Detection-validation platform

Measure what your SOC actually detects.

Not a coverage dashboard. Not a simulation. We replay real attack techniques against a digital twin of your environment and measure whether your own SIEM fires — and how fast.

On-prem & air-gapped · your data never leaves · mapped to MITRE ATT&CK
Detection Reality — live measurement on your SIEM
T1110.001 · SSH brute-forceALERTED 1.8s
T1059.001 · PowerShellALERTED 3.1s
T1003.001 · LSASS dumpMISSED
T1486 · RansomwareMISSED
Coverage proven by real alerts firing — not rule counts.source: your running SIEM
84
ATT&CK techniques across 13 tactics
sec
MTTD measured in seconds, not estimated
3 SIEM
QRadar · Splunk · Wazuh — measured on the real thing
258 days
mean time to identify & contain a breach
IBM 2024
The gap

A green coverage dashboard is not detection.

Coverage counts the rules that exist. Detection is whether they actually fire — on your telemetry, right now, and how fast. Most teams cannot give you that second number, because measuring it is uncomfortable work no dashboard rewards.

Missing log source. The rule exists but the events never reach the SIEM.
Drifted parser. A field shifted; the rule silently stops matching a trivial variant.
Disabled or mis-thresholded rule. Survives the audit, not the intrusion.
How it works

Emulate. Measure. Close the loop.

A closed-loop method that treats detection like code — with an owner, a source, and a test that runs again after every change.

Build a digital twin

We model your environment and replay real ATT&CK techniques as safe emulation — never on production, safe by construction.

Measure real detection

It reads the outcome from your own SIEM: did the alert actually fire for each technique, and the real time-to-detect (MTTD).

Close the loop

Every blind spot comes with a rule fix. Apply it, re-measure, and prove the number moved — reproducibly.

The difference

Most tools tell you the attack ran. We tell you if you saw it.

BAS and validation platforms confirm the technique executed, or show coverage on paper. VCyber Twin measures the actual detection outcome on your own SIEM.

Measured, not inferred

Coverage proven by alerts that actually fire, with real MTTD — not derived from a count of rules.

On your SIEM, not a sandbox

It reads QRadar, Splunk or Wazuh in your own environment — the detection you actually rely on.

It closes the loop

Find the gap, fix the rule, re-measure — the coverage number moves and you can prove it.

The deliverable

A board-ready Detection Reality Report.

Not a self-assessed checklist — measured facts your board and regulator can act on.

Coverage proven by real alerts firing, with MTTD per technique.
Named blind spots mapped to ATT&CK, each with a root cause.
Compliance mapping to NIST CSF · ISO 27001 · 800-53, and DORA / RMiT-style drills.
Prioritised remediation — every fix re-measurable.
Detection Reality ReportSAMPLE
64%
detected
4
blind spots
3.4s
median MTTD
🟩 blocked · 🟦 alerted · 🟥 missed — measured on the running SIEM
Data sovereignty

Runs inside your network. Nothing leaves.

Delivered as an offline appliance — on-prem or air-gapped. It reads your SIEM locally; your security telemetry and results stay entirely on your side.

On-prem / air-gap

Offline appliance

Installs inside your network with its own isolated stack. No phone-home required.

Your SIEM

Reads, never exfiltrates

Connects to your QRadar / Splunk / Wazuh to read detection outcomes. Data does not leave the environment.

Safe by design

No production impact

Techniques run as emulation on a digital twin — never against your live systems.

Founding design-partner program · now open

See exactly what your SOC would catch.

We are onboarding a small cohort of founding design partners. Run a Detection Reality Check on your environment, get the board-ready report, and shape the product with candid feedback. Free for the founding cohort.

info@dataq.vn +84 382 998 514 WhatsApp · Telegram · Zalo
Pre-commercial · SIEM support today: QRadar · Splunk · Wazuh