1. Home
  2. CyberNEMO Components

MoniKube: Security-Aware Infrastructure Discovery for Cloud-Native Environments

As organizations continue to adopt Kubernetes and cloud-native technologies, their infrastructures become increasingly complex and difficult to manage. Distributed clusters, virtual machines, containers, and interconnected services provide scalability and flexibility, but they also create significant challenges in maintaining visibility, understanding asset relationships, and identifying security risks.

MoniKube is a distributed security-aware monitoring and intelligence platform designed to address these challenges. By continuously monitoring Kubernetes and cloud-native environments, collecting telemetry data, and performing vulnerability assessments, it automatically discovers infrastructure components and builds a comprehensive representation of the operational environment. The platform correlates infrastructure, monitoring, and security information to provide organizations with a deeper understanding of their assets, dependencies, and overall security posture.

At the core of MoniKube is a security-aware knowledge graph that transforms distributed infrastructure data into a centralized and interactive model. By mapping assets and their relationships, the platform enables operators and security teams to explore infrastructure topology, understand dependencies between systems, identify exposed components, and gain valuable insights into potential risk and exposure pathways.

MoniKube discovers Kubernetes resources through the Kubernetes API and can optionally enrich the model with host-level Docker workloads. The platform integrates Trivy-based vulnerability and misconfiguration scanning, allowing assets to be continuously assessed for security weaknesses. Vulnerability information, exposure indicators, runtime metrics, and security scores are incorporated directly into the graph, enabling users to filter, compare, and prioritize risks from a single dashboard.

Beyond infrastructure discovery, MoniKube can ingest information from external security and monitoring solutions, including IDS, SIEM, and IDMEF-compatible sources. This allows the knowledge graph to remain synchronized with operational reality while providing a unified view across cloud-native and traditional systems.

MoniKube combines vulnerability information, runtime monitoring metrics, and exposure indicators into a unified security-scoring framework. It can integrate information from both cloud-native and traditional systems, creating a unified view of infrastructure regardless of underlying technology. Beyond infrastructure monitoring and security assessment, MoniKube introduces the ability to generate exportable infrastructure models that can serve as the foundation for digital twins, automating much of this process by capturing the security characteristics of operational environments and transforming them into reusable digital representations. The result is a comprehensive solution that helps organizations gain visibility into complex environments, strengthen their security posture, and transform operational infrastructure data into actionable security intelligence.

Read More

Why Micro-Segmentation Matters in Kubernetes

Kubernetes revolutionised the deployment of cloud-native applications by making workloads portable, scalable, and easy to orchestrate. However, while Kubernetes excels at managing applications, its networking model introduces an important challenge for network services: a lack of flexibility in its networking model.

Most Kubernetes deployments rely on a flat network approach where every pod can potentially communicate with every other pod inside the cluster. Although Network Policies can restrict some traffic flows, workloads still fundamentally share the same networking space. For traditional microservice applications, which are usually application-layer oriented, this behaviour may be acceptable, but for network functions, multi-tenant platforms, or security-sensitive services, this approach quickly becomes limiting. This is where micro-segmentation becomes critical.

Micro-segmentation is the practice of dividing an infrastructure into isolated virtual network segments, where workloads only communicate with the components explicitly allowed to them. Instead of treating the cluster as a single trusted environment, micro-segmentation applies the principles of least privilege directly to network connectivity.

The benefit of applying micro-segmentation over K8s platforms can be substantial. First, micro-segmentation improves security by reducing lateral movement. If one workload becomes compromised, attackers cannot freely traverse the infrastructure to reach other services. Each segment behaves as an isolated environment with controlled entry and exit points.

Second, it enables the deployment of advanced network services inside Kubernetes. Functions such as firewalls, routers, proxies, or content delivery components often require separated Layer 2 or Layer 3 domains to operate correctly. In a flat network, these services lose much of their networking context because every workload remains directly reachable.

Third, micro-segmentation simplifies multi-tenant deployments. Different applications, customers, or services can coexist within the same Kubernetes infrastructure while remaining logically isolated from one another. This becomes increasingly important in edge computing, telecom platforms, and distributed cloud environments.

