Cyber Operations

Cyber as a first-class sensor domain. Coming soon.

Empyrean Cyber Operations (CyOps) will extend the platform with OCSF-native cyber enrichment, anomaly detection, offensive assessment tooling, and cross-domain correlation that joins cyber observables to RF, space, narrative, and geospatial signals already flowing through the fusion architecture. Not a SIEM. Not an EDR. The layer that makes cyber a first-class domain in a platform that already fuses the others.

Coming Soon

Cyber Operations is in active development. The architecture, entity model, and cross-domain correlation design are complete. We are building toward phased delivery starting with OCSF ingestion and enrichment, followed by anomaly detection, offensive assessment tooling, and full cross-domain correlation. Our founding team brings 25 years of combined cyber and security data operations expertise across cloud security, application security, offensive security, enterprise security, and physical security.

We are looking for design partners who want to shape this capability from the ground up. If your organization operates at the intersection of cyber, physical, and electromagnetic security, we want to build with you.

The Problem

Adversary operations are multi-domain. An APT intrusion campaign may coincide with influence operations, targeted RF interference, or reconnaissance satellite passes. No pure-cyber tool surfaces these compound indicators because no pure-cyber tool has access to the RF, space, narrative, and geospatial signals that complete the picture. Meanwhile, security teams run separate tools for IT, OT, and physical security with no correlation layer between them. CyOps is being built to close that gap - OCSF-native ingestion from your existing EDR, SIEM, and identity stack, enriched through a staged pipeline, with anomaly detection and policy-driven response that correlates across every domain Empyrean already covers.

Who Has This Problem

Security operations centers looking for cross-domain correlationOT / ICS defenders bridging IT and operational technologyCritical infrastructure operators with converged threat environmentsCISOs and security leadership seeking unified risk visibilityDesign partners who want to shape the capability from the ground up
Cyber-kinetic correlation with network assets mapped to physical infrastructure

Key Workflows

01OCSF-native ingestion from CrowdStrike, Microsoft Defender, Entra ID, and other security telemetry sources - normalized into the DDE entity model alongside RF, space, narrative, and geospatial data
02Staged enrichment pipeline: GeoIP, reverse DNS, CISA KEV, EPSS, NVD/CVE, GHSA, GreyNoise, ATT&CK mapping, passive DNS, and asset resolution - all running locally with sub-millisecond latency
03Statistical anomaly detection via Z-scoring and Isolation Forest across user and device behavioral baselines - no labeled training data required, just a burn-in period
04Cross-domain correlation: cyber observables joined to EMSO emitter detections, SSA satellite passes, NIW narrative campaigns, and physical sensor tracks through the Policy Engine
05Offensive assessment tooling: headless CALDERA for ATT&CK emulation, ZAP for web application scanning, Nmap/NSE for network discovery - all containerized, all results mapped to OCSF
06Canary and deception layer: honey credentials, canary documents, honeypot services, and canary DNS tokens as deterministic, zero-false-positive policy triggers

Capabilities

OCSF-native ingestion with TOML-based schema mapping DSL
Asset-aware entity model: devices, users, networks, vulnerabilities, and indicators as first-class DDE entities
SSVC-driven vulnerability prioritization (EPSS + CISA KEV + asset criticality)
Peer group deviation detection via Mahalanobis distance
Isolation Forest multivariate anomaly detection with SHAP explainability
Cross-domain compound conditions: cyber + RF + space + narrative
Headless offensive tooling (CALDERA, ZAP, Nmap) with ROE enforcement
Adversary-Validated Coverage Index (AVCI) for quantitative defense measurement
OT/ICS support with Purdue Model asset zones (Phase 6)
Investigation graph for persistent, analyst-driven case management

Platform Integration

CyOps is designed as a seventh domain in the existing DDE architecture. Cyber entities render on the COP alongside physical tracks. Cyber anomalies feed the fusion engine and trigger automated decision rules when correlated with RF, narrative, space, or physical signals. The Policy Engine evaluates compound conditions across all domains - an authentication anomaly coinciding with an EMSO emitter detection and a narrative campaign spike becomes a single correlated alert, not three separate tickets in three separate tools.

