Skip to main content
MainTegrity Cyber Security Framework (CSF)
MainTegrity Cyber Security Framework (CSF)
End-to-End Cyber Security for IBM z/OS

CSF Foundation

The core engine: Freeze threats in milliseconds, make recovery a breeze.

MainTegrity CSF cyber security suite for z/OS CSF FoundationFIM+EarlyWarningNetWatchSupplyChain
Suite Overview ›

React. Investigate. Recover.


CSF Foundation is the core platform that powers every MainTegrity deployment — real-time reaction, browser-based forensics, intelligent whitelisting, and guided recovery for IBM z/OS.

When any module detects a threat, Foundation is what stops it. Millisecond suspension. Automatic containment. Your team investigates while damage is frozen — not while it's spreading.

Every CSF deployment starts here. Add FIM+, Early Warning, NetWatch, or Supply Chain as your threat coverage requirements grow. See the full suite

Why CSF?

40+ Blind Spots Your Current Tools Can't See

RACF, ACF2, and Top Secret prevent intrusions. Foundation watches what happens after someone logs in with legitimate credentials — and turns detection into containment.

Damage Frozen. Decisions Unrushed.

The offending task is suspended before your team even opens the alert. You investigate a frozen scene, not a moving target.

Pentesters 0, CSF 3

Independent z/OS penetration testers — well known in the industry — have tested CSF extensively. No pentester to date has breached a CSF-protected system.

Recovery That Knows Which Backup Is Clean

The included Restore Assist doesn't just generate recovery JCL — it identifies when malware was installed so you pick the right backup point. The difference between restoring clean and reinfecting yourself.

Integration

CSF integrates bi-directionally via RESTful APIs with ServiceNow, BMC Helix/Remedy, Splunk, IBM QRadar, Sumo Logic, ArcSight, and IBM TZ. Alerts flow to your SOC. Foundation handles automated response.

One Intelligence Layer for Everything

Foundation's whitelisting and workload discovery serve every module — learning what normal looks like per job, per user, per program. All modules inherit less than 5% false positive rates from day one. No module-by-module tuning.

Any Analyst. Any Incident. One Click.

Browser-based forensics — no deep mainframe expertise required. Alert arrives, one click opens the full incident with all forensic data pre-loaded.

Compliance

CSF enhances compliance with PCI DSS (Controls 10.5, 11.5), NIST CSF, DORA, Zero Trust, ISO 27001, HIPAA, SOX, and GDPR. See detailed mappings →

A note about SMF

Many organizations assume SMF provides adequate security monitoring. It doesn't. SMF was built as an accounting tool — it aggregates data over intervals, can't distinguish approved encryption from rogue encryption, and can't stop anything. Foundation can.

The Cost of Standing Still

See more on the cost of a breach
  • Anthem (2015) — 78.8M patient records stolen. Undetected for 3 months. ~$500M+ in costs.
  • Equifax (2017) — 147M records exposed. Weeks to determine scope. $1.4B in costs.
  • UnitedHealth Group (2024) — 1/3 of Americans affected. 9 days offline. $3B+ write-down.

Every one of these breaches went undetected for days, weeks, or months. CSF detects attack patterns in seconds.

CSF Foundation key features

Real-time Reaction

The Gift of Time. When a threat is detected, Foundation suspends the offending task in milliseconds. Damage stops. Business continues. Your team reviews the alert and decides: resume if legitimate, or terminate and investigate.

No one is racing against an active attacker. The problem is frozen. Decisions are better when you're not making them under fire.

Human Interface

Investigate in seconds, not hours. Alert emails contain a direct link to the incident — forensic data pre-loaded. One click from inbox to full picture: affected files, user actions, network transfers, timeline.

No green screen. No deep mainframe expertise required. Any security analyst can investigate.

Every CSF interface — browser, ISPF, batch — runs on a single RESTful API. Anything in the GUI is equally available for automation and integration. See the demo →

Restore Assist

Recover with confidence — not hope.  Generates JCL to recover affected datasets from the right source: IBM SafeGuarded Copy, Dell SnapVX/ZDP, Hitachi snapshots, or conventional backups (DFDSS, FDR, HSM). 

