Welcome to CICADA IR

CICADA IR is an AI-powered incident response platform built for security operations teams. It provides guided investigation workflows, automated evidence collection from enterprise data sources, threat intelligence enrichment, and AI-assisted analysis to help your team respond to security incidents faster and more thoroughly.

What CICADA IR does

  • Guided IR workflows — Step-by-step investigation phases based on NIST and SANS frameworks, ensuring consistent and thorough incident response regardless of analyst experience level.
  • Multi-source evidence collection — Connects to Microsoft Entra ID, Microsoft Defender for Endpoint, Active Directory, and CrowdStrike Falcon to pull user activity, sign-in logs, endpoint telemetry, and detection alerts into a unified timeline.
  • Threat intelligence enrichment — Automatically queries VirusTotal, AbuseIPDB, Shodan, URLhaus, ThreatFox, and OTX AlienVault to enrich indicators of compromise found during investigations.
  • AI-assisted analysis — Uses local (Ollama) or cloud (Anthropic Claude) LLMs to summarise findings, identify attack patterns, suggest next investigation steps, and draft incident reports.
  • Report generation — Produces executive summaries, technical reports, and IOC lists from investigation data.

Deployment model

CICADA IR ships as a hardened virtual machine image. You download the VM, import it into your hypervisor (VMware, VirtualBox, Hyper-V, or Proxmox), boot it up, activate your license, and connect your data sources. The entire platform runs on a single appliance with no external dependencies beyond your configured integrations.

The VM includes:

  • Ubuntu 24.04 LTS with security hardening
  • Pre-compiled application code
  • Self-signed TLS certificate (replaceable with your own)
  • systemd services for automatic startup

Quick navigation

I want to...                         Go to
Deploy the VM on my hypervisor       Setup Guide
Deploy on VMware Fusion (macOS)      VMware Fusion
Deploy on Proxmox VE                 Proxmox VE Guide
Get up and running quickly           Getting Started
Set up Ollama and AI analysis        Ollama & AI Setup
See what network access is needed    Network Requirements
Troubleshoot an issue                Troubleshooting

System requirements

Resource   Minimum                                      Recommended
vCPUs      2                                            4
RAM        4 GB                                         8 GB
Disk       20 GB                                        40 GB
Network    HTTPS outbound to configured integrations    Dedicated management VLAN

Support

If you encounter issues not covered in this documentation, contact your CICADA IR support representative or email support@cicada-ir.ai.