
CyCognito
External Attack Surface Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The CyCognito connector integrates with the CyCognito External Attack Surface Management (EASM) platform. It synchronizes asset inventory and security findings data, including web applications, IP addresses, IP ranges, domains, certificates, issues (findings), and issue definitions (vulnerability definitions). The connector uses the CyCognito REST API v1 to discover and import external-facing assets and their associated security issues.
Data retrieved from CyCognito
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Web Application | Yes | Site |
| IP Range | Yes | Ip Range |
| IP Address | Yes | Host |
| Domain | Yes | Site |
| Certificate | Yes | Certificate |
| Issue Definition | Yes | Vulnerability Definition |
| Issue | Yes | Vulnerability |
Model relationships
For detailed steps on how to view the data retrieved from CyCognito in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select CyCognito from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.platform.cycognito.com | CyCognito API URL |
| API token | Yes | — | CyCognito API token |
| Page size | No | 1000 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, availableProcessors()) | Maximum number of parallel API requests |
Authentication
CyCognito uses API Token authentication. A static API token is generated in the CyCognito platform and sent verbatim as the Authorization header value on every request. There is no OAuth flow, login call, or token refresh mechanism — the token is configured once and reused for the lifetime of the connector instance.
Credential Verification
The connector validates the configured credential by issuing a minimal paged request against the issues endpoint. A 2xx response confirms the token is valid; 401/403 indicate bad or insufficient credentials.
| Method | URL |
|---|---|
POST | {url}/v1/issues?offset=0&count=1 |
Request Headers
| Header | Value | Description |
|---|---|---|
Authorization | <api-token> | The raw CyCognito API token (no Bearer prefix). |
Content-Type | application/json | All requests send a JSON filter array body. |
Request Body
The body is a JSON array of filter objects (empty when no filters apply):
[]
Sample Response
[
{
"id": "issue-0001",
"issue_id": "CYC-EXPOSED-RDP-2",
"title": "Exposed RDP service",
"issue_status": "new",
"severity": "high",
"first_detected": "2026-01-04T10:15:00.000Z",
"last_detected": "2026-06-01T08:00:00.000Z"
}
]
Response Fields
| Field | Description |
|---|---|
id | Unique issue (finding) identifier. |
issue_id | Issue definition identifier the finding maps to. |
title | Human-readable issue title. |
issue_status | Raw status of the issue from CyCognito. |
severity | Issue severity level. |
first_detected | Timestamp the issue was first detected. |
last_detected | Timestamp the issue was last detected. |
A non-error response indicates the token is accepted. On rate limiting (429) the connector honors the Retry-After header and retries.
Usage in Subsequent Requests
Every paged API call (assets and issues) sends the same Authorization: <api-token> header. The connector does not exchange the token for a session or bearer token; the configured value is attached to each outbound request directly.
How to obtain CyCognito credentials
Generate a new CyCognito API token
For the CyCognito connector to use the CyCognito API, you must provide an API token. Only administrators can generate new API tokens. To generate a new API token, follow these steps:
-
Log in to your organization's CyCognito server as an administrator.
-
On the left-hand side of the page, click Workflows & Integrations, and then click API Key Management.
-
Click Add API key. A new window displays. Provide the following information:
-
Key Name: Give your API token a name.
-
Key Access: The CyCognito connector requires read access only, so select Read Only.
-
Set Expiration: Determine whether the token expires or not. If you select On, indicate a time limit for how long the new token is valid.
-
-
Click Create.
Your new API token displays. You cannot view the token again after this. Copy and save it to a secure location.