Workload Discovery & Whitelisting

Before CSF enforces anything, it listens. The workload discovery engine profiles every job, user, and program on each LPAR — building a behavioral map of what normal looks like in your environment.

Jobs that conform to established patterns don't generate alerts. Jobs that exceed their baseline by more than the configured variance get flagged. This applies across all modules — including NetWatch for network transfers.

More intelligence, less noise

    Less than 5% false positive rate. Industry standard is 90%+. That's the difference between a tool your team trusts and one they ignore.

Foundation at Work

The 3 AM Encryption Attack

Ransomware starts encrypting production datasets at 3 AM. Nobody is in the office. Foundation's reaction engine suspends the offending task automatically — in milliseconds. By the time your on-call analyst opens the alert email and clicks through to the forensics browser, the attack is frozen in place. Not escalating. Not spreading. Just waiting for a decision.

The Batch Job That Changed Its Habits

A long-running batch job that normally processes 50,000 records suddenly starts touching 500,000. Workload discovery knows this job's behavioral baseline. Foundation flags the deviation and suspends the task. Your team reviews — turns out a developer changed the job scope without submitting a change request. Resume the job, update the whitelist, move on. No breach. No panic. Just the system doing its job.

CICS and the Thousand False Alarms

CICS impersonates other RACF users during normal transaction processing — it's how CICS works. Without intelligent filtering, that's thousands of impersonation alerts per day. Foundation's whitelisting engine learns which impersonations are legitimate and silences them. A genuinely suspicious impersonation — someone who isn't CICS trying the same trick — still triggers immediately.

The Backup That Wasn't Clean

After an incident, your team reaches for the most recent SafeGuarded Copy snapshot. Restore Assist flags a problem: CSF's timeline shows malware was installed two days before the visible attack. That "clean" immutable snapshot contains the backdoor. Restore Assist points you to a conventional backup from before the actual compromise — and after recovery, FIM+ verifies every restored file against its vault. Confirmed clean.

The SOC Analyst Who's Never Touched a Mainframe

A security analyst on your SOC team gets a CSF alert. She's never used TSO, doesn't know ISPF, and can't read JCL. She clicks the link in the alert email. The browser-based forensics interface opens with the full incident pre-loaded — which files were affected, who did it, when it happened, what the recommended response is. She makes the call. No green screen required.

The CSF Suite Modules

FIM+ 
(File Integrity Monitoring)

"Has anyone tampered with my critical files?"

Monitors critical system datasets for unauthorized changes. Detects malware and ransomware insertion. Alerts on unapproved updates. Enables surgical recovery of only affected components.
    More on FIM+

    Early Warning

    "Is someone probing my system?"

    Detects reconnaissance activity, privilege escalation attempts, and malicious encryption — plus 40 other z/OS exposure points. Blocks exploits before they take effect.
    More on Early Warning

    NetWatch

    "Is my data being stolen?"

    Monitors network connections to detect and stop unauthorized data transfers. Discovers your z/OS network topology, learns behavioral baselines, and halts suspicious activity at threshold. Once data is stolen, no amount of backup brings it back.
    More on NetWatch

    Supply Chain

    "Can I trust this software update?"

    Validates vendor software releases against cryptographic signatures before installation. Blocks compromised code before it enters your environment. Improves approval process and monitors external code changes.
    More on Supply Chain

    CSF Foundation

    The engine underneath it all.  Provides millisecond task suspension, browser-based forensic investigation, intelligent workload whitelisting, and guided recovery assistance. Every module depends on Foundation — it's what actually freezes the attack.

    Response Chain

    Early Warning detects → Foundation suspends → FIM+ identifies affected files → Restore Assist generates recovery JCL → FIM+ verifies post-recovery integrity. 

    See a Demo

    Watch CSF detect & stop an encryption attack

    Book a meeting

    Speak directly with MainTegrity experts

    Talk to our AI Agent

    24/7 in multiple languages