CICADA IR

Cybersecurity Investigation & Continuous Attack Detection Agent

Most IR teams are stitching together five tools during an incident. CICADA IR replaces that chaos with a single guided workflow — one VM that collects evidence, enriches IOCs, and uses AI to surface what your team would miss.

Your investigation, your data, your VM. Nothing leaves. We never see it.

For security operations teams investigating breaches across Microsoft, CrowdStrike, and Active Directory environments.

Live Demo

See CICADA IR in action

Watch how CICADA IR accelerates incident response — from evidence collection to AI-assisted analysis and report generation — all within a single platform.

How it deploys

A single VM appliance that runs inside your network. No cloud dependency, no agents to install.

1. Import the VM

Download the OVA, QCOW2, or VHDX image and import it into your hypervisor. Boot and open the web UI.

2. Connect your sources

Authenticate to Entra ID, Defender, CrowdStrike, or Active Directory through the setup wizard. Read-only API access.

3. Investigate

Create an investigation, select a scope, and let CICADA collect evidence, enrich IOCs, and surface findings.

Runs on your network

  • Agentless — connects via APIs, no endpoint software
  • Full data sovereignty — all investigation data stays on-premises in your VM, never sent to us
  • No phone-home required — works fully offline with air-gapped activation

System requirements

  • 2 vCPU (4 recommended)
  • 4 GB RAM (8 GB recommended)
  • 32 GB disk (expandable)
  • VMware ESXi/Workstation, Proxmox/KVM, Hyper-V, or VMware Fusion (ARM)
  • Ubuntu 24.04 LTS base (pre-configured)

What CICADA IR does

A single appliance that connects to your existing security stack and turns raw telemetry into actionable intelligence.

AI-assisted analysis

Uses local or cloud LLMs to summarise findings, identify attack patterns, suggest next steps, and draft incident reports.

Guided IR workflows

Step-by-step investigation phases based on NIST and SANS frameworks for consistent incident response.

Multi-source evidence collection

Connects to Entra ID, Defender for Endpoint, Active Directory, and CrowdStrike to unify logs, telemetry, and alerts.

Report generation

Produces executive summaries, technical reports, and IOC lists from investigation data.

Threat intelligence enrichment

Automatically queries VirusTotal, AbuseIPDB, Shodan, URLhaus, ThreatFox, and OTX AlienVault to enrich IOCs.

Ready to accelerate your IR workflow?

Start with the free Community tier or contact us for Professional and Enterprise plans.