).
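The following is an added illustration, not KYRA code, of the three ingestion steps listed above working together: tenant identification from the collector credential, a per-tenant token-bucket rate limit, and schema validation plus normalization into one common record. The collector registry, quotas, field names and accepted sources are all constructed for the example.

```python
import time

# Constructed collector registry: API key -> (tenant id, events-per-second quota).
# Real quotas would follow the tenant's tier; these values are made up.
COLLECTOR_REGISTRY = {
    "key-acme-001": ("tenant-acme", 5.0),
    "key-globex-007": ("tenant-globex", 2.0),
}

# Minimal event schema: required field -> accepted Python types (assumed).
REQUIRED_FIELDS = {"timestamp": (int, float), "source": str, "event_type": str}
ALLOWED_SOURCES = {"log", "edr", "network"}


class TokenBucket:
    """Per-tenant rate limiter: `rate` events/second with a burst of `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = capacity
        self.updated = clock()

    def allow(self):
        now = self.clock()
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IngestionGateway:
    def __init__(self, registry=COLLECTOR_REGISTRY, clock=time.monotonic):
        self.registry = registry
        # One bucket per tenant, shared by all of that tenant's collectors.
        self.buckets = {}
        for tenant, rate in registry.values():
            self.buckets.setdefault(tenant, TokenBucket(rate, rate, clock))

    def identify_tenant(self, api_key):
        """The tenant comes from the collector credential, never from the event body."""
        entry = self.registry.get(api_key)
        if entry is None:
            raise PermissionError("unknown collector key")
        return entry[0]

    def validate(self, raw):
        for name, types in REQUIRED_FIELDS.items():
            if name not in raw:
                raise ValueError(f"missing field: {name}")
            if not isinstance(raw[name], types):
                raise ValueError(f"wrong type for {name}")
        if raw["source"] not in ALLOWED_SOURCES:
            raise ValueError(f"unsupported source: {raw['source']}")

    def normalize(self, tenant, raw):
        """Map collector-specific field names onto one common record stamped with the tenant."""
        return {
            "tenant_id": tenant,
            "ts": float(raw["timestamp"]),
            "source": raw["source"],
            "event_type": raw["event_type"],
            "src_ip": raw.get("src_ip") or raw.get("client_ip"),
            "user": raw.get("user") or raw.get("username"),
            "raw": raw,
        }

    def ingest(self, api_key, raw):
        """Return (status, record); status is 'accepted', 'throttled' or 'rejected'."""
        tenant = self.identify_tenant(api_key)
        if not self.buckets[tenant].allow():
            return "throttled", None
        try:
            self.validate(raw)
        except ValueError as exc:
            return "rejected", {"tenant_id": tenant, "error": str(exc)}
        return "accepted", self.normalize(tenant, raw)
```

The design point is that the tenant id is attached before any downstream stage sees the event and is never taken from the payload, so a misconfigured or hostile collector cannot write into another tenant's pipeline; the bucket is keyed on the tenant rather than the collector so that adding collectors does not multiply the quota.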


Layer 2: Core SIEM Engine

The built-in SIEM engine provides detection, correlation, and search capabilities without requiring external SIEM integration.

Capabilities:

  • Detection rule library with hundreds of pre-built rules
  • Real-time event correlation across multiple data sources
  • Full-text timeline search with configurable date ranges
  • MITRE ATT&CK technique mapping for all detections
  • Custom detection rule builder (Respond and Hunt tiers)

Tenant Isolation: All queries and detections are scoped to the authenticated tenant. No cross-tenant data access is possible.
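As an added example (not the platform's engine), the correlation rule below shows what "correlation across data sources, mapped to ATT&CK and scoped to the tenant" means concretely: a stateful rule keyed on (tenant, source IP) that raises a brute-force alert when repeated logon failures are followed by a success inside a time window. The event records, thresholds and the `alerts_for_tenant` read path are assumptions for the illustration; the technique id T1110 is ATT&CK's Brute Force.

```python
from collections import defaultdict, deque


def make_event(tenant, ts, event_type, src_ip, user):
    """Constructed normalized event in the shape an ingestion layer might emit."""
    return {"tenant_id": tenant, "ts": ts, "source": "log",
            "event_type": event_type, "src_ip": src_ip, "user": user}


# Constructed sample stream. The same source IP appears for two tenants so the
# test can show that one tenant's failures never count towards another's alert.
SAMPLE_EVENTS = (
    [make_event("tenant-acme", 100 + i, "logon_failure", "203.0.113.9", "alice") for i in range(5)]
    + [make_event("tenant-acme", 105, "logon_success", "203.0.113.9", "alice")]
    + [make_event("tenant-globex", 101, "logon_failure", "203.0.113.9", "bob"),
       make_event("tenant-globex", 102, "logon_failure", "203.0.113.9", "bob"),
       make_event("tenant-globex", 106, "logon_success", "203.0.113.9", "bob"),
       make_event("tenant-acme", 500, "logon_success", "203.0.113.9", "alice")]
)


class BruteForceRule:
    technique = "T1110"  # ATT&CK: Brute Force
    name = "Multiple failed logons followed by success"

    def __init__(self, threshold=3, window=300):
        self.threshold, self.window = threshold, window
        # (tenant_id, src_ip) -> timestamps of recent failures. The tenant is
        # part of every key, so state can never leak across tenants.
        self.failures = defaultdict(deque)

    def process(self, ev):
        key = (ev["tenant_id"], ev["src_ip"])
        recent = self.failures[key]
        while recent and ev["ts"] - recent[0] > self.window:
            recent.popleft()
        if ev["event_type"] == "logon_failure":
            recent.append(ev["ts"])
            return None
        if ev["event_type"] == "logon_success" and len(recent) >= self.threshold:
            alert = {
                "tenant_id": ev["tenant_id"],
                "rule": self.name,
                "technique": self.technique,
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(recent),
                "first_seen": recent[0],
                "last_seen": ev["ts"],
                "severity": "high",
            }
            recent.clear()
            return alert
        return None


def run_detection(events, rules=None):
    """Replay events in time order through every rule and collect the alerts."""
    rules = rules or [BruteForceRule()]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alert = rule.process(ev)
            if alert:
                alerts.append(alert)
    return alerts


def alerts_for_tenant(alerts, tenant_id):
    """Every read path filters on the tenant id; the console only ever sees its own alerts."""
    return [a for a in alerts if a["tenant_id"] == tenant_id]
```

Running `run_detection(SAMPLE_EVENTS)` yields one alert for tenant-acme; tenant-globex, which shares the source IP but only has two failures, gets none, because the rule state is partitioned by tenant rather than by IP alone.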


Layer 3: AI Agent Processing

Twelve specialized AI agents provide automated threat analysis, investigation, and response capabilities.

Agent                     Function
------------------------  -------------------------------------------------------------
Threat Hunter             IOC pattern recognition, MITRE ATT&CK mapping
OSINT Investigator        External intelligence, domain/IP enrichment
Incident Responder        Playbook execution, evidence collection
Vulnerability Researcher  Exposure scanning, patch prioritization
Forensic Analyst          Timeline reconstruction, root cause analysis
Compliance Auditor        Regulatory mapping, evidence trails
Malware Analyst           Static/dynamic analysis, sandbox coordination
Dark Web Monitor          Underground forum tracking, breach alerts
Strategic Intel           Campaign tracking, APT attribution
Network Detective         Lateral movement detection, C2 pattern identification
Identity Investigator     User/entity behavior analytics, privilege escalation detection
Threat Research Lead      Multi-agent investigation orchestration

Cost-Optimized AI Routing: The platform automatically routes analysis tasks to the appropriate AI model tier based on complexity — lightweight models handle high-volume triage while advanced models are reserved for complex investigations and attribution.


Layer 4: Data Layer

The data layer provides secure, tenant-isolated storage with tiered retention policies.

Storage Type   Purpose                                         Retention
-------------  ----------------------------------------------  -------------
Hot Storage    Active alerts, recent events, real-time search  7-30 days
Warm Storage   Historical analysis, compliance reporting       Up to 2 years
Cold Archive   Long-term compliance retention                  Up to 7 years

All data is encrypted at rest with customer-managed encryption keys. Data residency options support regional compliance requirements.


Layer 5: Management Console

The web-based management console provides a unified interface for security operations.

Features:

  • Real-time alert dashboard with severity-based prioritization
  • Incident lifecycle management with task tracking and collaboration
  • Asset inventory with risk scoring and vulnerability tracking
  • Compliance posture dashboard with automated evidence collection
  • Executive and compliance report generation (PDF/CSV)
  • Real-time notifications via WebSocket push alerts

Multi-Tenant Isolation

Every aspect of the platform enforces strict tenant isolation:

  • Data Isolation: Separate data partitions per tenant with row-level enforcement
  • Authentication: JWT-based authentication with tenant-scoped claims
  • Authorization: Role-based access control (Admin, Analyst, Viewer)
  • Network: Encrypted communications with mutual authentication
  • Storage: Per-tenant encryption with customer-managed keys
  • Search: All queries automatically scoped to the authenticated tenant
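An added example, written for this page rather than taken from the product, of how the Authentication, Authorization and Search bullets fit together: an HS256 JWT carries `tenant_id` and `role` claims, the API verifies signature and expiry, and the tenant filter on every alert query is derived from the verified token, so a `tenant_id` supplied in request parameters is discarded rather than honoured. The claim names, role set, permission names and the query shape are assumptions; the token is signed with a constructed secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed role model (the page names Admin, Analyst and Viewer roles).
ROLE_PERMISSIONS = {
    "admin": {"read_alerts", "write_rules", "manage_users"},
    "analyst": {"read_alerts", "write_rules"},
    "viewer": {"read_alerts"},
}


class AuthError(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, tenant_id: str, sub: str, role: str, ttl=900, now=None) -> str:
    """Mint a compact HS256 JWT whose claims bind the caller to one tenant and one role."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "tenant_id": tenant_id, "role": role, "iat": now, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Check algorithm, signature, expiry and required claims; return the claims on success."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    if not claims.get("tenant_id") or claims.get("role") not in ROLE_PERMISSIONS:
        raise AuthError("missing tenant or role claim")
    return claims


def authorize(claims: dict, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS[claims["role"]]


def build_alert_query(claims: dict, filters: dict) -> dict:
    """Tenant scoping comes from the verified token; a tenant_id in `filters` is ignored."""
    if not authorize(claims, "read_alerts"):
        raise PermissionError("role may not read alerts")
    user_filters = {k: v for k, v in filters.items() if k != "tenant_id"}
    return {"tenant_id": claims["tenant_id"], **user_filters}
```

The check worth copying is in `build_alert_query`: the query's tenant predicate is not something the caller can set, which is what turns "queries automatically scoped to the authenticated tenant" from a convention into an enforced property. Pinning `alg` to the one expected algorithm before verifying is the other habit that matters in JWT handling.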

Threat Intelligence Integration

The platform integrates with leading threat intelligence feeds:

Feed              Capability
----------------  ----------------------------------------
VirusTotal        Malware hash and URL analysis
Shodan            Internet-exposed asset discovery
MISP              Community IOC sharing
Recorded Future   APT intelligence and campaign tracking
NVD / ExploitDB   CVE data and exploit information
Abuse.ch          Botnet and ransomware C2 tracking

Event Processing Flow

  1. Collection — Collector agents gather security events from customer networks and cloud environments
  2. Ingestion — Events are validated, normalized, and routed to the appropriate tenant pipeline
  3. Detection — SIEM engine applies detection rules and correlation logic
  4. AI Analysis — Specialized agents analyze alerts for context, enrichment, and prioritization
  5. Response — Automated playbooks execute containment and response actions
  6. Reporting — Results are surfaced in the management console and reports

Data Retention Tiers

Tier     Alert Retention  Raw Log Retention  Analytics
-------  ---------------  -----------------  ---------
Detect   90 days          30 days            1 year
Respond  1 year           6 months           3 years
Hunt     5 years          2 years            7 years