+11 batteries.
One kill chain to break.

Vimy doesn't monitor one layer and hope for the best. It monitors every layer simultaneously — perimeter, identity, infrastructure, email, endpoint, network, SaaS, data, supply chain, compliance, and quantum — and correlates signals across all of them in real time.

+11 security batteries · 56+ detection specs · 13+ cross-battery correlations

Combined Arms

Why batteries, not modules.

Traditional security tools are siloed. Your EDR watches endpoints. Your SIEM aggregates logs. Your identity provider tracks logins. Each tool sees one slice — attackers move between slices.

Vimy organizes defense into batteries — a military term for coordinated defensive positions. Each battery specializes in one layer but shares intelligence with every other battery. When the Identity battery detects an impossible travel login, the Infrastructure battery is immediately on alert for that user's server access. The Perimeter battery watches for their IP across all edge traffic.

This is combined arms defense. The attacker can't evade +11 coordinated layers the way they evade one.

All +11 batteries

Perimeter: Edge protection, DDoS, WAF, DNS
Identity: Account takeover, MFA, OAuth, sessions
Infrastructure: Servers, cloud, SSH, backups
Email: Phishing, BEC, forwarding rules
Endpoint: Malware, EDR, device compliance
Network: Lateral movement, C2, DNS tunneling
SaaS: Slack, GitHub, data leaks
Data: Exfiltration, bulk downloads, sharing
Supply Chain: Vendor risk, OAuth apps, dependencies
Compliance: Regulatory gaps, policy drift
Quantum: PQC readiness, cryptographic inventory

Live Now

Always watching. Every layer.

Cross-signal detection across your perimeter, identity, and infrastructure — with automated response.

Live

Perimeter Battery

Connector: Cloudflare

Monitors your edge — the boundary between the internet and your infrastructure. Detects DDoS patterns, WAF bypass attempts, origin IP exposure, DNS hijacking, bot swarms, and SSL/TLS downgrade attacks.

Detection Specifications
WAF Bypass · Origin IP Exposure · DNS Hijack · SSL Downgrade · Bot Swarm · DDoS Pattern · Non-CF Web Traffic
Response Actions
Block IP · Enable Under Attack Mode · Modify WAF Rules
Mutual support: Identity, Email

Live

Identity Battery

Connector: Google Workspace · Okta · Entra ID

Monitors authentication and authorization across your identity providers. Detects account takeover, MFA bypass and fatigue attacks, OAuth abuse, impossible travel, privilege escalation, credential stuffing, and session hijacking.

Detection Specifications
Impossible Travel · MFA Fatigue · Suspicious OAuth Grant · Token Replay · Privilege Escalation · Credential Stuffing · Session Hijack
Response Actions
Revoke Session · Force MFA Reset · Suspend Account
Mutual support: Infrastructure, Data

Live

Infrastructure Battery

Connectors: Vimy Agent, Canadian cloud infrastructure · AWS · Azure

Monitors servers, cloud resources, and containerized workloads. Detects unauthorized SSH access, cryptomining, reverse shells, firewall tampering, backup deletion, SSH key injection, and API key abuse.

Detection Specifications
Unauthorized SSH · Cryptomining · Reverse Shell · Firewall Tampering · Backup Deletion · SSH Key Injection · API Key Abuse · Non-CF Web Traffic
Response Actions
Firewall Rules · Server Isolation
Mutual support: Data, Perimeter

Detection Engine

Every attack has a pattern. We find it.

Vimy evaluates activity across every connected layer — matching behavior against known attack techniques, baselines, and cross-signal correlations. When something triggers, a full investigation is created automatically with evidence attached.

Behavioral baselines

Learn what's normal for every user, device, and service. Flag what isn't.

MITRE ATT&CK mapped

Every detection ties to a known technique, so your team speaks the same language as the threat.

Cross-battery correlation

A login anomaly alone is noise. Paired with a firewall change? That's an attack chain.

Perimeter: Edge, DDoS, WAF, DNS
Identity: Account takeover, MFA bypass, OAuth
Infrastructure: Servers, cloud, SSH, containers
Email: Phishing, BEC, forwarding rules
Endpoint: Malware, EDR signals, device posture
Network: Lateral movement, C2, DNS tunneling
Data: Exfiltration, bulk downloads, sharing
SaaS: Slack, GitHub, app-level data leaks
Deception: Honeytokens, canary files, trip wires
Cross-Battery Correlations: Multi-stage attack chains

Correlation Engine

The patterns single tools can't see.

Cross-battery correlation connects signals from different batteries into unified attack stories — catching multi-stage attacks that would appear as unrelated alerts in single-vendor tools.

Phishing → Infrastructure Compromise

Email Battery: Suspicious email detected with credential-harvesting link
Identity Battery: User clicks link, impossible travel login detected
Infrastructure Battery: Lateral movement to finance server via compromised account
TRO: CRITICAL — Single operation correlating all three events with full blast radius

A standalone email gateway sees a phishing attempt. A standalone identity tool sees an unusual login. A standalone server monitor sees an SSH session. None of them see the full attack chain. Vimy does.

Credential Stuffing → Data Exfiltration

Perimeter Battery: Brute force login attempts from rotating IPs detected
Identity Battery: Successful authentication from unusual geography
Data Battery: Bulk data download initiated within minutes of login
TRO: CRITICAL — Full blast radius mapped, autonomous containment triggered

The brute force, the successful auth, and the download appear in three separate tools. The correlation is the threat.
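
The chain above written as an ordered, time-bounded correlation over normalized events. This is an added example, not Vimy's code; the event schema, kind names, time windows, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical chain definition: (battery, event kind, max gap since previous stage).
# Kind names and windows are assumptions; geo and brute-force labelling happen upstream.
CHAIN = [
    ("perimeter", "brute_force", None),
    ("identity", "unusual_geo_login", timedelta(hours=1)),
    ("data", "bulk_download", timedelta(minutes=10)),
]

def correlate(events):
    """Return one finding per user whose events complete CHAIN in order."""
    progress, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = (ev["battery"], ev["kind"])
        matched = progress.setdefault(ev["user"], [])
        if sig == CHAIN[0][:2] and len(matched) <= 1:
            matched[:] = [ev]          # start the chain, or refresh stage one
            continue
        if not matched:
            continue                   # later stages mean nothing without stage one
        battery, kind, max_gap = CHAIN[len(matched)]
        if sig != (battery, kind):
            continue                   # unrelated event, keep waiting
        if ev["ts"] - matched[-1]["ts"] > max_gap:
            matched.clear()            # too late: the chain has gone stale
            continue
        matched.append(ev)
        if len(matched) == len(CHAIN):
            findings.append({"user": ev["user"], "severity": "CRITICAL",
                             "evidence": [(m["battery"], m["kind"]) for m in matched]})
            matched.clear()
    return findings

T0 = datetime(2024, 1, 1, 9, 0)
def mk(minute, battery, kind, user):
    return {"ts": T0 + timedelta(minutes=minute), "battery": battery, "kind": kind, "user": user}

# Constructed sample events: only alice completes the chain inside both windows.
SAMPLE = [
    mk(0, "perimeter", "brute_force", "alice"),
    mk(12, "identity", "unusual_geo_login", "alice"),
    mk(15, "data", "bulk_download", "alice"),
    mk(5, "identity", "unusual_geo_login", "bob"),    # no brute force first
    mk(7, "data", "bulk_download", "bob"),
    mk(1, "perimeter", "brute_force", "carol"),
    mk(20, "identity", "unusual_geo_login", "carol"),
    mk(95, "data", "bulk_download", "carol"),         # 75 minutes after login
]
```

Calling correlate(SAMPLE) yields a single finding for alice; bob's login and download have no preceding perimeter signal, and carol's download falls outside the ten-minute window.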

Configuration Drift Campaign

Perimeter Battery: WAF rule weakened — known bypass pattern removed
Identity Battery: MFA disabled for an admin account by another admin
Infrastructure Battery: Firewall port 22 opened from restricted to public
TRO: HIGH — Correlated as coordinated config weakening campaign

No single change is alarming. The pattern across three batteries raises the alert before exploitation begins.

Threat Response Operations

Every threat becomes a structured operation.

When a detection fires, Vimy creates a Threat Response Operation (TRO) — a structured object with a full lifecycle. Every TRO includes a complete evidence chain, entity graph, and audit trail from detection through verified closure.

Detected
Triaged
Response Planned
Awaiting Approval
Executing
Completed
BDA Verifying
Narrative Generated
Closed
Any state can transition to → Rolled Back

Evidence Chain

Every TRO captures the complete evidence trail — raw events, normalized data, entity relationships, detection rule that fired, AI triage reasoning, response actions taken, and verification results.

Action Manifest

Response actions are planned as a manifest — a structured list of what will be done, to which entities, via which connectors. In supervised mode, the manifest awaits human approval before execution.

Battle Damage Assessment

After response execution, Vimy verifies containment worked. Did the attacker adapt? Is the threat neutralized? BDA closes the loop — don't assume containment, prove it.

Coverage

Know what you cover. Know what you don't.

Vimy maps every detection specification to MITRE ATT&CK techniques. The Fog of War page in the platform shows your real-time coverage across the ATT&CK matrix — which techniques you detect, which you partially cover, and which are blind spots.

Every connector you add and every battery that activates fills in more of the matrix. Coverage is measurable, not assumed.

56+ detection specifications
13+ cross-battery correlations
ATT&CK: Full technique mapping

See your attack surface through Vimy.

30-minute demo. We'll show you which layers are covered, which are exposed, and what lights up on day one.

+11 batteries · 56+ detections · 100% Canadian infrastructure