← All capabilities

Related Resources & Insights

Resource11 min read

What is Intelligence Fusion?

Intelligence fusion explained: JDL/DFIG model, multi-INT disciplines, JADC2, and what fusion means for civilian operators.

Resource11 min read

What is Maritime Intelligence?

Maritime intelligence explained: AIS limits, dark vessels, beneficial ownership, sanctions risk, and multi-INT fusion at sea.

Resource7 min read

What is OPSEC?

OPSEC, UTS, and Digital Force Protection explained: the five-step process, five threat vectors, and signature management.

Resource13 min read

What is ATAK?

ATAK explained: TAK clients, EUDs, data packages, mesh networks, federation, plugins, and the CoT protocol that ties it together.

Resource26 min read

Defense & Intelligence Glossary

Defense & intelligence glossary: acronyms and terms for EMSO, C-UAS, JADC2, sensor fusion, SSA, CTF, entity resolution, and TAK.

Resource13 min read

What is Counter Threat Finance?

Counter Threat Finance (CTF) explained: DoDD 5205.14 doctrine, CTF vs. AML, sanctions, shell companies, TBML, and operational software.

Resource10 min read

What is Entity Resolution?

Entity Resolution explained: deterministic, probabilistic, ML, and graph methods for matching records to real-world identities.

Resource13 min read

What is Narrative Intelligence?

Narrative Intelligence (NARINT) explained: detecting and countering influence operations, DISARM framework, CIB, and OSINT.

Resource13 min read

What is EMSO?

EMSO explained: Electronic Warfare, EMBM, JEMSO, Electronic Order of Battle, CEMA, spectrum management, and operational software.

Resource12 min read

What is a Common Operational Picture?

Common Operational Picture (COP) explained: why most COPs fail, display vs. decision surface, edge deployment, and true fusion.

Resource13 min read

What is Space Situational Awareness?

Space Situational Awareness (SSA) explained: orbital tracking, TLEs, the Space Surveillance Network, and counterspace threats.

Resource12 min read

What is Counter-UAS?

Counter-UAS (C-UAS) explained: sensors, fusion, effectors, legal authorities, and layered drone defense for military and critical sites.

Resource12 min read

What is JADC2?

JADC2 explained: why top-down fails, what sensor-up architecture means, and why edge-deployed fusion survives contact.

Resource11 min read

What is Sensor Fusion?

Sensor fusion explained: state estimation, data association, multi-hypothesis tracking, identity provenance, and edge deployment.

Research43 min read

High-Powered Microwave (HPM): From Hard Kill to Residual Risk

3,400 Monte Carlo runs reveal HPM's service-rate ceiling, residual warhead hazard, and cascade failure against 40-400 drone swarms.

Research48 min read

The Devil Dog and the Dragon: USMC IADS vs. PLARF Cruise Missile Saturation

USMC MRIC vs 60 CJ-10 cruise missiles: 92.7% kill rate, then magazine exhaustion at T+28:37. The Marines need more rounds.

Research34 min read

Quantifying Layered Naval Defense Against Hypersonic Glide Vehicles

DF-17 HGV vs Arleigh Burke: 50 Monte Carlo seeds, SM-6 at 23% kill rate, PAC-3 at zero. The timeline is the constraint.

Insight47 min read

Maritime Domain Awareness: The Complete Field Guide

Maritime domain awareness field guide: spectrum, seabed, ownership, and cyber threats that single-domain tools miss.

Insight25 min read

TAK Server on AWS: From Zero to Operational in Under Ten Minutes

Deploy TAK Server on AWS with CloudFormation: TLS, Docker, hardening, and security best practices in under ten minutes.

Insight8 min read

Release Log Vol. 1: Maritime Intelligence & UAS Traffic Management

Empyrean ships Maritime Intelligence, Air Domain Intelligence, and UAS Traffic Management with 20+ data sources and FAA enrichment.

Insight20 min read

The Environment Is Trying to Kill Your Mission. We Want to Mitigate It.

