Quickstart
Get Kysira running in your Kubernetes cluster in under 10 minutes.
Step 1 — Get your credentials
Log in to app.kysira.com and navigate to Pull credentials. You'll find:
- New credentials — Connect your GH account with Kysira
- GHCR Repo — Kysira images available
These are used to pull the Kysira container images from GitHub Container Registry in the next step.
Step 2 — Create the pull secret
```bash
kubectl create namespace kysira
kubectl create secret docker-registry kysira-pull \
  --docker-server=ghcr.io \
  --docker-username=<your-ghcr-username> \
  --docker-password=<your-ghcr-token> \
  --namespace kysira
```
Step 3 — Configure your deployment
Copy the example values file from your account dashboard, or start from this minimal config:
```yaml
# kysira-values.yaml
kysira-proxy:
  config:
    targetURL: "http://your-app:3000"  # in-cluster URL of the app to protect
    mode: shadow                       # start in shadow mode — observe before blocking
    scoreThreshold: "0.95"
  imagePullSecrets:
    - name: kysira-pull
kysira-inference:
  imagePullSecrets:
    - name: kysira-pull
kysira-dashboard:
  imagePullSecrets:
    - name: kysira-pull
```
Replace http://your-app:3000 with the in-cluster URL of the application you want to protect.
Step 4 — Deploy
```bash
helm upgrade --install kysira oci://ghcr.io/kysira/charts/kysira-platform \
  --namespace kysira \
  --values kysira-values.yaml \
  --wait --timeout 15m
```
The first deploy takes a few minutes while the inference container downloads and loads the ML models (~1.5 GB). Subsequent deploys are fast.
Step 5 — Verify
```bash
# All pods should be Running
kubectl get pods -n kysira

# Proxy health
kubectl exec -n kysira deployment/kysira-proxy -- \
  wget -qO- http://localhost:8080/_kysira/health

# Fire a test SQL injection (shadow mode — passes through, appears in dashboard)
PROXY=$(kubectl get svc -n kysira kysira-proxy -o jsonpath='{.spec.clusterIP}')
curl "http://$PROXY/any-path?q=1'+OR+'1'='1"
```
Open the dashboard — the test request should appear with a high SQLi score.
```bash
# Port-forward the dashboard if you don't have an ingress configured
kubectl port-forward -n kysira svc/kysira-dashboard 8082:80
# Then open http://localhost:8082
```
Step 6 — (Optional) Switch to active mode
Once you're satisfied with the shadow mode results and the false-positive rate, switch to active blocking:
```bash
kubectl exec -n kysira deployment/kysira-proxy -- \
  wget -qO- --post-data='{"mode":"active"}' \
  --header='Content-Type: application/json' \
  http://localhost:8080/api/mode
```
Or via Helm (persists across restarts):
```bash
helm upgrade kysira oci://ghcr.io/kysira/charts/kysira-platform \
  --namespace kysira --reuse-values \
  --set "kysira-proxy.config.mode=active"
```
In active mode, requests scoring above the threshold are blocked with a 403 before reaching your application.
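One way to put a number on the false-positive rate that Step 6 asks you to check before switching modes, as an added example that is not Kysira's own code or tooling. It assumes you have triaged shadow-mode requests into `(path, score, is_attack)` tuples; that layout, the sample data and the function names are assumptions, and blocking follows the rule above (score strictly above the threshold).

```python
"""Estimate what active mode would block, from triaged shadow-mode data."""
# ASSUMPTION: each observation is (path, score, is_attack), where is_attack is an
# analyst's verdict. This layout is hypothetical, not a Kysira export format.

SCORE_THRESHOLD = 0.95  # numeric form of scoreThreshold: "0.95" in kysira-values.yaml

# Constructed sample observations (not real traffic).
OBSERVATIONS = [
    ("/search?q=shoes", 0.02, False),
    ("/any-path?q=1'+OR+'1'='1", 0.99, True),          # the Step 5 test request
    ("/api/report?filter=select+plan", 0.96, False),   # benign but scored high
    ("/login", 0.10, False),
    ("/items?id=<triaged-attack-1>", 0.97, True),
    ("/items?id=<triaged-attack-2>", 0.90, True),      # attack scored under threshold
    ("/docs/sql-or-nosql", 0.40, False),
    ("/cart", 0.01, False),
]


def evaluate(observations, threshold):
    """Count outcomes if active mode blocked every score strictly above threshold."""
    blocked_benign = [p for p, s, atk in observations if s > threshold and not atk]
    blocked_attack = [p for p, s, atk in observations if s > threshold and atk]
    missed = [p for p, s, atk in observations if s <= threshold and atk]
    benign_total = sum(1 for _, _, atk in observations if not atk)
    return {
        "threshold": threshold,
        "would_block": len(blocked_benign) + len(blocked_attack),
        "false_positives": blocked_benign,   # legitimate requests that would get a 403
        "missed_attacks": missed,            # attacks that would still reach the app
        "false_positive_rate": len(blocked_benign) / benign_total if benign_total else 0.0,
    }


def ready_for_active(observations, threshold, max_fp_rate=0.0):
    """True only if the benign-block rate at this threshold is within max_fp_rate."""
    return evaluate(observations, threshold)["false_positive_rate"] <= max_fp_rate


if __name__ == "__main__":
    for t in (0.90, SCORE_THRESHOLD, 0.965):
        r = evaluate(OBSERVATIONS, t)
        print(f"threshold={t}: block={r['would_block']} "
              f"fp_rate={r['false_positive_rate']:.2f} "
              f"fp={r['false_positives']} missed={r['missed_attacks']}")
```

Raising the threshold trades false positives for missed attacks, so review both lists, not just the rate, before changing `scoreThreshold` or the mode.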
What's next
- Deployment guide — all four integration models (standalone proxy, Istio ext_proc, standalone Envoy, nginx)
- Client deployment — ingress, TLS, DNS, and production sizing
- Observability — connect to your existing Grafana or Datadog
- Troubleshooting — common issues and how to diagnose them