
Build on the CYBRET fabric.
A live graph of your attack surface, as an API.

The CYBRET API exposes the same reasoning engine that powers the product: a typed knowledge graph of code, cloud, identity, and runtime, ranked by reachability. Query it over REST for day-to-day integrations, GraphQL for deep traversals, or subscribe to a streaming feed for live exposure, validation, and runtime events. Designed to drop into your existing ITSM, data platform, or detection stack, with scoped keys, per-workspace isolation, and first-class SDKs in Python, TypeScript, and Go.

Three transports: REST · GraphQL · Stream
Endpoints: 30+
Monthly uptime: 99.95%
p95 latency: <80ms
Quickstart

Three calls to go from nothing
to a ranked, reachable path.

01
Get a key
Mint a scoped workspace key from your org token. Keys are rotatable and carry an explicit scope set.
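# POST creates a key; GET on the same path only lists existing keys.
# Double quotes are needed so the shell expands $ORG_TOKEN.
curl -X POST https://api.cybret.ai/v1/auth/keys \
  -H "Authorization: Bearer $ORG_TOKEN"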
02
Fetch your graph
Pull a summary of the live knowledge graph for your workspace: assets, identities, boundaries, and current risk posture.
curl https://api.cybret.ai/v1/graph/summary \
  -H "Authorization: Bearer $CYBRET_KEY"
03
Query reachable paths
Ask the reasoner which paths actually connect a source to a sink, weighted by trust boundaries and auth.
curl -X POST https://api.cybret.ai/v1/paths/reachable \
  -H "Authorization: Bearer $CYBRET_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "from": "asset://repo/api-gateway",
    "to":   "asset://db/payments",
    "max_hops": 8
  }'
Endpoints

Five resource groups,
one consistent shape.

Graph
Nodes, edges, and subgraphs of the knowledge graph.
GET    /v1/graph/summary       Workspace-level posture snapshot
GET    /v1/graph/nodes/{id}    Fetch a single typed node with neighbors
POST   /v1/graph/query         GraphQL-style subgraph traversal
POST   /v1/paths/reachable     Reachability between two assets
GET    /v1/graph/export        Signed bulk export (Parquet / JSONL)
Exposure
Deduped, ranked findings and root-cause clusters.
GET    /v1/exposure/findings        Paginated findings, filterable by score
GET    /v1/exposure/clusters/{id}   Root-cause cluster with evidence trail
PATCH  /v1/exposure/findings/{id}   Update state, owner, suppression reason
POST   /v1/exposure/webhooks        Subscribe to new-finding events
Validation
Safe proof-of-exploit runs against ranked paths.
POST   /v1/validation/runs            Start a validation run on a path or cluster
GET    /v1/validation/runs/{id}       Run status, timeline, and artifacts
GET    /v1/validation/capsules/{id}   Signed, reproducible exploit capsule
POST   /v1/validation/runs/{id}:stop  Safe, reversible abort
Runtime
Live detection signals, correlated with exposure.
GET    /v1/runtime/events           Stream of correlated runtime events
GET    /v1/runtime/incidents/{id}   Incident with attack-chain and blast radius
POST   /v1/runtime/contain          Request reversible containment action
GET    /v1/runtime/timeline         Unified timeline across tenants
Admin
Keys, scopes, workspaces, audit.
POST   /v1/auth/keys        Create a scoped workspace key
GET    /v1/auth/keys        List active keys and last-used metadata
PATCH  /v1/auth/keys/{id}   Rotate, rescope, or revoke a key
GET    /v1/admin/audit      Signed audit log, paginated
Authentication

Three ways in,
all scoped.

Personal Access Tokens
Per-user, short-lived, tied to SSO session. Best for notebooks, local tools, and one-off scripts. Scopes are always a subset of the user's own scopes.
OAuth 2.0
Authorization-code flow for third-party apps. Users approve a scope set; tokens refresh on a rolling window and can be revoked from the admin console.
Workspace Keys
Long-lived service keys bound to a workspace, not a human. Rotatable, IP-pinnable, and required for server-to-server integrations and CI.
SCOPE SET
graph.read: Read nodes, edges, and summary endpoints.
graph.write: Mutate tags, ownership, custom metadata.
exposure.read: List findings, clusters, evidence.
exposure.write: Change state, suppressions, owners.
validation.run: Start, stop, and inspect validation runs.
runtime.read: Subscribe to runtime events and incidents.
runtime.contain: Issue reversible containment actions.
admin.keys: Create, rotate, and revoke workspace keys.
admin.audit: Read the signed audit log.
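
An added example (not CYBRET's code or SDK) of checking a workspace key against least privilege: given the calls an integration makes, it derives the scopes needed and reports granted scopes that go unused. The endpoint-to-scope mapping is an assumption inferred from the scope descriptions above, and the sample calls and granted scopes are constructed.

```python
import re

# ASSUMPTION: mapping inferred from the scope descriptions on this page;
# it is not CYBRET's published authorization table.
ROUTE_SCOPES = [
    ("GET",   "/v1/graph/summary",             "graph.read"),
    ("GET",   "/v1/graph/nodes/{id}",          "graph.read"),
    ("GET",   "/v1/exposure/findings",         "exposure.read"),
    ("GET",   "/v1/exposure/clusters/{id}",    "exposure.read"),
    ("PATCH", "/v1/exposure/findings/{id}",    "exposure.write"),
    ("POST",  "/v1/validation/runs",           "validation.run"),
    ("GET",   "/v1/validation/runs/{id}",      "validation.run"),
    ("POST",  "/v1/validation/runs/{id}:stop", "validation.run"),
    ("GET",   "/v1/runtime/events",            "runtime.read"),
    ("GET",   "/v1/runtime/incidents/{id}",    "runtime.read"),
    ("POST",  "/v1/runtime/contain",           "runtime.contain"),
    ("POST",  "/v1/auth/keys",                 "admin.keys"),
    ("PATCH", "/v1/auth/keys/{id}",            "admin.keys"),
    ("GET",   "/v1/admin/audit",               "admin.audit"),
]

def _compile(template):
    # "{id}" matches exactly one path segment (no "/" or ":"); the rest is literal.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/:]+".join(map(re.escape, parts)) + "$")

ROUTES = [(m, _compile(t), s) for m, t, s in ROUTE_SCOPES]

def scope_for(method, path):
    """Return the scope a call needs, or None if the route is not in the table."""
    path = path.split("?", 1)[0]  # the query string does not affect the route
    for m, rx, scope in ROUTES:
        if m == method.upper() and rx.match(path):
            return scope
    return None

def audit_key(granted, calls):
    """Compare a key's granted scopes with what the observed calls require."""
    needed, unmapped = set(), []
    for method, path in calls:
        scope = scope_for(method, path)
        if scope:
            needed.add(scope)
        else:
            unmapped.append((method, path))  # review by hand; never guess a scope
    granted = set(granted)
    return {"needed": sorted(needed), "missing": sorted(needed - granted),
            "excess": sorted(granted - needed), "unmapped": unmapped}

# Constructed sample: a hypothetical ticket-sync job and the scopes on its key.
CALLS = [("GET", "/v1/exposure/findings"), ("PATCH", "/v1/exposure/findings/f_123"),
         ("GET", "/v1/exposure/clusters/c_9"), ("POST", "/v1/graph/query")]
GRANTED = ["exposure.read", "exposure.write", "runtime.contain", "admin.keys"]
```
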
Examples

The same call,
three ways.

POST /v1/paths/reachable
# Find reachable paths from the API gateway to the payments DB
curl -X POST https://api.cybret.ai/v1/paths/reachable \
  -H "Authorization: Bearer $CYBRET_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "from": "asset://repo/api-gateway",
    "to":   "asset://db/payments",
    "max_hops": 8,
    "require_auth_bypass": false
  }'
SDKs & tooling

Same surface,
in the language you ship in.

Python
Typed client with first-class asyncio support, pandas interop for exposure snapshots, and a pytest fixture for replaying validation capsules.
pip install cybret
TypeScript
Zero-dep ESM client, Zod-compatible response types, streaming helpers for runtime events, and an edge-runtime build for Workers and Deno.
npm install @cybret/sdk
Go
Context-aware, generics-based client. Ships a cybretctl-compatible core, idiomatic errors, and a net/http middleware for attaching graph context.
go get github.com/cybret-ai/sdk-go
CLI
Local shell for the fabric. Tail runtime events, run validation capsules, diff graph snapshots, and pipe JSON into jq. MIT-licensed.
brew install cybret
Rate limits & reliability

Built to be called
from the hot path.

1,000 req/min per key
Default workspace-key ceiling, with smooth burst credit up to 3x for 10 seconds. Higher tiers and dedicated pools available on Enterprise.
99.95% monthly SLA
Availability and p95 latency SLAs on every paid plan, measured against the public status page. Credits issued automatically on breach.
5 regions, auto-routed
US-East, US-West, EU (Frankfurt), UK, and AU edge. Requests hit the nearest region; data residency is pinned per workspace.
Changelog

Small, frequent, and documented.

2026-04-18  v1.14.0  GraphQL pagination and cursor semantics harmonized across exposure and runtime.
2026-04-02  v1.13.0  New /v1/paths/reachable body flag require_auth_bypass for stricter attacker modeling.
2026-03-17  v1.12.1  Streaming runtime events gain replay cursors with 24-hour retention.
2026-03-03  v1.12.0  Workspace keys can now be IP-pinned; audit log exposes last-used CIDR.