At the infrastructure level, achieving true micro-segmentation requires more than simple traffic filtering. It requires programmable virtual networking capable of creating isolated communication domains between workloads, independently of where they are physically deployed. This becomes even more relevant in distributed cloud-edge environments, where services may span multiple Kubernetes clusters and heterogeneous infrastructures.

To address these challenges, the CyberNEMO Zero Trust Network Access (ZTNA) framework extends the capabilities of the NEMO meta Network Cluster Controller (mNCC) to provide secure micro-segmentation mechanisms for both intra-cluster and inter-cluster communications. By enabling isolated virtual networking domains across cloud-native infrastructures, CyberNEMO introduces a flexible networking foundation for advanced network services, secure workload isolation, and distributed edge deployments. In next posts, we will explore in more detail the technology behind this functionality:

L2S-M.Why Micro-Segmentation Matters in Kubernetes

Kubernetes revolutionised the deployment of cloud-native applications by making workloads portable, scalable, and easy to orchestrate. However, while Kubernetes excels at managing applications, its networking model introduces an important challenge for network services: a lack of flexibility in its networking model.

Most Kubernetes deployments rely on a flat network approach where every pod can potentially communicate with every other pod inside the cluster. Although Network Policies can restrict some traffic flows, workloads still fundamentally share the same networking space. For traditional microservice applications, which are usually application-layer oriented, this behaviour may be acceptable, but for network functions, multi-tenant platforms, or security-sensitive services, this approach quickly becomes limiting. This is where micro-segmentation becomes critical.

Micro-segmentation is the practice of dividing an infrastructure into isolated virtual network segments, where workloads only communicate with the components explicitly allowed to them. Instead of treating the cluster as a single trusted environment, micro-segmentation applies the principles of least privilege directly to network connectivity.

The benefit of applying micro-segmentation over K8s platforms can be substantial. First, micro-segmentation improves security by reducing lateral movement. If one workload becomes compromised, attackers cannot freely traverse the infrastructure to reach other services. Each segment behaves as an isolated environment with controlled entry and exit points.

Second, it enables the deployment of advanced network services inside Kubernetes. Functions such as firewalls, routers, proxies, or content delivery components often require separated Layer 2 or Layer 3 domains to operate correctly. In a flat network, these services lose much of their networking context because every workload remains directly reachable.

Third, micro-segmentation simplifies multi-tenant deployments. Different applications, customers, or services can coexist within the same Kubernetes infrastructure while remaining logically isolated from one another. This becomes increasingly important in edge computing, telecom platforms, and distributed cloud environments.

At the infrastructure level, achieving true micro-segmentation requires more than simple traffic filtering. It requires programmable virtual networking capable of creating isolated communication domains between workloads, independently of where they are physically deployed. This becomes even more relevant in distributed cloud-edge environments, where services may span multiple Kubernetes clusters and heterogeneous infrastructures.

To address these challenges, the CyberNEMO Zero Trust Network Access (ZTNA) framework extends the capabilities of the NEMO meta Network Cluster Controller (mNCC) to provide secure micro-segmentation mechanisms for both intra-cluster and inter-cluster communications. By enabling isolated virtual networking domains across cloud-native infrastructures, CyberNEMO introduces a flexible networking foundation for advanced network services, secure workload isolation, and distributed edge deployments. In next posts, we will explore in more detail the technology behind this functionality: L2S-M.

Read More

CyberNEMO Tools: First Validation Results in the Supply Chain / Smart Agriculture Pilot

CyberNEMO has started initial validation of its integrated tools within the pilots and specifically the Supply Chain / Smart Agriculture pilot, led by ENTERSOFTONE and technically supported by SYNELIXIS. The validation largely covers the end-to-end cybersecurity risk management process, i.e. from scope establishment to detection, decision support and countermeasure enforcement, across the computing continuum composed by:

-The dedicated pilot cluster hosted in a commercial cloud provider

-The NEMO and CyberNEMO clusters hosted by OneLab facility of Sorbonne University.

