I just wanted to protect a backup server.
VaultGuardian didn’t start as a cybersecurity company. It started with sensitive documents sitting on the internet longer than they should have been — and the realization that fixing that problem would create the next one.
It started with driver’s licenses in a cloud bucket
I’m the solo developer and technical lead at a company where customers submit professional applications — including copies of their driver’s licenses. We were storing everything in Cloudflare R2. It worked. But keeping identity documents on internet-accessible storage longer than necessary felt wrong — operationally and from a risk standpoint.
So I built a dedicated backup server. Its only job: pull sensitive files off cloud storage after the business need passes, retain them locally for the required period, and let us delete the originals from R2. Simple. Responsible.
Then the next question hit me: what protects the backup server?
Backup servers have near-zero legitimate upload traffic by design. They pull data in. They don’t send it out. If an attacker compromises one and starts exfiltrating, the upload pattern is obvious — if anything is watching.
Nothing was watching. So I built something that would.
[problem] sensitive docs sitting in cloud storage too long
[solution] dedicated backup server → pull from R2 → delete originals
[problem] what protects the backup server itself?
[observation] backup servers have near-zero legitimate upload traffic
[solution] inline hardware that monitors egress → kills exfiltration
[product] → DEC-1
[problem] protection without detection is incomplete
[observation] the logs already contain evidence of every attack
[solution] AI-powered log classification that learns from every line
[product] → Observer
$ thesis → reduce exposure. detect abuse. stop exfiltration.
Then I started reading the breaches
I built VaultDEC to solve my own problem. Then I read every major breach post-mortem from 2023 to 2025 — and realized the pattern wasn’t unique to me. It was everywhere.
[2023] MOVEit — 3,000 orgs — EXFIL ONLY
[2023] MGM — 6 TB stolen — EXFIL → ENCRYPT
[2023] Caesars — 65M records — EXFIL ONLY
[2024] Microsoft — 7 wks undetected — EXFIL ONLY
[2024] Change HC — 6 TB / 192.7M records — EXFIL → ENCRYPT
[2024] Snowflake — 165 companies — EXFIL ONLY
[2024] Salt Typhoon — 3+ yrs undetected — EXFIL ONLY
$ pattern → exfiltration precedes encryption in 100% of cases
$ detection → 0 of 8 caught by automated security tooling
Every one of these breaches involved data leaving the network — sometimes terabytes — before anyone noticed. The tools that were supposed to catch it didn’t. The problem I was solving for one backup server turned out to be the problem the entire industry was ignoring.
Protect the vault. Catch the intruder.
Two products built from the same operational problem. The DEC-1 stops data from leaving. Observer watches for suspicious activity while it’s happening. Together, they form a defense-in-depth layer that covers network egress and host-level intelligence.
DEC-1
Deterministic Egress Controller. An inline Layer 2 bridge that sits between your router and server, monitors upload traffic with deterministic thresholds, and severs the connection in milliseconds when it detects exfiltration. No cloud. No AI. Pure physics.
Observer
AI-powered log security. Watches container and system logs in real time, classifies every line using tiered pattern matching backed by LLM inference, and learns from every line it sees. The first classification costs seconds. Every repeat is instant.
What we believe
Local-first, always
Both products work without an internet connection. The DEC-1 has no cloud dependency. Observer runs a local LLM or connects to a cloud API — your choice. Your security should never depend on someone else's uptime.
Determinism where it matters
The DEC-1 uses math, not models. Upload speed exceeds the threshold? Connection dies. No false positives from a confused neural network. Observer uses AI for classification, but its pattern cache is deterministic — once learned, every repeat match is instant and predictable.
Transparency as policy
We publish exactly how VaultGuardian works. Our detection methods are open to scrutiny. Security through obscurity is a liability. We'd rather you understand the products completely and trust them because you've verified them.
Honesty about limits
VaultGuardian doesn't stop initial access. It doesn't prevent lateral movement. It doesn't replace your firewall, your EDR, or your patch management. It reduces exposure, detects suspicious activity, and stops data from leaving. That's the scope. That's what we're great at.
Every decision has a reason
VaultGuardian wasn’t born in a pitch deck. Every design choice traces back to a specific threat scenario, failure mode, or lesson learned from building and deploying these tools in a real production environment.
Software kill, not hardware relay
A relay cutting power could corrupt the filesystem on the protected server — and when the local copy is the only copy, that's catastrophic. Software link-down is clean and safe.
Go for everything
Go is memory-safe, compiles to a single static binary, has exceptional networking libraries, and needs no runtime dependency. Both products ship as one file. Nothing to break.
Layer 2 bridge, not Layer 3 routing
No IP address means no attack surface. The DEC-1 is invisible to network scans. An attacker who has compromised the protected server cannot discover, target, or disable it.
Learn from inference, serve from cache
Observer pays for AI classification once per log pattern. Every repeat is a nanosecond cache hit. The system gets cheaper and faster the longer it runs — the opposite of most AI products.
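The learn-once, serve-from-cache loop described above, as an added Go example (an assumed design for illustration, not Observer's source): volatile fields are stripped to a template, a template seen before is answered from the cache, and only a new template reaches the inference tier, which is replaced here by a constructed keyword stand-in. The log lines are constructed, not real logs.

```go
package main

import (
	"regexp"
	"strings"
)

// Classifier mirrors the learn-once, serve-from-cache design described above;
// it is an assumed design for this example, not Observer's source.
type Classifier struct {
	Infer      func(line string) string // slow tier: a stand-in for the LLM call
	InferCalls int                      // how often the slow tier actually ran
	cache      map[string]string        // fast tier: template -> learned label
}
var ipRe = regexp.MustCompile(`\b\d{1,3}(\.\d{1,3}){3}\b`)
var numRe = regexp.MustCompile(`\b\d+\b`)

// Template strips volatile fields (addresses, ports, ids, dates) so repeats of
// one event with different values share a single cache entry.
func Template(line string) string {
	return numRe.ReplaceAllString(ipRe.ReplaceAllString(line, "<ip>"), "<n>")
}

// Classify returns the label and the tier that produced it: "cache" or "infer".
func (c *Classifier) Classify(line string) (label, tier string) {
	key := Template(line)
	if l, ok := c.cache[key]; ok {
		return l, "cache" // deterministic fast path: every repeat lands here
	}
	if c.cache == nil {
		c.cache = map[string]string{}
	}
	c.InferCalls++
	c.cache[key] = c.Infer(line) // paid once per template, then never again
	return c.cache[key], "infer"
}

// KeywordInfer is a constructed offline stand-in for the model tier.
func KeywordInfer(line string) string {
	for k, v := range map[string]string{"Failed password": "auth-failure", "No space left": "disk-full"} {
		if strings.Contains(line, k) {
			return v
		}
	}
	return "unknown"
}
// SampleLines are constructed sshd/rsync-style lines, not real logs.
var SampleLines = []string{
	"Failed password for invalid user admin from 203.0.113.7 port 51312 ssh2",
	`rsync: write failed on "/backups/2025-01-01.tar": No space left on device (28)`,
	"Failed password for invalid user admin from 203.0.113.9 port 51399 ssh2",
	`rsync: write failed on "/backups/2025-01-02.tar": No space left on device (28)`,
}
```

Feeding SampleLines through a Classifier in order costs two inference calls; the third and fourth lines differ from the first two only in address, port or date and are served from the cache.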
MAC-filtered counting, not deep packet inspection
The DEC-1 doesn't care what's in the packets. It counts bytes and direction. An attacker can encrypt their exfiltration stream — it doesn't matter. The bytes still have to leave.
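The counting rule described above (and under "Determinism where it matters"), as an added Go example that is not the DEC-1 firmware: only frames whose source MAC is the protected server count as upload, the upload rate over a sliding window is compared with a fixed limit, and a trip latches the link down. The type and field names, the MAC addresses and the packet trace are constructed for illustration; window and limit are parameters chosen by the caller.

```go
package main

import "time"

// Frame is all the meter sees: arrival time, sender MAC, length; payload is never read.
type Frame struct {
	At     time.Time
	SrcMAC string
	Len    int
}

// EgressMeter counts upload bytes from the protected MAC over a sliding window and
// latches the link down once the rate exceeds the limit (assumed names, not DEC-1 code).
type EgressMeter struct {
	ProtectedMAC     string
	Window           time.Duration
	LimitBytesPerSec int64
	LinkDown         bool
	frames           []Frame // upload frames still inside the window
	bytes            int64   // their total length
}

// Observe feeds one frame (timestamps non-decreasing); true means the link is severed.
func (m *EgressMeter) Observe(f Frame) bool {
	if m.LinkDown || f.SrcMAC != m.ProtectedMAC {
		return m.LinkDown // latched, or not an upload: nothing to count
	}
	m.frames, m.bytes = append(m.frames, f), m.bytes+int64(f.Len)
	for m.frames[0].At.Before(f.At.Add(-m.Window)) { // age out old frames
		m.bytes -= int64(m.frames[0].Len)
		m.frames = m.frames[1:]
	}
	if m.bytes*int64(time.Second)/int64(m.Window) > m.LimitBytesPerSec {
		m.LinkDown = true // a real bridge would take the port down here
	}
	return m.LinkDown
}

// SampleTrace is a constructed capture: a quiet phase (tiny uploads, large inbound frames), then a 1500 B/ms upload burst.
func SampleTrace(protected, router string) (tr []Frame) {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	at := func(ms int) time.Time { return t0.Add(time.Duration(ms) * time.Millisecond) }
	for i := 0; i < 10; i++ {
		tr = append(tr, Frame{at(i * 40), protected, 100}, Frame{at(i*40 + 1), router, 1500})
	}
	for i := 0; i < 2000; i++ {
		tr = append(tr, Frame{at(500 + i), protected, 1500})
	}
	return tr
}
```

With Window: time.Second and LimitBytesPerSec: 1_000_000, feeding SampleTrace through Observe trips the latch during the burst (frame index 686) and never on the quiet phase, and the large inbound frames are never counted because their source MAC is not the protected one.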
What VaultGuardian is not
The security industry is full of products that claim to do everything. We’d rather tell you exactly what we don’t do, so you can trust us on what we do.
✕ Not a firewall
We don't filter inbound traffic or manage access rules. Your firewall does that. We watch what leaves.
✕ Not an IDS / IPS
The DEC-1 doesn't inspect packet payloads or match signatures. It counts bytes and measures speed. Simpler. Harder to evade.
✕ Not cloud-dependent
No internet connection required for the DEC-1. Observer works with a local LLM or a cloud API — your choice. Neither product phones home.
✕ Not a SIEM replacement
Observer classifies and alerts on log lines in real time. It's not a log aggregation platform or a compliance dashboard. It watches and learns.
✕ Not a silver bullet
VaultGuardian is one layer in a defense-in-depth strategy. You still need access controls, patch management, backups, and incident response.
✕ Not vaporware
Working firmware, deployed hardware, Observer running in production catching real threats. We ship, we iterate, and we show our work.
Built by an operator, not a pitch deck.
I’m a solo developer and technical lead responsible for real sensitive documents in a real company. I built VaultGuardian because “store it online and hope for the best” wasn’t good enough.
No venture capital dictating the roadmap. No enterprise sales team inflating the feature list. No marketing department inventing threats I don’t actually solve.
I answer support emails personally. I publish the methodology openly. And when I don’t know something, I say so.
Reduce exposure.
Detect and stop.
The DEC-1 prevents data exfiltration from backup infrastructure. Observer catches threats in your logs before they escalate.