Weather & environmental intelligence that modifies sensor confidence, route feasibility, and UAS BVLOS risk in real time.

Insight73 min read

EMSO Is Everyone's Problem. Let's Do Something About It.

EMSO deep dive: EW history, doctrinal evolution to CEMA, cross-domain effects, and what operators can do about it today.

Insight23 min read

Would the Real Common Operating Picture (COP) Please Stand Up

Most COPs are PowerPoint and uncorrelated feeds. What a real COP requires: fusion, policy, edge deployment, and echelon logic.

Insight7 min read

Building Physics-Backed, Unclassified, Open-Source Defense Research

Introducing Empyrean Defense Research: unclassified, physics-backed wargaming. First drop: 1,500 Monte Carlo sims of DF-17 vs DDG.

Insight37 min read

How the Space Domain Impacts Your Operations

Space domain impacts on EW, ground, maritime, air, and information ops — and what you can do to counter them.

Insight74 min read

Sense, Make Sense, Act: How to Conduct Counter-UAS From Sensors to Deployments

Counter-UAS playbook: 8 sensor types, fusion methods, jam vs. shoot decisions, and layered drone defense for DDIL environments.

Insight12 min read

Why JADC2 Needs Sensor Fusion at the Edge

JADC2 assumes persistent cloud and top-down authority. Operators have neither. Why sensor fusion must live at the edge.

Resource11 min read

What is Intelligence Fusion?

Intelligence fusion explained: JDL/DFIG model, multi-INT disciplines, JADC2, and what fusion means for civilian operators.

Resource11 min read

What is Maritime Intelligence?

Maritime intelligence explained: AIS limits, dark vessels, beneficial ownership, sanctions risk, and multi-INT fusion at sea.

Resource7 min read

What is OPSEC?

OPSEC, UTS, and Digital Force Protection explained: the five-step process, five threat vectors, and signature management.

Resource13 min read

What is ATAK?

ATAK explained: TAK clients, EUDs, data packages, mesh networks, federation, plugins, and the CoT protocol that ties it together.

Resource26 min read

Defense & Intelligence Glossary

Defense & intelligence glossary: acronyms and terms for EMSO, C-UAS, JADC2, sensor fusion, SSA, CTF, entity resolution, and TAK.

Resource13 min read

What is Counter Threat Finance?

Counter Threat Finance (CTF) explained: DoDD 5205.14 doctrine, CTF vs. AML, sanctions, shell companies, TBML, and operational software.

Resource10 min read

What is Entity Resolution?

Entity Resolution explained: deterministic, probabilistic, ML, and graph methods for matching records to real-world identities.

Resource13 min read

What is Narrative Intelligence?

Narrative Intelligence (NARINT) explained: detecting and countering influence operations, DISARM framework, CIB, and OSINT.

Resource13 min read

What is EMSO?

EMSO explained: Electronic Warfare, EMBM, JEMSO, Electronic Order of Battle, CEMA, spectrum management, and operational software.

Resource12 min read

What is a Common Operational Picture?

Common Operational Picture (COP) explained: why most COPs fail, display vs. decision surface, edge deployment, and true fusion.

Resource13 min read

What is Space Situational Awareness?

Space Situational Awareness (SSA) explained: orbital tracking, TLEs, the Space Surveillance Network, and counterspace threats.

Resource12 min read

What is Counter-UAS?

Counter-UAS (C-UAS) explained: sensors, fusion, effectors, legal authorities, and layered drone defense for military and critical sites.

Resource12 min read

What is JADC2?

JADC2 explained: why top-down fails, what sensor-up architecture means, and why edge-deployed fusion survives contact.

Resource11 min read

What is Sensor Fusion?

Sensor fusion explained: state estimation, data association, multi-hypothesis tracking, identity provenance, and edge deployment.

Research43 min read

High-Powered Microwave (HPM): From Hard Kill to Residual Risk

3,400 Monte Carlo runs reveal HPM's service-rate ceiling, residual warhead hazard, and cascade failure against 40-400 drone swarms.

