Endpoint Security for Windows
ZeroExfil shows you how your data is accessed, changed, and moved on every endpoint, along with the program and user account responsible. Suspicious activity is flagged and contained the moment it happens, stopping ransomware, credential theft, and data exfiltration before they spread.
A lightweight agent on each endpoint. A web portal for your team. No on-premises infrastructure to manage.
A lightweight agent deploys to each Windows endpoint in minutes. From there, the platform delivers three core capabilities.
The agent captures every file operation on the endpoint in real time: reads, writes, renames, and deletes. Each event is enriched with the originating process, signature status, user account, and bytes transferred, then streamed to the cloud.
Dozens of built-in detection rules cover ransomware, credential theft, persistence, and data exfiltration techniques. Custom rules let you extend coverage with your own threat intelligence and environment-specific logic.
When an alert fires, the platform takes the response action you have configured. It can quarantine the offending process, isolate the endpoint from the network, and notify your team with a complete investigation timeline ready for review.
We measured what a leading endpoint protection platform records about file activity and compared the results with ZeroExfil. We created 100 files across 100 different file types, then opened, moved, and deleted each one.
Four scenarios that occur on enterprise networks every day. ZeroExfil detects, alerts, and responds to all of them.
An unsigned process opens the browser credential store and reads saved logins. ZeroExfil detects the access pattern, raises an alert with the full process chain, and can quarantine the process before credentials leave the endpoint.
A process begins renaming hundreds of Office and PDF files with unfamiliar extensions, a common ransomware pattern as files are encrypted in place. ZeroExfil raises a Critical alert within seconds and can isolate the endpoint from the network automatically.
A process sweeps user directories reading documents, then writes them into a compressed archive ready for transfer. ZeroExfil correlates the sweep with the archive creation and raises an alert with the originating process, file list, and bytes transferred.
AI coding assistants such as GitHub Copilot run in the user's context and can read any file the user can. ZeroExfil records every file access by the assistant, giving you a complete audit trail independent of what the assistant reports.
Dozens of built-in detections, an AI analyst that triages every alert, and one-click response, all in the same place.
CORA is a built-in AI investigator that performs the first round of analysis on every alert. It executes the investigation steps defined by the detection rule, runs targeted queries against your endpoint telemetry, and delivers a verdict with a confidence score directly on the alert timeline.
Everything your team needs to detect, investigate, and respond to advanced threats. Designed for IT teams of every size.
Quarantine malicious files and isolate compromised endpoints automatically. Configure response actions by severity and detection type.
Query your endpoint telemetry to investigate incidents, run audits, and proactively hunt for threats across the fleet.
Rich investigation notes with screenshot attachments. Track findings, document analysis, and maintain an audit trail for every incident.
Built for managed service providers and multi-site organisations. Manage multiple tenants with role-based access control.
Multi-factor authentication, role-based access control, and full audit logging. Your security data stays protected.
Remotely isolate endpoints, collect logs, and run scans. Take immediate response actions on compromised endpoints from anywhere.
Pricing & pilot
Try ZeroExfil on up to 10 of your own endpoints, free for two weeks. If it earns its place, you roll out the rest at a flat per-endpoint rate. No log-volume fees, no per-incident fees, and no separate SOC fee.
Pilot
Up to 10 endpoints, no commitment
Production After your pilot
Flat rate. Everything included.
ZeroExfil is an endpoint security platform for Windows. A lightweight agent deploys to each endpoint and monitors file activity in real time, streaming events to a cloud-based portal. From the portal your team views alerts, investigates threats, and takes response actions such as isolating an endpoint or quarantining a file. Built-in detection rules cover ransomware, credential theft, and data exfiltration, and our built-in AI investigator (CORA) handles the first round of analysis on every alert.
Yes. ZeroExfil ships as a standard Windows MSI installer. Your IT team can deploy it the same way they deploy any other business software, whether that is a silent command line, Group Policy, or Intune. Once installed, agents register automatically and start protecting the endpoint right away. Everything is managed from the web portal, with no on-premises infrastructure required.
The agent monitors file activity at the kernel level and correlates it against built-in detection rules that cover ransomware, credential theft, persistence, and data exfiltration techniques. When a detection fires, the platform can take an automated response action, and CORA, our built-in AI investigator, performs the first round of analysis on the alert.
Most endpoint protection platforms are broad and cover many threat surfaces, but they sample file activity and focus on common document types. ZeroExfil is purpose-built around the file. Our agent captures every read, write, rename, and delete on every file type, along with the originating process, account, and bytes transferred. In our own testing of a leading platform, file reads and deletes never surfaced, and only 31 of 100 file types produced any events at all. Read the full experiment. ZeroExfil is designed to complement your existing endpoint protection, not replace it.
Yes. Because monitoring happens at the kernel level, every file read is captured regardless of which application performed it, including AI coding assistants such as GitHub Copilot or Cursor running inside the user's editor. You get the file path, process, account, and exact bytes transferred, independent of what the assistant itself reports. See a worked example.
Currently, ZeroExfil is only available for Windows systems.
Custom detection rules are currently being implemented. When released, you will be able to extend the built-in rules with your own logic, tailored to your environment and proprietary threat intelligence. ZeroExfil ships with dozens of built-in rules today.
Share your contact details and we will get in touch. From there, we can provision your tenant within an hour, walk you through deployment on up to 10 endpoints, and run a live detection with you. No card, no commitment, and no auto-conversion when the two weeks end.
Prefer email? Reach us at contact@zeroexfil.com
