CyberUp24 logo

How CyberUp24 Runs AI-Native Security Monitoring on Air-Gapped AI Edge Kits with RunReveal

CyberUp24 deploys RunReveal on its on-prem, Kubernetes-based AI Edge kits, bringing AI-native SOC capability to air-gapped defense and government environments.

We got a customer’s infrastructure up and running in less than a couple of hours. They were able to monitor one of the buildings within a couple minutes after we set it up, and they started using RunReveal to pull statistics on what type of traffic was going on.

Dan Le

CEO & Co-Founder, CyberUp24

CyberUp24 builds the LARK (Lightweight AI Recon Kit), hardware that brings full security monitoring to environments the cloud can't reach: no internet, no external connections, no compromise on data control. Inside every kit is RunReveal, the SIEM doing the work.

Built by operators, for the environments others avoid

The CyberUp24 team spent years as cyber operators inside government agencies before building AI Edge kits: hardware-based systems designed for austere and air-gapped environments where standard cloud monitoring doesn't work.

"We've seen kits that were built really flimsy, or they cost way too much and weren't great quality," says Dan Le, founder of CyberUp24. "We took our years of experience to build something quality-based, AI-enabled right out of the box, with the best optimal software possible."

RunReveal is a core part of that software stack, handling detection, correlation, and investigation for every kit deployed in the field.

The problem with running Splunk on Kubernetes at the edge

CyberUp24 originally bundled Splunk Enterprise Security into its kits, deployed on an on-prem Kubernetes stack. It didn't hold up.

"It was a big problem, cost for not a lot of benefit," Dan says. "We had problems getting it to run in our Kubernetes stack. And it was slow to build; it would take 20 to 30 minutes just to sync up."

For a kit that's meant to be self-contained hardware, dropped into a site and stood up fast, a 20-to-30 minute sync on every build is a real constraint. It also didn't leave room for the AI capability CyberUp24 wanted baked into the stack. The team went looking for a SIEM that could run natively on their Kubernetes environment and deliver real AI SOC functionality without giving up on-prem deployment.

Why RunReveal fit the kit model

Two things made RunReveal work on the kits where Splunk hadn't: it deploys cleanly on on-prem Kubernetes stack with no internet dependency, and it pairs that with an AI chat interface that replaces query languages with plain English.

"We can run this on-prem, no internet connection, with our own embedded LLMs," Dan says.

That on-prem, Kubernetes-native, air-gapped model is now running the same way for other CyberUp24 customers.

AI chat as a force multiplier for SOC analysts and security engineers

The chat interface changes what a single SOC analyst can cover on a kit. Analysts already bring the methodology, and RunReveal removes the friction between knowing what to look for and getting the answer.

"They [the security team] can ask the chat: give me a chart of the top 10 talkers, or has there been any DNS exfil or anomalies. It actually goes and does it, and gives you recommendations."

That extends to detection engineering. Analysts can build a new detection by describing the use case directly, without hand-writing it in Sigma or SQL.

"They just need to tell it, hey, I want a use case that alerts me on critical alerts on XYZ platform, and it'll go do it," Dan says.

Speed to value, measured in hours

CyberUp24 deploys kits into live environments fast, and RunReveal has to be ready to go the moment a kit powers on.

"We got a customer's infrastructure up and running in less than a couple of hours," Dan says. "They were able to monitor one of the buildings within a couple minutes after we set it up, and they started using RunReveal to pull statistics on what type of traffic was going on."

What's next

Today, CyberUp24's kits are deployed for security teams. Dan sees the same model extending into OT networks, US Government Agencies, and critical infrastructure: oil and gas, manufacturing, utilities, and government operations that run on-prem by necessity rather than choice.

"These are critical, sensitive environments that can't do cloud-based monitoring," Dan says. "I see this becoming part of the infrastructure that's still in use today, especially for critical infrastructure and government. This is a great way to get a SOC up and running in minutes, with one box and RunReveal in the LARK."

CyberUp24 is a RunReveal partner, deploying RunReveal as the embedded SIEM across their AI Edge kits for government and commercial customers operating in on-prem and air-gapped environments.

More Customer Stories

One platform. All your security data.
Complete Control.