Your investigation, your data, your VM. We never see it.

The IR platform that lives inside your boundary.

One VM. Five-stage pipeline. AI that runs on your hardware. CICADA IR replaces the five tools your team is stitching together during an incident — across Microsoft, CrowdStrike, and Active Directory environments.

Screenshot (cicada.local — Investigation Dashboard): CICADA IR Investigation Dashboard — KPI rail showing 5 sources, 26 uploads, 266k events, recent activity feed, and critical key findings with MITRE ATT&CK technique IDs.
The challenge

During an incident, your team is in five tools at once.

Each tool sees a slice. None of them see the kill chain. You're the integration — copying IOCs between consoles, reconciling timelines, drafting the report at 2am. CICADA IR replaces that chaos with one guided workflow.

Without CICADA
  • Five consoles open. Five sets of credentials. Five filters.
  • Hand-copying IOCs between vendors to enrich them.
  • Reconstructing the timeline in a spreadsheet.
  • AI tools that send your evidence to someone else's cloud.
With CICADA
  • One VM. One dashboard. One unified timeline.
  • IOCs auto-enriched against six TI sources.
  • Hierarchical incidents grouped by kill chain, not log volume.
  • Local LLM. Evidence never leaves the boundary.
Trust without compromise

Built to be deployed inside your security boundary.

We're a new vendor. We don't expect blind trust. We earn it the same way good IR works: by being explicit about every artefact we publish.

Sovereign by design

Single VM appliance inside your network. No SaaS dependency. Air-gapped activation supported.

Read-only by default

Connections to data sources are read-only. Optional response actions are explicit and audited.

Auditable everywhere

Chain of custody for every piece of evidence. Per-release SBOM. Public changelog.

Data flow:
  • Sources (read-only): Entra ID, Defender, AD, CrowdStrike, M365
  • Your CICADA VM (inside your network): Investigations · Evidence · Reports
  • Outbound (opt-in only): threat-intel lookups you configure. No investigation data. Ever.
What you get

Four pillars. One platform.

Every screenshot below is the actual product — no mockups.

Screenshot (cicada.local — AI-Assisted Analysis): CICADA IR LLM Assistant — local Ollama provider with qwen3:8b, summarising IOCs by severity.
AI-Assisted Analysis

Local LLM. AI Without Leaving the Boundary.

Ollama, LM Studio, llama.cpp, or any OpenAI-compatible local proxy run end-to-end on the VM. Cloud LLMs are opt-in per-provider with PII/credential blocking and an audited "allow sensitive data" toggle.

Local LLM setup guide
Screenshot (cicada.local — Behavioural Detection): CICADA IR Incidents page showing critical privilege-escalation incidents with kill chains and compromised accounts.
Behavioural Detection

Four-Tier Scoring Engine That Catches What Your Team Would Miss.

Tier 1 signatures, Tier 2 multi-event sequences (YAML library, no code-release to tune), Tier 3 UEBA baselines, Tier 4 analyst flags. Hierarchical incidents group multi-actor kill chains automatically.

Screenshot (cicada.local — Guided IR Workflow): CICADA IR Sources page showing the 5-stage pipeline with all stages green and 5 connected sources.
Guided IR Workflow

Five-Stage Pipeline From Collection to Review.

Collect → Analyze → Correlate → Converge → Review. Configurable collection time window. Read-only API access via the setup wizard for Entra, Defender, AD, CrowdStrike, and M365.

Screenshot (cicada.local — Reports for Every Stakeholder): CICADA IR Reports page showing 15 report types with ready and AI-enhanced variants.
Reports for Every Stakeholder

Executive, Technical, Compliance — Generated From Your Data.

15 report types across Investigation, Compliance & Legal, and Stakeholder categories. PDF, DOCX, HTML, JSON, Markdown. NDB Assessment, Legal Hold, Blast Radius, MITRE ATT&CK Mapping, and Attack Path Visualisation included.

Built for the stack you actually run.

Read-only API connections via the setup wizard. No agents to deploy.

Data sources: Microsoft Defender, Microsoft Entra, Active Directory, CrowdStrike Falcon, Microsoft 365, Microsoft Purview, Sophos Taegis, Varonis, BigID

Threat-intelligence enrichment (opt-in): VirusTotal, AbuseIPDB, Shodan, URLhaus, ThreatFox, OTX AlienVault

LLM providers: Ollama (local), LM Studio (local), llama.cpp (local), Anthropic Claude, OpenAI, Google Gemini

Frequently asked questions

Where does my investigation data go?
Nowhere. All investigation data, evidence, and reports stay on the VM inside your network. CICADA IR does not phone home — licence activation is local and offline activation is supported for air-gapped environments. See the Trust Center.
How is CICADA IR priced?
The Community Edition is free forever and includes core investigation capabilities. Professional and Enterprise plans are per-seat subscriptions — contact sales@cicada-ir.ai for a quote aligned to your team size.
How long does deployment take?
Under 30 minutes from download to first investigation. Import the VM into your hypervisor, boot it, activate your licence in the setup wizard, connect your data sources, and start investigating. See the Getting Started guide.
What support do you offer?
Community users get documentation and community support. Professional includes email support during business hours (AEST). Enterprise includes priority support with defined SLAs.
Can I upgrade from Community to Professional later?
Yes. Upgrading is a licence key swap — your existing investigations, data, and configuration stay intact. No migration, no re-import.

Deploy in under 30 minutes.

One VM, three formats (OVA · QCOW2 · VHDX), agentless connection. Free Community Edition — full step-by-step in the Getting Started guide.