Invisible protection that kills in milliseconds
VaultGuardian sits inline between your router and backup server as a Layer 2 bridge. It monitors traffic in real time, measures egress speed, and severs the connection the moment upload thresholds are breached. No AI. No cloud. Deterministic rules.
Ghost mode architecture
VaultGuardian operates as a transparent Layer 2 bridge: no IP address, no ARP presence, no IPv6 footprint. Nothing on the data path can address it, not your own network and not an attacker who has compromised your backup server.
Three dedicated interfaces
WAN port connects to your router. LAN port connects to the protected server. Management port provides an isolated administrative interface — physically separated from the data plane.
Minimal attack surface
No IP means it can't be pinged, scanned, or targeted on the data path. ARP disabled means it can't be discovered. STP disabled means the bridge forwards frames immediately instead of holding the port in listening and learning state, which would otherwise delay the server's DHCP lease at boot. An attacker on your backup server has no Layer 2 or Layer 3 address to send anything to on the inline path. Invisible is not the same as undetectable: the attacker learns the device exists when the link drops, but by then the alert has already fired.
Software kill, not hardware relay
When VaultGuardian kills a connection, it administratively brings down its own network interface in software. No relay clicking, and no cutting power to the protected server: the server stays up with its filesystems intact and simply loses its link. That matters when the device holds the only copy of your data.
The 5-Rule Detection Engine
Five complementary detection mechanisms working simultaneously. Each rule catches a different exfiltration pattern. Together, they make it extremely difficult for an attacker to move meaningful amounts of data without triggering at least one.
Big Packet Flood
Detects sustained large uploads
Monitors for streams of large outbound frames (>1000 bytes) sustained over a measurement window. A server that only receives backups sends almost nothing but small TCP ACKs; exfiltration sends full-size data segments. If your server also pushes backups offsite, that is legitimate large-frame upload: baseline it in monitoring mode before enforcing.
Medium Packet Drip
Detects low-and-slow exfiltration
Watches for sustained medium-sized outbound packets that stay below the flood threshold but persist over time. Catches attackers who throttle their upload to avoid detection.
Volume Backstop
Catches cumulative data theft
Tracks total bytes uploaded over a rolling time window. Even if individual packet rates stay low, the total volume triggers an alert once it crosses the threshold.
Idle Upload Trap
Detects uploads during expected silence
In the intended deployment your backup server pulls from R2 on a schedule. Between sync windows there should be near-zero upload traffic, so any meaningful upload during an idle period is immediately suspicious.
Speed Ceiling
Absolute speed limit enforcement
Hard ceiling on upload bandwidth. Legitimate traffic (ACKs, DNS queries) never approaches this limit. An attacker attempting full-speed exfiltration trips it within a single one-second measurement window.
Why deterministic?
AI-based detection systems have false positive rates, training data requirements, and can be adversarially fooled. VaultGuardian uses fixed rules: threshold exceeded = kill. No training data. No model drift. No opaque decisions. You can't upload 6 TB without generating upload traffic, and a deterministic threshold never misses what it is configured to catch. The flip side is that it catches only what it is configured to catch, which is why five overlapping rules cover rate, frame size, cumulative volume and timing, and why the thresholds are yours to tune.
Physics, not promises
From packet to kill in milliseconds
MONITOR
- Monitors packets traversing the bridge using gopacket/pcap
- Filters by MAC address — tracks only the protected device
- Source MAC = device → counted as upload (potential exfil)
- Dest MAC = device → counted as download (legitimate)
- 1-second measurement windows for real-time speed calculation
DETECT
- All 5 rules evaluated simultaneously every measurement window
- Upload speed compared against deterministic thresholds
- Three detection modes: STANDARD, STRICT, VAULT
- No ML models, no cloud analysis, no opaque decisions
- Threshold breach = instant trigger, zero deliberation
KILL + ALERT
- Network link to protected device severed via software
- Alert fired with key forensic context (speed, rule triggered, timestamp)
- JSONL log entry written with all packet metadata
- Management interface remains active on isolated port
- Re-arm requires manual action — no auto-reconnect
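The monitor, detect and kill pipeline above, modelled as an added example in Python (this is not VaultGuardian's code, which the page says is built on gopacket/pcap). Frames are classified by source MAC, counters roll up per 1-second window, all five rules are evaluated together when the window closes, and the action mode decides whether a hit kills, logs, or dry-runs. The per-mode threshold numbers, the action-mode names (ENFORCE, MONITOR, DRYRUN), the rule names other than BIG_PACKET_FLOOD, and the two traffic traces are assumptions made for this example; the product's real values are not on this page.

```python
# Model of a five-rule deterministic egress engine over 1-second windows. Added example,
# not VaultGuardian's code: frames are plain tuples pre-binned into 1-second windows (the
# appliance reads them from gopacket/pcap) and every threshold below is an assumption.
from collections import deque
from dataclasses import dataclass, field

# Thresholds per detection mode, in rule order: big-packet flood, medium-packet drip,
# volume backstop, idle upload trap, speed ceiling. Illustrative numbers only.
MODES = {
    "STANDARD": dict(big_pkt=1000, big_per_sec=2000, med_min=300, med_per_sec=500, drip_windows=10,
                     volume_bytes=500 << 20, volume_windows=300, idle_bytes=100 << 10, ceiling_mbps=50),
    "STRICT": dict(big_pkt=1000, big_per_sec=1000, med_min=300, med_per_sec=250, drip_windows=5,
                   volume_bytes=100 << 20, volume_windows=300, idle_bytes=32 << 10, ceiling_mbps=20),
    "VAULT": dict(big_pkt=1000, big_per_sec=100, med_min=300, med_per_sec=50, drip_windows=3,
                  volume_bytes=10 << 20, volume_windows=300, idle_bytes=4 << 10, ceiling_mbps=2),
}
ACTIONS = {"ENFORCE": "KILLED", "MONITOR": "LOGGED", "DRYRUN": "WOULD_KILL"}  # assumed names


@dataclass
class Engine:
    device: str                  # MAC of the protected server
    mode: str = "STANDARD"
    action: str = "ENFORCE"
    killed: bool = False
    alerts: list = field(default_factory=list)  # dicts: window, rule, speed_mbps, action
    window: int = 0
    up_bytes: int = 0
    big: int = 0
    med: int = 0
    drip: int = 0                # consecutive windows at or above the drip rate
    hist: deque = field(default_factory=deque)  # per-window upload bytes for the backstop

    def observe(self, frame):
        """frame = (src_mac, dst_mac, length). Source == device is upload; anything else is
        download to the device and not counted."""
        src, _dst, length = frame
        if src != self.device or (self.killed and self.action == "ENFORCE"):
            return  # not an upload, or the link is down until a manual re-arm
        t = MODES[self.mode]
        self.up_bytes += length
        if length > t["big_pkt"]:
            self.big += 1
        elif length >= t["med_min"]:
            self.med += 1

    def end_window(self, idle):
        """Close the 1-second window, evaluate all five rules together, apply the action mode."""
        t = MODES[self.mode]
        mbps = self.up_bytes * 8 / 1e6
        self.hist.append(self.up_bytes)
        if len(self.hist) > t["volume_windows"]:
            self.hist.popleft()
        self.drip = self.drip + 1 if self.med >= t["med_per_sec"] else 0
        checks = [
            ("BIG_PACKET_FLOOD", self.big >= t["big_per_sec"]),
            ("MEDIUM_PACKET_DRIP", self.drip >= t["drip_windows"]),
            ("VOLUME_BACKSTOP", sum(self.hist) >= t["volume_bytes"]),
            ("IDLE_UPLOAD_TRAP", idle and self.up_bytes > t["idle_bytes"]),
            ("SPEED_CEILING", mbps > t["ceiling_mbps"]),
        ]
        fired = [rule for rule, hit in checks if hit]
        for rule in fired:
            if self.action == "ENFORCE":
                self.killed = True  # stays killed: re-arm is a manual step
            self.alerts.append(dict(window=self.window, rule=rule,
                                    speed_mbps=round(mbps, 2), action=ACTIONS[self.action]))
        self.window += 1
        self.up_bytes = self.big = self.med = 0
        return fired


def replay(engine, windows, idle):
    """Feed pre-binned 1-second windows; idle(w) says whether window w falls between sync runs."""
    for w, frames in enumerate(windows):
        for f in frames:
            engine.observe(f)
        engine.end_window(idle(w))
    return engine


# Constructed MACs and traffic for the demonstration.
DEV, R2 = "c4:2c:03:aa:bb:cc", "00:11:22:33:44:55"


def burst(src, dst, n, size):
    return [(src, dst, size)] * n


def exfil_trace():
    # window 0: legitimate sync (1500-byte downloads, 66-byte ACKs back); window 1: quiet;
    # window 2: 12 MB full-speed upload from the protected server (96 Mbps)
    return [burst(R2, DEV, 10000, 1500) + burst(DEV, R2, 5000, 66),
            burst(DEV, R2, 20, 80),
            burst(DEV, R2, 8000, 1500)]


def drip_trace():
    # 12 windows of 600 x 500-byte uploads (2.4 Mbps): under the flood and ceiling limits
    return [burst(DEV, R2, 600, 500) for _ in range(12)]


if __name__ == "__main__":
    for name, trace, idle in (("exfil", exfil_trace(), lambda w: w != 0),
                              ("drip", drip_trace(), lambda w: False)):
        print(name, replay(Engine(DEV), trace, idle).alerts)
```

Two things the model makes visible that the bullet list does not: the low-and-slow trace never trips the flood or ceiling rules and is caught only by the drip counter after ten consecutive windows, and in VAULT mode the ACK stream of a perfectly legitimate 2.64 Mbps sync already exceeds the assumed 2 Mbps ceiling, which is exactly the kind of thing a dry-run pass is meant to surface before enforcing.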
The kill is the alarm
Most companies discover breaches weeks or months after the fact. VaultGuardian flips this — the moment the connection is killed, you know your infrastructure is compromised. The defensive action IS the detection event.
Because attackers typically exfiltrate data before encrypting it, catching the upload gives your team a response window to isolate other systems, capture forensic evidence, and potentially prevent ransomware deployment.
What a VaultGuardian alert tells you
{
  "ts": "2026-02-16T14:32:11Z",
  "type": "EXFILTRATION",
  "rule": "BIG_PACKET_FLOOD",
  "speed_mbps": 84.85,
  "threshold_mbps": 50,
  "action": "KILLED",
  "victim_mac": "c4:2c:03:xx:xx:xx"
}
Forensic logging
Every second of traffic is logged in JSON Lines format — upload speed, download speed, byte counts, timestamps. 180 days of retention. AI-ready format for future anomaly detection and pattern analysis across deployments.
We don't claim to solve everything
Your backup infrastructure needs two things. Most companies only have one.
Immutable Snapshots
ZFS, btrfs, or WORM storage. If an attacker encrypts your files, yesterday's snapshot is untouched, provided the attacker cannot delete the snapshots too: that is what retention locks and WORM media are for. This is well-understood and widely deployed.
VaultGuardian DEC-1
Deterministic egress enforcement at the network level. If an attacker tries to upload your data, the connection is severed in milliseconds. The kill event doubles as instant breach detection.
Snapshots protect against encryption. VaultGuardian protects against exfiltration. Together, your backup infrastructure is defended against both halves of the modern ransomware playbook.
Three detection modes, three action modes
Detection Modes
- STANDARD: Balanced thresholds for typical backup server workloads. Good starting point for most deployments.
- STRICT: Tighter thresholds for high-security environments. Lower tolerance for upload traffic.
- VAULT: Maximum security. Near-zero upload tolerance. Designed for isolated archives and systems that should never upload.
Action Modes
- Production mode. Thresholds enforced. Connections killed on breach. This is the real deal.
- Monitoring only. Logs everything, kills nothing. Use this to baseline your traffic patterns before going live.
- Simulates kills without actually severing the connection. Validates your thresholds are set correctly.
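Turning a monitoring-only run into thresholds, as an added example that is not the product's own tooling. It parses the per-second JSONL described under Forensic logging, finds the peak and 99th-percentile upload speed and the largest rolling 300-second upload volume, and adds headroom to suggest a SPEED_CEILING and a VOLUME_BACKSTOP. The field names ts, up_mbps, down_mbps, up_bytes and down_bytes, the 300-second volume window and the 2x margin are assumptions (the page only says each line carries speeds, byte counts and timestamps), and the 600-second sample log is constructed in code.

```python
# Derive SPEED_CEILING and VOLUME_BACKSTOP thresholds from monitor-mode JSONL. Added
# example, not VaultGuardian's tooling; the per-second field names and the 2x margin
# are assumptions made here, and the sample log is constructed, not captured.
import json
import math
from datetime import datetime, timedelta, timezone


def sample_jsonl():
    """Constructed 600 s of monitor-mode log: ACK-only traffic (6250 B/s upload) with a
    300 s pull from R2 in the middle (312500 B/s of ACKs) and one 500000 B spike."""
    t0 = datetime(2026, 2, 16, 14, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(600):
        up = 312500 if 100 <= s < 400 else 6250
        if s == 250:
            up = 500000
        down = up * 40  # downloads dwarf the ACK stream; not used for egress thresholds
        lines.append(json.dumps({
            "ts": (t0 + timedelta(seconds=s)).isoformat().replace("+00:00", "Z"),
            "up_mbps": up * 8 / 1e6, "down_mbps": down * 8 / 1e6,
            "up_bytes": up, "down_bytes": down,
        }))
    return "\n".join(lines) + "\n"


def parse_jsonl(text):
    """One record per non-empty line. A malformed line raises instead of being skipped:
    a gap in forensic data is itself something you want to know about."""
    recs = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            recs.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: {exc}") from None
    return recs


def baseline(recs, volume_windows=300, margin=2.0):
    """Peak and p99 per-second upload speed, peak rolling upload volume, and suggested
    thresholds with `margin` headroom over the observed maxima."""
    speeds = sorted(r["up_mbps"] for r in recs)
    p99 = speeds[math.ceil(0.99 * len(speeds)) - 1]
    prefix = [0]  # prefix sums of up_bytes give every rolling-window total in O(n)
    for r in recs:
        prefix.append(prefix[-1] + r["up_bytes"])
    w = min(volume_windows, len(recs))
    peak_volume = max(prefix[i + w] - prefix[i] for i in range(len(recs) - w + 1))
    return {
        "seconds": len(recs),
        "peak_up_mbps": speeds[-1],
        "p99_up_mbps": p99,
        "peak_volume_bytes": peak_volume,
        "ceiling_mbps": math.ceil(speeds[-1] * margin),  # suggested SPEED_CEILING
        "volume_bytes": int(peak_volume * margin),       # suggested VOLUME_BACKSTOP
    }


if __name__ == "__main__":
    print(json.dumps(baseline(parse_jsonl(sample_jsonl())), indent=2))
```

Run it against a real monitoring-mode export rather than the constructed sample, and compare the suggested ceiling with the mode you intend to enforce: if the legitimate sync's ACK stream already sits above a mode's ceiling, that mode will kill your own backups.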
The DEC-1 stops data from leaving. Want to catch the act itself?
Observer watches your container and system logs in real time, classifies threats using AI, and learns from every line it sees.
Ready to protect your infrastructure?
DEC-1 ships pre-configured. Plug it in, set the protected server's MAC, go live.