The CyQuantiFi Capture Appliance
A passive on-site sensor that turns live network traffic into an FAIR-based dollar figure — and an SMB1001, Essential Eight, or SOCI-ready report the board, the underwriter, or the regulator will actually accept.
The gap the industry left open
The dedicated cyber risk quantification vendors (Safe, Kovrr, Axio, RiskLens) are pure cloud SaaS at USD 75–300K per year. None of them put a sensor on your network. The on-site vendors that do ship an appliance — Nozomi, Claroty, Dragos — are OT visibility platforms, not risk quantifiers. They tell you what's on the wire; they don't tell you what it's worth if it breaks.
The Capture Appliance sits in the gap. A passive tap on a mirror port; asset and third-party discovery from real traffic; automatic FAIR-based Monte Carlo modelling with prediction-market inputs for the assets your scanners can't touch; and a signed compliance report at the end — SMB1001 for the underwriter, Essential Eight for the board, SOCI hazard mapping for the regulator.
Live network truth in. Dollars and audit-ready evidence out. No cloud egress required.
What the appliance does on-site
Passive network capture
Plug into a SPAN, mirror, or TAP port. No agents, no active scanning, no risk of disturbing OT. Dual-NIC by default so the management plane never touches the traffic plane.
Automatic asset & third-party discovery
The sensor reconstructs your asset inventory and vendor exposure map from what it actually sees on the wire — not from a spreadsheet last updated in 2023. Third-party services (SaaS, cloud, upstream vendors) are flagged as separate risk graphs.
Attack graphs & prediction-market inputs
Discovered assets become nodes in an attack graph. For unscannable assets (OT, SCADA, air-gapped, legacy) the platform opens prediction markets so your team — or a broader expert pool — can price the paths that no scanner can measure.
FAIR-based dollar risk, on-box
Monte Carlo simulation runs against the graph and produces an Annual Loss Expectancy in dollars, with confidence intervals. The number is defensible to a board, an underwriter, and a regulator using the same industry-standard method.
Signed compliance report — SMB1001, Essential Eight, SOCI
The output isn't a dashboard alone. It's a report the customer can hand to their insurer, their board, or the regulator: SMB1001 Bronze → Diamond readiness, Essential Eight maturity, and SOCI four-hazard mapping — each with dollar-quantified evidence attached.
One appliance, three modes
The same platform runs in three coupling modes. The customer's assurance requirements pick the mode — not the other way around.
| Mode | What runs on the box | Egress | Best for |
|---|---|---|---|
| Sensor | Capture & push agent only | HTTPS to central CyQuantiFi | Insurance & SMB assessments |
| Edge | Full CyQuantiFi + capture | Optional one-way, ALE-only | Critical infrastructure & SOCI |
| Sovereign | Full CyQuantiFi, air-gapped | None | Government, classified, PROTECTED-adjacent |
Why the modes matter. Raw traffic never leaves the box in Edge or Sovereign mode. If aggregation happens at all, only the dollar output — the ALE and its confidence interval — is shared, and only in one direction. Sovereignty and OT-safety are engineered in, not policy overlays.
Who it's for
Insurance & SMB channel
Job to be done: underwriting evidence, loss-control input, and an SMB1001 readiness report the agency can hand to the insured.
Deployment: the agency carries the box between clients for 24–48 hour captures. Report generated centrally.
Edge over the incumbents: Coalition, At-Bay, and Cowbell do outside-in. This appliance sees inside-out — the data they can't reach.
Critical infrastructure (SOCI)
Job to be done: passive visibility on unscannable OT/ICS, continuous quantified monitoring, and dollar-per-hazard evidence for CIRMP annual reports.
Deployment: always-on industrial appliance, DIN-rail or 1U, per site. Egress optional and one-way.
Edge over the incumbents: Nozomi, Claroty and Dragos give you visibility. CyQuantiFi gives you the quantification and compliance layer on top — the layer the board and the regulator actually read.
