
One platform across every surface — and the intelligence to connect them.

Centeye watches email, endpoint EDR/MDR, identity, dark-web exposure, web, DNS and the AI tools your team adopts — 24/7 endpoint detection & response and ransomware containment included — then correlates them into single incidents. The breadth is the table stakes; the intelligence that links it all is the difference.

The differentiator

The intelligence is the product.

Anyone can list sensors. What sets Centeye apart is what happens after the signal lands: it correlates across surfaces, reasons about it in plain English, and follows the whole attack chain — so you respond to one incident, not a wall of disconnected alerts.

Cross-surface correlation

Every signal is keyed to an entity — a user, a host, an identity — and stitched across surfaces. A leaked credential, a suspicious login and an encryption attempt read as one incident, not three disconnected alerts.

AI reasoning

Kavach investigates and contains; Argus explains every incident in plain English — what happened, what was done, what to do next. No CVSS jargon, built for the owner as much as the analyst.

Attack chaining

Centeye sees the whole chain across surfaces, not one isolated step — so the multi-stage attack a single-surface tool would wave through becomes one contained incident.

The team that runs it

Kavach and Argus.

Kavach

Virtual SOC analyst

Triages, correlates and remediates across all seven surfaces, 24×7 — automatically, with a human in the loop and you in control. You set the dial from Watch through Auto-contain per action and per client. Every step is reversible and written to a tamper-evident audit log.

  • Works 24×7 and triages without an analyst on shift
  • Correlates signals across surfaces into one entity-keyed kill-chain
  • Remediates threats in seconds — isolate, kill, quarantine, revoke — at the autonomy you set

Argus

Virtual CSO · plain-English advisor

Translates posture and incidents into owner-readable language, drives insurance-readiness reporting, and runs live runbooks during active incidents — in-app or over email, Slack, Teams and SMS.

  • Answers “was that safe?” in plain English, in the channel you use
  • Writes the board-ready cyber-insurance readiness report
  • Drives step-by-step IR runbooks during a live incident

Surface by surface

Every surface, one platform.

01

Email & BEC

Mailbox protection · phishing · account takeover

AI-grade mailbox protection across Microsoft 365 and Google Workspace — catching business-email-compromise, AI-generated phishing and account takeover, then quarantining and clawing it back across every inbox.

  • Microsoft 365 + Google Workspace: One install protects both clouds — Centeye ingests mailbox activity in real time, no inbox migration required.
  • AI phishing & BEC detection: A layered AI pipeline reads intent — financial BEC, credential phishing, social engineering — and catches the near-perfect, AI-written messages legacy filters wave through.
  • Authentication & impersonation signals: SPF / DKIM / DMARC checks, sender-domain age, reply-to mismatch, display-name spoofing, lookalike domains and malicious-URL scoring combine into one verdict.
  • Account-takeover detection: Catches the tell-tale moves of a hijacked mailbox — new external forwarding rules, outbound replies to the attacker — and flags the campaign across every recipient at once.
  • Remediation across every inbox: Quarantine, pull a message from all mailboxes, block the sending domain / URL / IP / attachment, disable malicious inbox rules, revoke tokens and force MFA — in seconds.

02

Endpoint EDR / MDR & Ransomware

24/7 endpoint detection & response · ransomware containment · managed response

Endpoint Detection & Response, delivered as Managed Detection & Response: a lightweight cross-platform agent plus agentless ingestion of the tools you already run, 24/7 — purpose-built ransomware detection and containment, broad MITRE ATT&CK coverage, real response actions and an AI-driven managed incident-response layer.