In terms of tools, Monikube extracts topology discovery, asset reading, and vulnerability identificationand assessment. AI-FWaaS detects cybersecurity incidents while the IPDM DSS correlates threat intelligence with asset risk profiles to generate response recommendations. The CyberNEMO Policy Manager (CNPM) enforces network policies as countermeasures across the infrastructure.

Services run across the pilot’s Kubernetes cluster and the shared OneLab infrastructure, which hosts both CyberNEMO and NEMO project clusters while the multi-site architecture allows for local and centralised deployment modes.

Read More

CyberNEMO contributes to AIOTI – Mutual Reinforcement

CyberNEMO has submitted its contribution to the AIOTI report on the IoT and Edge Computing EU-funded Projects Landscape (Release 5.0).

CyberNEMO brings to AIOTI a timely contribution at the frontier of the IoT and edge security agenda. Specifically, CyberNEMO contribution referred to a set of research challenges confronted by the project including:

  • Zero Trust and dynamic identity management across heterogeneous continuum environments.
  • AI-powered runtime threat detection and self-healing architectures at the edge.
  • Privacy-preserving federated learning for secure AI model lifecycle management.
  • Kubernetes and container security at scale in multi-cluster deployments.
  • Federated and decentralised security policy management.
  • Cross-domain Cyber Threat Intelligence sharing with IDMEFv2 and STIX.
  • Secure lifecycle and update management for distributed IoT/edge services.
  • Explainable, human-centric decision support for security operators.

Through AIOTI, the project is acquiring access to a high-impact dissemination channel reaching the European research, standardisation, and policy communities and positioning the project within the broader IoT and edge computing ecosystem.

Read More

Privacy Protection Enforcement (PPE)

The Privacy Protection Enforcement (PPE) component has been designed and developed by CyberSocial Lab  within the CyberNEMO project and publicly accessible on the Eclipse Research Labs repository,
Our tool acts as a privacy-aware authorization and enforcement mechanism supporting secure data sharing across the computing continuum. Operating in conjunction with the Computing Continuum Access Security Broker (CASB), the PPE is responsible for ensuring that access to personal and sensitive data is granted only when the applicable processing policies and user consents are satisfied.

The architecture of the PPE has been designed to support secure and trustworthy data exchanges across cloud, edge, and IoT environments, while promoting data sovereignty, privacy preservation, and regulatory compliance. By combining policy-based access control mechanisms with consent management capabilities, the component enables organizations to maintain control over how sensitive data is accessed and processed across distributed infrastructures.

PPE provides a structured framework for defining and enforcing privacy and data access requirements. Indicative controls and verification mechanisms supported by the component include:

  • Validation of consent records before access to protected data is granted.
  • Enforcement of data processing policies applicable to data consumers.
  • Verification of consent validity and policy applicability during access requests.
  • Auditing and traceability of authorization and access control decisions.
  • Verification of cryptographic proofs associated with policies and consents.

The PPE has been designed in alignment with the principles of the General Data Protection Regulation (GDPR), supporting key requirements such as lawful processing, explicit consent management, accountability, transparency. It contributes to ensuring that sensitive data is accessed only when valid consent and an applicable processing policy exist.

Furthermore, the use of cryptographic proofs and immutable audit trails strengthens accountability by providing verifiable evidence of consent and authorization decisions throughout the data lifecycle. The adoption of blockchain-based evidence storage, rather than storing personal data directly on-chain, supports privacy-preserving processing practices while facilitating regulatory compliance across distributed cloud, edge, and IoT environments.

PPE integrates with the broader CyberNEMO security ecosystem through the CASB. When a data consumer requests access to protected data, the component evaluates the corresponding policies and consents before authorizing the request. Authorization outcomes can be propagated to other platform components, enabling coordinated security, governance, and compliance operations across the CyberNEMO architecture.

The component is currently under development and will contribute to the implementation of secure, privacy-preserving data sharing services compliant with applicable regulatory requirements across the CyberNEMO computing continuum. In line with the CyberNEMO open-source strategy, the PPE is released under the Apache License 2.0. 

