
Platform Components

Cyberhaven collects events from endpoints, browsers, and cloud services. It applies classification and policy and presents the results in the Console.

Components include:

  • Endpoint Sensors
  • Connectors
  • Browser Extensions
  • Application Plugins
  • Console
  • Backend services

Endpoint Sensors

Endpoint Sensors run on user machines and record detailed file and user actions to build lineage and enforce policies.

Features and benefits

  • Track data origins and paths for user actions and transform them into auditable events, while keeping endpoint impact low.

  • Correlate events in a scalable graph to stitch end‑to‑end file journeys across silos without tagging or modifying documents or comparing hashes.

  • Collect metadata only (no file content). Examples include file size, hash, path, host and application context, URL and domain, and user attributes. This supports accurate lineage, policy decisions, and faster investigations.

Use cases

  • Endpoint DLP with context. Apply policies based on classification and lineage to block, warn, or monitor sensitive actions such as save, save as, copy, print, and export on monitored machines.

  • Insider risk detection. Surface risky behaviors like mass copying, unusual exports, off‑hours transfers, or attempts to move sensitive data to personal accounts, and provide lineage evidence to assess intent and scope.

  • Removable media governance. Monitor and control transfers to USB drives and other external devices. Enforce policy outcomes and retain auditable records for investigations.

Connectors

Connectors provide visibility of data, datastores, and usage within cloud applications. They track user activities and data movements, including movement within cloud applications and between cloud applications and devices.

Features and benefits

  • Visibility. Provide insight into user actions within cloud apps.

  • Data movement tracking. Monitor how data flows in your cloud environment.

  • Content inspection. Enable Data Security Posture Management (DSPM) use cases.

  • Continuous discovery. Use forward scans to find and classify new files.

  • Complete coverage. Use historical scans to cover files created before configuration.

Use cases

  • Cloud lineage for DLP/IRM. Trace data movements from user devices to cloud destinations to enhance Data Loss Prevention (DLP) and Information Rights Management (IRM) strategies in cloud environments.

  • Shadow IT and BYOD. Detect cloud access from unmanaged or personal devices to help manage Shadow IT and secure Bring Your Own Device (BYOD) environments.

  • Cloud data visibility. Provide deep visibility into data interactions across cloud apps such as OneDrive, SharePoint, and Google Drive for better insight into cloud data.

  • DLP tuning. Supply additional context from Connectors to improve DLP policy design and effectiveness.

  • Compliance. Build a catalog of regulated data so you can protect and handle it to meet compliance requirements.

Browser Extensions

Browser extensions provide insight into web-based data movements. They enhance data visibility and control within web browsers.

Features and benefits

  • Web interaction visibility. Observe uploads, downloads, and clipboard operations in the browser.

  • In-browser controls. Warn or block risky uploads at the point of action.

  • Domain and account context. Identify destination domains and cloud app accounts to improve policy precision.

Use cases

  • Control uploads to cloud storage, webmail, and SaaS. Apply policies based on classification, destination, and user context.

  • Prevent copy and paste of sensitive content to high-risk destinations.

  • Distinguish corporate and personal accounts and domains to reduce false positives.

Application Plugins

Application Plugins are installed with the Sensor to trace and block user actions inside supported applications such as Microsoft Office and Outlook. They extend endpoint visibility and apply in‑app controls for high‑value actions. Application Plugins include the Office plugin (Word, Excel, PowerPoint, and Outlook classic on Windows) and the New Outlook plugin for Windows and macOS.

Features and benefits

  • Office plugin. Trace and optionally block common file actions (save, save as/export, printing to a physical printer, embedding). Covers Outlook attachment flows in the classic client.

  • New Outlook plugin. Limited scope focused on Attachment Add and Sent file; does not capture Received File or Saved Email Attachment.

  • Printing controls. Trace and block printing from Word and Excel.

Use cases

  • Prevent sensitive attachments from leaving via Outlook based on classification, recipients, and context.

  • Control exports and save as operations in Office to stop unauthorized copies.

  • Govern embedded content in Office documents to prevent covert movement of sensitive data.

