ML Anomaly Detection
Isolation Forest & Random Forest models learn your network baseline and flag deviations that rule-based systems miss.
CyberRemedy delivers the full capability of a Security Operations Centre — ML threat detection, MITRE ATT&CK mapping, SOAR automation and real-time monitoring — on a single machine you own.
Built to give small and medium teams the same power used by large security operations centres — without vendor lock-in or subscription costs.
Every alert is automatically tagged with tactics and techniques from the MITRE ATT&CK framework for rapid triage.
Links related alerts into multi-step chains — Recon → Exploit → C2 → Exfil — so you see the full attack story.
Automated response workflows that block, notify, escalate and run scripts without analyst intervention.
Fake SSH, HTTP, FTP, Telnet, SMB and MySQL services that trigger instant alerts on any unauthorized connection.
Full ticket lifecycle with SLA tracking and automatic case creation tied to correlated alert chains.
Scan packet payloads with built-in or custom YARA rules. Evaluate Sigma rules against live log streams in real time.
Per-entity behavioral baselines detect insider threats and compromised accounts through deviation scoring.
Visual global map showing inbound alert origins by country. Understand your threat geography at a glance.
A single Python process handles the full pipeline — no agents, no microservices, no cloud dependencies.
Collects network packets, syslog (RFC 3164/5424 on port 5514) and Windows Event Logs via the bundled agent on port 5515.
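To show what the syslog ingestion stage actually has to handle, here is an added example (not CyberRemedy's own ingestion code) that parses both framings named above, RFC 3164 (BSD syslog) and RFC 5424, decodes the PRI header into facility and severity, and counts malformed lines instead of dropping them silently. The sample lines are constructed for illustration; the structured-data handling is deliberately simplified (no escaped brackets).

```python
import re

# RFC 5424 section 6.2.1 facility and severity tables (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (day may be space padded)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)


def decode_pri(pri):
    """Split the PRI value into (facility name, severity name, numeric severity)."""
    pri = int(pri)
    if not 0 <= pri <= 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], pri % 8


def parse_syslog(line):
    """Parse one syslog line in either framing; raise ValueError if it fits neither."""
    fmt, m = "rfc5424", RFC5424_RE.match(line)
    if m is None:
        fmt, m = "rfc3164", RFC3164_RE.match(line)
    if m is None:
        raise ValueError("unrecognized syslog framing")
    facility, severity, sev_num = decode_pri(m.group("pri"))
    d = m.groupdict()
    nil = (None, "-")  # RFC 5424 uses "-" for absent fields
    return {
        "format": fmt,
        "facility": facility,
        "severity": severity,
        "severity_num": sev_num,
        "timestamp": d["ts"],
        "host": d["host"],
        "app": d["app"],
        "procid": None if d.get("procid") in nil else d["procid"],
        "msgid": None if d.get("msgid") in nil else d["msgid"],
        "msg": d.get("msg") or "",
    }


def parse_stream(lines):
    """Parse a batch of lines; return (events, rejected) so bad input is visible in metrics."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_syslog(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


# Constructed sample input (not captured from a real host).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct  5 01:02:03 bastion sshd[1234]: Accepted password for ops from 10.0.0.5",
    '<165>1 2003-10-11T22:14:15.003Z host.example.com evntslog - ID47 [exampleSDID@32473 iut="3"] An application event',
    "this is not syslog at all",
]

if __name__ == "__main__":
    events, rejected = parse_stream(SAMPLE_LINES)
    for e in events:
        print(e["format"], e["facility"], e["severity"], e["host"], e["app"], e["msg"])
    print("rejected:", len(rejected))
```

A receiver on UDP/TCP 5514 would feed each datagram or newline-delimited record into `parse_stream`; keeping the rejected count is what lets you notice a misconfigured forwarder rather than a quiet gap in the timeline.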
Signatures catch known patterns. ML models flag unknowns. The correlation engine chains related events into attack narratives with MITRE tags.
SOAR playbooks fire when a threat confirms — blocking IPs via iptables, ufw, nftables or Windows Firewall and alerting your team.
Forensic timelines, case management and daily PDF reports give analysts everything needed to close the loop.
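The correlation step described above, chaining related alerts into a Recon → Exploit → C2 → Exfil narrative with MITRE ATT&CK tags, is illustrated by this added example. It is not CyberRemedy's correlation engine; the alert types, the one-hour window and the severity labels are assumptions of the example, while the ATT&CK technique IDs are real ones from the framework. Alerts are grouped by source IP, split into sessions when the gap between alerts exceeds the window, and only sessions that span at least two kill-chain stages are reported.

```python
from collections import defaultdict

STAGE_ORDER = ["Recon", "Exploit", "C2", "Exfil"]

# Alert type -> (kill-chain stage, ATT&CK tactic, ATT&CK technique ID).
# The alert type names are this example's own; the technique IDs are real.
TECHNIQUES = {
    "port_scan":     ("Recon",   "Discovery",           "T1046"),  # Network Service Discovery
    "brute_force":   ("Exploit", "Credential Access",   "T1110"),  # Brute Force
    "sql_injection": ("Exploit", "Initial Access",      "T1190"),  # Exploit Public-Facing Application
    "c2_beacon":     ("C2",      "Command and Control", "T1071"),  # Application Layer Protocol
    "dns_tunneling": ("Exfil",   "Exfiltration",        "T1048"),  # Exfiltration Over Alternative Protocol
}


def tag_alert(alert):
    """Attach stage, tactic and technique to a raw alert dict."""
    stage, tactic, technique = TECHNIQUES[alert["type"]]
    return {**alert, "stage": stage, "tactic": tactic, "technique": technique}


def _finish_session(src_ip, items):
    """Turn one per-source session into a chain record, or nothing if it has a single stage."""
    stages = []
    for a in items:
        if a["stage"] not in stages:
            stages.append(a["stage"])
    if len(stages) < 2:
        return []  # a lone scan or a lone beacon is an alert, not a chain
    stages.sort(key=STAGE_ORDER.index)
    return [{
        "src_ip": src_ip,
        "stages": stages,
        "techniques": sorted({a["technique"] for a in items}),
        "tactics": sorted({a["tactic"] for a in items}),
        "start": items[0]["ts"],
        "end": items[-1]["ts"],
        "alerts": len(items),
        # Example's own severity rule: the full chain is CRITICAL, partial progress is HIGH.
        "severity": "CRITICAL" if len(stages) == len(STAGE_ORDER) else "HIGH",
    }]


def correlate(alerts, window=3600):
    """Group alerts by source, split into sessions by time gap, return multi-stage chains."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["type"] in TECHNIQUES:  # untagged alert types cannot be placed in a chain
            by_src[a["src_ip"]].append(tag_alert(a))
    chains = []
    for src_ip, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        session = []
        for a in items:
            if session and a["ts"] - session[-1]["ts"] > window:
                chains.extend(_finish_session(src_ip, session))
                session = []
            session.append(a)
        chains.extend(_finish_session(src_ip, session))
    chains.sort(key=lambda c: -len(c["stages"]))  # most complete attack story first
    return chains


def render(chain):
    """One-line attack narrative for a ticket title or notification."""
    return "{}: {} [{}] {} alerts, {}".format(
        chain["src_ip"], " → ".join(chain["stages"]), ", ".join(chain["techniques"]),
        chain["alerts"], chain["severity"])


# Constructed sample alerts (timestamps in seconds; not real traffic).
SAMPLE_ALERTS = [
    {"ts": 0,     "src_ip": "10.0.0.5", "type": "port_scan"},
    {"ts": 50,    "src_ip": "10.0.0.5", "type": "unknown_type"},  # no mapping, ignored
    {"ts": 120,   "src_ip": "10.0.0.5", "type": "brute_force"},
    {"ts": 600,   "src_ip": "10.0.0.5", "type": "c2_beacon"},
    {"ts": 660,   "src_ip": "10.0.0.5", "type": "c2_beacon"},
    {"ts": 900,   "src_ip": "10.0.0.5", "type": "dns_tunneling"},
    {"ts": 30,    "src_ip": "10.0.0.9", "type": "port_scan"},      # single stage, no chain
    {"ts": 0,     "src_ip": "10.0.0.7", "type": "port_scan"},
    {"ts": 90000, "src_ip": "10.0.0.7", "type": "c2_beacon"},      # outside the window, separate sessions
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_ALERTS):
        print(render(chain))
```

The window is the knob that trades false chains against missed ones: a short window breaks a slow, patient intrusion into unrelated single-stage sessions, a long one starts stitching unrelated scanners to unrelated beacons. Tuning it per environment, and feeding the resulting chain straight into case creation, is what turns a pile of alerts into something an analyst can act on.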
- Packet sniffer · Syslog · Windows Agent
- Hot / warm / cold event storage
- Signatures · ML · YARA · Sigma · UEBA
- SOAR Playbooks · Firewall · Case Mgmt
- Real-time web UI · Email alerts · PDF reports
| Capability | Description | Category |
|---|---|---|
| Signature-Based Detection | Port scans, brute-force, C2 beaconing, DNS tunneling, SQL injection — detected in real time. | Detection |
| ML Anomaly Detection | Isolation Forest + Random Forest models learn your network baseline and flag deviations. | Detection |
| Attack Chain Correlation | Links related alerts into multi-step attack chains: Recon → Exploit → C2 → Exfil. | Detection |
| MITRE ATT&CK Mapping | Automatically tags all alerts with techniques and tactics from the MITRE ATT&CK framework. | Intelligence |
| YARA Scanning | Scans packet payloads with built-in or fully custom YARA rules in real time. | Detection |
| Sigma Rules | Evaluates structured detection rules against live log streams for broad platform coverage. | Detection |
| UEBA | Tracks per-entity behavioral baselines and raises anomaly alerts on statistically significant deviations. | Analytics |
| Honeypots | Six fake services — SSH, HTTP, FTP, Telnet, SMB, MySQL — that trigger instant alerts on any connection. | Deception |
| SOAR Playbooks | Automated response workflows: block, notify, escalate, run custom scripts on alert trigger. | Response |
| Case Management | Full ticket lifecycle with SLA tracking and automatic case creation from correlated alert chains. | Operations |
| Asset Discovery | ARP + ping sweep finds all LAN devices; rogue device alerts fire on first-time detection. | Inventory |
| GeoIP Mapping | Visual global map showing inbound alert origins by country with high-risk heat overlay. | Intelligence |
| Syslog Ingestion | Receives RFC 3164/5424 syslog via UDP/TCP on port 5514. Compatible with rsyslog and syslog-ng. | Ingestion |
| Windows Event Log | Collects Windows Event Logs via the bundled lightweight agent over port 5515. | Ingestion |
| Email Alerting & Reporting | Sends CRITICAL/HIGH alerts and daily PDF reports via SMTP — configurable from the dashboard. | Reporting |
| Firewall Automation | Blocks attacker IPs automatically via iptables, ufw, nftables or Windows Firewall on detection. | Response |
| Packet Analysis | Wireshark-style flow table with ML classification, protocol distribution, and top talker analysis. | Analytics |
| Traffic Heatmap | Hour-of-day vs day-of-week heatmap showing traffic density and malicious event concentration. | Analytics |
No telemetry. No vendor access. No subscription. CyberRemedy is open-source and runs entirely on infrastructure you control.
All logs, alerts and events stay on your machine. Zero data sent to external servers — ever.
Open-source and free forever. No per-seat pricing, no tiered plans, no surprise invoices.
Modify rules, playbooks and models to fit your environment. No black-box vendor restrictions.
Enterprise-grade capability sized for small and medium teams — single-machine deployment in minutes.
Clone, install, run. No wizard, no cloud account, no API key required to get started.
Optional dependencies:

- `sudo apt install arp-scan nmap`: faster asset discovery
- `pip install yara-python==4.5.1`: native YARA scanning
- `pip install netifaces==0.11.0`: accurate interface detection

```bash
# Clone and enter the directory
git clone https://github.com/moon0deva/CyberRemedy.git
cd CyberRemedy

# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Launch the platform
python main.py
# → http://127.0.0.1:8000
```

Background mode:

```bash
nohup python3 main.py > cyberremedy.log 2>&1 &
```
Community-driven and free for any team — from a solo home-lab to a full enterprise SOC. No strings attached.