Note: If you do not have permissions to create an API token, contact your CyCognito administrator. For additional information, see CyCognito documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Web Application
| Source Field Name | SDM Attribute |
|---|---|
asset.getId() | NAME |
asset.getId() (prefix stripped) | UID |
| at_risk | AT_RISK |
| attribution_certainty | ATTRIBUTION_CERTAINTY |
comment.content + comment.last_update | COMMENT |
continent() | CONTINENT |
description() | DESCRIPTION |
discoverability | DISCOVERABILITY |
discovery_path (formatted) | DISCOVERY_PATH |
domains() | DOMAINS |
environments() | ENVIRONMENTS |
form() | FORM |
| Hardcoded "Web Application" | CATEGORIES |
| has_login | HAS_LOGIN |
| home_page_display_label | HOME_PAGE_DISPLAY_LABEL |
| hosting_type | HOSTING_TYPE |
| investigation_status | INVESTIGATION_STATUS |
| is_encrypted | IS_ENCRYPTED |
locations() | LOCATIONS |
max(lastDetected(), lastSeen()) | LAST_SEEN |
min(firstDetected(), firstSeen()) | FIRST_SEEN |
organizations() | ORGANIZATIONS |
| owned_by | OWNED_BY |
owners() | OWNER |
platforms() | PLATFORMS |
regions() | REGIONS |
related_asset_ids.cert (normalized) | RELATED_CERT_IDS |
related_asset_ids.domain (normalized) | RELATED_DOMAIN_IDS |
related_asset_ids.ip (normalized) | RELATED_IP_IDS |
| security_grade | SECURITY_GRADE |
services() (formatted CPE strings) | SERVICES |
status() (normalized) | STATUS |
status() (raw) | SOURCE_STATUS |
| supported_protocols | SUPPORTED_PROTOCOLS |
tags() | TAGS |
title() | TITLE |
| web_resources_urls | WEB_RESOURCE_URLS |
| web_servers | WEB_SERVERS |
| webapp_address | WEB_APP_ADDRESS |
IP Range
| Source Field Name | SDM Attribute |
|---|---|
| as_list | AS_LIST |
asset.getId() | IP_RANGE |
asset.getId() (prefix stripped) | UID |
| at_risk | AT_RISK |
| attribution_certainty | ATTRIBUTION_CERTAINTY |
cidr() | CIDR |
comment.content + comment.last_update | COMMENT |
continent() | CONTINENT |
| country_code | COUNTRY_CODE |
discoverability | DISCOVERABILITY |
discovery_path (formatted) | DISCOVERY_PATH |
domains() | DOMAINS |
environments() | ENVIRONMENTS |
| hosting_type | HOSTING_TYPE |
| investigation_status | INVESTIGATION_STATUS |
locations() | LOCATIONS |
max(lastDetected(), lastSeen()) | LAST_SEEN |
min(firstDetected(), firstSeen()) | FIRST_SEEN |
organizations() | ORGANIZATIONS |
| owned_by | OWNED_BY |
owners() | OWNER |
platforms() | PLATFORMS |
| range_name | NAME |
| rangeName + id | DESCRIPTION |
regions() | REGIONS |
| security_grade | SECURITY_GRADE |
services() (formatted CPE strings) | SERVICES |
source() | SOURCE |
status() (normalized) | STATUS |
status() (raw) | SOURCE_STATUS |
tags() | TAGS |
type() + "Network" | CATEGORIES |
IP Address
| Source Field Name | SDM Attribute |
|---|---|
alive() | ALIVE |
asset.getId() | NAME |
asset.getId() (prefix stripped) | UID |
| at_risk | AT_RISK |
| attribution_certainty | ATTRIBUTION_CERTAINTY |
closed_ports[].port | CLOSED_PORTS |
comment.content + comment.last_update | COMMENT |
continent() | CONTINENT |
discoverability | DISCOVERABILITY |
discovery_path (formatted) | DISCOVERY_PATH |
domains() | DOMAIN_NAMES |
domains() | DOMAINS |
| dynamically_resolved | DYNAMICALLY_RESOLVED |
environments() | ENVIRONMENTS |
filtered_ports[].port | FILTERED_PORTS |
| Hardcoded "Host" | CATEGORIES |
| hosting_type | HOSTING_TYPE |
| investigation_status | INVESTIGATION_STATUS |
ip() | IP_ADDRESSES |
ip_ranges[].inetnum | IP_RANGES |
locations() | LOCATIONS |
max(lastDetected(), lastSeen()) | LAST_SEEN |
min(firstDetected(), firstSeen()) | FIRST_SEEN |
open_ports[].port | OPEN_PORTS |
organizations() | ORGANIZATIONS |
| owned_by | OWNED_BY |
owners() | OWNER |
platforms() | PLATFORMS |
regions() | REGIONS |
related_asset_ids.cert (normalized) | RELATED_CERT_IDS |
related_asset_ids.domain (normalized) | RELATED_DOMAIN_IDS |
related_asset_ids.webapp (normalized) | RELATED_WEB_APP_IDS |
