The architecture diagram and tables presented in this topic describe the components of the Cybereason On-Prem offering.

Architecture diagram

PIP Architecture


Cybereason Next-Generation Antivirus (NGAV) is a Cybereason component that detects and prevents a broad spectrum of malware on the endpoint. NGAV works together with Cybereason’s EDR component to provide a full security solution. NGAV can replace or run alongside third-party antivirus products. If you have purchased the NGAV package, to enable NGAV in a Cybereason On-Prem (on-premises) environment, you must install an NGAV Local update server.

List of components



Endpoint sensors

A sensor is a Cybereason software component installed on the endpoint. Sensors collect data about the events and operations occurring on each endpoint throughout your organization. Sensors send the collected data to Detection servers for analysis.

Configuration management server

The configuration management server applies predefined system configuration to all Cybereason servers, applies day 2 operations such as backup procedures and monitors each of the servers.

Registration server

The Registration server automatically assigns sensors to specific Detection servers.

Detection servers

All Cybereason deployments include one or more Detection servers. Detection servers analyze data from the sensors using a built-in Cross Machine Correlation (CMC) Engine together with data from threat intelligence sources. Detection servers send detection data to the WebApp server for display in the Cybereason UI.

Private Threat Intel server

The Private Threat Intel server supplements the Global Threat Intel server and is specific to your environment. This server hosts your organization’s custom reputation information such as allowlists and blocklists and communicates that information to the Detection server.

Global Threat Intel server

Cybereason uses a shared Global Threat Intel server to compare data in your in-memory graph to globally recognized threat sources to determine the reputation of a given file, IP address, or domain. The Global Threat Intel server is updated daily, ensuring your data is checked against the most recent threat information in the cybersecurity industry.

WebApp server

The WebApp server hosts the following:

  • Cybereason UI: provides analysts and administrators with a single access point for investigating potential threats, remediating Malops, configuring the system, modifying security options, and managing users.

  • Database

  • Private Threat Intel server

  • Web service layer

Microservices server

The microservices image includes several microservices.

Microservices included in the Microservices server

The Microservices server includes the following microservices and servers:

Microservice/server name


RabbitMQ microservice

Transfers messages between the Detection servers and MDS.

Management microservice

Applies user changes to system policies.

Arbiter microservice

Synchronizes system policy configuration with the sensors.

PostgreSQL server

Serves as the database for the Scribe, Management, and Arbiter microservices.

Behavioral Allowlisting microservice

Controls the Behavioral allowlisting feature, which allows users to specify behaviors that are benign in their environment.


Manages the sensor metadata.

MalOp Decision Service (MDS)

Controls MalOp creation and grouping.

SM-OPS microservice

Includes the containers that manage the sensor environment.


Local threat intel database


Container of the Local threat intel which communicates with the Webapp server for classification info.


Cybereason provides software patches for updating all components.