Research48 min read

The Devil Dog and the Dragon: USMC IADS vs. PLARF Cruise Missile Saturation

USMC MRIC vs 60 CJ-10 cruise missiles: 92.7% kill rate, then magazine exhaustion at T+28:37. The Marines need more rounds.

Research34 min read

Quantifying Layered Naval Defense Against Hypersonic Glide Vehicles

DF-17 HGV vs Arleigh Burke: 50 Monte Carlo seeds, SM-6 at 23% kill rate, PAC-3 at zero. The timeline is the constraint.

Insight47 min read

Maritime Domain Awareness: The Complete Field Guide

Maritime domain awareness field guide: spectrum, seabed, ownership, and cyber threats that single-domain tools miss.

Insight25 min read

TAK Server on AWS: From Zero to Operational in Under Ten Minutes

Deploy TAK Server on AWS with CloudFormation: TLS, Docker, hardening, and security best practices in under ten minutes.

Insight8 min read

Release Log Vol. 1: Maritime Intelligence & UAS Traffic Management

Empyrean ships Maritime Intelligence, Air Domain Intelligence, and UAS Traffic Management with 20+ data sources and FAA enrichment.

Insight20 min read

The Environment Is Trying to Kill Your Mission. We Want to Mitigate It.

Weather & environmental intelligence that modifies sensor confidence, route feasibility, and UAS BVLOS risk in real time.

Insight73 min read

EMSO Is Everyone's Problem. Let's Do Something About It.

EMSO deep dive: EW history, doctrinal evolution to CEMA, cross-domain effects, and what operators can do about it today.

Insight23 min read

Would the Real Common Operating Picture (COP) Please Stand Up

Most COPs are PowerPoint and uncorrelated feeds. What a real COP requires: fusion, policy, edge deployment, and echelon logic.

Insight7 min read

Building Physics-Backed, Unclassified, Open-Source Defense Research

Introducing Empyrean Defense Research: unclassified, physics-backed wargaming. First drop: 1,500 Monte Carlo sims of DF-17 vs DDG.

Insight37 min read

How the Space Domain Impacts Your Operations

Space domain impacts on EW, ground, maritime, air, and information ops — and what you can do to counter them.

Insight74 min read

Sense, Make Sense, Act: How to Conduct Counter-UAS From Sensors to Deployments

Counter-UAS playbook: 8 sensor types, fusion methods, jam vs. shoot decisions, and layered drone defense for DDIL environments.

Insight12 min read

Why JADC2 Needs Sensor Fusion at the Edge

JADC2 assumes persistent cloud and top-down authority. Operators have neither. Why sensor fusion must live at the edge.

Resource11 min read

What is Intelligence Fusion?

Intelligence fusion explained: JDL/DFIG model, multi-INT disciplines, JADC2, and what fusion means for civilian operators.

Resource11 min read

What is Maritime Intelligence?

Maritime intelligence explained: AIS limits, dark vessels, beneficial ownership, sanctions risk, and multi-INT fusion at sea.

Resource7 min read

What is OPSEC?

OPSEC, UTS, and Digital Force Protection explained: the five-step process, five threat vectors, and signature management.

Resource13 min read

What is ATAK?

ATAK explained: TAK clients, EUDs, data packages, mesh networks, federation, plugins, and the CoT protocol that ties it together.

Resource26 min read

Defense & Intelligence Glossary

Defense & intelligence glossary: acronyms and terms for EMSO, C-UAS, JADC2, sensor fusion, SSA, CTF, entity resolution, and TAK.

Resource13 min read

What is Counter Threat Finance?

Counter Threat Finance (CTF) explained: DoDD 5205.14 doctrine, CTF vs. AML, sanctions, shell companies, TBML, and operational software.

Resource10 min read

What is Entity Resolution?

Entity Resolution explained: deterministic, probabilistic, ML, and graph methods for matching records to real-world identities.

Resource13 min read

What is Narrative Intelligence?

Narrative Intelligence (NARINT) explained: detecting and countering influence operations, DISARM framework, CIB, and OSINT.

Resource13 min read

What is EMSO?