| security_grade | SECURITY_GRADE |
services() (formatted CPE strings) | SERVICES |
status() (normalized) | STATUS |
status() (raw) | SOURCE_STATUS |
tags() | TAGS |
Domain
| Source Field Name | SDM Attribute |
|---|---|
asset.getId() | NAME |
asset.getId() (prefix stripped) | UID |
| at_risk | AT_RISK |
| attribution_certainty | ATTRIBUTION_CERTAINTY |
comment.content + comment.last_update | COMMENT |
continent() | CONTINENT |
discoverability | DISCOVERABILITY |
discovery_path (formatted) | DISCOVERY_PATH |
| dns_rcode | DNS_RESPONSE_CODE |
domain() | DOMAIN |
domains() | DOMAINS |
environments() | ENVIRONMENTS |
| hosting_type | HOSTING_TYPE |
| investigation_status | INVESTIGATION_STATUS |
| ip_addresses | IP_ADDRESSES |
locations() | LOCATIONS |
max(lastDetected(), lastSeen()) | LAST_SEEN |
min(firstDetected(), firstSeen()) | FIRST_SEEN |
organizations() | ORGANIZATIONS |
| owned_by | OWNED_BY |
owners() | OWNER |
platforms() | PLATFORMS |
regions() | REGIONS |
related_asset_ids.cert (normalized) | RELATED_CERT_IDS |
related_asset_ids.ip (normalized) | RELATED_IP_IDS |
related_asset_ids.webapp (normalized) | RELATED_WEB_APP_IDS |
| security_grade | SECURITY_GRADE |
services() (formatted CPE strings) | SERVICES |
status() (normalized) | STATUS |
status() (raw) | SOURCE_STATUS |
| sub_domains | SUB_DOMAINS |
tags() | TAGS |
type() + "Web Application" | CATEGORIES |
Certificate
| Source Field Name | SDM Attribute |
|---|---|
asset.getId() | NAME |
asset.getId() (prefix stripped) | UID |
| at_risk | AT_RISK |
| attribution_certainty | ATTRIBUTION_CERTAINTY |
cert | CERT |
comment.content + comment.last_update | COMMENT |
continent() | CONTINENT |
| creation_time | SOURCE_CREATED_DATE |
discoverability | DISCOVERABILITY |
discovery_path (formatted) | DISCOVERY_PATH |
domains() | DOMAINS |
environments() | ENVIRONMENTS |
expiration | EXPIRATION |
| Hardcoded "Certificate" | CATEGORIES |
| hosting_type | HOSTING_TYPE |
| investigation_status | INVESTIGATION_STATUS |
| ip_addresses | IP_ADDRESSES |
| is_active | IS_ACTIVE |
| issuer_alt_names | ALTERNATIVE_NAMES |
| issuer_common_name | ISSUER_COMMON_NAME |
| issuer_country | ISSUER_COUNTRY |
| issuer_locality | ISSUER_LOCALITY |
| issuer_organization | ISSUER_ORG |
| issuer_organization_unit | ISSUER_ORG_UNIT |
| issuer_state | ISSUER_STATE |
locations() | LOCATIONS |
max(lastDetected(), lastSeen()) | LAST_SEEN |
min(firstDetected(), firstSeen()) | FIRST_SEEN |
organizations() | ORGANIZATIONS |
| owned_by | OWNED_BY |
owners() | OWNER |
platforms() | PLATFORMS |
regions() | REGIONS |
related_asset_ids.domain (normalized) | RELATED_DOMAIN_IDS |
related_asset_ids.ip (normalized) | RELATED_IP_IDS |
related_asset_ids.webapp (normalized) | RELATED_WEB_APP_IDS |
| security_grade | SECURITY_GRADE |
services() (formatted CPE strings) | SERVICES |
| signature_algorithm | SIGNATURE_ALGO |
status() (normalized) | STATUS |
status() (raw) | SOURCE_STATUS |
| subject_common_name | SUBJECT_COMMON_NAME |
| subject_country | SUBJECT_COUNTRY |
| subject_locality | SUBJECT_LOCALITY |
| subject_organization | SUBJECT_ORG |
| subject_organization_unit | SUBJECT_ORG_UNIT |
| subject_state | SUBJECT_STATE |
tags() | TAGS |
Issue Definition
| Source Field Name | SDM Attribute |
|---|---|
| cve_ids | CVE_RECORDS |
| cve_ids | CVE_IDS |
| detection_complexity | DETECTION_COMPLEXITY |
| exploitation_method | EXPLOIT_MATURITY |
| exploitation_score | EXPLOITATION_SCORE |
| issue_id | UID |
| issue_type | TYPE |
| potential_impact | POTENTIAL_IMPACT |
references | REFERENCES |
remediation_steps (numbered, joined) | RECOMMENDATION |
severity | SEVERITY |
severity (normalized) | SOURCE_SEVERITY |
| severity_score | SEVERITY_SCORE |
summary | SUMMARY |
threat | THREAT |
title | NAME |
Issue
| Source Field Name | SDM Attribute |
|---|---|
affected_asset (prefix stripped) | TARGETS |
comment.content + comment.last_update | COMMENT |
confidence | CONFIDENCE |
