Platform Infrastructure

Cybersecurity Operations

Enterprise-grade cybersecurity operations for the Civic platform — threat detection, incident response, vulnerability management, and zero-trust enforcement across all municipal systems.

Log Ingestion: 50K eps
Alert Latency: ≤30s
Availability: 99.99%
NIST CSF: Tier 3+

Purpose-Built for Canadian Municipalities

Ontario Compliant
MFIPPA Ready
AODA Accessible
Bilingual Support
Canadian Hosted
SOC 2 Aligned

How It Works

The identity journey, step by step

From first registration to golden record resolution — how a resident's identity evolves across the platform.

01

Threat Detection & Triage

The SIEM detects suspicious activity and a SOC analyst triages the alert.

How it works

A Sigma rule detects multiple failed login attempts followed by a successful login from an unusual IP. The threat detection engine correlates this with MITRE ATT&CK (Initial Access → Valid Accounts) and generates a P2 High alert. The SOC analyst reviews the alert on the dashboard, confirms it's a true positive, and escalates to incident response.
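As an added illustration (not code from the Civic platform), the following Python shows the correlation logic described above over constructed authentication events: several failed logins followed by a success from an IP outside the user's baseline produces a P2 High alert tagged with the Initial Access / Valid Accounts mapping. The event layout, the failure threshold, the five-minute window and the per-user known-IP baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "user": "jdoe", "ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:05", "user": "jdoe", "ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:09", "user": "jdoe", "ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:14", "user": "jdoe", "ip": "203.0.113.7", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:20", "user": "jdoe", "ip": "203.0.113.7", "outcome": "success"},
    {"ts": "2024-03-01T09:05:00", "user": "asmith", "ip": "192.0.2.10", "outcome": "failure"},
    {"ts": "2024-03-01T09:05:30", "user": "asmith", "ip": "192.0.2.10", "outcome": "success"},
]

# Assumed per-user baseline of previously seen source IPs (in a real SOC this
# would come from UEBA profiles, not a hard-coded dict).
KNOWN_IPS = {"jdoe": {"198.51.100.20"}, "asmith": {"192.0.2.10"}}


def detect_suspicious_logins(events, known_ips, min_failures=3, window=timedelta(minutes=5)):
    """Return P2 High alerts for >= min_failures failed logins followed by a
    successful login from an IP outside the user's baseline, all within `window`."""
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        # Drop failures that have aged out of the correlation window.
        failures[user] = [t for t in failures[user] if ts - t <= window]
        if ev["outcome"] == "failure":
            failures[user].append(ts)
            continue
        unusual_ip = ev["ip"] not in known_ips.get(user, set())
        if len(failures[user]) >= min_failures and unusual_ip:
            alerts.append({
                "severity": "P2 High",
                "user": user,
                "source_ip": ev["ip"],
                "failed_attempts": len(failures[user]),
                "attack_tactic": "Initial Access",
                "attack_technique": "Valid Accounts",
            })
        failures[user].clear()  # a successful login ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Only the jdoe sequence fires; asmith's single failure followed by a success from a known IP stays below the threshold.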

Step 1 of 5

Purpose & Scope

What this module owns

Clear ownership boundaries prevent duplication and ensure every capability has exactly one authoritative home.

Owns: 10
Delegated to: 5

User authentication & access control: security-iam
Immutable event logging: audit-trail
Alert delivery (email/SMS/push): notification-engine
External feed ingestion: integration-bus
AI-based threat classification: ai-ml-engine

These capabilities are handled by dedicated modules and consumed via stable API contracts — keeping boundaries clean and ownership unambiguous.

Core Capabilities

What it does

5 capability groups comprising 8 discrete capabilities — each with API surface, business rules, and data ownership.

Centralized log collection from all platform modules, infrastructure, and endpoints with normalization, enrichment, and tiered retention.

Log Collection

Centralized ingestion from all platform modules, infrastructure, and endpoints.

Normalization & Enrichment

Log normalization, enrichment with threat intelligence context, and correlation across data sources.

Tiered Retention

Hot storage 90 days (searchable), warm 1 year, cold 7 years for compliance.

SIEM Integration

Splunk, Elastic, and Azure Sentinel integration for advanced querying and visualization.

Rule-based detection (Sigma rules), ML anomaly detection, behavioral analytics (UEBA), IoC matching, and kill chain correlation with alert scoring.

Sigma Rules

Rule-based detection using Sigma rule format for cross-platform threat detection.

ML Anomaly Detection

Machine learning models for behavioral analytics (UEBA) and anomaly identification.

IoC Matching

Indicator of Compromise matching against threat intelligence feeds in real-time.

Kill Chain Correlation

Alert correlation across the kill chain with severity scoring and prioritization.

Real-World Scenarios

Who uses this, and how

4 persona-driven scenarios showing how Cybersecurity Operations works in practice — from resident registration to privacy compliance.

SOC Analyst

Ransomware Attack Response

The SIEM detects indicators of a ransomware attack — unusual file encryption activity across multiple endpoints.

Steps

  1. ML anomaly detection flags unusual file system activity on three endpoints — rapid file renaming and encryption
  2. Threat detection engine correlates with known ransomware IoCs from CISA threat feed and classifies as P1 Critical
  3. SOAR playbook auto-triggers: isolates affected endpoints from the network via zero-trust microsegmentation
  4. Compromised user accounts are disabled via security-iam integration
  5. Forensic evidence is preserved — memory dumps, file system snapshots, network logs
  6. Incident commander is notified via notification-engine; incident bridge is established
  7. Eradication: malware samples analyzed, attack vector identified (phishing email), all instances removed
  8. Recovery: endpoints restored from clean backups, user accounts re-enabled with forced password reset

Outcome

Ransomware contained within 12 minutes of detection. Zero data loss due to rapid containment. Root cause (phishing) identified and new detection rule deployed. Post-incident review completed within 48 hours.


Security Manager

Insider Threat Detection

UEBA detects anomalous data access patterns from a staff member who has submitted their resignation.

Steps

  1. Behavioral analytics (UEBA) detects the user downloading significantly more records than their historical baseline
  2. DLP engine flags multiple attempts to copy Confidential-classified data to a USB drive
  3. System correlates the user's HR status (resignation submitted) with the access anomaly
  4. P2 High alert generated with MITRE mapping (Exfiltration → Exfiltration Over Physical Medium)
  5. SOC analyst reviews the alert, confirms legitimate concern, and escalates to HR and Legal
  6. USB ports are disabled for the user's device; data access is restricted to read-only pending investigation
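As an added example (not code from the Civic platform), the Python below sketches the UEBA logic behind steps 1 to 4: a user's daily record-download count is compared against a 30-day baseline, and the anomaly is escalated to a P2 High alert with the Exfiltration mapping only when it correlates with HR status or DLP USB findings. The z-score threshold, the constructed baseline counts, the record layout and the P3 Medium tier for an uncorroborated anomaly are assumptions.

```python
from statistics import mean, pstdev

# Constructed daily record-download counts for one user over the past 30 days.
BASELINE = [40, 52, 38, 45, 61, 47, 50, 43, 39, 55, 48, 42, 46, 51, 44,
            49, 37, 53, 41, 47, 50, 45, 43, 52, 48, 46, 39, 54, 44, 47]


def z_score(value, history):
    """How many population standard deviations `value` sits above the history mean."""
    mu, sigma = mean(history), pstdev(history)
    return (value - mu) / sigma if sigma else float("inf")


def assess_download_anomaly(user, today_count, history, hr_status, dlp_usb_attempts,
                            z_threshold=3.0):
    """Return None when today's downloads are within the baseline, otherwise an
    alert dict. Correlation with a submitted resignation or DLP-flagged USB copy
    attempts raises the anomaly to P2 High with an ATT&CK Exfiltration mapping."""
    z = z_score(today_count, history)
    if z <= z_threshold:
        return None
    corroborated = hr_status == "resignation_submitted" or dlp_usb_attempts > 0
    return {
        "user": user,
        "today_count": today_count,
        "z_score": round(z, 2),
        # P3 Medium for an uncorroborated statistical anomaly is an assumed tier.
        "severity": "P2 High" if corroborated else "P3 Medium",
        "attack_tactic": "Exfiltration" if corroborated else None,
        "attack_technique": ("Exfiltration Over Physical Medium"
                             if dlp_usb_attempts > 0 else None),
        "recommended_action": ("restrict access to read-only, disable USB ports"
                               if corroborated else "monitor and review"),
    }


if __name__ == "__main__":
    print(assess_download_anomaly("jdoe", 480, BASELINE, "resignation_submitted", 2))
    print(assess_download_anomaly("jdoe", 55, BASELINE, "active", 0))
```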

Outcome

Potential data exfiltration prevented. Investigation determines the user was downloading personal files mixed with some work documents. Policy reminders issued and access appropriately scoped for notice period.


Infrastructure Team Lead

Zero-Day Vulnerability Response

CISA issues an emergency directive for a critical zero-day vulnerability affecting a widely-used library in the platform.

Steps

  1. Threat intelligence feed receives the CISA advisory with CVE details and CVSS 10.0 rating
  2. Vulnerability management module immediately scans all assets for the affected library version
  3. Scan identifies 14 servers running the vulnerable version — SLA set to 24 hours (emergency override)
  4. Zero-trust enforcement tightens microsegmentation around affected servers, limiting blast radius
  5. Detection rules are deployed to identify exploitation attempts targeting the vulnerability
  6. Infrastructure team applies emergency patches; rescan confirms 12 of 14 remediated within 8 hours
  7. Two remaining servers require application testing — exception filed with compensating controls documented

Outcome

14 vulnerable assets identified within 1 hour of advisory. 12 patched within 8 hours. Remaining 2 protected by compensating controls while application testing completes. Zero exploitation detected.


CISO

NIST CSF Gap Remediation

Annual NIST CSF assessment reveals the municipality has dropped below Tier 3 in the 'Respond' function.

Steps

  1. Compliance module runs automated NIST CSF assessment and identifies gaps in Respond function subcategories
  2. Gap analysis identifies missing playbooks for two incident categories and incomplete post-incident review documentation
  3. CISO creates remediation plan with prioritized tasks, owners, and deadlines
  4. New response playbooks are developed and tested through tabletop exercises
  5. Post-incident review process is standardized and automated evidence collection is configured
  6. Re-assessment confirms Tier 3 compliance across all five NIST CSF functions

Outcome

NIST CSF compliance restored to Tier 3 across all functions within 60 days. New playbooks reduce mean-time-to-contain by 35%. Automated evidence collection eliminates manual audit preparation effort.


Internal Architecture

How it's built

4 architectural layers comprising 25 components — from API gateway to data quality engine.

4 layers · 25 total components

Cybersecurity Operations

Every module owns a single bounded context, exposes stable APIs, and can be composed into any Civic product — that's the architecture that scales.

Krutik Parikh

Creator of Civic

Data Model

Entity Architecture

5 entities with 5 relationships — the authoritative schema for this bounded context.

Entities


API Surface

Integration Endpoints

12 RESTful endpoints across 7 resource groups — plus 6 domain events for async integration.

GET /api/v1/security/incidents: List incidents with filters (severity, status, date range)

POST /api/v1/security/incidents: Create a new security incident

PATCH /api/v1/security/incidents/{id}: Update incident status/assignment

POST /api/v1/security/incidents/{id}/contain: Execute containment playbook

Ecosystem

Products that depend on this module

2 Civic products consume Cybersecurity Operations — making it one of the most critical platform services in the ecosystem.

Technical Specifications

Performance, Compliance & Configuration

Log Ingestion Throughput
Target: ≥ 50,000 events/second sustained ingestion

Detection Alert Latency
Target: ≤ 30 seconds from event to alert

Incident Response SLA (P1)
Target: ≤ 15 minutes to triage

SIEM Query Response (Hot)
Target: ≤ 5 seconds for 90-day range queries

Vulnerability Scan Coverage
Target: 100% of assets scanned weekly

Availability
Target: 99.99% uptime (SOC systems are critical infrastructure)

NIST CSF Compliance
Target: Tier 3 (Repeatable) minimum across all functions


Ready to Integrate

Build on Cybersecurity Operations

Request an architecture brief, integration guide, or live demo environment for your team.