Cisco Cyber Vision Data Sheet

Data Sheet

Updated: June 25, 2020



Cisco® Cyber Vision enables organizations to ensure the continuity, resilience, and safety of their industrial operations by providing continuous visibility into their ICS infrastructures and controlling the risks of cyber attacks.

Product overview

The deeper integration between IT, cloud, and industrial networks is exposing your industrial control systems (ICS) to cyber threats. As you begin to capture the benefits of your industry digitization efforts and start deploying Industrial Internet of Things (IIoT) technologies, you need a cybersecurity solution to help you ensure the continuity, resilience, and safety of your industrial operations.

Cisco Cyber Vision has been specifically designed for industrial organizations to gain full visibility into their industrial networks, so they can detect threats, ensure process integrity, build secure infrastructures, drive regulatory compliance, and enforce security policies to control risks.

Cisco Cyber Vision combines a unique edge monitoring architecture and deep integration with Cisco’s leading security portfolio. Built into your Cisco industrial network equipment, it can be easily deployed at scale to monitor your industrial assets and their application flows in real time. It is the ideal solution to feed your IT security operations center (SOC) with OT context, so you can build a unified IT/OT cybersecurity architecture.

Features and benefits

Table 1. Features and benefits



Edge architecture

Easily deploy ICS security at scale. Cyber Vision network sensors include the Cisco Catalyst® IE3400 Rugged and IE3400 Heavy Duty Series ruggedized switches, Cisco Catalyst 9300, 9400, and 9500 Series switches, and Cisco 1101 Industrial Integrated Services Router for reduced hardware spending and minimal impact to industrial control network traffic.

Comprehensive visibility

Build appropriate security policies and increase operational efficiency. Cyber Vision gives you real-time, detailed visibility into your industrial assets, their communication patterns, and application flows.

Operational insights

Maintain process integrity by tracking unexpected variable changes and programmable logic controller (PLC) program modifications. Cyber Vision supports operations to work more efficiently and with reduced risk.

Security insights dashboard

Quickly understand your current security status, identify anomalies, and respond to threats.

Vulnerability detection

Keep your industrial assets safe. Cyber Vision alerts you to hardware and software vulnerabilities that need to be patched.

Intrusion detection (IDS)

Uncover the cybersecurity threats coming from your IT network. Cyber Vision leverages Talos® subscription rules to detect known and emerging threats and keep you protected.

Anomaly detection

Keep your ICS safe from unknown attacks and malfunctions. Detect illegitimate modifications to your industrial assets and processes such as unexpected program downloads or variable changes.

Baseline monitoring and alerting

Detect deviations from expected process behaviors. Profile your ICS and industrial processes in baselines that define what normal should be. Create multiple baselines to detect specific behaviors (e.g., remote access) or specific production states (e.g., maintenance operations) to help ensure accurate detection and minimum false positives. Deviations are immediately detected. Alerts are generated in the console and may be automatically forwarded to integrated tools such as SIEMs and SOARs.

OT tags

Immediately understand what each device is doing. Cyber Vision translates each application flow into human-readable tags, so you know what is going on, even if you’re not a protocol expert.

Preset views

Easily dive into your dataset by using preset and custom views that highlight what really matters to you.

Map views

Visualize the activity of your control network. Cyber Vision offers several types of maps to show your assets and their communications. Quickly spot threats and anomalies, thanks to color coding.

Deep Packet Inspection (DPI)

Track the content of all application flows. Cyber Vision “understands” the ICS protocols you use so it can profile your industrial assets and detect abnormal behaviors or malfunctions.

OT flight recorder

Meet compliance requirements. Cyber Vision maintains the history of all events and application flows, including variable accesses so you can easily run forensic searches and build incident reports.

Deep IT security integration

Build a unified OT/IT SOC. Cyber Vision feeds your IT security platforms with OT context so you can enforce security policies without disrupting production.

Security built into your industrial network

Deploying OT cybersecurity can quickly become very complex, especially if the industrial network is dispersed across an entire country or many remote industrial sites. For your OT cybersecurity project to be successful, the solution you select must be able to scale easily and at a reasonable cost across your entire organization.

Cisco Cyber Vision’s unique edge computing architecture embeds security monitoring components within our industrial network equipment. There’s no need to source dedicated appliances and think about how to install them. There’s no need to build an out-of-band network to send industrial network flows to a central security platform. Cyber Vision enables the industrial network to collect the information required to provide comprehensive visibility, analytics, and threat detection. Network managers will appreciate the unique simplicity and lower costs of the Cyber Vision architecture for deploying OT security at scale.

