Data protection must at last become a fundamental standard of the Internet. With this in mind, _cyel is introducing a new cybersecurity strategy: not a new generation of patches and firewalls, but moving target security – we take away the targets. Without replacing your existing system.

Earlier security solutions responded to attacks, newer ones rely on intelligent attack detection, thus becoming more proactive. They do not solve the problem however, because the targets remain visible to attackers.

Fundamental solution

Moving target security provides a fundamental solution to this problem: we move, distribute and conceal the targets. Instead of preventing intrusions into a static network, the network becomes a dynamic system with moving targets. Users are no longer easily visible to the outside world. Every data transmission is encrypted. By the nature of the system, a laterally moving intruder stands out.

Moving target security

The operating principle

Software defined networking

We supplement the network topology introducing a software defined network in front of your existing infrastructure. All data traffic is routed seamlessly through it.

Stochastic target obfuscation

Because the network is constantly changing in different dimensions, the effort involved in an attack expands immeasurably. Security becomes predictable.

Dynamic flow checking

All data traffic is systematically controlled; network interfaces such as ports and services are protected.

The technologies

Attack surface mutation
Attack surface mutation

Instead of a fixed IP address, each device is assigned a new address for each transaction. Even in the event of third-party intrusion, they are unable to discern a pattern and draw any conclusions: sender and recipient are no longer identifiable with each new transaction. Accumulated information is instantly rendered worthless.


As you would expect, every communication is encrypted from point to point. In the process, the encryption changes at each node. There is no way of tracing back the data packages, the message is no longer identifiable as such.

Triple A

Authentication, authorisation and accounting means: all network processes can only be carried out by authenticated devices; they must be explicitly permitted (white list) and are recorded. There are no external players, unknown routes, lateral movements or unaudited actions.

Honey pot
Honey pot

Identified attackers are diverted to a simulated environment, a honey pot. They can do no damage there and their behaviour can be observed. This means that you are always one step ahead of the attackers, instead of having to respond to leaks.

Dummy traffic
Dummy traffic

The system sends out traffic padding to disguise the real signal. Attackers can neither discern nor make use of behavioural patterns; heavily frequented servers are indistinguishable from individual users.

Your benefits

System-independent and backwards-compatible

The installation is carried out as an add-on to the existing network, without modification to the network cabling, user systems, servers or applications.

Potential upgrade

The solution turns your existing layer-2 or layer-3 infrastructure into a zoned layer-3 network.

Savings potential

The solution can be operated with next to no effort.


Security can be adjusted automatically according to the threat level.

Protection against eavesdroppers

Information leaks from metadata are totally prevented.

Protection against direct attacks

Every intruder is detected by the nature of the system; services and internal structures are efficiently protected.

Password theft pointless

Protection takes place at the network level, coupled to the equipment.