
Cymulate Pre-Requisites

Meet the following prerequisites before deploying the Cymulate agent.

Cymulate agent requirements

The Cymulate agent is available for different operating systems: 

  • Windows and Linux agent (service-based): This agent operates as a background service, offering a scalable and modular approach ideal for enterprise environments. It does not require a user to be logged in, enabling continuous and efficient security assessments. Multiple user profiles can be configured to run assessments seamlessly across different accounts. For environments using Active Directory, ensure Interactive Logon is enabled for any user profiles added to the agent.
  • Mac agent (process-based): This lightweight agent communicates directly with the Cymulate platform and is designed to run on a dedicated machine, such as a laptop, desktop, or Virtual Machine (VM). The process-based agent requires an active user login to operate, enabling real-time security assessment without extensive background processes.

System requirements 

Make sure to meet the following system requirements for the agent.

| Criteria | Minimum requirement | Recommended |
|---|---|---|
| CPU | 2 cores | 4 cores |
| Memory (RAM) | 8 GB | 16 GB |
| Free disk space | 30 GB | 60 GB |
| Network | One network interface | One network interface |

Memory (RAM) requirements for Endpoint Security assessments

For optimal performance during Endpoint Security assessments, we strongly recommend using 16 GB of RAM, as EDR tools are typically resource-intensive. While 8 GB is sufficient for basic testing, it may lead to poor performance in more demanding scenarios. Upgrading to 16 GB ensures smoother operations and enhanced reliability in production environments.

Additional requirements for process-based (Mac) agents:

  1. The user must be logged in to the dedicated machine where the Cymulate agent is installed.
  2. The user logged in to the machine with the installed Cymulate agent must have Read, Write, and Delete permissions. 
  3. If an automated password-change policy is in use, the user logged in to the Cymulate agent machine should be excluded from that policy.

Communication requirements 

To perform security assessments on a network, the Cymulate agent must be able to communicate with the Cymulate platform. This communication uses HTTPS and is required for managing agents and performing attacks.

If a firewall is present between the Cymulate agent and the Cymulate platform, certain ports need to be opened either directly or through a proxy to enable the required communication.

| Source | Destination | Port | Description |
|---|---|---|---|
| Cymulate agent machine | Cymulate Cloud Domain: *.app.cymulate.com, *.us-app.cymulate.com | 443 (HTTPS) | Essential communication between the Cymulate agent and the Cymulate cloud platform. |

Supported operating systems

The Cymulate agent is supported for the following operating systems.

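| OS type | OS version | Architecture |
|---|---|---|
| Windows | Windows 10 client 1607+ | x64 |
| Windows | Windows 11 22000+ | x64 |
| Windows | Windows Server 2012+ | x64 |
| Windows | Windows Server Core 2012+ | x64 |
| Windows | Nano Server 1809+ | x64 |
| Mac | Mac 10.15+ | x64 |
| Linux (service-based agent) | Oracle Linux Server 9.3+ | x64 |
| Linux (service-based agent) | Ubuntu 20.04+ | x64 |
| Linux (service-based agent) | Red Hat Enterprise Linux 8.1+ | x64 |
| Linux (service-based agent) | Alpine 3.17+ | x64 |
| Linux (service-based agent) | CentOS Stream 9 | x64 |
| Linux (service-based agent) | Debian 12 | x64 |
| Linux (service-based agent) | Fedora 39+ | x64 |
| Linux (service-based agent) | openSUSE Leap 15.5+ | x64 |
| Linux (service-based agent) | SUSE Enterprise 12.5+ | x64 |
| Linux (service-based agent) | Amazon Linux 2 | x64 |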

Supported Cymulate modules per operating system  

The following table lists each module, and which operating systems are supported. 

| Module | Windows | Mac | Linux |
|---|---|---|---|
| Immediate Threats | Yes | Yes | Yes |
| Email Gateway | Yes | Yes | Yes |
| Web Gateway | Yes | Yes | Yes |
| Web Application Firewall | Yes | Yes | Yes |
| Endpoint Security | Yes | Yes | Yes |
| Data Exfiltration | Yes | Yes | Yes |
| Advanced Scenarios | Yes | Yes | Yes |
| Phishing Awareness | Yes | Yes | Yes |
| Hopper | Yes | No | No |
| Full Kill Chain APT | Yes | Limited | Limited |

Supported browsers

  • Google Chrome
  • Microsoft Edge

Windows agent minimum user permissions 

To install and run the Windows agent properly, the service account used for the agent must have the following permissions: 

  • program data read/write access
  • program files read/write access
  • perform interactive login from users (domain & local)
  • run process under a different user profile
  • load user profile
  • read user token
  • impersonate user

Exclusions 

The HTTPS/443 traffic between the Cymulate agent and the Cymulate platform should be excluded from any mechanisms such as anti-malware, URL filtering, etc.

Accounts opened via the Cymulate website are automatically opened in the EU environment regardless of your region. In this case, follow the EU region exclusions.

Testing exclusions

Once the agent is installed, you can test the exclusions by running an agent Diagnostics test. For more information, see Running a Diagnostics test for an agent.

EU URL exclusions

The following list displays the required EU URL exclusions and what they are relevant for.

  • app.cymulate.com - Access to Cymulate platform
  • agent.app.cymulate.com - For Mac and Linux agent to cloud communication, getting instructions, and updating results and statuses from the agent.
  • agents.app.cymulate.com - For Windows agent to cloud communication, getting instructions, and updating results and statuses from the agent.
  • cyagent.app.cymulate.com - For Windows agent to cloud communication, for getting instructions and updating results and statuses from the agent.
  • agentlogs.app.cymulate.com - The Windows agent sends logs to this URL.
  • api.app.cymulate.com - For users that use the Cymulate REST API.
  • edr-resources.app.cymulate.com - Where the agent downloads resources for Endpoint Security assessments.
  • dlp-resources.app.cymulate.com - Where the agent downloads resources for Data Exfiltration assessments.
  • cypy.app.cymulate.com - Advanced Scenarios.

US URL exclusions

The following list displays the required US URL exclusions and what they are relevant for.

  • us-app.cymulate.com - Access to Cymulate platform
  • agent.us-app.cymulate.com - For Mac and Linux agent to cloud communication, getting instructions, and updating results and statuses from the agent.
  • agents.us-app.cymulate.com - For Windows agent to cloud communication, getting instructions, and updating results and statuses from the agent.
  • cyagent.us-app.cymulate.com - For Windows agent to cloud communication, for getting instructions and updating results and statuses from the agent.
  • us-cyagent.cymulate.com - For Windows agent to cloud communication, for getting instructions and updating results and statuses from the agent.
  • agentlogs.us-app.cymulate.com - The Windows agent sends logs to this URL. 
  • api.us-app.cymulate.com - For users that use the Cymulate REST API. 
  • edr-resources.us-app.cymulate.com - Where the agent downloads resources for Endpoint Security assessments.
  • dlp-resources.us-app.cymulate.com - Where the agent downloads resources for Data Exfiltration assessments.
  • cypy.app.cymulate.com - Advanced Scenarios
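
An added example (not Cymulate code): a Python audit of a proxy or firewall hostname allowlist against the EU and US exclusion lists above, plus an optional live TLS probe to run from the agent machine. The wildcard semantics in `rule_matches` and the direct (non-proxied) connection in `probe` are assumptions; adjust them to your product.

```python
import socket
import ssl

# Hostname prefixes shared by the EU and US exclusion lists on this page.
PREFIXES = ["", "agent.", "agents.", "cyagent.", "agentlogs.", "api.",
            "edr-resources.", "dlp-resources."]
REQUIRED = {
    "EU": [p + "app.cymulate.com" for p in PREFIXES]
          + ["cypy.app.cymulate.com"],
    "US": [p + "us-app.cymulate.com" for p in PREFIXES]
          + ["us-cyagent.cymulate.com", "cypy.app.cymulate.com"],
}
# The two wildcard destinations from the communication requirements table.
TABLE_WILDCARDS = ["*.app.cymulate.com", "*.us-app.cymulate.com"]


def rule_matches(rule, host):
    """Assumed rule semantics (check your product's documentation):
    '*.example.com' matches any subdomain but not the apex 'example.com';
    any other rule must equal the host exactly."""
    rule, host = rule.lower().rstrip("."), host.lower().rstrip(".")
    if rule.startswith("*."):
        return host.endswith(rule[1:])
    return host == rule


def uncovered(allowlist, region):
    """Required hosts for the region that no allowlist rule matches."""
    return [h for h in REQUIRED[region]
            if not any(rule_matches(r, h) for r in allowlist)]


def probe(host, timeout=5.0):
    """Live check: complete a TLS handshake on 443 and return the
    certificate issuer's organization. An unexpected issuer or a
    verification error suggests the traffic is still being inspected."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return issuer.get("organizationName", "unknown issuer")
    except OSError as exc:  # includes ssl.SSLError, DNS errors and timeouts
        return "error: %s" % exc


if __name__ == "__main__":
    for region in REQUIRED:
        print(region, "not covered by table wildcards:",
              uncovered(TABLE_WILDCARDS, region))
```

Under these semantics, the two wildcards alone leave `app.cymulate.com` uncovered for EU, and `us-app.cymulate.com` and `us-cyagent.cymulate.com` uncovered for US, so those hosts need explicit rules.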

Private tenant exclusions 

The following list displays the private tenant URL exclusions and what they are relevant for.

  • {tenantName}-agent.cymulate.com - Mac and Linux agent
  • {tenantName}-cyagent.cymulate.com - Windows agent
  • {tenantName}.cymulate.com - Access to Cymulate platform 
  • {tenantName}-api.cymulate.com - For users that use the Cymulate REST API. 
  • {tenantName}-agentlogs.cymulate.com - The Windows agent sends logs to this URL.

Directory exclusions

Some directories must be excluded/whitelisted for the assessments to run properly. Based on your operating system, exclude the following directories (and their sub-folders) on your security controls. Your security controls must also allow downloading encrypted files to these paths.

For more information on setting exclusions in specific security tools, see Whitelisting and exclusions in security products.

Windows agents

  • C:\Program Files\Cymulate\Agent\** 
  • C:\ProgramData\Cymulate\Agent\**

Ensure the Cymulate agent has read/write permissions for C:\Windows\SystemTemp and C:\Windows\Temp and that no security policies or software are blocking access to these directories.

Mac

  • /Applications/Cymulate/Agent/*
  • /Users/Shared/Cymulate/Agent/*

Mac agents must be installed and run with root privileges.

Linux agent

  • /usr/local/lib/Cymulate/Agent/* 
  • /usr/local/share/Cymulate/Agent/*

Module specific requirements

Email Gateway requirements

During Email Gateway assessments, numerous emails are sent in a short period of time, which can trigger spam filters. To accurately test your organization’s security engines, such as anti-virus, sandbox, URL filter, and more, it is necessary to whitelist the Cymulate attack server IP address/domain from your email’s anti-spam filtering.

This allows assessment emails sent through the Cymulate mail server to reach the configured mailbox without being mistakenly flagged as spam. This exclusion is essential to ensure an effective evaluation of your organization's email security.

  1. Set up a dedicated mailbox under your email domain (e.g., cymulate@example.com).
  2. Exclude the following from anti-spam filtering and Rate Limiting and Throttling policies:
    • IP address - 18.202.69.111
    • Domain - cymulatemailgateway.com

Supported email platforms 

The Cymulate Agent supports multiple communication options with a dedicated mailbox:

  • Microsoft Exchange - HTTP connection to Microsoft Exchange (Preferred). The agent will prompt for user mailbox credentials and exchange server IP/Hostname address.
  • Office 365 - Select one of the following authentication methods:
    • Interactive - If there is an interactive browser on your system, it will automatically open and prompt you to log in to your account.
    • DeviceCode - Copy the code and enter it when prompted.
    • AppOnly - This authentication method (OAuth 2.0) is only available if you registered an Azure AD application. See Connecting Office 365 - using the App-only authentication method.

Note: Hybrid mailboxes are not supported by Microsoft Graph API.

  • GSuite - There are two available connection options:
  • Dynamic IMAP - The Dynamic IMAP option enables a connection with any email client, including those currently unsupported, or for users preferring dynamic IMAP connections.
  • Outlook client (IMAP and SMTP) - Available for Windows OS only. Connects to an Outlook application running on the local machine that the Cymulate agent is installed on. The Cymulate agent will use the Outlook COM object to monitor incoming/outgoing email traffic using Outlook (Outlook 2013 and above is required).

Follow these steps to enable the Cymulate agent to use the Outlook API:

  1. Add cymulate.com domain to Safe Senders List in Outlook (How Do I Add a Domain to Safe Senders in Outlook?)
  2. In Outlook, go to File > Options.
  3. Click Trust Center, and then click Trust Center Settings.
  4. Click Programmatic Access.
  5. Select Never warn me about suspicious activity and click OK.

Web Gateway requirements

To ensure accurate testing of the Web Gateway, it is necessary to partially whitelist the URLs that the agent uses to download potentially malicious files during inbound testing. The following URLs should be excluded from URL filtering while maintaining file download scanning, AV, and sandbox checks:

  • https://cym-files-download.s3.eu-west-1.amazonaws.com
  • https://s3-eu-west-1-r-w.amazonaws.com/

Web Application Firewall requirements

During WAF assessments, Cymulate sends a high volume of web payloads in a short amount of time which can trigger anti-bot/anti-DDoS mechanisms.

To ensure the assessment accurately tests the resilience of your application's security measures, it is essential to whitelist the specific source IP addresses provided. By excluding these IPs from your WAF's anti-bot/anti-DDoS protection, you enable the assessment to function without interference, allowing for a comprehensive evaluation of your application's defenses against web-based attacks.

EU

  • 54.217.50.18
  • 52.208.202.111
  • 52.49.144.209

US

  • 54.237.172.129
  • 35.169.219.115
  • 52.4.48.52

Important note for Imperva users

If you are using Imperva, please contact their customer support to disable the Three Strike Rule. This adjustment prevents the source IP from being blocked, yet continues to block WAF violations, ensuring Cymulate assessments run smoothly.

Endpoint Security requirements

During Endpoint Security assessments, Cymulate needs to retrieve the endpoint attack files from its cloud. To ensure the attack files are downloaded properly and not blocked by the web gateway, whitelist the following domains in your Web gateway/Firewall:

EU

  • edr-resources.app.cymulate.com

US

Microsoft Office requirement

Some Endpoint Security executions require Microsoft Office to be installed on the machine for the scenarios to run properly.

Data Exfiltration requirements

During Data Exfiltration assessments, Cymulate attempts to exfiltrate data to various remote IPs and URLs. To enable Cymulate to effectively assess the performance of your data classification policy without interference from the Firewall or URL filtering mechanisms, it is necessary to whitelist the following URLs:

EU:

  • dlp-resources.app.cymulate.com

US:

  • dlp-resources.us-app.cymulate.com

The following domains are where the agent attempts to exfiltrate the data:

EU:

  • p5.cymulatedlp.com (for HTTPS, HTTP, Browser HTTPS, and Browser HTTP categories). This domain should not be blocked by URL filtering.
  • allports.cymulatedlp.com (for port scanning for the Open ports category)

US: 

  • http://u7.cymulatedlp.com/ (for HTTPS, HTTP, Browser HTTPS, and Browser HTTP categories). This domain should not be blocked by URL filtering.
  • allports.cymulatedlp.com (for port scanning for the Open ports category)

Advanced Scenarios requirements

To run assessments with the Advanced Scenarios module, Cymulate needs to retrieve the advanced scenarios files from its cloud. To ensure the attack files are downloaded properly and not blocked by the web gateway, you should exclude the following URLs.

EU and US:

  • cypy.app.cymulate.com

Phishing Awareness requirements

To ensure that Phishing Awareness assessments run properly, you should exclude the Cymulate attack server from your email solution's anti-spam/anti-phishing protection. By doing so, phishing emails sent through the Cymulate mail server can reach the target mailboxes without being flagged as spam. This exclusion is necessary for an effective evaluation of your organization's phishing awareness.

Exclude/Whitelist the following from anti-spam or anti-phishing protection:

Domain:

  • EU - support-eu.lionnets.com
  • US - support-us.lionnets.com

IP address:

  • IP address - 54.170.181.225

Hopper requirements

The Hopper module assesses an organization’s privilege management and network segmentation. To ensure this layer of security is tested without being blocked by the EDR, it is necessary to whitelist the following binary hashes on all machines in the network:

  • File name: CymulateLM.exe
  • File name: CymulateLM64.exe

MD5, SHA1, SHA256 hash values for these files can be found under Settings > Agents > Download agent > Agent hashes.

Additionally, whitelist the following binary hashes on the agent machine (the machine used as the Hopper starting point):

  • File name: HopperMaster.dll
  • File name: HopperReport.zip

MD5, SHA1, SHA256 hash values for these files can be found under Settings > Agents > Download agent > Agent hashes.

Exposure Analytics requirements

To ensure proper communication between the agent and Connectors, allow network access for the following domains:

  • https://cybi-resources-and-results.app.cymulate.com
  • https://cyagent.app.cymulate.com
  • https://agentlogs.cymulate.com

If you have a proxy configured on your machine, you must configure the proxy settings when installing the agent.