Figure 1. Cyber Vision’s use of embedded sensors and dedicated hardware appliances provides the flexibility for maximum visibility without impacting network performance


Securing your OT infrastructure starts with having a precise view of your asset inventory, communication patterns, and network topologies. Cisco Cyber Vision gives OT teams and network managers full visibility into their assets and application flows so they can implement security best practices, drive network segmentation projects, and improve operational resilience.

Cisco Cyber Vision automatically uncovers the smallest details of the production infrastructure: vendor references, firmware and hardware versions, serial numbers, PLC rack slot configuration, etc. It identifies asset relationships, communication patterns, changes to variables, and more. This wealth of information is shown in various types of maps, tables, and reports that maintain a complete inventory of industrial assets, their relationships, their vulnerabilities, and the programs they run.

Figure 2. Examples of Cyber Vision information displays

Operational insights

Cisco Cyber Vision gives OT engineers real-time insight into the actual status of industrial processes, such as unexpected variable changes or controller modifications, so they can take action to maintain system integrity and production continuity. Cyber experts can easily dive into all this data to analyze attacks and find the source. Chief information security officers have all the necessary information to document their incident reports.

Cisco Cyber Vision “understands” the proprietary OT protocols used by automation equipment, so it can track process anomalies, errors, misconfigurations, and unauthorized industrial events. It also records these events, becoming the “flight recorder” of the industrial infrastructure.

The product uses tags to highlight asset roles and communication contexts, so that any OT and IT team member can easily understand the industrial infrastructure and operational events, regardless of the asset brand or references. IT teams can then work with OT staff to drive best practices such as patching vulnerable assets, tracking default password uses, improving network segmentation, and more.

Figure 3. Operational insights

Holistic threat detection

Industrial networks are ever more connected to IT networks, and protecting them from threats, such as malware or intrusions, becomes increasingly important. And because attacks on industrial networks generally look like legitimate instructions to assets, you also need to detect those unwanted process modifications. To secure an industrial network, you need a variety of threat detection mechanisms.

Cisco Cyber Vision combines protocol analysis, intrusion detection, and behavioral analysis to detect a multitude of attack techniques. This holistic approach helps ensure that Cyber Vision can detect both known and unknown attacks, as well as malicious behaviors that could be warning signs of an attack. Cyber Vision integrates seamlessly with IT SOCs so security analysts can trace industrial events in their security information and event management (SIEM) system for OT/IT correlation and automatically trigger firewall filter rules in the event of an attack.

Figure 4. Detecting and remediating threats


Cyber Vision’s visibility and context provide value to both operations and IT security teams, giving them deeper knowledge of their ICS and insight into the state of their industrial processes, industrial network traffic, anomaly detection, and security posture. Integrations with our networking portfolio, our security portfolio, and a broad set of third parties extend Cyber Vision’s insight to risk and compliance monitoring and reporting, security policy enforcement, and much more.

Cisco Threat Response

Are you seeing an abnormal behavior in Cisco Cyber Vision? Just click the “Investigate in Cisco Threat Response” button to run a deeper investigation. Cyber Vision will automatically pass observables (such as IP addresses, MAC addresses, usernames, hostnames, URLs, and more) to Cisco Threat Response to centrally search Cisco AMP, Stealthwatch®, Firepower®, and more, giving you a complete view of threats and activities across your IT and OT networks.

Cisco Identity Services Engine (ISE)

Extend software-based network segmentation policies to your industrial control network through Cyber Vision’s integration with Cisco ISE. Cyber Vision shares discovered host, protocol, communications patterns, and more through pxGrid to extend ISE’s awareness and policy enforcement into the control network. Cisco ISE can also leverage asset groups created by control engineers in Cyber Vision to automatically build secure zones and drive dynamic micro-segmentation of the industrial network. ISE uses Cisco TrustSec® to enforce these groups by configuring your Cisco network equipment accordingly.

Cisco Stealthwatch

Extend your network behavioral analysis across your corporate and control networks through Cyber Vision’s integration with Cisco Stealthwatch.

Cisco Firepower

Network segmentation is a key pillar to securing your network and protecting critical processes. Cyber Vision enriches host information in Cisco Firepower to provide additional context in firewall policies. This context gives you laser-focused control of your network segmentation, as well as the ability to terminate unsanctioned sessions.


Cyber Vision exposes functionality and data access through a REST API. This allows for custom integration of third-party and homegrown applications for compliance and risk reporting, system and event monitoring and dashboards, and more.

Common event format (CEF)

Cyber Vision discovery and event data may be output in common event format (CEF) syslog for consumption by any number of third-party applications such as configuration management databases (CMDBs), SIEM solutions, security orchestration, automation, and response (SOAR) platforms, and more.

