VAULTGUARDIAN DEC-1
HOW IT WORKS

Invisible protection that kills in milliseconds

VaultGuardian sits inline between your router and backup server as a Layer 2 bridge. It monitors every packet, measures egress speed in real-time, and severs the connection the moment upload thresholds are breached. No AI. No cloud. Deterministic math.

DEPLOYMENT

Ghost mode architecture

VaultGuardian operates as a transparent Layer 2 bridge — it has no IP address, no ARP presence, and no IPv6 footprint. It's completely invisible to both your network and any attacker who has compromised your backup server.

Three dedicated interfaces

WAN port connects to your router. LAN port connects to the protected server. Management port provides an isolated administrative interface — physically separated from the data plane.

Zero attack surface

No IP means it can't be pinged, scanned, or targeted. ARP disabled means it can't be discovered. STP disabled prevents DHCP issues. An attacker on your backup server literally cannot see VaultGuardian exists.

Software kill, not hardware relay

When VaultGuardian kills a connection, it brings down the network interface cleanly via software. No relay clicking, no power cut. This prevents filesystem corruption on the protected device — critical when that device holds the only copy of your data.

Topology diagram: INTERNET / ROUTER <-> eth0 (WAN) <-> VAULTGUARDIAN DEC-1 (L2 bridge, no IP, ghost mode; eth2 = MGMT) <-> eth1 (LAN) <-> BACKUP SERVER

DETECTION

The 5-Rule Detection Engine

Five complementary detection mechanisms working simultaneously. Each rule catches a different exfiltration pattern. Together, they're comprehensive — an attacker would need to bypass all five, which is physically impossible while moving meaningful amounts of data.

01. Big Packet Flood

Detects sustained large uploads

Monitors for streams of large outbound packets (>1000 bytes) sustained over a measurement window. Legitimate traffic produces small ACK packets. Exfiltration produces large data packets.

CATCHES: Bulk file upload, database dump transfer

02. Medium Packet Drip

Detects low-and-slow exfiltration

Watches for sustained medium-sized outbound packets that stay below the flood threshold but persist over time. Catches attackers who throttle their upload to avoid detection.

CATCHES: Throttled exfiltration, data trickle attacks

03. Volume Backstop

Catches cumulative data theft

Tracks total bytes uploaded over a rolling time window. Even if individual packet rates stay low, the total volume triggers an alert once it crosses the threshold.

CATCHES: Any exfiltration pattern over time

04. Idle Upload Trap

Detects uploads during expected silence

Your backup server downloads from R2 on a schedule. Between sync windows, there should be near-zero upload traffic. Any meaningful upload during idle periods is immediately suspicious.

CATCHES: Off-hours exfiltration, unauthorized access

05. Speed Ceiling

Absolute speed limit enforcement

Hard ceiling on upload bandwidth. Legitimate traffic (ACKs, DNS queries) never approaches this limit. An attacker attempting full-speed exfiltration hits this wall instantly.

CATCHES: Full-speed exfiltration attempts

Why deterministic?

AI-based detection systems have false positive rates, training data requirements, and can be adversarially fooled. VaultGuardian uses pure math: threshold exceeded = kill. The physics of data movement can't be spoofed. You can't upload 6 TB without generating upload traffic. Period.

Physics, not promises

RESPONSE FLOW

From packet to kill in under 1 millisecond

MONITOR

  • Captures every packet traversing the bridge using gopacket/pcap
  • Filters by MAC address — tracks only the protected device
  • Source MAC = device → counted as upload (potential exfil)
  • Dest MAC = device → counted as download (legitimate)
  • 1-second measurement windows for real-time speed calculation

DETECT

  • All 5 rules evaluated simultaneously every measurement window
  • Upload speed compared against deterministic thresholds
  • Three detection modes: STANDARD, STRICT, VAULT
  • No heuristics, no ML models, no cloud analysis
  • Threshold breach = instant trigger, zero deliberation

KILL + ALERT

  • Network link to protected device severed via software
  • Alert fired with full forensic context (speed, rule triggered, timestamp)
  • JSONL log entry written with all packet metadata
  • Management interface remains active on isolated port
  • Re-arm requires manual action — no auto-reconnect
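As an added illustration, and not the product's code or a description of its internals, the following Python model implements the response flow above end to end: frames are attributed by MAC address (source MAC = device counts as upload, destination MAC = device is ignored), each 1-second window is scored against the five rules in the order the page lists them, and the first breach latches a kill and returns an alert record with the field names of the sample alert shown further down. Only the >1000-byte big-packet size, the 1-second window and the 50 Mbps threshold from that sample come from this page; all other thresholds, the rule names other than BIG_PACKET_FLOOD, the MAC addresses and the traffic trace are constructed assumptions, labelled as such in the code.

```python
"""Deterministic 5-rule egress detector over 1-second windows (illustrative model, not the product's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass
class Thresholds:
    # Only big_bytes (>1000), the 1-second window and flood_mbps (50, from the page's sample
    # alert) come from the page; every other value is an assumption for illustration.
    big_bytes: int = 1000        # rule 1 counts upload frames larger than this
    medium_bytes: int = 200      # rule 2 counts upload frames in (medium_bytes, big_bytes]
    flood_mbps: float = 50.0     # rule 1: big-frame upload rate allowed per window
    drip_mbps: float = 5.0       # rule 2: medium-frame rate that must persist ...
    drip_windows: int = 30       # ... for this many consecutive windows before it fires
    volume_bytes: int = 2 << 30  # rule 3: upload allowed over volume_window
    volume_window: int = 600     # rule 3: rolling window in seconds
    idle_mbps: float = 0.5       # rule 4: upload tolerated outside a sync window
    ceiling_mbps: float = 200.0  # rule 5: absolute upload ceiling


@dataclass
class Packet:  # constructed frame record; the appliance would fill it from the capture library
    ts: datetime
    src_mac: str
    dst_mac: str
    length: int


def mbps(nbytes: int, seconds: float = 1.0) -> float:
    return nbytes * 8 / 1e6 / seconds


class Engine:
    """Keeps the state the five rules carry across consecutive 1-second windows."""

    def __init__(self, protected_mac, in_sync, t=None):
        self.mac, self.in_sync, self.t = protected_mac, in_sync, t or Thresholds()
        self.drip_streak, self.history, self.total = 0, [], 0  # rule 2 streak; rule 3 rolling sum
        self.killed = False  # latches on the first hit: re-arm is a manual action

    def evaluate(self, start, pkts):
        """Score one 1-second window; return an alert dict (page's field names) or None."""
        if self.killed:
            return None
        up = big = medium = 0
        for p in pkts:
            if p.src_mac != self.mac:  # dest MAC = device: download, legitimate, not counted
                continue
            up += p.length
            if p.length > self.t.big_bytes:
                big += p.length
            elif p.length > self.t.medium_bytes:
                medium += p.length
        self.history.append(up)  # rule 3: run() feeds every second, so this is a true rolling sum
        self.total += up
        if len(self.history) > self.t.volume_window:
            self.total -= self.history.pop(0)
        self.drip_streak = self.drip_streak + 1 if mbps(medium) > self.t.drip_mbps else 0
        w = self.t.volume_window
        checks = [  # evaluated in the page's order; the first breach wins
            ("BIG_PACKET_FLOOD", mbps(big), self.t.flood_mbps),
            ("MEDIUM_PACKET_DRIP", mbps(medium) if self.drip_streak >= self.t.drip_windows else 0.0, self.t.drip_mbps),
            ("VOLUME_BACKSTOP", mbps(self.total, w), mbps(self.t.volume_bytes, w)),  # average rate over the window
            ("IDLE_UPLOAD_TRAP", 0.0 if self.in_sync(start) else mbps(up), self.t.idle_mbps),
            ("SPEED_CEILING", mbps(up), self.t.ceiling_mbps),
        ]
        for rule, speed, limit in checks:
            if speed > limit:
                self.killed = True  # software kill: the link to the device goes down and stays down
                return {"ts": start.strftime("%Y-%m-%dT%H:%M:%SZ"), "type": "EXFILTRATION", "rule": rule,
                        "speed_mbps": round(speed, 2), "threshold_mbps": limit, "action": "KILLED",
                        "victim_mac": self.mac}
        return None


def run(engine, pkts):
    """Feed time-ordered packets one 1-second window at a time (empty seconds included); return the first alert."""
    if not pkts:
        return None
    win_start, win = pkts[0].ts.replace(microsecond=0), []
    for p in pkts:
        while p.ts.replace(microsecond=0) > win_start:
            alert = engine.evaluate(win_start, win)
            if alert:
                return alert
            win, win_start = [], win_start + timedelta(seconds=1)
        win.append(p)
    return engine.evaluate(win_start, win)


def synth_trace(dev, peer, t0):
    """Constructed capture: two seconds of legitimate sync (1400-byte downloads answered by
    60-byte ACKs), then one second in which the device uploads 1500-byte frames at 84.852 Mbps."""
    pkts = []
    for i in range(4000):
        ts = t0 + timedelta(microseconds=500 * i)
        pkts += [Packet(ts, peer, dev, 1400), Packet(ts, dev, peer, 60)]
    for i in range(7071):  # 7071 * 1500 B * 8 = 84.852 Mbit inside one window
        pkts.append(Packet(t0 + timedelta(seconds=2, microseconds=141 * i), dev, peer, 1500))
    return pkts


DEV, PEER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed MACs
T0 = datetime(2026, 2, 16, 14, 32, 9, tzinfo=timezone.utc)  # constructed capture start

if __name__ == "__main__":
    engine = Engine(DEV, in_sync=lambda ts: True)
    print(json.dumps(run(engine, synth_trace(DEV, PEER, T0))))  # one JSONL alert line, page's field names
```

The constructed trace is sized so that the third window carries 84.852 Mbps of 1500-byte frames, which reproduces the speed and threshold figures of the sample alert; the two legitimate seconds before it (large frames inbound, 60-byte ACKs outbound at under 1 Mbps) trip nothing while the device is inside a sync window, and the same ACK traffic outside a sync window is what the idle trap is meant to catch.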

BREACH DETECTION

The kill is the alarm

Most companies discover breaches weeks or months after the fact. VaultGuardian flips this — the moment the connection is killed, you know your infrastructure is compromised. The defensive action IS the detection event.

Because attackers exfiltrate data before encrypting it, catching the upload gives your team a response window to isolate other systems, capture forensic evidence, and potentially prevent ransomware deployment entirely.

What a VaultGuardian alert tells you

{
  "ts": "2026-02-16T14:32:11Z",
  "type": "EXFILTRATION",
  "rule": "BIG_PACKET_FLOOD",
  "speed_mbps": 84.85,
  "threshold_mbps": 50,
  "action": "KILLED",
  "victim_mac": "c4:2c:03:xx:xx:xx"
}

Forensic logging

Every second of traffic is logged in JSON Lines format — upload speed, download speed, byte counts, timestamps. 180 days of retention. AI-ready format for future anomaly detection and pattern analysis across deployments.

DEFENSE IN DEPTH

We don't claim to solve everything

Your backup infrastructure needs two things. Most companies only have one.

AGAINST ENCRYPTION

Immutable Snapshots

ZFS, btrfs, or WORM storage. If an attacker encrypts your files, yesterday's snapshot is untouched. This is well-understood and widely deployed.

  • ZFS snapshots
  • btrfs read-only snapshots
  • WORM-compliant storage
  • Offline rotation

Many solutions exist

AGAINST EXFILTRATION

VaultGuardian DEC-1

Deterministic egress enforcement at the hardware level. If an attacker tries to upload your data, the connection dies in under 1ms. Plus instant breach detection.

  • 5-rule detection engine
  • Sub-millisecond response
  • Instant breach alerting
  • Forensic JSONL logging

Nobody else does this

Snapshots protect against encryption. VaultGuardian protects against exfiltration. Together, your backup infrastructure is defended against both halves of the modern ransomware playbook.

CONFIGURATION

Three detection modes, three action modes

Detection Modes

STANDARD

Balanced thresholds for typical backup server workloads. Good starting point for most deployments.

STRICT

Tighter thresholds for high-security environments. Lower tolerance for upload traffic.

VAULT

Maximum security. Near-zero upload tolerance. Designed for air-gapped archives that should never upload.

Action Modes

LIVE

Production mode. Thresholds enforced. Connections killed on breach. This is the real deal.

AUDIT

Monitoring only. Logs everything, kills nothing. Use this to baseline your traffic patterns before going live.

TEST

Simulates kills without actually severing the connection. Validates your thresholds are set correctly.

Ready to protect your infrastructure?

DEC-1 ships pre-configured. Plug it in, set your MAC, go live.