
Platform Architecture

How WNCYBER components fit together — identity sources, the control plane, the policy engine, and the audit layer.

WNCYBER is built as a layered platform with clear separation between the identity connector layer (data collection), the control plane (decisions), the enforcement layer (actions), and the audit layer (record of every decision and action). Understanding this architecture helps you plan deployments, scope connector permissions, configure integrations, and interpret audit data.

Core Components

Identity Connector Layer

The connector layer interfaces with your existing identity sources:

  • Directory connectors — sync identities from Microsoft Entra ID, Active Directory, Okta, and other directories
  • Cloud connectors — discover IAM roles, service accounts, and workload identities in AWS, Azure, and GCP
  • CI/CD connectors — discover secrets and credentials embedded in pipelines, repos, and configuration management systems
  • Agent SDK — a lightweight agent for environments where API-based discovery is not available

Connectors are read-only by default: they discover and sync identities but do not change anything in the source system. Write operations (provisioning, deprovisioning, rotation) are performed through the control plane and require explicit configuration. Scope the credential each connector uses in the source system to match: a connector that only discovers should hold read-only permissions, so that a compromised connector host cannot be used to modify the directory or cloud account.

Control Plane

The control plane is where all identity decisions are made:

  • Identity graph — a unified view of all discovered identities, their relationships, and their access rights across every connected source
  • Policy engine — evaluates access requests and identity state against configured policies in real time
  • AI risk scoring — assigns continuous risk scores to identities based on behaviour, access patterns, and threat intelligence
  • Workflow engine — manages approval workflows, access certifications, and remediation tasks

Enforcement Layer

The enforcement layer translates control plane decisions into actions:

  • Dynamic credential issuance — issues short-lived credentials to requesting workloads on demand
  • Session broker — proxies privileged sessions to enable recording and real-time monitoring
  • Policy propagation — pushes policy decisions to connected enforcement points (firewalls, proxies, PAM systems)

Audit Layer

Every access event, policy decision (including denials and escalations), and identity change is appended to the audit layer:

  • Immutable, tamper-resistant event log accessible via the API and the console
  • Pre-built compliance reports for SOC 2, ISO 27001, HIPAA, and GDPR
  • Real-time streaming to your SIEM via webhook or native integrations

Data Flow

A typical access request flows through the platform as follows:

  1. A workload or user requests access to a resource
  2. The request reaches the control plane via the WNCYBER agent or API
  3. The policy engine evaluates the request against applicable policies
  4. AI risk scoring assigns the requesting identity a current risk score, which the policy engine takes into account
  5. The control plane approves, denies, or escalates the request
  6. If approved, the enforcement layer issues short-lived credentials or opens a brokered session
  7. Every step, including denied and escalated requests, is written to the audit log
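The request flow above and the tamper-resistant event log described under Audit Layer, as an added illustrative model in Python. This is not WNCYBER code and does not reflect its internal formats: the policy shape (identity, resource, allowed actions, maximum risk), the static risk table standing in for AI risk scoring, the credential layout and 300-second TTL, and the SHA-256 hash chain are all assumptions chosen to make steps 1 to 7 concrete and runnable offline. The sample identities, policies and scores are constructed for the example.

```python
"""Illustrative model of the access-request flow and a hash-chained audit log.

Added example, not WNCYBER code. Policy shape, risk table, credential
format, TTL and hash-chain construction are all assumptions.
"""
import hashlib
import json
import secrets
import time
from typing import Optional

# Control plane: assumed policy shape. A rule grants an identity a set of
# actions on a resource, but only while the identity's risk score is at or
# below max_risk; above that the request is escalated for human approval.
POLICIES = [
    {"identity": "svc-billing", "resource": "db/orders",
     "actions": {"read"}, "max_risk": 70},
    {"identity": "alice", "resource": "db/orders",
     "actions": {"read", "write"}, "max_risk": 50},
]

# Stand-in for AI risk scoring: a static table of constructed scores.
RISK_SCORES = {"svc-billing": 20, "alice": 65, "mallory": 95}
UNKNOWN_RISK = 100  # an identity the risk engine has never scored is treated as maximum risk


def evaluate(identity: str, resource: str, action: str) -> str:
    """Policy engine (steps 3-5): return 'approve', 'deny' or 'escalate'."""
    matches = [p for p in POLICIES
               if p["identity"] == identity and p["resource"] == resource
               and action in p["actions"]]
    if not matches:
        return "deny"  # nothing grants this action: deny regardless of risk
    risk = RISK_SCORES.get(identity, UNKNOWN_RISK)
    if any(risk <= p["max_risk"] for p in matches):
        return "approve"
    return "escalate"  # a policy matches, but the identity is too risky to auto-approve


def issue_credential(identity: str, resource: str, ttl_s: int = 300,
                     now: Optional[float] = None) -> dict:
    """Enforcement layer (step 6): a short-lived credential scoped to one resource."""
    now = time.time() if now is None else now
    return {"sub": identity, "res": resource, "exp": now + ttl_s,
            "token": secrets.token_urlsafe(24)}


def credential_valid(cred: dict, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return now < cred["exp"]


class AuditLog:
    """Audit layer: append-only log in which each entry commits to the hash
    of the previous one, so editing or deleting any earlier record breaks
    every hash that follows it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _hash(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        h = self._hash(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; any break means tampering."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def handle_request(log: AuditLog, identity: str, resource: str, action: str,
                   now: Optional[float] = None) -> dict:
    """Steps 1-7 for one request. The issued token never reaches the audit log."""
    now = time.time() if now is None else now
    decision = evaluate(identity, resource, action)
    result = {"identity": identity, "resource": resource, "action": action,
              "risk": RISK_SCORES.get(identity, UNKNOWN_RISK), "decision": decision}
    if decision == "approve":
        result["credential"] = issue_credential(identity, resource, now=now)
    # Step 7: record the decision, including denials and escalations, minus the secret.
    event = {k: v for k, v in result.items() if k != "credential"}
    event["ts"] = now
    if "credential" in result:
        event["credential_exp"] = result["credential"]["exp"]
    log.append(event)
    return result


if __name__ == "__main__":
    log = AuditLog()
    for who, act in (("svc-billing", "read"), ("alice", "write"), ("mallory", "read")):
        print(who, act, "->", handle_request(log, who, "db/orders", act)["decision"])
    print("audit chain intact:", log.verify())
    log.entries[0]["event"]["decision"] = "deny"  # simulate editing an earlier record
    print("after tampering:", log.verify())
```

Run it directly to see the three decisions (approve, escalate, deny) and the chain check flip to False after the simulated edit. Two points the model makes explicit: a request with no matching policy is denied outright rather than scored, so a low risk score never grants access by itself; and the hash chain makes tampering detectable, not impossible, since anyone who can rewrite every later entry can rebuild it. That is why audit hashes are worth anchoring somewhere the writer cannot alter, such as the SIEM the platform streams events to.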

Deployment Models

SaaS (default) — the WNCYBER control plane is hosted and managed by WNCYBER. Connectors run in your environment and initiate all connections outbound to the control plane over TLS 1.3, so your network only needs to permit egress from the connector hosts to the control plane; no inbound access is required.

Private deployment — the control plane can be deployed in your cloud account or on-premises. Contact your account team for private deployment requirements.