Platform Architecture
KYRA AI MDR uses a multi-layered architecture designed for enterprise-grade security operations. Each layer is purpose-built for its function, ensuring high throughput, secure multi-tenant isolation, and intelligent threat analysis.
Architecture Overview
```mermaid
flowchart TB
CUST["CUSTOMER NETWORKS\nCollector Agent -- secure outbound --> Ingestion Gateway"]
L1["LAYER 1: INGESTION & ROUTING\nSecure API Gateway → Tenant Router → Event Stream Processing"]
L2["LAYER 2: CORE SIEM ENGINE\nDetection rules, correlation engine, real-time search, timeline"]
L3["LAYER 3: AI AGENT PROCESSING\nLLM Router → 3 Core AI Agents\nTriage → Investigation → Attribution"]
L4["LAYER 4: DATA LAYER\nTenant-isolated storage + analytics + encrypted raw event archive"]
L5["LAYER 5: MANAGEMENT CONSOLE\nTenant-isolated dashboard + real-time alerts + PDF/CSV reports"]
CUST --> L1 --> L2 --> L3 --> L4 --> L5
```
Layer 1: Ingestion & Routing
The ingestion layer receives security events from collector agents deployed in customer networks and cloud environments.
Capabilities:
- Secure, encrypted event transport from on-premises and cloud collectors
- Automatic tenant identification and routing
- Per-tenant rate limiting and quota enforcement
- Schema validation and event normalization
- Support for log, EDR, and network traffic data sources
Throughput per tier: FREE: 50 EPS | MDR: 500 EPS | PRO: 2,000 EPS | CUSTOM: unlimited.
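An added example (not KYRA's own code) of the per-tenant rate limiting and quota enforcement described above, using the tier EPS figures from this page: one token bucket per tenant, keyed by the tenant identity the gateway authenticated, never by a field inside the event. The burst window, tenant names and the `ingest_burst` helper are assumptions.

```python
from typing import Dict, Optional

# Sustained events-per-second allowance per tier, from this page; None = unlimited.
TIER_EPS: Dict[str, Optional[int]] = {"FREE": 50, "MDR": 500, "PRO": 2000, "CUSTOM": None}


class TokenBucket:
    """Refills at `rate` tokens per second up to `capacity`; time is passed in
    explicitly so behaviour is deterministic and testable."""

    def __init__(self, rate: float, capacity: float, now: float) -> None:
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now: float, cost: int = 1) -> bool:
        elapsed = max(0.0, now - self.last)  # ignore a clock that goes backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class TenantRateLimiter:
    """One bucket per tenant. The tenant id must be the identity the gateway
    authenticated for the connection, never a field in the event payload, so a
    collector cannot spend another tenant's quota by mislabelling its events."""

    def __init__(self, tenant_tiers: Dict[str, str], now: float, burst_seconds: float = 1.0):
        self.buckets: Dict[str, Optional[TokenBucket]] = {}
        for tenant, tier in tenant_tiers.items():
            eps = TIER_EPS[tier]  # KeyError on an unknown tier is a config bug: fail loudly
            # Burst capacity = a short window of the sustained rate (assumed 1 s here).
            self.buckets[tenant] = None if eps is None else TokenBucket(eps, eps * burst_seconds, now)

    def admit(self, tenant: str, now: float) -> bool:
        """True if the event may enter the tenant pipeline, False if it is throttled."""
        if tenant not in self.buckets:
            return False  # unknown tenant: drop, never guess a quota
        bucket = self.buckets[tenant]
        return True if bucket is None else bucket.allow(now)


def ingest_burst(limiter: TenantRateLimiter, tenant: str, now: float, count: int) -> int:
    """Offer `count` events at the same instant; return how many were admitted."""
    return sum(1 for _ in range(count) if limiter.admit(tenant, now))
```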
Layer 2: Core SIEM Engine
The built-in SIEM engine provides detection, correlation, and search capabilities without requiring external SIEM integration.
Capabilities:
- Detection rule library with hundreds of pre-built rules
- Real-time event correlation across multiple data sources
- Full-text timeline search with configurable date ranges
- MITRE ATT&CK technique mapping for all detections
- Custom detection rule builder (PRO and CUSTOM tiers)
Tenant Isolation: All queries and detections are scoped to the authenticated tenant. No cross-tenant data access is possible.
Layer 3: AI Agent Processing
Three core AI agents provide automated threat analysis, investigation, and reporting capabilities. The framework is designed to be extensible — additional specialized agents can be added as the platform matures.
Core Agents
| Agent | Function |
|---|---|
| Alert Triage | AI-powered alert classification that filters out 99% of false positives. Automatically prioritizes alerts by severity and business impact. |
| Incident Investigation | Auto-correlation of related events across log sources. Builds incident timelines and identifies root cause. |
| Content Generation | Generates executive reports, incident summaries, and compliance documentation from security data. |
Extensible Framework
The AI agent architecture is built on LangChain4j and supports adding specialized agents for threat hunting, forensic analysis, compliance auditing, and more. The platform routes analysis tasks to the appropriate AI model tier based on complexity — lightweight models handle high-volume triage while advanced models are reserved for complex investigations.
Current state: 3 core agents are operational. The framework supports additional agents as detection capabilities expand.
Layer 4: Data Layer
The data layer provides secure, tenant-isolated storage with tiered retention policies.
| Storage Type | Purpose | Retention |
|---|---|---|
| Hot Storage | Active alerts, recent events, real-time search | 7-30 days |
| Warm Storage | Historical analysis, compliance reporting | Up to 2 years |
| Cold Archive | Long-term compliance retention | Up to 7 years |
All data is encrypted at rest with customer-managed encryption keys. Data residency options support regional compliance requirements.
Layer 5: Management Console
The web-based management console provides a unified interface for security operations.
Features:
- Real-time alert dashboard with severity-based prioritization
- Incident lifecycle management with task tracking and collaboration
- Asset inventory with risk scoring and vulnerability tracking
- Compliance posture dashboard with automated evidence collection
- Executive and compliance report generation (PDF/CSV)
- Real-time notifications via WebSocket push alerts
Multi-Tenant Isolation
Every aspect of the platform enforces strict tenant isolation:
- Data Isolation: Separate data partitions per tenant with row-level enforcement
- Authentication: JWT-based authentication with tenant-scoped claims
- Authorization: Role-based access control (Admin, Analyst, Viewer)
- Network: Encrypted communications with mutual authentication
- Storage: Per-tenant encryption with customer-managed keys
- Search: All queries automatically scoped to the authenticated tenant
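An added example (not the platform's own code) of the JWT tenant-scoped claims and automatic query scoping listed above: the tenant id is taken only from a signature-verified token, and the search is parameterised with that tenant, refusing any request that names a different one. The HS256 shared key, the claim names (`tenant_id`, `role`, `exp`), the `events` table and the `mint_jwt` test-token helper are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on any failure.
    Claim names (tenant_id, role, exp) are assumed, not taken from the page."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; the token never chooses it
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if not claims.get("tenant_id"):
        raise ValueError("missing tenant claim")
    return claims

def scoped_search(claims: dict, text: str, requested_tenant: Optional[str] = None) -> Tuple[str, tuple]:
    """Parameterised timeline search scoped to the token's tenant. A client-supplied
    tenant is accepted only when it matches the token; a mismatch is an error, not a hint."""
    tenant = claims["tenant_id"]
    if requested_tenant is not None and requested_tenant != tenant:
        raise PermissionError("cross-tenant query rejected")
    sql = "SELECT ts, source, message FROM events WHERE tenant_id = ? AND message LIKE ? ORDER BY ts DESC"
    return sql, (tenant, f"%{text}%")

def mint_jwt(claims: dict, key: bytes) -> str:
    """Constructed helper: issue a test token (the platform's real issuer is not shown here)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```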
Threat Intelligence Integration
The platform integrates with leading threat intelligence feeds:
| Feed | Capability |
|---|---|
| VirusTotal | Malware hash and URL analysis |
| Shodan | Internet-exposed asset discovery |
| MISP | Community IOC sharing |
| Recorded Future | APT intelligence and campaign tracking |
| NVD / ExploitDB | CVE data and exploit information |
| Abuse.ch | Botnet and ransomware C2 tracking |
Event Processing Flow
1. Collection — Collector agents gather security events from customer networks and cloud environments
2. Ingestion — Events are validated, normalized, and routed to the appropriate tenant pipeline
3. Detection — SIEM engine applies detection rules and correlation logic
4. AI Analysis — Specialized agents analyze alerts for context, enrichment, and prioritization
5. Response — Automated playbooks execute containment and response actions
6. Reporting — Results are surfaced in the management console and reports
Data Retention Tiers
| Tier | Log Retention |
|---|---|
| FREE | 7 days |
| MDR | 90 days |
| PRO | 180 days |
| CUSTOM | 365+ days |