Read More

CyberNEMO Releases the Network Policy Manager (CNPM)

The alpha version of the CyberNEMO Network Policy Manager (CNPM), a policy enforcement component of the CyberNEMO cybersecurity platform, developed by Synelixis SA and publicly accessible on the Eclipse Research Labs repository, undergone under initial testing and validation in the Smart Agriculture / Supply Chain pilot.

CNPM is designed for the cloud–edge–IoT continuum as it operates natively within Kubernetes, the de facto orchestration standard for containerised applications. It is based on Cilium networking layer that enables fine-grained, identity-aware security controls across distributed clusters. Each cluster in a CyberNEMO deployment runs its own CNPM instance, ensuring that policy management remains local, responsive, and aligned with the specific security posture of that environment.

CNPM provides the operators a structured, template-driven workflow for defining and enforcing network security policies. Indicative policies that CNPM can create and enforce include:

  • Deny-all ingress rules that block all inbound traffic to a namespace by default, enforcing an explicit allowlist model.
  • Least-privilege access controls that permit only the minimum necessary communication between services.
  • Source-based filtering, restricting traffic to specific IP ranges or trusted origins.
  • Port-level controls, limiting exposure to only the protocols and ports a service legitimately requires.

Policies can be generated from reusable templates, validated before deployment, and pushed directly to the cluster, reducing the risk of misconfiguration and ensuring consistency across environments.

CNPM integrates with the CyberNEMO event bus, receiving mitigation instructions from upstream platform components such as the Cloud Access Security Broker (CASB) and the Intrusion Prevention Detection and Mitigation Decision Support System (IPDM-DSS), closing the loop between threat detection and network-level response.

The module is released under the Apache License 2.0.

Read More

Meet White Shark: The Eyes and Ears of the Network

In the architectural hierarchy of CyberNEMO, the White Shark probe acts as the primary sensory organ, providing the critical observability required for a secure meta-Operating System. While other components focus on high-level orchestration or AI-driven analysis, White Shark operates at the “ground level,” functioning as a high-precision network probe that monitors the most fundamental unit of connectivity: the network socket.

Technical Architecture and Integration

Technically, White Shark is designed for seamless deployment within Kubernetes-based environments, where it integrates into the data plane to capture real-time telemetry. Its architecture is built around a lightweight footprint to minimize overhead while maintaining the ability to collect granular network metrics across the distributed Computing Continuum. As a key asset within Work Package 2 (WP2), it is specifically engineered to support Zero Trust Network Access (ZTNA) by providing the visibility needed to enforce “explicit verification” for every connection within the cluster.

Point-to-Point Measurement for High Precision

The defining feature of White Shark is its use of point-to-point measurement. Unlike traditional tools that provide broad averages, White Shark retrieves specific metrics—including latency, throughput, and jitter—directly between two communication endpoints. This socket-level approach bypasses the “fog” created by virtual network overlays and high-level abstractions, ensuring that the captured data reflects the actual communication experience of the microservices. This high-fidelity data is essential for differentiating between standard network fluctuations and subtle anomalies.

Driving Intelligence: The Link to NADA

The precision of White Shark is not just for monitoring performance; it is the essential fuel for NADA (Network Anomaly Detection AI). By providing a continuous stream of verifiable point-to-point data, White Shark allows NADA to analyze temporal and contextual patterns with extreme accuracy. Together, they form a proactive security loop: White Shark captures the “ground truth” of the network, and NADA interprets that truth to identify, ensuring the CyberNEMO environment remains resilient and secure.

Read More

Sphynx Cybersecurity Solutions and Contributions to CyberNEMO

Sphynx is research-driven a cybersecurity company, initially founded in Switzerland and currently operating in Switzerland, Greece, and Cyprus.  

We develop cutting edge cybersecurity technologies and provide services to our clients in the areas of security operation centres, managed security, cyber threat intelligence, incident response, training and certification.  

Our solutions are powered by products that have been developed in-house, including the Sphynx Security and Privacy Assurance Suite (SPA Suite) and the Sphynx Cyber Range platform. These products incorporate novel event processing, vulnerabilities detection, cyber threat intelligence, incident response and systems emulation capabilities which are based on machine learning, auto ML and generative AI. Sphynx has a strong R&D team that helps maintaining the cutting-edge features and technology of its products. 

