Meet White Shark: The Eyes and Ears of the Network

In the architectural hierarchy of CyberNEMO, the White Shark probe acts as the primary sensory organ, providing the critical observability required for a secure meta-Operating System. While other components focus on high-level orchestration or AI-driven analysis, White Shark operates at the “ground level,” functioning as a high-precision network probe that monitors the most fundamental unit of connectivity: the network socket.

Technical Architecture and Integration

Technically, White Shark is designed for seamless deployment within Kubernetes-based environments, where it integrates into the data plane to capture real-time telemetry. Its architecture is built around a lightweight footprint to minimize overhead while maintaining the ability to collect granular network metrics across the distributed Computing Continuum. As a key asset within Work Package 2 (WP2), it is specifically engineered to support Zero Trust Network Access (ZTNA) by providing the visibility needed to enforce “explicit verification” for every connection within the cluster.

Point-to-Point Measurement for High Precision

The defining feature of White Shark is its use of point-to-point measurement. Unlike traditional tools that provide broad averages, White Shark retrieves specific metrics—including latency, throughput, and jitter—directly between two communication endpoints. This socket-level approach bypasses the “fog” created by virtual network overlays and high-level abstractions, ensuring that the captured data reflects the actual communication experience of the microservices. This high-fidelity data is essential for differentiating between standard network fluctuations and subtle anomalies.

Driving Intelligence: The Link to NADA

The precision of White Shark is not just for monitoring performance; it is the essential fuel for NADA (Network Anomaly Detection AI). By providing a continuous stream of verifiable point-to-point data, White Shark allows NADA to analyze temporal and contextual patterns with extreme accuracy. Together, they form a proactive security loop: White Shark captures the “ground truth” of the network, and NADA interprets that truth to identify anomalies, ensuring the CyberNEMO environment remains resilient and secure.

Sphynx Cybersecurity Solutions and Contributions to CyberNEMO

Sphynx is a research-driven cybersecurity company, initially founded in Switzerland and currently operating in Switzerland, Greece, and Cyprus.

We develop cutting-edge cybersecurity technologies and provide services to our clients in the areas of security operation centres, managed security, cyber threat intelligence, incident response, training and certification.

Our solutions are powered by products that have been developed in-house, including the Sphynx Security and Privacy Assurance Suite (SPA Suite) and the Sphynx Cyber Range platform. These products incorporate novel event processing, vulnerability detection, cyber threat intelligence, incident response and systems emulation capabilities which are based on machine learning, AutoML and generative AI. Sphynx has a strong R&D team that helps maintain the cutting-edge features and technology of its products.

At Sphynx, we are proud of our extensive track record of participating in European and national R&D projects. Sphynx participates as a partner in CyberNEMO through its Swiss arm, Sphynx Technology Solutions AG (STS). Within CyberNEMO, STS mainly contributes to Task 4.1: Micro-services Auditing, Certification & Accreditation, Task 4.2: XAI Tools for continuous system risk analysis and Task 4.3: Strategies & Tools for cooperative remediation and mitigation. As part of those tasks the company develops a Proactive Cyber-Defense with Real-time Threat Intelligence Extraction, Prediction and Response. The primary objective is to minimize human workload and reduce the potential for error in the large-scale processing of Open-Source Cyber Threat Intelligence (OSCTI) by developing an automated, standards-compliant toolchain capable of transforming raw, unstructured intelligence into actionable defensive artefacts. The implemented system follows a hybrid, modular pipeline that integrates multiple stages of the cyber threat intelligence lifecycle.

From NEMO to CyberNEMO: The Evolution of Network Monitoring

The transition from the NEMO project to CyberNEMO marks a critical evolution in how we approach network visibility within distributed systems. In the original NEMO project, the primary challenge was establishing reliable performance monitoring across diverse infrastructure. Our response, developed by UPM within the networking work package, was White Shark. White Shark was designed as a network probe, focusing on the fundamental socket layer to measure point-to-point communication metrics like latency, throughput, and jitter. This provided a foundational level of observability, allowing operators to understand how the network was performing at any given moment.

However, as we moved into CyberNEMO, the landscape shifted dramatically. The emergence of a true “computing continuum”—spanning Cloud, Edge, and IoT devices—introduced complexity and an expanded attack surface. Simple performance monitoring was no longer sufficient. We realized that the massive stream of high-fidelity network telemetry generated by White Shark was not just performance data; it was a rich, untapped source of security intelligence. The data that previously told us whether the network was fast could now tell us whether the network was being compromised.

This realization led to the development of the NADA (Network Anomaly Detection AI) component in CyberNEMO. NADA represents the intelligent brain that sits atop the White Shark sensing layer. Its purpose is to ingest the granular, socket-level data captured by the probe and use advanced machine learning algorithms to identify temporal and contextual anomalies.

The journey from NEMO to CyberNEMO is therefore characterized by a shift from reactive performance observation to proactive, AI-driven security validation. By enriching the data previously used only for network optimization, we have created a robust mechanism for enforcing Zero Trust principles by design. This evolutionary step ensures that CyberNEMO doesn’t just provide a high-performance network, but a verifiably secure and resilient foundation for the next generation of meta-operating systems.

The MITRE ATT&CK framework for attacks

Understanding the MITRE ATT&CK Framework

In the world of cybersecurity, defenders and hackers are locked in a constant game of cat and mouse. For a long time, defenders focused on who was attacking them (attribution). However, names and locations change. The MITRE ATT&CK® framework shifted the focus to something more permanent: how they attack. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. Think of it as a comprehensive, living encyclopedia of “bad guy” behavior. It is a globally accessible knowledge base that tracks the specific actions cybercriminals take from the moment they start scouting a target to the moment they steal data or cause damage.

The Anatomy of an Attack

The framework is organized into a matrix that reads like a story of a digital break-in. It breaks down an attack into two main components: (a) Tactics (The “Why”): These are the attacker’s technical goals. For example, a tactic might be “Initial Access” (getting into the network) or “Exfiltration” (taking the data out). (b) Techniques (The “How”): these are the specific methods used to achieve a tactic. If the goal is “Initial Access,” the technique might be a “Phishing” email. By using this common language, security teams across different companies can share information instantly. If a bank in London discovers a new way hackers are bypassing passwords, they can label it with an ATT&CK ID (like T1078), and a hospital in New York will immediately know exactly what to look for.

Mitigations: Building the Shield

The framework isn’t just a list of threats; it’s a roadmap for defense. For every technique listed in the matrix, MITRE provides mitigations, i.e., specific actions organizations can take to prevent a technique from working.

Tactic           Technique (example)       Mitigation (defense action)
Initial Access   Phishing                  Security awareness training and email filtering.
Persistence      Create Account            Use Multi-Factor Authentication (MFA) and monitor new user creation.
Exfiltration     Transfer Data to Cloud    Block unauthorized cloud storage sites on the company network.

Why It Matters

While ATT&CK is a technical tool, its impact reaches everyone. When organizations use this framework, they move away from “guessing” what might happen and start “knowing” what to defend against. It allows companies to test their security systems against real-world scenarios, ensuring that your personal data and the services you rely on—like banking, healthcare, and power—are protected by more than just a firewall and a prayer. MITRE ATT&CK is a resource that has turned cybersecurity from a dark art into a measurable science by documenting the “playbook” of the adversary.

AI’s role in cyber risk assessment, monitoring and mitigation

AI: The New Digital Watchman

In the fast-moving world of the internet, new threats appear every second. Traditional security tools are like a library catalog—they work great for finding things we already know about, but they struggle with anything new. Artificial Intelligence (AI) has changed the game by acting less like a catalog and more like a highly trained digital watchman that never sleeps and learns as it goes. It contributes to monitoring, risk assessment and mitigation.

In monitoring, it acts like the guard that never blinks. AI’s greatest strength is its ability to watch millions of events at once without getting tired. It can perform behavioral analysis and phishing detection. In behavioral analysis, instead of just looking for “bad files,” AI looks for “bad behavior.” If an employee who usually only checks email suddenly starts downloading the entire company’s client list at 2:00 AM, the AI flags it as an anomaly. In phishing detection, AI can read the intent behind an email. It can spot the subtle signs of a scam—like a slightly misspelled link or a tone that is “too urgent”—and stop the email before it ever hits your inbox.

In risk assessment, it can find the weak spots. Before an attack even happens, AI helps companies understand their “Cyber Risk”—basically, a score of how likely they are to be hacked. Often, prioritizing is what matters. A large company might have thousands of software “vulnerabilities” (tiny bugs). AI can scan all of them and tell the security team, “These three are the most dangerous because hackers are currently using them to attack other companies.” It can also support simulating attacks. AI can run “digital drills,” pretending to be a hacker to find paths through a network that a human might never think to check.

Finally, in mitigation, it can act at machine speed. When an attack happens, every second counts. AI allows a company to respond at “machine speed” rather than waiting for a human to wake up and read an alert. It can contribute to automated containment. If AI detects a virus spreading on one laptop, it can instantly “quarantine” that device, cutting its connection to the rest of the office so the virus can’t jump to other computers. Moreover, it can provide smart recommendations. If a threat is detected, AI can provide a “playbook” for the human staff, saying: “I’ve blocked the suspicious IP address. I recommend you reset these three user passwords and check this specific server for damage.”

While AI is fast, it isn’t perfect. It can sometimes mistake a legitimate heavy workload for an attack (a “false positive”). This is why the best cybersecurity is based on the human-AI partnership and uses a “Human-in-the-loop” approach. The AI handles the “heavy lifting” by filtering out 99% of the noise, allowing human experts to focus their energy on the most complex and dangerous 1% of threats.

Compared to traditional methods for security, AI-powered security offers many advantages. Instead of looking for known signatures (like fingerprints), it looks for unknown patterns that may indicate suspicious behavior. Instead of requiring manual updates to stay current, it learns and adapts to new threats automatically. Moreover, it does not become overwhelmed by too much data; instead, it gets better the more data it processes.

AI has turned cybersecurity from a game of “catch-up” into a proactive defense, allowing us to predict and stop threats before they can do real damage.

Why Sockets Matter in Kubernetes: Beyond the Abstraction

In a standard Kubernetes (K8s) deployment, the sheer level of abstraction is a double-edged sword. While it simplifies orchestration, it often obscures the granular reality of network traffic. For the CyberNEMO project, specifically within WP2, we move past these high-level views to focus on the network socket. Why? Because sockets represent the “ground truth” of connectivity. In a distributed meta-OS, understanding the real-time state of point-to-point communication is the only way to ensure Cybersecurity and Privacy by Design.

Capturing the “Ground Truth” with White Shark

Traditional Kubernetes monitoring often looks at service-level averages, which can mask micro-bursts of latency or intermittent failures. By monitoring at the socket level, our White Shark probe can collect raw, high-fidelity data—including latency, throughput, and jitter—directly from the source. This allows us to see exactly how data moves between specific pods, bypassing the “fog” of virtualized overlays. This level of precision is essential for building a verifiable data plane, ensuring that every packet follows its intended path without manipulation.

Building a Stronger Zero Trust Foundation

Ultimately, focusing on sockets supports the Zero Trust principle of “explicit verification”. In CyberNEMO, we don’t just trust that a connection is secure because it’s inside the cluster. Instead, we use socket-based telemetry to constantly validate that communication patterns match the intended security policies.

The use of Explainable AI methods for monitoring assets, detecting cyberattacks, and suggesting mitigation actions

As cyberattacks become more frequent and complex, organizations are turning to Artificial Intelligence (AI) to defend their digital assets. Standard AI is incredibly fast at spotting patterns, but it often works like a “black box”—it might tell a security team, “This file is a virus,” or “there is a cyberattack going on from this IP address” without ever explaining why. For a security professional, a simple “Yes” or “No” isn’t enough. If the AI is wrong, it could block an important company document or block services that the company provides; if it’s right, the team still needs to know how the attacker got in to stop it from happening again. This is where Explainable AI (XAI) comes in.

What is Explainable AI (XAI)?

XAI is a set of tools and methods designed to make the “internal thought process” of an AI understandable to humans. In cybersecurity, XAI doesn’t just detect a threat; it provides a rational justification for its decision.

For monitoring assets and detecting attacks, instead of just monitoring for “bad” things, XAI helps security teams understand what “normal” looks like. If the AI flags a login attempt as suspicious, XAI can point to specific reasons: “The user is logging in from a new country” or “This account is suddenly accessing 2,000 files it never touched before.” XAI can generate maps or charts showing exactly where a network’s behavior deviated from the norm, helping humans spot the “smoking gun” quickly.

For suggesting mitigations, XAI doesn’t just sound the alarm; it helps build the shield. By explaining the nature of the attack, it can suggest the best way to stop it. If the AI explains: “This is a Brute Force attack targeting the HR database,” the suggested action is clear: “Temporarily lock the targeted accounts and require a password reset.”

The Importance of the “User-in-the-Loop”

The most critical part of XAI is that it keeps a human—the User-in-the-Loop—at the center of the decision. Cybersecurity is high-stakes; a mistake could shut down a hospital’s network or a city’s power grid. XAI increases trust, facilitates collaboration and provides accountability.

  • Trust and Validation: When an AI can explain itself, a human expert can quickly verify if the alert is a real threat or a “false positive” (a mistake).
  • Collaboration: Humans bring “common sense” and context that AI lacks. For example, the AI might flag a large data transfer as an attack, but a human knows it’s just the annual company backup. XAI allows the human to see the AI’s logic, agree or disagree, and teach the system to be better next time.
  • Accountability: If something goes wrong, XAI provides a clear “paper trail” showing why a certain decision was made, which is essential for legal and safety audits.

The main differences between standard AI and explainable AI (XAI) are the following. In terms of output, standard AI might only report that “High Risk is detected,” whereas explainable AI would say “High Risk: Unusual data flow to an unknown IP is detected.” The human role is elevated in XAI: instead of blindly trusting or ignoring the alert, the human reviews the evidence and takes informed action. In addition, the learning process becomes stronger because, instead of the AI algorithms learning alone, the human can provide feedback to refine them.

XAI transforms AI from a mysterious oracle into a transparent partner, ensuring that while the computer does the “heavy lifting” of data analysis, the human stays in control of the final defense strategy.

CyberNEMO SAAM: Building a Pan-European Cyber Shield for Critical Infrastructure

CyberNEMO SAAM is a pan-European Knowledge Sharing, risk Assessment, threat Analysis and incidents Mitigation collaborative platform designed to protect Critical Infrastructures (CIs) across Europe. Operating as the federated CTI exchange backbone of the broader CyberNEMO platform, SAAM serves as a pan-European CTI hub that collects, analyses, enriches, and distributes cybersecurity intelligence among interconnected infrastructure operators, national and cross-border cybersecurity authorities and communities. By centralising cyber threat data from diverse CI sectors including energy, transport, healthcare, and finance and structuring it around the widely adopted STIX 2.1 standard, SAAM creates a common operational picture that no single organisation could achieve on its own.

Modern cyber threats do not respect sector or national boundaries. A sophisticated attack on an energy grid can swiftly ripple into transport management systems or hospital networks, creating cascading failures that isolated, manually processed intelligence cannot prevent. SAAM addresses this gap by positioning itself as the central nervous system of European CI cybersecurity, automatically correlating cross-sector incident patterns, attributing threats to known actors, and generating timely advisories for eligible partners. Governed by the most appropriate authority within the CyberNEMO ecosystem, and fully aligned with NIS2 compliance obligations, SAAM represents a significant step forward in building the collective resilience that Europe’s critical infrastructure communities urgently need.

SAAM delivers four tightly integrated capabilities. Cross-CI Knowledge Sharing enables the seamless exchange of CTI data across sector boundaries and national borders through secure Trusted Circles at Sectoral, National, Cross-Border, and Pan-European level, utilizing interoperable standards such as STIX v2.1, TAXII 2.1 and the Traffic Light Protocol (TLP) for controlled dissemination. SAAM’s Systemic Risk Analysis Engine (SRAE) applies automated analysis over incoming cyberthreat reports to score, correlate, and contextualise vulnerabilities and attacks. In addition, SRAE analysis contributes to the identification of coordinated attacks, taking into account potential cascading effects. This contributes to SAAM’s enhanced State Awareness, which gives operators and authorities a real-time, holistic view of the threat landscape across interconnected CI domains. Finally, SAAM’s Incident Mitigation translates enriched intelligence into actionable guidance, enabling CSIRTs and CI owners to coordinate responses swiftly and effectively before threats cascade across sectors.
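As an added example (not SAAM's own code), the following Python builds a small STIX 2.1 bundle whose indicators carry the TLP marking-definition objects the spec reserves for TLP, and derives for each indicator which Trusted Circle levels it may be disseminated to. The TLP-to-circle mapping, the indicator names and the patterns are assumptions constructed for the illustration; unmarked objects are deliberately kept at the innermost level.

```python
import json
import uuid
from datetime import datetime, timezone

# Marking-definition IDs that STIX 2.1 reserves for the four TLP markings.
TLP_IDS = {
    "white": "marking-definition--613f2e26-0d6a-4c2c-a1a4-df9cb1a6b0f3",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
# Trusted Circle levels from innermost outwards. How far each TLP colour may
# travel is an assumed policy for this example, not SAAM's actual rule set.
CIRCLES = ["Sectoral", "National", "Cross-Border", "Pan-European"]
TLP_REACH = {"red": 1, "amber": 2, "green": 3, "white": 4}


def tlp_marking(colour):
    """The spec-defined TLP marking-definition object for one colour."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[colour],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": "TLP:" + colour.upper(), "definition": {"tlp": colour}}


def new_indicator(name, pattern, colour=None):
    """A minimal STIX 2.1 indicator, optionally marked with one TLP colour."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    obj = {"type": "indicator", "spec_version": "2.1", "id": "indicator--" + str(uuid.uuid4()),
           "created": now, "modified": now, "name": name, "pattern": pattern,
           "pattern_type": "stix", "valid_from": now}
    if colour:
        obj["object_marking_refs"] = [TLP_IDS[colour]]
    return obj


def dissemination_plan(bundle):
    """Map each non-marking object to the Trusted Circle levels it may reach.

    TLP colours are resolved through the bundle's own marking-definition
    objects. If an object carries several TLP markings the most restrictive
    wins; an object with no resolvable TLP marking is treated as TLP:RED so
    that missing metadata never widens sharing.
    """
    tlp_of = {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
              if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    plan = {}
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition":
            continue
        colours = [tlp_of.get(ref) for ref in obj.get("object_marking_refs", [])]
        known = [TLP_REACH[c] for c in colours if c in TLP_REACH]
        plan[obj["id"]] = CIRCLES[:min(known, default=1)]
    return plan


def example_bundle():
    """Constructed sample: two TLP markings plus three indicators."""
    objects = [
        tlp_marking("green"), tlp_marking("red"),
        new_indicator("community C2 domain", "[domain-name:value = 'c2.example.invalid']", "green"),
        new_indicator("sector-only scanner", "[ipv4-addr:value = '192.0.2.10']", "red"),
        new_indicator("unmarked observation", "[url:value = 'http://example.invalid/x']"),
    ]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


def plan_by_name(bundle):
    """The same plan keyed by indicator name, which is stable across random IDs."""
    plan = dissemination_plan(bundle)
    return {o["name"]: plan[o["id"]] for o in bundle["objects"] if o["type"] == "indicator"}


if __name__ == "__main__":
    print(json.dumps(plan_by_name(example_bundle()), indent=2))
```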

CyberNEMO Exploitation Strategy overview

Europe’s cybersecurity landscape is under mounting pressure. The EU cybersecurity market, already valued at approximately €30 billion in 2023, is growing at a compound annual rate of 9–11%, driven by an escalating threat environment, accelerating digital transformation, and tightening regulation under frameworks such as NIS2, the Cyber Resilience Act, and the AI Act. Ransomware attacks targeting critical infrastructure are rising by over 25% annually, while nation-state actors, supply-chain compromises, and the convergence of IT and Operational Technology (OT) networks continue to expand the attack surface. Across key verticals such as energy, healthcare, cloud, edge computing, IoT, and data management, CyberNEMO’s market analysis reveals a consistent pattern: demand is surging, solutions are fragmenting, and the gap between security investment and actual resilience is widening. Particularly underserved are small and medium enterprises, operators of critical infrastructure burdened by legacy systems, and the growing edge computing segment, where cybersecurity spending is already struggling to keep pace with infrastructure deployment.

CyberNEMO’s competitive advantage rests on five interconnected pillars. As an EU-funded initiative built on EU-sovereign infrastructure, it is fully aligned with the EU Cybersecurity Strategy, directly advancing Europe’s goal of strategic digital autonomy. This is reinforced by a unique public-private partnership model that grants privileged access to CERT and regulatory bodies alongside established relationships with critical infrastructure operators. The platform’s credibility is further substantiated by its validation across six diverse pilot sectors, providing concrete cross-domain applicability evidence that spans energy, healthcare, media, agrifood, logistics, and fintech. By anchoring its open-source core within the Eclipse Foundation, CyberNEMO fosters community-driven development that actively reduces vendor lock-in, encouraging broad adoption while preserving transparency and trust. Finally, the platform has been designed from the outset with regulatory foresight, embedding compliance with NIS2, the Critical Entities Resilience Directive (CER), the AI Act, and the Cyber Resilience Act directly into its architecture — positioning it as a ready-made solution for organisations navigating Europe’s increasingly demanding cybersecurity regulatory landscape.

CyberNEMO delivers an end-to-end, zero-trust cybersecurity framework purpose-built for the Cloud-Edge-IoT-Data computing continuum. Following the IEEE 42010 methodology, stakeholder concerns were systematically mapped to architectural viewpoints. Each viewpoint addresses specific concerns through defined architectural perspectives, conventions, and models, covering viewpoints such as development, process, user, business and security. CyberNEMO has identified twelve Key Exploitable Results (KERs) that offer capabilities ranging from real-time AI-driven anomaly detection and explainable AI (XAI) to interoperable and standardized threat intelligence sharing, micro-services auditing and certification, and federated risk assessment across borders.

CyberNEMO’s multi-dimensional approach, which combines financial self-sufficiency through subscription services, institutional permanence through Eclipse Foundation governance, regulatory foresight, and community network effects through open-source engagement, aims to position it to deliver lasting value to European Critical Infrastructure and citizens well beyond the project’s formal completion.

What is a Network Socket? The Building Block of CyberNEMO Connectivity

In the complex architecture of the CyberNEMO meta-Operating System, ensuring secure and reliable communication across the computing continuum is paramount. While high-level security frameworks like Zero Trust Network Access (ZTNA) provide the overarching strategy, the actual heavy lifting of data exchange happens at a much more fundamental level: the network socket.

A network socket is essentially an internal endpoint for sending or receiving data at a single node in a computer network. Think of it as a virtual “plug” that allows two different processes—whether they are on the same machine or across the world—to talk to each other. In a Kubernetes (K8s) environment, which serves as the foundation for CyberNEMO’s deployment, sockets are the critical bridges between containerized microservices. They enable the point-to-point communication necessary for workloads to function as a unified system.

Why Sockets Matter for Network Measurement

Within WP2 (Work Package 2), the focus is on “Cybersecurity and Privacy by Design”. To achieve this, we cannot rely on surface-level metrics. We need to measure real communication at the socket level. This is where components like White Shark come into play.

Originally developed for the NEMO project, White Shark is a specialized network probe designed to collect and retrieve high-fidelity network data. By tapping into socket communication, White Shark can measure point-to-point metrics—such as latency and throughput—directly between two endpoints. This provides a level of precision that traditional network monitors often miss, as it captures the actual data flow as seen by the applications themselves, rather than just the underlying infrastructure.

From Raw Data to Intelligence: The Role of NADA

Capturing socket-level data is only half the battle; the next step is making sense of it. In CyberNEMO, this data is fed into the Network Anomaly Detection AI (NADA). NADA’s purpose is to identify temporal and contextual anomalies—suspicious patterns in the network traffic that could indicate a security breach.
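As an added example rather than White Shark or NADA code, the following Python shows the two halves of the loop described here and under “Capturing the “Ground Truth” with White Shark” above: a probe that measures latency, jitter and throughput between two socket endpoints, and a temporal check that flags samples departing from the recent baseline. The in-process socket pair standing in for two pods, the message size, and the median/MAD rule are assumptions made for the illustration.

```python
import socket
import statistics
import threading
import time

MSG_SIZE = 1024  # payload bytes per probe message (constructed value for this demo)


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket; recv() may return less."""
    chunks = []
    while n > 0:
        chunk = sock.recv(n)
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        chunks.append(chunk)
        n -= len(chunk)
    return b"".join(chunks)


def _echo_peer(sock, count):
    """Far endpoint: echo every probe message straight back, then close."""
    with sock:
        for _ in range(count):
            sock.sendall(_recv_exact(sock, MSG_SIZE))


def measure_point_to_point(count=50):
    """Probe one endpoint against its peer (count >= 2) and report what a
    socket-level probe sees for that single pair, not a service-wide average:
    latency_ms (mean RTT), jitter_ms (mean absolute difference between
    consecutive RTT samples) and throughput_mbps (payload bits per second).
    """
    local, remote = socket.socketpair()  # assumed stand-in for two pods
    peer = threading.Thread(target=_echo_peer, args=(remote, count))
    peer.start()
    payload = b"\x00" * MSG_SIZE
    rtts = []
    start = time.perf_counter()
    with local:
        for _ in range(count):
            t0 = time.perf_counter()
            local.sendall(payload)
            _recv_exact(local, MSG_SIZE)
            rtts.append((time.perf_counter() - t0) * 1000.0)
    elapsed = time.perf_counter() - start
    peer.join()
    return {
        "samples": rtts,
        "latency_ms": statistics.fmean(rtts),
        "jitter_ms": statistics.fmean(abs(a - b) for a, b in zip(rtts, rtts[1:])),
        "throughput_mbps": 2 * count * MSG_SIZE * 8 / elapsed / 1e6,
    }


def temporal_anomalies(samples, window=10, k=5.0, floor=0.05):
    """Indices whose value departs from the recent baseline of the series.

    Baseline is the median of the previous `window` samples and spread their
    median absolute deviation (MAD); robust statistics keep one spike from
    dragging the baseline along with it. `floor` (ms) stops a perfectly flat
    window from flagging harmless sub-millisecond noise.
    """
    flagged = []
    for i in range(window, len(samples)):
        hist = samples[i - window:i]
        med = statistics.median(hist)
        mad = statistics.median(abs(x - med) for x in hist)
        if abs(samples[i] - med) > k * max(mad, floor):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    m = measure_point_to_point()
    print(f"latency {m['latency_ms']:.3f} ms, jitter {m['jitter_ms']:.3f} ms, "
          f"throughput {m['throughput_mbps']:.1f} Mbit/s")
    # Constructed RTT trace: steady 1 ms with a single 40 ms stall at index 15.
    print("anomalous sample indices:", temporal_anomalies([1.0] * 15 + [40.0] + [1.0] * 14))
```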