Government & sovereign
Job to be done: sovereignty, classification hygiene, and ISM / Essential Eight / PSPF-aligned reporting inside an assured boundary.
Deployment: air-gapped, no egress, offline licensing. Assured x86 industrial hardware with secure boot and TPM.
Edge over the incumbents: the cloud-only CRQ vendors can't meet a PROTECTED boundary. A sovereign appliance is the whole pitch — not a footnote.
Hardware options
The Capture Appliance is packaged in three hardware tiers. A customer or channel partner can start on the reference design and step up as their assurance bar rises.
| Tier | Platform | Suits | Assurance ceiling |
|---|---|---|---|
| Reference | Raspberry Pi 4 / CM4 build (documented spec, BYO) | Demos, insurance leave-behinds, SMB assessments | Assessment-grade |
| Industrial | CM5 industrial (fanless, dual-GbE, extended temp) | SMB continuous monitoring, light critical infrastructure | Commercial-grade |
| Assured | x86 industrial with secure boot & TPM (OEM partner) | SOCI, defence-adjacent, government | IRAP-scope target |
Three ways to buy it
Software subscription only. You (or your MSP / broker) build the box to our published spec. Fastest path to a pilot.
Buy or lease the appliance plus an Enterprise subscription — priced against your Value-at-Risk, so cost scales with what the appliance is defending.
A hardware partner ships the box; CyQuantiFi licenses the software and owns the assurance story. Built for critical infrastructure and government scale.
Insurance agencies & MSPs. The reference design is built for you. Bundle 24-hour captures into your quarterly business review, hand the insured an SMB1001-mapped report, and use the ALE number to argue premiums. Talk to us about the channel programme.
What we're shipping, and in what order
We are honest about what is available today, what is in build, and what needs a design partner in the room before it ships.
Now — Reference SKU (Sensor mode)
The Raspberry Pi build is documented, tested, and ready. Pilot programmes open to insurance agencies, SMB-focused MSPs, and consultancies who want to bundle it into an assessment.
Near — Edge SKU (full-local)
Full CyQuantiFi packaged on a CM5-industrial or x86 box. Offline licensing, local secrets, optional one-way ALE sync. Target: one or two critical-infrastructure design partners.
Later — Sovereign SKU (air-gapped, OEM)
Assured x86 industrial through an OEM partner, secure boot & TPM, IRAP assessment in scope. Deeper OT protocol coverage. Target: government and tier-one critical infrastructure.
What we won't pretend to be
We're a small Australian company. We're being deliberate about scope so we don't over-promise:
If you need deep Modbus / DNP3 / S7 anomaly detection, that's Dragos / Nozomi / Claroty. We consume passive capture — theirs or ours — and produce the dollar-and-compliance layer above it.
It's the reference and demo SKU. For government and sensitive-critical-infrastructure work, we ship the assured x86 tier through an OEM partner and are prepared for the IRAP conversation.
Active-scan paths are hard-disabled on Edge and Sovereign builds. Everything is passive. If a mirror port isn't available, we walk away rather than take the risk.
Raw traffic never egresses in Edge or Sovereign mode. If anything is aggregated centrally, it is the ALE number, one-way, on your terms. Data ownership is documented in the pilot agreement.
Design partners we're looking for
We're picking a small number of design partners to shape the first production release. What you get: the appliance at cost, direct access to the founder, joint authorship of the reference case study, and a locked-in launch-price on the first year of subscription.
Australian cyber-insurance broker or agency who wants an inside-out data source and an SMB1001 report to differentiate on renewal.
Water, energy, ports, transport — anywhere Enhanced CIRMP applies and the annual report needs quantified evidence, not colour-coded assurances.
Federal or state entity with an OFFICIAL or PROTECTED-adjacent boundary who wants a sovereign, on-appliance quantification story.
See a Capture Appliance report on your own network
Book a 30-minute call. If it's a fit, we'll run a 24-hour capture on your dev or lab environment and produce a full ALE + SMB1001 report you can keep — no obligation.