  • Enforce printing controls for regulated documents and retain audit trails.

Cyberhaven Console (User Interface)

The Console serves as the central web-based interface for Cyberhaven administrators. It is where users interact with the platform to define data protection policies, monitor data activity, investigate incidents, and manage various aspects of their Cyberhaven deployment. The Console is organized into the following sections:

  • Dashboards: Provides high-level dashboards and analytics on data usage and risk. This includes two sets of dashboards:
    • Insights 360 Dashboards: Focus on general data usage and risk insights.
    • Security for AI Dashboards: Specialized views for GenAI usage and related risk insights.
  • Risks Overview: The central hub for viewing and investigating events, and understanding the detailed data lineage.
  • Visual Analytics: Offers advanced tools for exploring data, creating dashboards, identifying trends, and creating custom reports.
  • Insider Risk: Provides specific insights and tools for detecting and managing insider threats.
  • Incidents: Provides tools for investigating security incidents, responding to alerts, and leveraging Linea AI capabilities for enhanced analysis and context.
  • Object Management: Where administrators define and manage core security objects such as Datasets, Policies (Protection and Inspection), and Lists.
  • Endpoint Sensors: For managing sensor deployments, updates, and configurations across Windows, macOS, and Linux endpoints.
  • Connectors: For configuring and monitoring integrations with various cloud applications (e.g., Microsoft 365, Google Workspace, OneDrive).
  • Administration: Space to view audit logs and APIs. This includes:
    • Audit Logs: Provides a record of administrative and user activities within the Console.
    • API Specifications: Offers documentation and tools for interacting with Cyberhaven's APIs.
  • Preferences: Configure various system-wide settings and advanced options:
    • Users and API Keys: Manage user accounts, user authentication, and API key access.
    • Roles and Scopes: Define and assign user roles and their associated permissions and scope.
    • Directories and User Mapping: Configure integration with cloud-based user directories and map users with Cyberhaven.
    • Linea AI Configuration: Configure the sources or destinations you want to exclude from Linea AI analysis.
    • Content Matching: Define the sensitive data you want Cyberhaven to inspect. This includes:
      • Content Identifiers: Define patterns for sensitive data.
      • Exact Data Matching (EDM): For highly precise identification of specific structured data.
      • Document Tags: For classifying documents with custom labels.
    • Logo Settings: Customize the logo displayed in user-facing notification messages.
    • Authentication Providers: Set up and manage authentication methods.
    • API Token Management (Legacy): Manage API tokens for securely sending data to Cyberhaven for Exact Data Matching.
    • Automatic Logout: Configure automatic logout settings.
    • External Storage: Configure external storage destinations for content capture.
    • Integrations: Set up outbound integrations to external systems.

Use cases

  • Monitor risk posture and program health on dashboards.

  • Investigate suspicious activity and confirm intent using lineage and incidents.

  • Build and tune policies and datasets to improve enforcement and reduce noise.

  • Export or integrate with downstream tools using APIs and configured integrations.

  • Review changes and access via audit logs.

Backend Services

These services operate in the cloud (SaaS platform) and provide the core intelligence behind the Cyberhaven platform. They are responsible for processing collected telemetry and content received from the endpoint, performing advanced analytics, and enforcing policies.

Features and benefits

  • Data Ingestion & Processing: Receives telemetry and content from sensors and components.
  • Data Lineage: Analyzes and connects disparate events in a scalable graph database to stitch together complete data journeys.
  • Content Inspection Engine: Processes content using Content Identifiers, EDM, and Document Tags to classify sensitive data.
  • Policy Engine: Applies defined policies (Monitor, Warn, Block) based on detected data activity and content matches.
  • Incident Management: Processes and correlates events into incidents for security teams.
  • API Services (v1.0 & v2.0): Exposes programmatic interfaces for querying data (events, incidents, audit logs) and managing platform configurations.

Use cases

  • Send events and incidents to SIEM/SOAR and data lakes for centralized analytics.

  • Automate configuration and policy management through documented APIs.

  • Power dashboards and reports by querying events, incidents, and audit logs programmatically.