Product | Profiler

The Profiler is a web threat detection tool that uses AI to detect and uniquely prioritise attacks depending on the risk they pose to your data.

The Profiler enables IT teams to detect, prioritise and respond immediately to high-risk attacks.

A Self Learning System, Revolutionising Web Applications Security

The Profiler detects sophisticated attacks often missed by conventional web application firewalls that rely on signature detection. The Profiler prioritises workload by only alerting teams when high-risk attacks occur, enabling incident response time to be reduced to seconds.

The Profiler analyses all aspects of the web traffic, providing a comprehensive web defence that can operate independently or complement existing security systems.

Data sheet

Anomaly Detection

The Profiler implements novel strategies to analyse anomalous behaviour in web traffic, reducing the pitfalls that standard signature and rule-based techniques are susceptible to. These methods help detect emerging and sophisticated cyber threats in real-time, reducing the effort for human intervention or interaction.

The Profiler uses unsupervised machine learning to analyse characteristics of typical data flows through the web application. These self-learning algorithms profile normal web traffic behaviour, inferring their own decisions. Metrics obtained are unique to a web server.

These include trend (modelled on logistic growth) and seasonality models (for example, accounting for time of day and day of the week). Field characteristics include character length and distribution. By profiling the web application, the Profiler determines whether the requests made are derived from the normal distribution of that specific field of the web application.

This approach determines what 'normal' looks like to the specific organisation, and subsequently makes a decision of what constitutes anomalous traffic based on that initial benchmark. Detected anomalies highlight likely malicious activity and are passed to the classification process for fingerprinting and risk assessment.

Real-time attack classification completes a holistic, intelligent defence.

All anomalies are presented, showing malicious activity. The Profiler uses a patented classification approach to determine attack characteristics for the following attacks (accounting for approximately 80% of all web attacks):

• SQL injection

• Cross-site Scripting (XSS)

• Bash

Semi-supervised machine learning algorithms are used to determine the type of web threat and three key characteristics:

• Sophistication: the quality of the attack string

• Capability: inference about the attacker, including if it is human or machine

• Effectiveness: critically, the server response is analysed to see if it is normal or abnormal traffic

Characteristics are normalised through the machine learning process to determine the risk of each attack and where it lies in the attack lifecycle. For example; a highly sophisticated attack, by a capable attacker, and where the system is responding in an abnormal way can be considered, with high degree of certainty, to be a very high risk.

Zero-day or polymorphic attacks that fall outside the classification tolerances of the Profiler, are immediately flagged as high risk and assigned for labelling for future classification.

Start my free trial

Get in touch to experience Cyberlytic’s revolutionary software for yourself today!

The Profiler offers advanced web defence, reducing response time from the most dangerous web-based attacks, from weeks to seconds


increase in SQL injection attacks since 2016


average number of days to fix a web application attack


of organisations report a shortage of cybersecurity skills

How the Profiler works

The Profiler is an application that detects and prioritises web injection attacks in real-time. The Profiler uses a patented Machine Learning classification approach to analyse the characteristics of each attack to determine the information security risk.

The Profiler includes features that support the user to identify and prioritise dangerous attacks, to effectively initiate incident response.

Risk-based dynamic reporting provides senior management with a regular summary of attack activity and risk exposure across hosts.

The Profiler application has two core components:

  • Connector
  • Profiler

Raw HTTP data is sent to the Profiler via:

  • Cloud Proxy
  • Web Server Agent Connector
  • Network Connector
  • The Profiler Cloud Proxy deployment provides instant connection and monitoring.  Simply point your web services to Cyberlytic's secure UK cloud.

    The Web Server Agent Connector is deployed as an agent onto the web server. It extracts and forwards HTTP sessions to a local or centrally hosted Profiler for analysis.

    The Network Connector is a virtual appliance that connects to a mirrored port of a switch. It monitors the full network traffic and extracts and forwards just the HTTP sessions to a local or centrally hosted Profiler for analysis.

    Keen to find out more?

    Experience our advanced web application security software for yourself. Just fill in the form and we’ll be in touch to arrange a demonstration or free proof of value trial.