  • 24/7 EDR / MDR coverage: Round-the-clock endpoint detection and response — Kavach watches every endpoint, triages and contains at AI speed, so you get managed detection & response without staffing a 24/7 SOC.
  • Native cross-platform agent: A lightweight Windows / macOS / Linux agent — file-integrity monitoring, process visibility and a secure, mutually-authenticated command channel.
  • Agentless ingestion: Already run Wazuh, Falco, osquery or Elastic? Centeye normalizes those into one unified endpoint picture — no rip-and-replace.
  • Ransomware detection & containment: Canary honey-tokens, encryption-entropy and burst detection, and shadow-copy-deletion monitoring catch ransomware in the act — then isolate the host and kill the encrypting process before the files are gone.
  • Broad MITRE ATT&CK coverage: A deep rule library across the techniques attackers actually use — credential theft, execution, defense evasion, impact — tuned server-side without redeploying the agent.
  • Real containment: Kill a process, isolate an endpoint, quarantine a file, block a hash fleet-wide, remove persistence and roll files back — reversible, on your dial.
  • AI-managed incident response: Plain-English incident narratives plus the Argus live ransomware runbook — isolate, kill, freeze, check backups — guiding the managed response step by step.

03

Identity / ITDR

IdP detection · graduated response · MFA posture

Identity-threat detection and response across Microsoft Entra, Google Workspace and JumpCloud — catching the takeover the moment it starts and acting on your terms to revoke, lock down and reset.

  • Detection across your identity providers: Microsoft Entra, Google Workspace and JumpCloud sign-in, audit and risk telemetry, unified into one identity-threat picture.
  • The attacks that matter: Impossible-travel logins, MFA-fatigue push-bombing, dormant-account reactivation, privilege escalation and stolen-session reuse — scored, not just logged.
  • Risky-app (OAuth) scoring: Every connected app is scored on its granted scopes, age and reputation, so over-privileged and unsanctioned apps surface before they are abused.
  • Daily MFA posture auditing: Enrollment coverage, admin protection and domain enforcement audited every day — and rolled straight into the Insurance Readiness Report.
  • Response on your dial: Revoke sessions, disable a user, force a password reset, remove a risky app grant, reset MFA, tighten conditional access or pull an admin role — every action reversible.

04

Dark Web & Exposure

Leaked credentials · infostealer · exposure score

Continuous dark-web monitoring for every user — leaked passwords, breached accounts and infostealer-harvested sessions — scored into one exposure rating and wired to act before stolen credentials are used.

  • Continuous credential monitoring: Every monitored user and email watched for leaked passwords and breached accounts across the dark web, around the clock.
  • Infostealer exposure: Surfaces stolen session cookies and credentials harvested by infostealer malware and traded in dumps and logs.
  • Per-user exposure score: A single composite exposure rating per user, refreshed daily, that tags the accounts most likely to be the next way in.
  • Act before credentials are used: A confirmed exposure can trigger a forced password reset, MFA step-up or session revoke through the Identity surface — closing the door before the attacker walks through it.

05

WAF / Web

Cloud WAF orchestration · OWASP CRS · CVE insight

Web-application protection that orchestrates the cloud WAFs you already run — classifying OWASP attacks, driving real response actions, and flagging the unpatched CVEs in your web stack.

  • Multi-cloud WAF orchestration: Drives Azure Front Door and GCP Cloud Armor from one place, classifying OWASP attacks — SQLi, XSS, RCE, LFI, SSRF — plus bot and DDoS traffic.
  • Real response actions: Block an IP or country, challenge suspect traffic, rate-limit aggressively, fight bots, tighten paranoia level and push custom path / header / API rules.
  • CVE exposure insight: A review agent matches known CVEs against the dependencies and plugins in your web apps, so the gap an attacker would target is surfaced first.

06

DNS / C2 & Exfil

Cloud-DNS visibility · C2 / DGA / tunnel detect · resolver response

DNS-layer detection of the traffic attackers hide in — command-and-control beacons, domain-generation algorithms, tunneling and data exfiltration — with reversible response across the major resolvers.

