Endpoint Security for Windows

See what happens to your data, and stop what shouldn't.

ZeroExfil shows you how your data is accessed, changed, and moved on every endpoint, along with the program and user account responsible. Suspicious activity is flagged and contained the moment it happens, stopping ransomware, credential theft, and data exfiltration before they spread.

A lightweight agent on each endpoint. A web portal for your team. No on-premises infrastructure to manage.

ZeroExfil portal home dashboard showing organisation risk, endpoint health, and active alerts

How ZeroExfil Works

A lightweight agent deploys to each Windows endpoint in minutes. From there, the platform delivers three core capabilities.

1. Monitor file activity

The agent captures every file operation on the endpoint in real time: reads, writes, renames, and deletes. Each event is enriched with the originating process, signature status, user account, and bytes transferred, then streamed to the cloud.

2. Detect advanced threats

Dozens of built-in detection rules cover ransomware, credential theft, persistence, and data exfiltration techniques. Custom rules let you extend coverage with your own threat intelligence and environment-specific logic.

3. Investigate and respond

When an alert fires, the platform takes the response action you have configured. It can quarantine the offending process, isolate the endpoint from the network, and notify your team with a complete investigation timeline ready for review.

From our research

Close the file visibility gap

We measured what a leading endpoint protection platform records about file activity and compared it against ZeroExfil. We created 100 files across 100 different file types, then opened, moved, and deleted each one.

File types reported on: 31/100 on the other platform, 100/100 with ZeroExfil
File read events recorded: 0 on the other platform, 100/100 with ZeroExfil
File delete events recorded: 0 on the other platform, 100/100 with ZeroExfil

Sampled file telemetry

  • File reads and deletes routinely missing from the data
  • Coverage skewed to common document and script types
  • Databases, archives, key material, and config files often silent
  • Hard to answer what a specific process actually accessed

ZeroExfil file telemetry

  • Reads, writes, renames, and deletes captured uniformly
  • Every file type and every path, including network shares
  • Each event enriched with process, account, and bytes transferred
  • Independent of what the application reports about itself
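The experiment above (100 files across 100 file types, each opened, moved and deleted, then counted against what the platform reported) can be reproduced as a small measurement harness. The following is an added example, not ZeroExfil's code: it builds the lab file set, defines the ground truth of operations performed, and computes the same three figures (file types with any event, read events, delete events) from any telemetry feed given as `(operation, path)` pairs. The two feeds here are constructed to model the sampled and the uniform case; the extension names and the "first 31 extensions, renames only" rule of the sampled feed are assumptions chosen to mirror the page's numbers, not data from the experiment.

```python
# Added example, not ZeroExfil's code: a harness for the file-visibility
# experiment. Swap `sampled_feed` / `uniform_feed` for a real platform's
# exported events to measure its coverage the same way.
from collections import Counter

OPS = ("read", "rename", "delete")  # what the experiment does to each file


def build_file_set(n_types: int = 100) -> dict:
    """Map each test file path to its extension. Extensions are constructed
    (ext000 .. ext099) because the real list is not on the page."""
    return {f"C:\\lab\\sample{i:03d}.ext{i:03d}": f"ext{i:03d}" for i in range(n_types)}


def ground_truth(files: dict) -> list:
    """The operations actually performed: every op on every file."""
    return [(op, path) for path in files for op in OPS]


def uniform_feed(truth: list) -> list:
    """Constructed feed modelling uniform capture: every operation reported."""
    return list(truth)


def sampled_feed(truth: list, files: dict, covered_types: int = 31) -> list:
    """Constructed feed modelling sampled telemetry: only the first
    `covered_types` extensions are watched, and only renames are reported
    (reads and deletes dropped), mirroring the gaps described above."""
    watched = set(sorted(set(files.values()))[:covered_types])
    return [(op, path) for op, path in truth
            if files[path] in watched and op == "rename"]


def measure_coverage(files: dict, feed: list) -> dict:
    """Compare a telemetry feed against the ground truth of the experiment."""
    types_seen = set()
    ops_seen = Counter()
    for op, path in feed:
        if path not in files:      # ignore events outside the lab set
            continue
        types_seen.add(files[path])
        ops_seen[op] += 1
    return {
        "types_total": len(set(files.values())),
        "types_reported": len(types_seen),
        "read_events": ops_seen["read"],
        "rename_events": ops_seen["rename"],
        "delete_events": ops_seen["delete"],
    }


def run_experiment() -> dict:
    files = build_file_set()
    truth = ground_truth(files)
    return {
        "sampled": measure_coverage(files, sampled_feed(truth, files)),
        "uniform": measure_coverage(files, uniform_feed(truth)),
    }


if __name__ == "__main__":
    for name, stats in run_experiment().items():
        print(name, stats)
```

The useful property of the harness is that the ground truth is generated, not observed: you know exactly which operations happened, so any difference between `ground_truth` and a platform's feed is a visibility gap rather than a question of interpretation.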

Read the full experiment

Detections that map to real attacks

Four scenarios that occur on enterprise networks every day. ZeroExfil detects, alerts, and responds to all of them.

Credential Theft

Saved browser credentials accessed

An unsigned process opens the browser credential store and reads saved logins. ZeroExfil detects the access pattern, raises an alert with the full process chain, and can quarantine the process before credentials leave the endpoint.

Ransomware

Mass file encryption in progress

A process begins renaming hundreds of Office and PDF files with unfamiliar extensions, a common ransomware pattern as files are encrypted in place. ZeroExfil raises a Critical alert within seconds and can isolate the endpoint from the network automatically.

Data Exfiltration

Documents staged in a compressed archive

A process sweeps user directories reading documents, then writes them into a compressed archive ready for transfer. ZeroExfil correlates the sweep with the archive creation and raises an alert with the originating process, file list, and bytes transferred.
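The three detection scenarios above (an unsigned process reading a browser credential store, mass renaming of documents to unfamiliar extensions, and a document sweep followed by archive creation) can be written as rules over the per-event fields the page lists: operation, path, originating process, signature status, user account and bytes transferred. The block below is an added example, not ZeroExfil's detection code. Field names, thresholds (100 renames in 60 seconds, 20 documents before an archive write), the credential-store file names, the user-directory names and the response policy keyed by severity and rule are all assumptions of this example, and the event stream is constructed.

```python
# Added example, not ZeroExfil's code: three file-event detection rules and a
# response policy, run over a constructed event stream.
from collections import defaultdict
from dataclasses import dataclass, field
import os

DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
USER_DIRS = ("\\documents\\", "\\desktop\\", "\\downloads\\")
CRED_STORE_MARKERS = ("\\login data", "logins.json")   # assumed store file names


@dataclass
class FileEvent:
    ts: float            # seconds
    op: str              # read | write | rename | delete
    path: str            # for rename: the old name
    process: str
    pid: int
    signed: bool         # signature status of the originating binary
    user: str
    nbytes: int
    new_path: str = ""   # rename only


@dataclass
class Alert:
    rule: str
    severity: str
    process: str
    pid: int
    details: dict = field(default_factory=dict)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_credential_store_read(events):
    """Unsigned process reads a browser credential store."""
    return [Alert("browser_credential_access", "high", e.process, e.pid,
                  {"path": e.path, "user": e.user})
            for e in events
            if e.op == "read" and not e.signed
            and any(m in e.path.lower() for m in CRED_STORE_MARKERS)]


def detect_mass_rename(events, threshold=100, window=60.0):
    """One process renames >= threshold documents to non-document
    extensions within `window` seconds (sliding window per pid)."""
    per_pid = defaultdict(list)
    for e in events:
        if e.op == "rename" and _ext(e.path) in DOC_EXTS and _ext(e.new_path) not in DOC_EXTS:
            per_pid[e.pid].append(e)
    alerts = []
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(Alert("mass_file_rename", "critical", e.process, pid,
                                    {"renames": end - start + 1, "example": e.new_path}))
                break                      # one alert per process
    return alerts


def detect_archive_staging(events, min_docs=20):
    """Sweep of user-directory documents by a process, then the same process
    writes an archive: the alert carries the file list and bytes read."""
    reads = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        p = e.path.lower()
        if e.op == "read" and _ext(p) in DOC_EXTS and any(d in p for d in USER_DIRS):
            reads[e.pid].append(e)
        elif e.op == "write" and _ext(p) in ARCHIVE_EXTS and len(reads[e.pid]) >= min_docs:
            swept = reads.pop(e.pid)       # consume the sweep so it alerts once
            alerts.append(Alert("archive_staging", "high", e.process, e.pid,
                                {"archive": e.path, "files": [f.path for f in swept],
                                 "bytes_read": sum(f.nbytes for f in swept)}))
    return alerts


# Assumed response configuration: default action by severity, per-rule override.
RESPONSE_BY_SEVERITY = {"critical": "isolate_endpoint", "high": "notify", "medium": "notify"}
RESPONSE_BY_RULE = {"browser_credential_access": "quarantine_process"}


def choose_response(alert: Alert) -> str:
    return RESPONSE_BY_RULE.get(alert.rule, RESPONSE_BY_SEVERITY.get(alert.severity, "notify"))


def run_rules(events):
    alerts = (detect_credential_store_read(events) + detect_mass_rename(events)
              + detect_archive_staging(events))
    return [(a, choose_response(a)) for a in alerts]


def sample_events():
    """Constructed stream: a benign actor and a suspicious actor per scenario."""
    home = "C:\\Users\\alice"
    store = home + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
    ev = [FileEvent(1.0, "read", store, "chrome.exe", 3100, True, "alice", 65536),    # browser itself
          FileEvent(2.0, "read", store, "updater.exe", 6000, False, "alice", 65536),  # unsigned reader
          FileEvent(3.0, "rename", home + "\\Documents\\a.docx", "WINWORD.EXE", 700, True,
                    "alice", 0, home + "\\Documents\\a.docx.bak")]                    # one rename, no alert
    # ransomware pattern: 150 renames to an unfamiliar extension in 30 seconds
    ev += [FileEvent(10 + i * 0.2, "rename", f"{home}\\Documents\\r{i}.docx", "crypt.exe",
                     4242, False, "alice", 0, f"{home}\\Documents\\r{i}.docx.locked") for i in range(150)]
    # staging pattern: 25 document reads, then an archive write by the same pid
    ev += [FileEvent(100 + i, "read", f"{home}\\Documents\\q{i}.pdf", "stage.exe",
                     5150, False, "alice", 4096) for i in range(25)]
    ev.append(FileEvent(130, "write", home + "\\AppData\\Local\\Temp\\out.zip",
                        "stage.exe", 5150, False, "alice", 102400))
    return ev


if __name__ == "__main__":
    for alert, action in run_rules(sample_events()):
        print(alert.severity, alert.rule, alert.process, "->", action)
```

Two design points carry over to real rules: the mass-rename rule keys on process identity and a time window rather than on a fixed extension list, so a single legitimate rename by an office application never trips it, and the staging rule is a correlation (reads by a pid, then an archive write by the same pid), which is what lets the alert include the file list and bytes transferred rather than just "an archive was created".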

AI Tool Oversight

AI coding assistants accessing sensitive files

AI coding assistants such as GitHub Copilot run in the user's context and can read any file the user can. ZeroExfil records every file access by the assistant, giving you a complete audit trail independent of what the assistant reports.

From first signal to contained endpoint, in one portal.

Dozens of built-in detections, an AI analyst that triages every alert, and one-click response, all in the same place.

Home dashboard. Organisation risk, endpoint health, active alerts, and threat intelligence feed in one view.

See the full platform tour

CORA: Correlation Response Analyst, the built-in AI security analyst

CORA is a built-in AI investigator that performs the first round of analysis on every alert. It executes the investigation steps defined by the detection rule, runs targeted queries against your endpoint telemetry, and delivers a verdict with a confidence score directly on the alert timeline.

  • Structured investigation. Every analysis follows the rule's defined steps. No generic summaries and no guesswork.
  • Artifact correlation. File hashes, IP addresses, and account names are cross-referenced against prior investigations to surface patterns across incidents.
  • Verdict with confidence score. Each investigation closes with a classification (True Positive, Expected Activity, or False Positive), a confidence score, and a written rationale.
  • Automated triage. High-confidence false positives can be closed automatically, while configured severity levels always escalate to a human analyst.
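The artifact correlation and automated triage described above can be modelled in a few functions. The block below is an added example, not CORA's or ZeroExfil's code: `correlate` cross-references an alert's hashes, IP addresses and account names against prior investigations, and `triage` applies the stated policy that high-confidence false positives may close automatically while configured severity levels always escalate. The prior-investigation history, the 0.9 auto-close threshold, the set of always-escalate severities, and the additional rule that sharing an artifact with a prior True Positive blocks auto-close are assumptions of this example, not documented CORA behaviour.

```python
# Added example, not CORA's code: artifact correlation across prior
# investigations and a triage policy with a forced-escalation edge case.
from dataclasses import dataclass

VERDICTS = ("True Positive", "Expected Activity", "False Positive")
ARTIFACT_KINDS = ("hash", "ip", "account")


@dataclass
class Investigation:
    alert_id: str
    verdict: str
    confidence: float               # 0.0 .. 1.0
    artifacts: dict                 # kind -> set of values


def correlate(artifacts: dict, prior: list) -> list:
    """Cross-reference the alert's hashes, IPs and accounts against prior
    investigations; return one record per prior case that shares something."""
    hits = []
    for inv in prior:
        shared = {k: artifacts.get(k, set()) & inv.artifacts.get(k, set())
                  for k in ARTIFACT_KINDS}
        shared = {k: sorted(v) for k, v in shared.items() if v}
        if shared:
            hits.append({"alert_id": inv.alert_id, "verdict": inv.verdict, "shared": shared})
    return hits


def triage(verdict: str, confidence: float, severity: str, hits: list, *,
           auto_close_threshold: float = 0.9,
           always_escalate: tuple = ("critical", "high")) -> str:
    """Decide 'auto_close' or 'escalate'. Configured severities always reach a
    human; so does any alert sharing an artifact with a prior True Positive
    (assumed rule), even if the present verdict is a confident False Positive."""
    if verdict not in VERDICTS:
        raise ValueError(f"unknown verdict {verdict!r}")
    if severity in always_escalate:
        return "escalate"
    if any(h["verdict"] == "True Positive" for h in hits):
        return "escalate"
    if verdict == "False Positive" and confidence >= auto_close_threshold:
        return "auto_close"
    return "escalate"


PRIOR = [  # constructed history; hashes are placeholders, the IP is from TEST-NET-3
    Investigation("A-100", "True Positive", 0.95,
                  {"hash": {"aaaa" * 16}, "ip": {"203.0.113.7"}, "account": {"svc-backup"}}),
    Investigation("A-101", "False Positive", 0.92,
                  {"hash": {"bbbb" * 16}, "ip": set(), "account": {"alice"}}),
]


def demo() -> tuple:
    # Alert 1: confident FP, medium severity, shares only an account with a prior FP
    a1 = {"hash": {"cccc" * 16}, "account": {"alice"}}
    d1 = triage("False Positive", 0.96, "medium", correlate(a1, PRIOR))
    # Alert 2: same verdict and confidence, but shares an IP with a prior True Positive
    a2 = {"ip": {"203.0.113.7"}, "account": {"bob"}}
    d2 = triage("False Positive", 0.96, "medium", correlate(a2, PRIOR))
    # Alert 3: confident FP at critical severity, which is configured to always escalate
    d3 = triage("False Positive", 0.99, "critical", [])
    return d1, d2, d3


if __name__ == "__main__":
    print(demo())
```

The point of the edge cases in `demo` is that a confidence score alone is never the whole decision: severity configuration and prior-incident context both override it, which is what keeps automated closure from silencing the alerts an analyst most needs to see.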

Enterprise capabilities, without the complexity

Everything your team needs to detect, investigate, and respond to advanced threats. Designed for IT teams of every size.

Automated response

Quarantine malicious files and isolate compromised endpoints automatically. Configure response actions by severity and detection type.

Advanced hunting

Query your endpoint telemetry to investigate incidents, run audits, and proactively hunt for threats across the fleet.

Investigation workflow

Rich investigation notes with screenshot attachments. Track findings, document analysis, and maintain an audit trail for every incident.

Multi-tenant ready

Built for managed service providers and multi-site organisations. Manage multiple tenants with role-based access control.

Secure by design

Multi-factor authentication, role-based access control, and full audit logging. Your security data stays protected.

Endpoint actions

Remotely isolate endpoints, collect logs, and run scans. Take immediate response actions on compromised endpoints from anywhere.

Frequently Asked Questions

ZeroExfil is an endpoint security platform for Windows. A lightweight agent deploys to each endpoint and monitors file activity in real time, streaming events to a cloud-based portal. From the portal your team views alerts, investigates threats, and takes response actions such as isolating an endpoint or quarantining a file. Built-in detection rules cover ransomware, credential theft, and data exfiltration, and our built-in AI investigator (CORA) handles the first round of analysis on every alert.

Yes. ZeroExfil ships as a standard Windows MSI installer. Your IT team can deploy it the same way they deploy other business software, including silent command line, Group Policy, or Intune. Once installed, agents register automatically and start protecting the endpoint immediately. Everything is managed from the web portal, with no on-premises infrastructure required.

The agent monitors file activity at the kernel level and correlates it against built-in detection rules covering ransomware, credential theft, persistence, and data exfiltration techniques. When a detection fires, the platform can take an automated response action and CORA, our built-in AI investigator, performs the first round of analysis on the alert.

Most endpoint protection platforms are broad and cover many threat surfaces, but their file activity telemetry is sampled and focused on common document types. ZeroExfil is purpose-built around the file. Our agent captures every read, write, rename, and delete on every file type, with the originating process, account, and bytes transferred. In our own testing of a leading platform, file reads and deletes did not surface, and only 31 of 100 file types produced any events at all. Read the full experiment. ZeroExfil is designed to complement your existing endpoint protection, not replace it.

Yes. Because monitoring happens at the kernel level, every file read is captured regardless of which application performed it, including AI coding assistants such as GitHub Copilot or Cursor running inside the user's editor. You get the file path, process, account, and exact bytes transferred, independent of what the assistant itself reports. See a worked example.

Currently, ZeroExfil is only available for Windows systems.

Custom detection rules are currently being implemented. When released, you will be able to extend the built-in rules with your own logic, tailored to your environment and proprietary threat intelligence. ZeroExfil ships with dozens of built-in rules today.

See ZeroExfil on your own endpoints.

A 30-minute walkthrough with our team. We show you the portal, run a live detection on a test endpoint, and answer your questions. No prep required from your side.

Book a Demo

Prefer email? Reach us at contact@zeroexfil.com