At Sphynx, we are proud of our an extensive track record of participating in European and national R&D projects. Sphynx participates as a partner in CyberNEMO through its  Swiss arm,  Sphynx Technology Solutions AG (STS). Within CyberNEMO, STS mainly contributes to Task 4.1: Micro-services Auditing, Certification & Accreditation, Task 4.2: XAI Tools for continuous system risk analysis and Task 4.3: Strategies & Tools for cooperative remediation and mitigation. As part of those tasks the company develops a Proactive Cyber-Defense with Real-time Threat Intelligence Extraction, Prediction and Response; The primary objective is to minimize human workload and reduce the potential for error in the large-scale processing of Open-Source Cyber Threat Intelligence (OSCTI) by developing an automated, standards-compliant toolchain capable of transforming raw, unstructured intelligence into actionable defensive artefacts. The implemented system follows a hybrid, modular pipeline that integrates multiple stages of the cyber threat intelligence lifecycle.

Read More

From NEMO to CyberNEMO: The Evolution of Network Monitoring

The transition from the NEMO project to CyberNEMO marks a critical evolution in how we approach network visibility within distributed systems. In the original NEMO project, the primary challenge was establishing reliable performance monitoring across diverse infrastructure. Our response, developed by UPM within the networking work package, was White Shark. White Shark was designed as a network probe, focusing on the fundamental socket layer to measure point-to-point communication metrics like latency, throughput, and jitter. This provided a foundational level of observability, allowing operators to understand how the network was performing at any given moment.

However, as we moved into CyberNEMO, the landscape shifted dramatically. The emergence of a true “computing continuum”—spanning Cloud, Edge, and IoT devices—introduced complexity and a expanded attack surface. Simple performance monitoring was no longer sufficient. We realized that the massive stream of high-fidelity network telemetry generated by White Shark was not just performance data; it was a rich, untapped source of security intelligence. The data that previously told us if the network was fast, could now tell us if the network was being compromised.

This realization led to the development of the NADA (Network Anomaly Detection AI) component in CyberNEMO. NADA represents the intelligent brain that sits atop the White Shark sensing layer. Its purpose is to ingest the granular, socket-level data captured by the probe and use advanced machine learning algorithms to identify temporal and contextual anomalies.

The journey from NEMO to CyberNEMO is therefore characterized by a shift from reactive performance observation to proactive, AI-driven security validation. By enriching the data previously used only for network optimization, we have created a robust mechanism for enforcing Zero Trust principles by design. This evolutionary step ensures that CyberNEMO doesn’t just provide a high-performance network, but a verifiably secure and resilient foundation for the next generation of meta-operating systems.

Read More

Why Sockets Matter in Kubernetes: Beyond the Abstraction

In a standard Kubernetes (K8s) deployment, the sheer level of abstraction is a double-edged sword. While it simplifies orchestration, it often obscures the granular reality of network traffic. For the CyberNEMO project, specifically within WP2, we move past these high-level views to focus on the network socket. Why? Because sockets represent the “ground truth” of connectivity. In a distributed meta-OS, understanding the real-time state of point-to-point communication is the only way to ensure Cybersecurity and Privacy by Design.

Capturing the “Ground Truth” with White Shark

Traditional Kubernetes monitoring often looks at service-level averages, which can mask micro-bursts of latency or intermittent failures. By monitoring at the socket level, our White Shark probe can collect raw, high-fidelity data—including latency, throughput, and jitter—directly from the source. This allows us to see exactly how data moves between specific pods, bypassing the “fog” of virtualized overlays. This level of precision is essential for building a verifiable data plane, ensuring that every packet follows its intended path without manipulation.

Building a Stronger Zero Trust Foundation

Ultimately, focusing on sockets supports the Zero Trust principle of “explicit verification”. In CyberNEMO, we don’t just trust that a connection is secure because it’s inside the cluster. Instead, we use socket-based telemetry to constantly validate that communication patterns match the intended security policies.

Read More