Fact to MalOp

The Cybereason platform uses a tiered “pyramid” approach to detect activities - both benign and malicious - occurring in your organization.

This approach is meant to collect, analyze, and classify data and events in your environment in a meaningful way to make it clear to you:

  1. What data is collected

  2. What activities are detected

  3. What activities are malicious and need further action

The pyramid contains multiple levels of detection that build from a foundation of collected data (facts) to the highest level of the MalOp:

Cybereason pyramid


Facts represent data collected from endpoint sensors that is sent to the Detection servers.

Facts include the properties of different activities on the machine on which a sensor is installed, including (but not limited to):

  • Processes

  • Machines

  • Files

  • Connections

  • Services

  • Modules

For details on the specific data collected by sensors, see Collected System-Level data.

The Cross-Machine Correlation (CMC) Engine on the detection server collects facts from all associated machines. The CMC Engine then correlates Facts across all machines and enriches the analysis with artificial intelligence, machine learning, behavioral analysis, and information from threat intelligence sources.

The CMC Engine analyzes the collected facts based on Cybereason’s threat intelligence, and then generates evidence or suspicions, the next levels of the pyramid, to explain patterns of behavior on the machines in your organization.


Evidence describe patterns of behaviors that the Cybereason platform detects on a machine.

For example, when a Process Element connects to an RDP port, the CMC Engine generates the Connected to RDP Port evidence.

Evidence can be benign or malicious.


Above evidence in the pyramid are suspicions. The CMC Engine generates a suspicion when an individual activity is potentially malicious, or when several pieces of evidence, taken together, might represent malicious activity.

In general, the threshold for evidence to become a suspicion is deliberately low to minimize the likelihood the Cybereason platform will miss an attack.


When evidence and/or suspicions reflect a confirmed pattern of malicious behavior, the Cybereason platform deems the activity a MalOp (or malicious operation).

A MalOp is a collection of related suspicious activities that are highly likely to be part of a security incident.

Every MalOp has a number of related suspicions and evidence, which are listed in the MalOp details.

For details on MalOp types, see Malop Types and Components. For detailed descriptions of each MalOp, see MalOp Types in Depth.

Related resources:

Evidence FAQ