| confidence_level | CONFIDENCE_LEVEL |
| Derived from normalized status | STATUS_CATEGORY |
evidence.data | RESULTS |
| first_detected | FIRST_FOUND |
id | UID |
| investigation_status | INVESTIGATION_STATUS |
| issue_id | TYPE |
issue_status (normalized) | STATUS |
issue_status (raw) | SOURCE_STATUS |
| last_detected | LAST_FOUND |
locations | LOCATIONS |
organizations | ORGANIZATIONS |
port | PORT |
| resolved_at | RESOLVED_AT |
tags | TAGS |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Web Application
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/assets/webapp - Default filters:
scan-status: [normal, new, changed, removed],active: [true, false]; on incremental syncs,last_detectedbetween the prior sync time and now
IP Range
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/assets/iprange - Default filters:
scan-status: [normal, new, changed, removed],active: [true, false]; on incremental syncs,last_detectedbetween the prior sync time and now
IP Address
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/assets/ip - Default filters:
scan-status: [normal, new, changed, removed],active: [true, false]; on incremental syncs,last_detectedbetween the prior sync time and now
Domain
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/assets/domain - Default filters:
scan-status: [normal, new, changed, removed],active: [true, false]; on incremental syncs,last_detectedbetween the prior sync time and now
Certificate
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/assets/cert - Default filters:
scan-status: [normal, new, changed, removed],active: [true, false]; on incremental syncs,last_detectedbetween the prior sync time and now
Issue Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (issue definitions are de-duplicated by
issue_idfrom the issue records fetched below) · Endpoint:POST /v1/issues - Default filters: None on a full sync; on incremental syncs,
last_detectedbetween the prior sync time and now
Issue
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
POST /v1/issues - Default filters: None on a full sync; on incremental syncs,
last_detectedbetween the prior sync time and now
Changelog
The CyCognito connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.16 | Bug Fixes - Corrected the data type of the Certificate model's "Active" attribute from a true/false (Boolean) type to text, matching the string value returned by the API. | • Certificate: the "Active" attribute changed from Boolean to text. Re-sync the CyCognito connector to repopulate certificates with the corrected type. |
| 3.0.15 | Bug Fixes Issue and Certificate Date Attributes The "Resolved at" (Issue) and "Expiration" (Certificate) attributes were defined as numeric values but the connector emits date/time values. On existing tenants this caused Issue and Certificate syncs to fail when writing records. Both attributes are now correctly typed as timestamps, so the values the connector emits match the attribute type. | • Issue / Certificate: The "Resolved at" and "Expiration" attributes changed from a numeric type to a date/time type. Tenants that previously synced with version 3.0.14 have these columns stored as numeric (bigint) and must have them converted to a timestamp type before syncing; otherwise Issue and Certificate syncs will continue to fail. For columns containing existing epoch-millisecond data, convert with to_timestamp(value / 1000); columns with no data can be recreated directly as timestamptz. |
| 3.0.14 | Improvements Dependency Upgrades Upgraded internal framework and storage libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. Attribute Consolidation Precedence Connector-sourced attribute values now participate in consolidation at the platform's default priority, so values from this connector take precedence over non-connector data sources (UI input, manual imports, bulk uploads) when populating the same canonical attribute. | N/A |