  • Cloud-DNS visibility: Reads DNS logs from Route 53, GCP Cloud DNS, Azure DNS and Cloudflare Gateway — no extra appliance to deploy.
  • C2, DGA, tunneling & exfil: Detects beaconing, domain-generation algorithms, DNS tunneling and high-volume exfiltration — the channels malware uses to phone home and steal data (MITRE T1071 / T1568 / T1041 / T1572).
  • AI scoring + kill-chain correlation: Ties signals together — a DNS tunnel and a WAF block from the same IP within an hour read as one critical incident, not two ignored alerts.
  • Response across major resolvers: Block egress, sinkhole to a honeypot or filter newly-registered domains via Cloudflare Gateway, Cisco Umbrella, NextDNS, Quad9 and DNSFilter — reversible and verified.

07

Shield-AI / AI DLP & NHI

Shadow AI · NHI governance · content DLP · fleet AI risk

Governance for the AI tools your team adopts — finding shadow AI, scoring the non-human identities AI apps create, and stopping sensitive data from leaving in an outbound message.

  • Non-human identity inventory: Every connected AI and SaaS app across Google Workspace and Microsoft 365 inventoried as a non-human identity, with its vendor, access scopes and grant date.
  • Scope-first risk scoring: Each app is scored on what it can actually do — read, write, delete, admin — plus first-seen, vendor reputation and the granting user’s MFA state.
  • Shadow-AI discovery: When a grant resolves to a vendor outside the sanctioned catalog, Centeye raises it — surfacing the unsanctioned AI tool before company data flows into it.
  • Re-attestation workflow: A recurring attestation cadence makes owners re-confirm every AI app on a schedule; lapses auto-escalate into a tracked action in your MSP tooling.
  • Content-first data-loss prevention: Outbound email is classified on what is inside it — PII, source code, bulk data — regardless of destination, so a leak to an AI tool is caught on content, not guesswork.
  • Behavioral AI-traffic detection: DNS behavior catches employees hitting AI APIs directly, including direct API-key use that bypasses the browser. Enterprise tier.
  • Microsoft Copilot oversight: SharePoint and OneDrive file access and Microsoft Copilot interactions attributed to the AI app behind them. Enterprise tier.
  • MSP fleet AI-risk panel: One cross-client view of AI exposure — total apps, lapsed attestations, high-scope grants and a per-client AI-risk score — in the MSP canvas.
  • Compliance-aware flagging: AI vendors are tagged for HIPAA / PCI / GDPR handling; a grant that conflicts with a client’s regulatory profile auto-elevates to critical.

Response

Graduated, reversible response — you set the dial.

The AI does the work; you stay in control. Choose how far Centeye goes on its own — from just alerting you, through one-click approval, to auto-containing clear threats — per action and per client. Higher-impact moves carry approval gates, and every action is reversible and written to a tamper-evident audit log.

  0. Watch: Centeye detects and narrates. You stay informed — observe-only.
  1. Recommend: Centeye surfaces the exact suggested action. You or your MSP decide.
  2. 1-click Approve: Centeye prepares the action; a human confirms with one tap and Centeye executes.
  3. Auto-contain: For clear, dangerous, time-critical threats, Centeye acts in seconds — then reports.

The platform layer

The shared layer that makes seven surfaces behave as one product.

AI that stays economical

  • Routes each task to the right model — fast and cheap where it can, top-tier where it must
  • A per-MSP cost guardrail keeps AI spend predictable, so margins stay healthy
  • Plain-English narration on every incident — built for the owner, not just the analyst

Response governance

  • A deep library of response actions across every surface, gated by impact
  • Graduated control: Watch → Recommend → 1-click Approve → Auto-contain, per action and client
  • Every action is reversible and written to a tamper-evident audit log

Cross-surface correlation

  • One entity-keyed incident across every surface, instead of a wall of siloed alerts
  • A built-in security data layer with long-retention search for fast investigation
  • Broad detection content kept tuned server-side — no agent redeploy to adapt

MSP & ecosystem

  • Multi-tenant canvas by default — one pane across every client you manage
  • Cloud-first — Centeye drops into your existing MSP tooling ecosystem, interfacing with the tools you already run
  • Plain-English client reports and an audited, dual-consent operator proxy for takeover

See your whole fleet, contained.

Get a guided demo of Centeye across your client tenants — and a plain-English read on where you stand today.