CTRLSEC PLATFORM — v1.4

One Platform.
Three Products.
One AI Engine.

CtrlSec unifies security training, autonomous SOC + MDM, and compliance advisory on a single agent and a shared AI threat intelligence pipeline — with no external API dependency and no integration overhead.

Alpha · Train · LIVE
Console · Defend · ACTIVE
Strategy · Comply · READY

<1s response · <100ms AI score · 700+ YARA sigs
LIVE EVENT STREAM (5 events)
14:22:01.103 | PROCESS | WIN-CS-01 | powershell.exe -EncodedCommand JABzAD0ATgBlAHcA...
14:22:01.891 | YARA    | WIN-CS-01 | Rule: PowerShell_Obfuscation matched — score +30
14:22:01.903 | IOC     | WIN-CS-01 | cmd string 'invoke-mimikatz' in process args
14:22:02.012 | SCORE   | WIN-CS-01 | threat_score=91 → CRITICAL · 3 factors fired
14:22:02.024 | ACTION  | WIN-CS-01 | ISOLATE_NETWORK dispatched in 12ms — queued
// THE PROBLEM WITH TODAY'S SECURITY STACK — INDUSTRY DATA
8–12 tools · Avg enterprise security stack
SIEM + EDR + MDM + Training + Compliance + Threat Intel — siloed, duplicated alerts, no shared context.

72h MTTR · Mean time to respond (industry avg)
Manual triage, cross-tool pivoting, and ticket queues let threats persist for days before containment.

>10K alerts · Daily false positives per analyst
Alert fatigue is the #1 reason real threats are missed. Noise wins when tools don't share context.

60% gap · Enterprises fail first compliance audit
Compliance tools never see real endpoint state. Gap analysis stays manual, spreadsheet-driven, stale.

// UNIFIED AI ARCHITECTURE — ALL THREE PRODUCTS SHARE ONE ENGINE (LIVE)
[Architecture diagram — CTRLSEC PLATFORM v1.4]
AGENT LAYER: Windows · Linux · macOS — Process · FIM · Network · YARA · Commands
SHARED AI ENGINE: 700+ YARA signatures · IOC database · behavioral ML · multi-factor threat score · z-score anomaly · entity isolation · no external API · <100ms
  score = IOC(35) + YARA(30) + Δbaseline(18) + chain(8) + telem(9)
ALPHA — Security Training: 100+ CTF challenges · machine labs · certs · leaderboard · VDP ⬤ LIVE
CONSOLE — AI SOC · MDM · SIEM · YARA: remote shell · compliance · audit trail ⬤ ACTIVE
STRATEGY — Compliance Advisory: DPDP · ISO 27001 · SOC 2 · NIST CSF · risk score · reports ⬤ READY
Data flows shown: telemetry + events · intel bundle · challenge intel · threat patterns · risk scores · compliance gaps · threats + cmds · endpoint state · live IOC patterns · compliance data
Agent → Platform (telemetry + events)
Platform → Agent (intel bundle + commands)
Alpha ↔ AI Engine (challenge intel)
AI Engine ↔ Console (threats + cmds)
AI Engine ↔ Strategy (risk scores)
// AI THREAT PIPELINE — EVENT TO ACTION IN <1 SECOND
INGEST     · TLS · 30s cycle        · 0ms
NORMALIZE  · enrich · dedupe        · ~5ms
IOC CHECK  · domain · ip · hash · cmd · ~15ms
YARA SCAN  · per-entity rules       · ~40ms
AI SCORE   · multi-factor           · ~87ms
RESPONSE   · auto-dispatch          · <1s
INGEST · Agent heartbeat received — telemetry + events batch deserialized
MULTI-FACTOR THREAT SCORE
// AI Engine — multi-factor scoring (<100ms, no external API)

const factors = {
  ioc_match:        35,  // domain/ip/hash/cmd in IOC database
  yara_match:       30,  // one of 700+ YARA signatures fired
  behavioral_delta: 18,  // z-score vs 30-day entity baseline
  parent_anomaly:    8,  // non-standard parent process chain
  telemetry_spike:   9,  // CPU/mem spike during event window
};

// Auto-response thresholds:
// score ≥ 80  →  CRITICAL  →  ISOLATE_NETWORK (auto, <1s)
// score ≥ 60  →  HIGH      →  RUN_SCAN        (auto)
// score ≥ 40  →  MEDIUM    →  analyst queue
// score  < 40 →  LOW       →  log only
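A worked version of this scoring, added here as an example and not code from the CtrlSec engine: it sums the factor weights listed above, derives the behavioral_delta factor from a z-score of a telemetry metric against an entity baseline, and maps the total onto the auto-response bands. The z-score cut-off (2.5), the baseline sample and the sample event are constructed assumptions; the weights and thresholds are the page's own.

```javascript
// Added example: multi-factor threat score with the page's weights and bands.
// Assumptions: Z_THRESHOLD, BASELINE_CPU and SAMPLE_EVENT are constructed.

const FACTOR_WEIGHTS = {
  ioc_match: 35,         // domain/ip/hash/cmd found in the IOC database
  yara_match: 30,        // one of the distributed YARA signatures fired
  behavioral_delta: 18,  // z-score of an entity metric vs its baseline
  parent_anomaly: 8,     // non-standard parent process chain
  telemetry_spike: 9,    // CPU/mem spike during the event window
};

const Z_THRESHOLD = 2.5; // assumption: |z| at or above this fires behavioral_delta

// z-score of `value` against a baseline sample (mean / population std dev).
// A flat baseline (std = 0) yields 0 so it can never fire the factor.
function zScore(value, baseline) {
  const n = baseline.length;
  const mean = baseline.reduce((a, b) => a + b, 0) / n;
  const variance = baseline.reduce((a, b) => a + (b - mean) ** 2, 0) / n;
  const std = Math.sqrt(variance);
  return std === 0 ? 0 : (value - mean) / std;
}

// Sum the weights of the factors that fired and map the total onto the
// auto-response bands; the factor list is returned so the analyst can see why.
function scoreEvent(fired) {
  const hits = Object.keys(FACTOR_WEIGHTS).filter((f) => fired[f]);
  const score = hits.reduce((s, f) => s + FACTOR_WEIGHTS[f], 0);
  let severity;
  let action;
  if (score >= 80)      { severity = 'CRITICAL'; action = 'ISOLATE_NETWORK'; }
  else if (score >= 60) { severity = 'HIGH';     action = 'RUN_SCAN'; }
  else if (score >= 40) { severity = 'MEDIUM';   action = 'ANALYST_QUEUE'; }
  else                  { severity = 'LOW';      action = 'LOG_ONLY'; }
  return { score, severity, action, factors: hits };
}

// Derive the behavioral factor from the event's CPU reading, then score.
function evaluate(event, baselineCpu) {
  const z = zScore(event.cpu_percent, baselineCpu);
  const fired = {
    ioc_match: event.ioc_match,
    yara_match: event.yara_match,
    behavioral_delta: Math.abs(z) >= Z_THRESHOLD,
    parent_anomaly: event.parent_anomaly,
    telemetry_spike: event.telemetry_spike,
  };
  return { z: Number(z.toFixed(2)), ...scoreEvent(fired) };
}

// Constructed 30-day-style baseline and the encoded-PowerShell event from the
// page's stream: IOC + YARA + parent chain fired, CPU well above baseline.
const BASELINE_CPU = [20, 22, 19, 21, 23, 20, 18, 22, 21, 20];
const SAMPLE_EVENT = {
  name: 'powershell.exe',
  ioc_match: true, yara_match: true, parent_anomaly: true,
  telemetry_spike: false, cpu_percent: 34,
};

console.log(evaluate(SAMPLE_EVENT, BASELINE_CPU)); // score 91 → CRITICAL → ISOLATE_NETWORK
```

Keeping the factor list alongside the numeric score matters for the audit trail: an analyst reviewing an ISOLATE_NETWORK action needs to see which of the five factors produced the band, not just the total.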
ENTITY-SCOPED INTEL BUNDLE · 700+ YARA SIGS
GET /api/agent/intel
X-Agent-ID: agt_8f2a1c3d       // entity resolved from agent_agents

HTTP/1.1 200 OK
{
  "version": "20260321-14",   // increment triggers re-download
  "domains": ["c2.malware.xyz", "exfil.bad-actor.ru"],
  "ips":     ["185.220.101.47"],
  "hashes":  ["d41d8cd98f00b204e9800998ecf8427e"],
  "commands": ["mimikatz", "invoke-mimikatz", "sekurlsa"],
  "yara_rules": {
    "malware_mimikatz_generic.yar":     "<base64>",
    "malware_cobalt_strike_beacon.yar": "<base64>",
    "ransomware_wannacry.yar":          "<base64>",
    // ... 20+ more rules entity-scoped  ...
    "custom_corp_detection.yar":        "<base64>"
  }
}
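An agent-side consumer for this bundle, added as an example and not CtrlSec's agent code: it decides whether the advertised version requires a re-download, builds a lookup index from the IOC lists, decodes the base64 .yar payloads, and checks a normalised event against the index. The bundle below reuses the page's field names and values; the rule body is a placeholder, and the matching semantics (subdomain match for domains, case-insensitive substring match for command strings) are assumptions.

```javascript
// Added example: intel bundle version check + IOC lookup on the agent.
// Assumptions: SAMPLE_BUNDLE is constructed in the page's shape; domain and
// command matching rules are illustrative, not the product's.

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

const SAMPLE_BUNDLE = {
  version: '20260321-14',
  domains: ['c2.malware.xyz', 'exfil.bad-actor.ru'],
  ips: ['185.220.101.47'],
  hashes: ['d41d8cd98f00b204e9800998ecf8427e'],
  commands: ['mimikatz', 'invoke-mimikatz', 'sekurlsa'],
  yara_rules: {
    // placeholder rule body, not a real signature
    'malware_mimikatz_generic.yar': b64('rule mimikatz_generic { condition: false }'),
  },
};

// Only fetch again when the platform advertises a version we do not hold.
function needsUpdate(current, advertised) {
  return current === null || current !== advertised;
}

// Build the lookup index once per bundle version. Hashes and IPs are exact
// matches, so Sets; domains and commands are normalised at query time.
function buildIocIndex(bundle) {
  return {
    version: bundle.version,
    domains: new Set(bundle.domains.map((d) => d.toLowerCase())),
    ips: new Set(bundle.ips),
    hashes: new Set(bundle.hashes.map((h) => h.toLowerCase())),
    commands: bundle.commands.map((c) => c.toLowerCase()),
    rules: Object.fromEntries(
      Object.entries(bundle.yara_rules).map(([name, body]) =>
        [name, Buffer.from(body, 'base64').toString('utf8')])),
  };
}

// A domain matches if it equals an IOC or is a subdomain of one.
function matchDomain(index, domain) {
  const d = domain.toLowerCase();
  for (const ioc of index.domains) {
    if (d === ioc || d.endsWith('.' + ioc)) return ioc;
  }
  return null;
}

// Check one normalised event against the index; returns every IOC hit so the
// scorer can set ioc_match and the audit trail can record which IOC fired.
function checkEvent(index, event) {
  const hits = [];
  if (event.domain) {
    const m = matchDomain(index, event.domain);
    if (m) hits.push({ kind: 'domain', ioc: m });
  }
  if (event.ip && index.ips.has(event.ip)) hits.push({ kind: 'ip', ioc: event.ip });
  if (event.hash) {
    const h = event.hash.toLowerCase();
    if (index.hashes.has(h)) hits.push({ kind: 'hash', ioc: h });
  }
  if (event.args) {
    const a = event.args.toLowerCase();
    for (const c of index.commands) if (a.includes(c)) hits.push({ kind: 'cmd', ioc: c });
  }
  return hits;
}

const index = buildIocIndex(SAMPLE_BUNDLE);
console.log(checkEvent(index, { args: 'powershell -c Invoke-Mimikatz' })); // two cmd hits
```

Substring matching on command strings is deliberately broad, so a string such as `invoke-mimikatz` matches both that entry and the shorter `mimikatz`; the scorer should treat any non-empty hit list as one ioc_match factor rather than summing hits.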
// 8-STEP PRODUCT WORKFLOWS — TECHNICAL LIFECYCLE
01 · Deploy Agent
One-line install → self-registers via POST /api/agent/register with agent_id + hostname + OS
TLS 1.3 · self-signed cert · zero firewall rules needed

02 · Fetch Intel Bundle
GET /api/agent/intel with X-Agent-ID → entity-scoped IOC + 700+ YARA signatures returned
Versioned bundle · diff-only updates · base64 .yar files

03 · Stream Events
POST /api/agent/heartbeat every 30s carrying telemetry metrics + batched event list
CPU · memory · disk · battery · WiFi · process events · FIM · DNS

04 · AI Scores Event
Platform scores each event in <100ms: IOC(35) + YARA(30) + behavioral(18) + chain(8) + telem(9)
No external API · built-in engine · entity-isolated baselines

05 · Threat Detected
Score > threshold → SSE event broadcast to all console clients → analyst queue updated
text/event-stream · threat_new event · <50ms to console

06 · Auto-Response
MDM policy conditions met → action queued → agent polls next heartbeat → executes in <1s
ISOLATE · LOCK · KILL · SCAN · SCREENSHOT · REBOOT

07 · SOC Review
Analyst reviews ranked threat queue → approves / escalates / closes with notes
All analyst actions logged to immutable audit trail

08 · Report & Comply ✓
JSON + PDF report export → compliance scores auto-update → Strategy module receives data
DPDP · ISO 27001 · SOC 2 · NIST sync

CONSOLE · AI SOC + MDM — 8-step automated lifecycle · fully audited · ACTIVE
// WHAT MAKES CTRLSEC DIFFERENT
One agent. Three products.

A single tamper-protected binary covers SOC telemetry, MDM enforcement, YARA scanning, and command execution. Competitors ship one agent per product — we ship one for all three.

HTTPS/TLS 1.3 · 30s heartbeat · event-driven push · self-registers · zero config
AI built in — zero API cost

The threat engine scores every event in <100ms using multi-factor analysis — no cloud LLM, no API latency, no per-token cost at scale. Built-in, entity-isolated, always deterministic.

score = IOC(35) + YARA(30) + behavioral_delta(18) + parent_chain(8) + telem_z(9)
Real-time SSE — no polling

Console clients receive threat events, endpoint updates, and command results in milliseconds via Server-Sent Events. No poll intervals, no missed alerts, no stale dashboards.

text/event-stream · threat_new · endpoint_update · command_update · telemetry_spike
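The text/event-stream framing behind these pushes, added as an example rather than the console's own code: a server-side encoder that emits the named events and a client-side incremental parser that tolerates frames arriving split across socket chunks. The event names are the page's; the payload fields and event id are constructed.

```javascript
// Added example: SSE framing for the console's event bus.
// Assumptions: payload shapes and ids are constructed; only the event names
// come from the page.

const EVENT_TYPES = new Set(['threat_new', 'endpoint_update', 'command_update', 'telemetry_spike']);

// Encode one event. Each line of the JSON gets its own "data:" field so a
// multi-line payload survives, and the blank line terminates the frame.
function encodeSse(name, payload, id) {
  if (!EVENT_TYPES.has(name)) throw new Error('unknown event type: ' + name);
  const lines = [];
  if (id !== undefined) lines.push('id: ' + id);
  lines.push('event: ' + name);
  for (const l of JSON.stringify(payload).split('\n')) lines.push('data: ' + l);
  return lines.join('\n') + '\n\n';
}

// Incremental parser: feed chunks as they arrive; complete frames are
// dispatched to onEvent and the partial tail is kept for the next chunk.
// Comment lines (": keepalive") are skipped, and the last seen id is kept so
// a reconnect can resume with Last-Event-ID.
function createSseParser(onEvent) {
  let buffer = '';
  let lastId = null;
  return {
    feed(chunk) {
      buffer += chunk;
      let idx;
      while ((idx = buffer.indexOf('\n\n')) !== -1) {
        const block = buffer.slice(0, idx);
        buffer = buffer.slice(idx + 2);
        const ev = { event: 'message', data: [], id: lastId };
        for (const line of block.split('\n')) {
          if (line.startsWith(':')) continue;
          const colon = line.indexOf(':');
          const field = colon === -1 ? line : line.slice(0, colon);
          let value = colon === -1 ? '' : line.slice(colon + 1);
          if (value.startsWith(' ')) value = value.slice(1);
          if (field === 'event') ev.event = value;
          else if (field === 'data') ev.data.push(value);
          else if (field === 'id') { ev.id = value; lastId = value; }
        }
        if (ev.data.length) onEvent({ ...ev, data: JSON.parse(ev.data.join('\n')) });
      }
    },
    lastEventId: () => lastId,
  };
}

const parser = createSseParser((e) => console.log(e.event, e.data));
parser.feed(encodeSse('threat_new', { host: 'WIN-CS-01', threat_score: 91 }, 7));
```

Tracking the id per frame is what turns "no missed alerts" into a checkable property: on reconnect the client sends the last id it processed and the server replays anything newer.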
700+ YARA signatures per entity

Create, test, enable, and distribute YARA rules from the console. Each agent receives only its entity's rules. 700+ built-in detection signatures across 24+ rules out of the box.

Intel bundle: GET /api/agent/intel → X-Agent-ID → entity lookup → scoped yara_rules{}
Training ↔ production data loop

Alpha challenges are built from the same IOC patterns and YARA signatures as Console's production threat database. Analysts trained in Alpha arrive in Console already familiar with real threats.

Shared: IOC DB · YARA rules · event schema · auth · audit trail · entity model
Live compliance — not snapshots

Strategy compliance scores are computed from real Console endpoint data — screen lock, threat score, idle time, software inventory. Scores update on every heartbeat. Never stale.

6 checks per device → 0–100 score → COMPLIANT / AT_RISK / NON_COMPLIANT · live feed
// WHY CHOOSE CTRLSEC — INVESTOR PERSPECTIVE
Market Timing
›DPDP enforcement live in India — enterprises scrambling
›SME cybersecurity spend crossing $8B in APAC by 2027
›Alert fatigue + MSSP costs driving demand for autonomous SOC
›No Indian-first unified security + training platform exists
Technical Moat
›Unified agent is 2–3 years of platform work to replicate
›Entity-scoped YARA distribution system unique in the space
›SSE event bus + multi-tenant architecture at the data layer
›Built-in AI: no API cost scaling cliff at enterprise volumes
Revenue Architecture
›Alpha: per-seat SaaS — individuals + enterprise cohorts
›Console: per-endpoint SaaS — recurring MDM/SOC licence
›Strategy: advisory retainer + one-time assessments
›Three products, one platform — natural upsell funnel
Platform Velocity
›v1.0: full agent + console + MDM + YARA + SSE on launch
›v1.4: telemetry charts, compliance, YARA manager, AI anomaly
›7-tab MDM console with batch commands and policy engine live
›Audit trail, entity isolation, tamper protection from day one
// FULL FEATURE MATRIX — ALL THREE PRODUCTS
Alpha — LIVE
CTF Challenges
100+ real-world vulns — Web · PWN · Crypto · Forensics · OSINT · RE
Machine Labs
Full-stack VMs across 4 difficulty tiers with progressive hints
Learning Paths
PNPT · CEH · OSCP-aligned structured curricula
Live Leaderboard
Real-time SSE ranking — solo + team · seasonal events
Proctored Exams
70% pass → digital badge + industry certificate
VDP Program
Responsible disclosure — report, triage, CVE credit
Console — ACTIVE
AI SOC
Autonomous threat queue — score, classify, auto-respond
MDM
Fleet management: policies, YARA, compliance, batch cmds
Remote Shell
Encrypted command execution — no VPN, no SSH keys
Native SIEM
FIM · process · network · auth log search + timeline
YARA Manager
700+ signatures · create · test · distribute per entity
Telemetry Charts
CPU · memory · disk time-series + AI anomaly detection
SSE Real-time
Always-on push — no polling, no missed alerts
Auto-Response
Isolate · lock · kill · reboot — policy-driven <1s
Audit Trail
Immutable log: every action, actor, timestamp, result
Strategy — READY
AI Analysis
6 modules scored 0–100 — no external LLM
DPDP Mapping
India's Digital Personal Data Protection Act
ISO 27001
ISMS control implementation + evidence mapping
SOC 2 Ready
TSC — security, availability, confidentiality
NIST CSF
Identify · protect · detect · respond · recover
Supply Chain
Vendor risk + single point of failure identification
Dark Web Intel
Brand impersonation + credential leak monitoring
Risk Scoring
0–100 per module + cross-module weighted aggregate
Audit Report
PDF + JSON executive summary — weeks not months
// WHY WASTE MONEY ON 7 TOOLS? — COST ANALYSIS
// TRADITIONAL STACK
$194,900
/year · 100 endpoints · 7 vendors
SIEM · EDR · MDM · Security Training · Compliance / GRC · Threat Intel · Integration Ops
// YOU SAVE
$130,583
67% lower TCO with CtrlSec
// CTRLSEC PLATFORM
$64,317
/year · 100 endpoints · 1 platform
✓ Alpha · Console · Strategy · ✓ AI engine included · ✓ Zero integration cost
// ENDPOINT COUNT: 100 endpoints
// TRADITIONAL STACK — ANNUAL COST BREAKDOWN
Category          | Example vendors                  | Pricing basis  | Annual
SIEM              | Splunk / QRadar                  | $60,000 base   | $60,000
EDR               | CrowdStrike / SentinelOne        | $50/ep × 100   | $5,000
MDM               | Microsoft Intune / Jamf          | $14/ep × 100   | $1,400
Security Training | KnowBe4 / Immersive Labs         | $35/ep × 100   | $3,500
Compliance / GRC  | ServiceNow / Archer              | $45,000 base   | $45,000
Threat Intel      | Recorded Future / CrowdStrike TI | $50,000 base   | $50,000
Integration Ops   | Custom glue code / FTEs          | $30,000 base   | $30,000
TOTAL             |                                  |                | $194,900
// WHY FRAGMENTED STACKS FAIL
8–12 separate vendor contracts
No shared context between tools
Alert fatigue from 3+ queues
Manual pivot between dashboards
40% ops time on integration glue
Training disconnected from prod
Compliance never sees live data
YARA locked per-product, siloed
// HOW CTRLSEC FIXES THIS
One agent covers SOC + MDM + YARA + intel + training feed
AI engine shared across all three products — one cost
Single threat queue — no pivot, no manual correlation
Console data feeds Strategy compliance automatically
Alpha challenges built from live Console IOC patterns
YARA rules distributed to all agents from one console
Zero integration overhead — everything speaks the same schema
One contract, one vendor, one audit trail
// CTRLSEC AGENT vs TRADITIONAL AGENTS — ONE BINARY. ALL CAPABILITIES.
Capability            | CtrlSec agent                           | Traditional agents
Protocol              | HTTPS/TLS 1.3 · single endpoint         | Multiple agents, multiple protocols
OS support            | Windows · Linux · macOS — one binary    | Often separate binaries per OS
SOC + MDM in one      | ✓ unified — same heartbeat              | × two separate agents, two queues
YARA scanning         | ✓ 700+ signatures, per-entity           | × add-on module or separate product
Intel bundle delivery | ✓ versioned, entity-scoped, 30s TTL     | × manual push or polling interval
Compliance feed       | ✓ live endpoint state on each heartbeat | × snapshot-only or manual import
AI scoring            | ✓ <100ms, no external API, no cost      | × cloud API, latency, per-event cost
Remote shell          | ✓ encrypted, no VPN, no SSH keys        | × separate privileged access tool
Tamper protection     | ✓ FIM + self-monitor + lockdown         | × varies widely by vendor
SSE real-time push    | ✓ always-on, 0 poll delay               | × polling every 30–60s at best
// AGENT PROTOCOL — ONE BINARY, ALL CAPABILITIES
HEARTBEAT REQUEST + PLATFORM RESPONSE
POST /api/agent/heartbeat
X-Agent-ID: agt_8f2a1c3d

{
  "hostname": "WIN-CTRLSEC-01", "version": "1.4.2",
  "telemetry": {
    "cpu_percent": 34.2,   "memory_percent": 67.8,
    "disk_percent": 45.1,  "process_count":  187,
    "battery_percent": 82, "wifi_ssid": "CORP-5G"
  },
  "events": [{
    "type": "process_start", "pid": 4821,
    "name": "powershell.exe",
    "args": "-EncodedCommand JABzAD0ATgBlAHcA..."
  }]
}

// ← Platform responds with commands + intel version
{
  "ok": true, "interval": 30,
  "commands": [{ "id": "cmd_9a3b", "action": "RUN_SCAN" }],
  "intel": { "version": "20260321-14", "has_update": false }
}
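An in-memory model of this exchange with both sides, added as an example and not the platform's own code, which also covers the per-heartbeat compliance recompute described under "Live compliance — not snapshots". The platform side validates X-Agent-ID against a registry, records endpoint state, drains the agent's command queue, recomputes the device's compliance score and advertises the intel version; the agent side sends one heartbeat, executes what came back and flags whether to refetch the bundle. Assumptions: the agent reports the bundle version it holds in the heartbeat body (the page's request omits this), the six compliance checks beyond the four the page names (screen lock, threat score, idle time, software inventory) are invented, and every threshold and sample value is constructed.

```javascript
// Added example: heartbeat request/response plus live compliance recompute.
// Assumptions: registry, queue, thresholds, disk_encrypted and agent_current
// checks, and the intel_version request field are all constructed.

const INTEL_VERSION = '20260321-14';  // current bundle version on the platform
const AGENT_CURRENT = '1.4.2';        // assumption: version treated as up to date

// Constructed platform state: one registered agent, one queued command, and
// the threat score the AI engine last assigned to that endpoint.
const platform = {
  agents: new Map([['agt_8f2a1c3d', { entity: 'ent_demo', hostname: null, lastSeen: null }]]),
  commandQueue: new Map([['agt_8f2a1c3d', [{ id: 'cmd_9a3b', action: 'RUN_SCAN' }]]]),
  threatScores: new Map([['agt_8f2a1c3d', 91]]),
  compliance: new Map(),
};

// Six per-device checks → 0–100 score (equal weight) → state.
function complianceForDevice(telemetry, agentVersion, threatScore) {
  const checks = {
    screen_lock: telemetry.screen_lock === true,
    threat_score: threatScore < 40,                 // below the LOW band
    idle_time: telemetry.idle_minutes < 15,         // assumed limit
    software_inventory: Array.isArray(telemetry.software) && telemetry.software.length > 0,
    disk_encrypted: telemetry.disk_encrypted === true,   // assumed check
    agent_current: agentVersion === AGENT_CURRENT,       // assumed check
  };
  const passed = Object.values(checks).filter(Boolean).length;
  const score = Math.round((passed / 6) * 100);
  const state = passed === 6 ? 'COMPLIANT' : passed >= 4 ? 'AT_RISK' : 'NON_COMPLIANT';
  return { score, state, checks };
}

// Platform side of POST /api/agent/heartbeat.
function handleHeartbeat(headers, body) {
  const agentId = headers['X-Agent-ID'];
  const agent = platform.agents.get(agentId);
  if (!agent) return { status: 401, body: { ok: false, error: 'unknown agent' } };
  agent.hostname = body.hostname;
  agent.lastSeen = Date.now();
  const commands = platform.commandQueue.get(agentId) || [];
  platform.commandQueue.set(agentId, []);   // dispatched once; agent reports results later
  const threatScore = platform.threatScores.get(agentId) || 0;
  platform.compliance.set(agentId, complianceForDevice(body.telemetry, body.version, threatScore));
  return {
    status: 200,
    body: {
      ok: true, interval: 30, commands,
      intel: { version: INTEL_VERSION, has_update: body.intel_version !== INTEL_VERSION },
    },
  };
}

// Agent side: send pending telemetry + events, execute returned commands,
// and report whether the intel bundle must be refetched before the next cycle.
function agentHeartbeat(agentId, state, execute) {
  const req = {
    hostname: state.hostname, version: state.version, intel_version: state.intelVersion,
    telemetry: state.telemetry, events: state.pendingEvents,
  };
  const res = handleHeartbeat({ 'X-Agent-ID': agentId }, req);
  if (res.status !== 200) return { ok: false, executed: [], refreshIntel: false };
  state.pendingEvents = [];  // batch delivered
  const executed = res.body.commands.map((c) => execute(c));
  return { ok: true, executed, refreshIntel: res.body.intel.has_update, interval: res.body.interval };
}

// Constructed telemetry for the endpoint in the page's heartbeat sample.
const SAMPLE_TELEMETRY = {
  cpu_percent: 34.2, memory_percent: 67.8, screen_lock: true, idle_minutes: 3,
  software: ['chrome', 'office'], disk_encrypted: true,
};
```

With the sample values the device passes five of six checks: the threat score of 91 fails the threat_score check, so the endpoint lands in AT_RISK with a score of 83 on the same heartbeat that carried the event, which is the point the page makes about scores updating without a separate compliance import.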
// AGENT CAPABILITIES — SINGLE BINARY
Protocol: HTTPS · TLS 1.3
Heartbeat: 30s + event-driven
YARA Sigs: 700+ entity-scoped
Intel TTL: Versioned diff-only
Commands: 9 action types
Tamper: FIM + self-monitor
SOC + MDM: Unified in one agent
Remote shell: No VPN, no SSH keys
// WHAT ALL THREE PRODUCTS SHARE — ZERO DUPLICATION (INTEGRATED)
Shared component       | Used by (Alpha / Console / Strategy) | Technical note
Agent binary           | 2 of 3                               | Same heartbeat, same protocol, same intel bundle delivery
IOC database           | 2 of 3                               | Domains, IPs, hashes, cmd strings — per-entity versioned
700+ YARA signatures   | 1 of 3                               | Per-entity rule sets distributed on every intel fetch
AI threat engine       | 2 of 3                               | <100ms multi-factor scoring — IOC + YARA + behavioral + z-score
SSE event bus          | 2 of 3                               | text/event-stream: threat_new · endpoint_update · command_update
MongoDB data pipeline  | all three                            | agent_events · consolehost · agent_telemetry · console_threats
Telemetry stream       | 2 of 3                               | CPU · memory · disk · battery · WiFi · GPS · process count
Compliance scoring     | 2 of 3                               | 6 per-device checks → 0–100 score → feeds Strategy risk module
Audit trail            | all three                            | Immutable: every command, trigger, and analyst interaction
Entity isolation       | all three                            | All queries entity-scoped — zero cross-tenant data leakage
// SECURITY & ARCHITECTURE PRINCIPLES
TLS 1.3 everywhere
›Agent ↔ platform encrypted in transit
›No plaintext credentials on wire
›Certificate pinning on agent binary
Entity isolation
›All queries scoped to entity field
›No cross-tenant joins possible
›YARA rules never cross entity boundary
Immutable audit trail
›Every action: actor + timestamp + result
›Cannot be backdated or deleted
›Available for compliance export
Agent tamper protection
›FIM watches own install directory
›Process monitors for code injection
›Lockdown mode on tamper detected
// SELF-LEARNING THREAT INTELLIGENCE — NO API KEYS

AI Threat Engine.
Zero API Cost.

The CtrlSec Brain is a 50→32→16→20 multi-label MLP trained entirely on your organisation's data. No cloud LLM. No per-token cost. No vendor dependency. Just deterministic, entity-isolated threat intelligence.

50-Dimension Feature Vector

Combines VAPT findings, red team TTPs, dark web credential signals, supply chain risk scores, brand monitoring activity, and live console threat velocity into one unified 50-dimensional representation fed to the MLP on every inference call.

F0–F19: strategy · F20–F23: kill-chain · F24–F39: velocity · F40–F49: trends
Multi-Pattern MLP (50→32→16→20)

20 simultaneous attack pattern predictions in a single forward pass. Focal loss (γ=2) with POS_WEIGHT=8 prevents class collapse at ~5% positive rate per output. AdaGrad per-weight adaptive learning rate. 78%+ Macro F1 out of the box.

Focal loss γ=2 · POS_WEIGHT=8 · threshold=0.50 · AdaGrad
Continuous Self-Improvement

Every analyst action, new VAPT finding, dark web alert, console threat, and red team event is a training signal. emitTrainingEvent fires non-blocking after every record. The model gets smarter with your data — never with your API calls.

emitTrainingEvent · auto-supervised labeling · online gradient update
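The loss and the online update described in the "Multi-Pattern MLP" and "Continuous Self-Improvement" passages, carried through as an added example (not CtrlSec's Brain code): a binary focal loss with γ=2 and POS_WEIGHT=8, its gradient with respect to the logit, an AdaGrad-updated sigmoid output layer trained one record at a time, and a macro F1 scorer. Only the output layer is modelled; the 50→32→16 hidden layers in front of it, the feature extraction and the training records are outside this example, and the learning rate and sample inputs are constructed.

```javascript
// Added example: focal loss, its logit gradient, one-record AdaGrad updates
// on a multi-label sigmoid output layer, and macro F1. Assumptions: lr,
// eps and all sample data are constructed; GAMMA, POS_WEIGHT and THRESHOLD
// are the page's figures.

const GAMMA = 2;
const POS_WEIGHT = 8;
const THRESHOLD = 0.5;
const sigmoid = (z) => 1 / (1 + Math.exp(-z));

// Binary focal loss for one output: q is the probability assigned to the
// true class, so confident correct predictions contribute almost nothing and
// the ~5%-positive outputs are kept alive by POS_WEIGHT.
function focalLoss(p, y) {
  const q = y === 1 ? p : 1 - p;
  const alpha = y === 1 ? POS_WEIGHT : 1;
  return -alpha * Math.pow(1 - q, GAMMA) * Math.log(q);
}

// dLoss/dlogit through the sigmoid; with GAMMA = 0 this collapses to the
// plain cross-entropy gradient alpha * (p - y).
function focalGradLogit(p, y) {
  const q = y === 1 ? p : 1 - p;
  const alpha = y === 1 ? POS_WEIGHT : 1;
  const dLdq = GAMMA * Math.pow(1 - q, GAMMA - 1) * Math.log(q) - Math.pow(1 - q, GAMMA) / q;
  const dqdz = (2 * y - 1) * p * (1 - p);
  return alpha * dLdq * dqdz;
}

// Multi-label sigmoid output layer with per-weight AdaGrad: each weight keeps
// its own accumulated squared gradient, so rarely-active inputs still get
// full-sized steps when they do fire.
function createOutputLayer(nIn, nOut, lr = 0.1, eps = 1e-8) {
  const w = Array.from({ length: nOut }, () => new Float64Array(nIn));
  const b = new Float64Array(nOut);
  const gw = Array.from({ length: nOut }, () => new Float64Array(nIn));
  const gb = new Float64Array(nOut);
  const probs = (x) => Array.from(b, (bk, k) => {
    let z = bk;
    for (let i = 0; i < nIn; i++) z += w[k][i] * x[i];
    return sigmoid(z);
  });
  return {
    probs,
    labels: (x) => probs(x).map((p) => (p >= THRESHOLD ? 1 : 0)),
    // One online update from a single (features, multi-hot labels) record;
    // returns the mean focal loss over the outputs before the update.
    step(x, y) {
      const p = probs(x);
      let loss = 0;
      for (let k = 0; k < nOut; k++) {
        loss += focalLoss(p[k], y[k]);
        const g = focalGradLogit(p[k], y[k]);
        for (let i = 0; i < nIn; i++) {
          const gi = g * x[i];
          gw[k][i] += gi * gi;
          w[k][i] -= (lr * gi) / (Math.sqrt(gw[k][i]) + eps);
        }
        gb[k] += g * g;
        b[k] -= (lr * g) / (Math.sqrt(gb[k]) + eps);
      }
      return loss / nOut;
    },
  };
}

// Macro F1: per-output F1 averaged with equal weight, so a rare attack
// pattern counts as much as a common one.
function macroF1(preds, truth) {
  const nOut = truth[0].length;
  let total = 0;
  for (let k = 0; k < nOut; k++) {
    let tp = 0, fp = 0, fn = 0;
    for (let r = 0; r < truth.length; r++) {
      if (preds[r][k] === 1 && truth[r][k] === 1) tp++;
      else if (preds[r][k] === 1) fp++;
      else if (truth[r][k] === 1) fn++;
    }
    total += tp + fp + fn === 0 ? 0 : (2 * tp) / (2 * tp + fp + fn);
  }
  return total / nOut;
}
```

Why both pieces matter together: with positives at roughly 5% per output, plain cross-entropy lets the layer minimise loss by predicting zero everywhere, and macro F1 (unlike accuracy) exposes that collapse immediately because every rare output scores 0.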
3 Products · one platform
700+ YARA Sigs · entity-scoped
<100ms AI Score · no external API
<1s Response · detection to action
67% Cost Saving · vs traditional stack
// LIVE EVENT STREAM
Type      | Severity | Host        | Event                                        | Action
NETWORK   | CRITICAL | SRV-PROD-01 | C2 beacon — 185.220.101.x:443                | BLOCK
PROCESS   | HIGH     | WIN-PC-042  | cmd.exe spawned from winword.exe             | BLOCK
AUTH      | HIGH     | DC-CORP-01  | 47 failed logins in 60s (brute-force)        | BLOCK
FILE      | MEDIUM   | LAPTOP-07   | Hosts file modified by unknown process       | ALLOW
DLP       | MEDIUM   | HR-PC-03    | 2.4 GB upload to external endpoint           | BLOCK
USB       | LOW      | MAC-DEV-01  | USB mass storage device inserted             | ALLOW
TAMPER    | CRITICAL | WIN-PC-011  | Agent binary modified — tamper alert         | BLOCK
FIM       | HIGH     | SRV-BACKUP  | /etc/sudoers changed — privilege risk        | BLOCK
REGISTRY  | MEDIUM   | WIN-DEV-05  | Run key added: HKCU\Software\Run             | BLOCK
TELEMETRY | LOW      | MAC-HR-02   | Battery critical: 8% — scan triggered        | ALLOW
NETWORK   | HIGH     | KIOSK-01    | DNS query to known malware domain            | BLOCK
PROCESS   | MEDIUM   | LAPTOP-14   | mimikatz.exe hash dump attempt               | BLOCK
CTF       | SOLVE    | user@alpha  | flag{r00t3d_4nd_pr0ud} — PWN-042 solved      | +500 FIRST_BLOOD
CTF       | SOLVE    | user@alpha  | SQL injection — WEB-019 solved               | +250 SOLVE
EXAM      | SOLVE    | user@alpha  | CySec Foundation exam — PASSED 91%           | +1000 CERTIFIED
FOUNDERS
founders@ctrlsec.io
HARYANA, IN
28.411° N, 77.286° E
© 2026 CTRLSEC. ALL RIGHTS RESERVED.