Platform support

Cisco Cyber Vision is built on a two-tier architecture consisting of multiple sensor devices that perform deep packet inspection, protocol analysis, and intrusion detection at the edge and an aggregation platform known as Cyber Vision Center. Cyber Vision Center stores data coming from the sensors and provides the user interface, analytics, behavioral analysis, reporting, and more. It may be run on a hardware appliance or as a virtual machine, and the sensor is supported on the network platforms listed in the table below.

Table 2. Platforms for Cyber Vision products

Product components

Platforms supported

Sensor hardware appliance

Cisco IC3000 Industrial Compute Gateway (IC3000-2C2F-K9)

Network sensor

Cisco Catalyst IE3400 Rugged Series switch

Cisco Catalyst IE3400 Heavy Duty Series switch

Cisco 1101 Industrial Integrated Services Router

Cisco Catalyst 9300 Series switch

Cisco Catalyst 9400 Series switch

Cisco Catalyst 9500 Series switch

Center hardware appliance


Center software appliance

VMware ESXi software appliance

Microsoft Hyper-V software appliance

Cyber Vision hardware appliance specifications

Please refer to the associated data sheets for hardware specifications:

  • Refer to the Cyber Vision Center data sheet for hardware appliance specifications.
  • Refer to the IC3000 Industrial Compute Gateway data sheet for sensor hardware specifications.

Cyber Vision network sensor specifications

Please refer to the associated data sheets for hardware specifications:

  • Cisco IE3400 Rugged Series switch
  • Cisco IE3400 Heavy Duty Series switch
  • Cisco 1101 Industrial Integrated Services Router (IR1101)
  • Cisco Catalyst 9300 Series switch
  • Cisco Catalyst 9400 Series switch
  • Cisco Catalyst 9500 Series switch

Cyber Vision Center virtual appliance specifications

Table 3. Minimum specifications for the Cyber Vision Center virtual appliance


Minimum requirements*


Intel® Xeon®, 4 cores minimum


8 GB minimum


50-GB SSD minimum

Virtualization software

VMware ESXi 6.x or later, Microsoft Hyper-V on Windows Server 2016 or later

* These minimum VM requirements support monitoring of up to 500 devices.


Cisco Cyber Vision is licensed using a recurring subscription model based on the number of endpoints monitored and is available in 1-, 3-, and 5-year terms. Licensing is available in two tiers—Essentials and Advantage—that provide different levels of capabilities to meet your particular requirements. The product uses Cisco Smart Licensing with the option for Specific License Reservation (SLR) licenses for air-gapped networks. Please note that a current subscription license includes access to Cyber Vision Center and sensor software, which may be downloaded directly from software.cisco.com.

Table 4. Licensing tiers

Licensing levels




  Asset inventory
  Identify relationships between assets
  Generate inventory reports


  Threat Intelligence database
  Identify asset vulnerabilities
  Generate vulnerability reports

Operational insights

  History of events and asset modifications
  Highlight changes to asset configurations
  View key events on the control system
  Generate controller reports

RESTful API

  REST API for integration with other platforms

Includes Essentials plus:

Anomaly detection

  Automated baselines for asset behaviors
  User-created baselines
  Alerts on deviations

Advanced integration

  pxGrid integration with ISE
  Send data and events to SIEM
  Kill firewall session

Cyber Vision IDS

(Requires Cyber Vision Advantage; licensed per IC3000 appliance deployed)

Intrusion detection

  Snort-based intrusion detection
  Talos subscription signatures, specifically curated for industrial networks

Endpoint license packs are available for 100, 250, 500, 750, 1000, 2500, 5000, 7500, and 10,000 endpoints.

Intrusion detection system (IDS) licensing is available to Advantage subscribers and is licensed per IC3000 sensor appliance deployed.

Ordering information

Cisco Cyber Vision is available for order today. Please visit the Cisco Ordering homepage for more information.

Table 5. Cyber Vision product IDs

Product ID

Product description


Cyber Vision subscription license


Cyber Vision Center hardware appliance (Cisco UCS® C220 M5 Rack Server)


Cyber Vision Sensor hardware appliance (Cisco IC3000 Industrial Compute Gateway)

Warranty information

Please refer to the respective data sheets for the IC3000 Industrial Compute Gateway and Cisco Cyber Vision Center for warranty information.

Cisco environmental sustainability

Please refer to the respective data sheets for the IC3000 Industrial Compute Gateway and Cisco Cyber Vision Center for sustainability information.

Cisco and partner services

Services for planning, deploying, and support

Services provided by Cisco and our certified partners are available to help you through the assessment, design, deployment, and operational phases of your Cisco Cyber Vision project. Whether you need some expert advice, support throughout the entire project, or something in between, we, together with our partners, have the experts and expertise to help you be successful. For more information, visit https://www.cisco.com/go/services.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.