EMSO explained: Electronic Warfare, EMBM, JEMSO, Electronic Order of Battle, CEMA, spectrum management, and operational software.

Resource12 min read

What is a Common Operational Picture?

Common Operational Picture (COP) explained: why most COPs fail, display vs. decision surface, edge deployment, and true fusion.

Resource13 min read

What is Space Situational Awareness?

Space Situational Awareness (SSA) explained: orbital tracking, TLEs, the Space Surveillance Network, and counterspace threats.

Resource12 min read

What is Counter-UAS?

Counter-UAS (C-UAS) explained: sensors, fusion, effectors, legal authorities, and layered drone defense for military and critical sites.

Resource12 min read

What is JADC2?

JADC2 explained: why top-down fails, what sensor-up architecture means, and why edge-deployed fusion survives contact.

Resource11 min read

What is Sensor Fusion?

Sensor fusion explained: state estimation, data association, multi-hypothesis tracking, identity provenance, and edge deployment.

Research43 min read

High-Powered Microwave (HPM): From Hard Kill to Residual Risk

3,400 Monte Carlo runs reveal HPM's service-rate ceiling, residual warhead hazard, and cascade failure against 40-400 drone swarms.

Research48 min read

The Devil Dog and the Dragon: USMC IADS vs. PLARF Cruise Missile Saturation

USMC MRIC vs 60 CJ-10 cruise missiles: 92.7% kill rate, then magazine exhaustion at T+28:37. The Marines need more rounds.

Research34 min read

Quantifying Layered Naval Defense Against Hypersonic Glide Vehicles

DF-17 HGV vs Arleigh Burke: 50 Monte Carlo seeds, SM-6 at 23% kill rate, PAC-3 at zero. The timeline is the constraint.

Insight47 min read

Maritime Domain Awareness: The Complete Field Guide

Maritime domain awareness field guide: spectrum, seabed, ownership, and cyber threats that single-domain tools miss.

Insight25 min read

TAK Server on AWS: From Zero to Operational in Under Ten Minutes

Deploy TAK Server on AWS with CloudFormation: TLS, Docker, hardening, and security best practices in under ten minutes.

Insight8 min read

Release Log Vol. 1: Maritime Intelligence & UAS Traffic Management

Empyrean ships Maritime Intelligence, Air Domain Intelligence, and UAS Traffic Management with 20+ data sources and FAA enrichment.

Insight20 min read

The Environment Is Trying to Kill Your Mission. We Want to Mitigate It.

Weather & environmental intelligence that modifies sensor confidence, route feasibility, and UAS BVLOS risk in real time.

Insight73 min read

EMSO Is Everyone's Problem. Let's Do Something About It.

EMSO deep dive: EW history, doctrinal evolution to CEMA, cross-domain effects, and what operators can do about it today.

Insight23 min read

Would the Real Common Operating Picture (COP) Please Stand Up

Most COPs are PowerPoint and uncorrelated feeds. What a real COP requires: fusion, policy, edge deployment, and echelon logic.

Insight7 min read

Building Physics-Backed, Unclassified, Open-Source Defense Research

Introducing Empyrean Defense Research: unclassified, physics-backed wargaming. First drop: 1,500 Monte Carlo sims of DF-17 vs DDG.

Insight37 min read

How the Space Domain Impacts Your Operations

Space domain impacts on EW, ground, maritime, air, and information ops — and what you can do to counter them.

Insight74 min read

Sense, Make Sense, Act: How to Conduct Counter-UAS From Sensors to Deployments

Counter-UAS playbook: 8 sensor types, fusion methods, jam vs. shoot decisions, and layered drone defense for DDIL environments.

Insight12 min read

Why JADC2 Needs Sensor Fusion at the Edge

JADC2 assumes persistent cloud and top-down authority. Operators have neither. Why sensor fusion must live at the edge.

Empyrean Defense

Become a CyOps design partner

We're looking for organizations at the intersection of cyber, physical, and electromagnetic security who want to shape this capability from day one. 25 years of combined SecDataOps expertise. Let's build together.