How it works · the extended story

One attack, end to end — watch the chain become one incident.

Behind the headline is a real pipeline. Every signal from every surface flows into one correlation engine, gets linked into a single attack chain, and is acted on within the limits you set — then explained in plain English. The animation below runs one real attack the whole way through: threat fires, surface hit, AI classifies and correlates, response executes, you’re told exactly what happened.

The animation

Every surface in. One contained incident out.

One real attack, animated end to end. Every signal flows into one correlation engine; Centeye runs quietly, auto-contains the clear-cut threats, and only ever asks a human to approve what matters — in plain English.

01 Threat actors
  • BEC / wire fraud
  • Ransomware (Akira / Qilin)
  • AI phishing
  • Infostealer markets
  • Magecart
  • RMM abuse
02 Attack surfaces
  • Endpoint EDR / MDR
  • Email & BEC
  • Identity / ITDR
  • WAF / DDoS
  • DNS / C2
  • Checkout / SIEM
03 Centeye AI
  • Ingest + Normalise: all seven surfaces → one stream
  • Classify + Score: AI classifier · Sigma rules · exposure lookup · entropy · confidence
  • Correlate + Decide: cross-surface SIEM correlation · campaign pattern · policy engine · Argus narrative · IR runbook

04 AI response · you set the dial
  • Quarantine
  • Account lockdown
  • Isolate host
  • Process kill
  • WAF escalate
  • Verify backup
05 MSP multi-tenant
  • Beta Corp
  • Gamma LLC
  • Northwind
  • Acme Retail
  • Drops into your MSP tooling
  • Per-client risk
  • Plain-English client report
  • Insurance-readiness QBR
06 Owner outcomes

  • Plain-English daily digest
  • Insurance-readiness PDF
  • One-click approval
  • “Argus: was that safe?”

The intelligence behind it

The reasoning is the product.

Anyone can collect alerts. The hard part — the part a stack of point tools structurally can’t do — is connecting them, reasoning about them, and reading the whole attack chain as one story.

CORRELATION

Every signal lands in one engine

Email, identity, endpoints, web, DNS and the AI tools your team adopts all feed a single correlation engine. Signals are keyed to the same entities — a user, a host, an IP — so they can be connected instead of scattered across a dozen consoles nobody is watching at once.

AI REASONING

Kavach acts, Argus explains

Kavach investigates and contains in seconds. Argus turns the incident into plain English — what happened, what was done, what to do next — with no CVSS scores or jargon. The reasoning is the product: it’s what lets a business with no analyst still act with confidence.

CHAINING

It sees the whole attack chain

A leaked credential, an impossible-travel login, a C2 beacon and a mass-encryption attempt aren’t four alerts — they’re one attack moving across surfaces. Centeye links them into a single incident and reads the whole chain, not one isolated step.
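The chaining idea above, as an added sketch that is not Centeye's code: signals that share a user, host or IP are merged with union-find, so links carry transitively across surfaces. The field names, signal kinds and sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample signals; field names are assumptions for this sketch.
SIGNALS = [
    {"id": "s1", "surface": "exposure", "kind": "leaked_credential", "user": "j.doe"},
    {"id": "s2", "surface": "identity", "kind": "impossible_travel", "user": "j.doe", "ip": "203.0.113.7"},
    {"id": "s3", "surface": "dns", "kind": "c2_beacon", "host": "WS-014", "ip": "203.0.113.7"},
    {"id": "s4", "surface": "endpoint", "kind": "mass_encryption", "host": "WS-014"},
    {"id": "s5", "surface": "email", "kind": "phish_quarantined", "user": "a.lee"},
]
ENTITY_FIELDS = ("user", "host", "ip")


def correlate(signals):
    """Group signals that share any entity, directly or transitively."""
    parent = {s["id"]: s["id"] for s in signals}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> id of the first signal carrying it
    for s in signals:
        for f in ENTITY_FIELDS:
            if f in s:
                key = (f, s[f])
                if key in first_seen:
                    parent[find(s["id"])] = find(first_seen[key])
                else:
                    first_seen[key] = s["id"]

    groups = defaultdict(list)
    for s in signals:
        groups[find(s["id"])].append(s)
    incidents = [{
        "signals": [m["id"] for m in members],
        "surfaces": sorted({m["surface"] for m in members}),
        "entities": sorted({(f, m[f]) for m in members for f in ENTITY_FIELDS if f in m}),
    } for members in groups.values()]
    return sorted(incidents, key=lambda inc: -len(inc["signals"]))


if __name__ == "__main__":
    for incident in correlate(SIGNALS):
        print(incident)
```

Entity sharing alone over-merges in practice: a usable correlator also bounds links by a time window and discounts entities many users share, such as a NAT egress IP.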

The team that runs it

Two virtual security employees, on shift around the clock.

Instead of a dozen consoles and the analyst you can’t afford, you get Kavach, your SOC engineer, and Argus, your plain-English security advisor. They operate the platform 24×7 and remediate automatically with a human in the loop — so no human has to be on shift to keep the lights green.

Kavach

Virtual SOC analyst

Triages, correlates and remediates across all seven surfaces, 24×7 — automatically, with a human in the loop and you in control. You set the dial from Watch through Auto-contain per action and per client. Every step is reversible and written to a tamper-evident audit log.

  • Works 24×7 and triages without an analyst on shift
  • Correlates signals across surfaces into one entity-keyed kill-chain
  • Remediates threats in seconds — isolate, kill, quarantine, revoke — at the autonomy you set

Argus

Virtual CSO · plain-English advisor

Translates posture and incidents into owner-readable language, drives insurance-readiness reporting, and runs live runbooks during active incidents — in-app or over email, Slack, Teams and SMS.

  • Answers “was that safe?” in plain English, in the channel you use
  • Writes the board-ready cyber-insurance readiness report
  • Drives step-by-step IR runbooks during a live incident

You stay in control

Your virtual security team does the work. You set the dial.

Centeye is never a black box that acts behind your back. For every action — and for every client — you choose how far it goes, from “just alert me” to “auto-contain.” Low-risk containment like quarantine, block-IP or force-MFA can run on its own; high-impact moves like isolating a device or locking an account wait for a one-tap approval.

Every step is reversible and written to a SHA-256 hash-chained, immutable audit log. The human stays in the loop on everything that matters — that’s the reassurance, not an afterthought.
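What a SHA-256 hash-chained action log involves, as an added sketch that is not Centeye's log format: each record commits to the hash of the one before it, and a verifier reports the first record that no longer matches. The record fields, action names and sample entries are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log, actor, action, target, approved_by=None):
    """Append an action record linked to the hash of the previous record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action,
            "target": target, "approved_by": approved_by}
    log.append({**body, "prev": prev_hash, "hash": _digest(prev_hash, body)})
    return log[-1]


def verify(log):
    """Return the index of the first broken record, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if (rec.get("prev") != prev_hash or rec.get("seq") != i
                or rec.get("hash") != _digest(prev_hash, body)):
            return i
        prev_hash = rec["hash"]
    return None


def demo():
    # Constructed sample actions.
    log = []
    append(log, "kavach", "quarantine_email", "msg-001")
    append(log, "kavach", "isolate_host", "WS-014", approved_by="owner")
    append(log, "owner", "undo:isolate_host", "WS-014")  # a reversal is a new record, not an edit
    intact = verify(log)
    log[1]["approved_by"] = None  # after-the-fact edit of an approval field
    return intact, verify(log)


if __name__ == "__main__":
    print(demo())
```

A chain like this only shows tampering to someone who holds a trusted copy of the latest hash: a party with write access to the whole log can recompute every hash or truncate the tail, so the head hash needs to be anchored outside the log (signed, exported or written to append-only storage).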

Why a stack of tools can’t match it

The advantage falls out of the architecture.

These aren’t features bolted on — they’re consequences of building one platform across every surface instead of stitching a dozen tools together after the fact.

CROSS-SURFACE

The seam attackers move through

Real attacks chain across several surfaces; a single-point tool sees only one. One engine across all of them closes the blind spots between consoles (Verizon DBIR 2025).

PLAIN ENGLISH

No CVSS scores, ever

Every incident is narrated as “what happened / what we did / what you do next,” so the owner who isn’t a security expert (61% of businesses) can actually act on it (ConnectWise 2025).

AUDITED · REVERSIBLE

Autonomy you can trust

Low-risk containment runs on your dial; high-impact actions wait in an approval queue. Every action is reversible and hash-chained into an immutable log — control you can prove.

See the console

The same intelligence, the way you actually see it

One place for every client, every surface, and every AI action — audited, reversible, and human-in-the-loop. No login required; the animation above is the live walkthrough.

  • Centeye console: one cockpit, with every client and surface in a single view.
  • Centeye AI action history: a reversible, audited log of every automated and approved action, hash-chained and human-in-the-loop.

What it adds up to

Protection you can prove — without a SOC to staff.

One platform watching every surface, an AI team running it on your terms, and the whole attack chain read as a single plain-English incident. That’s 24/7 endpoint EDR / MDR with ransomware containment, a watch you couldn’t hire, fleet-wide oversight for an MSP, and the controls carriers weight most — proven continuously, not assembled before each renewal.

  • 43% of all cyberattacks target small business (Verizon DBIR 2025)
  • 61% have no in-house security expertise of any kind (ConnectWise 2025)
  • $3.31M average breach cost for orgs under 500 employees (IBM Cost of a Breach 2025)

Watch it catch a real attack.

Get a guided demo — one plain-English read on every surface, and a live walk-through of how Centeye links the chain and contains an incident end-to-end.