How Halcyon Works

Our anti-ransomware technology takes an end-to-end approach to proactively disrupt threats at every stage of the attack lifecycle, from pre-execution to data exfiltration and encryption. With an included 24/7 expert team that investigates and responds to threats for you, Halcyon ensures no ransom is paid and no downtime is tolerated.

End-to-End Ransomware Protection

Halcyon breaks the ransomware attack chain, providing a complete defense to protect your business.

1. Let’s Dispel Some Ransomware Fallacies

Ransomware isn’t as simple as a file or a label. It is not a specific malware classification. It is not just an executable encrypting files. It is not a single type of detection or alert. It’s a coordinated attack strategy, involving multiple stages, actors, and tools.

2. Ransomware Has Become an Ecosystem

It’s not a lone hacker in a hoodie. Modern ransomware operations run like businesses, complete with Initial Access Brokers, RaaS operators, affiliates, developers, and even pen testers. Each player has a role. Each role profits from your vulnerability.

3. One Executable? Try an Entire Playbook.

Ransomware is not a singular tool or a one-time event. It has evolved into a coordinated, systematic, multi-stage campaign. From initial access to lateral movement, encryption, and extortion — every step is planned, executed, and profit-driven.

How it Works Across the Attack Chain

Initial Access
Halcyon detects when attackers use malicious executables, brute force attempts, or command and control (C2) infrastructure to access your environment.
Halcyon capabilities: Prevention, DXP

Remote Access
After gaining initial access, attackers typically use remote access tools to carry out their attacks more effectively. Halcyon detects this activity, creating alerts for immediate investigation.
Halcyon capabilities: Prevention, DXP

Privilege Escalation
Halcyon alerts on and interrupts an attacker's attempt to escalate user privileges using malicious executables or vulnerable kernel drivers.
Halcyon capabilities: Prevention, Kernel Guard

Environment Enumeration
Halcyon identifies when an attacker attempts to enumerate your environment for reconnaissance and intelligence gathering, to make their attack ultimately more effective.
Halcyon capabilities: Prevention

Credential Harvesting
Halcyon understands attackers' methods for harvesting valid user credentials, detecting and preventing their actions automatically.
Halcyon capabilities: Prevention

Lateral Movement
Halcyon detects and prevents attackers' attempts to move laterally across your environment. For example, when an attacker uses an RMM tool to try to connect to machines in the environment, Halcyon can halt their progression.
Halcyon capabilities: Prevention

Security Bypass
Halcyon employs unique features like EDR Last Gasp and Tamper Guard to protect, in real time, against attackers' attempts to bypass and disable security products.
Halcyon capabilities: Last Gasp, Tamper Guard

Data Exfiltration
Halcyon Data Exfiltration Protection (DXP) acts as an early warning system, alerting you to an attacker's attempt to steal your data that other security tools have yet to catch.
Halcyon capabilities: DXP

Backup Destruction
Halcyon can detect and disrupt an attacker attempting to gain initial access into your environment using malicious executables, brute force attacks, or command and control (C2) infrastructure.
Halcyon capabilities: Behavioral, DXP

Data Encryption
Halcyon's ability to decrypt data using captured key material allows for an alternative recovery path if data is encrypted during a ransomware event.
Halcyon capabilities: Behavioral, Key Capture


Key Features

Halcyon uses AI and behavioral engines to proactively disrupt ransomware and rapidly isolate attacks, capturing encryption keys to recover data. Supported by a 24/7 ransomware SOC, Halcyon ensures threats are detected, defeated, and your business stays protected and operational.

AI Engine

We detect indicators of ransomware with AI models exclusively trained on ransomware signals, based on millions of data points from active TTPs, samples, playbooks and real-world ransomware incident response engagements.

Behavioral Engine

Ransomware tactics can commonly bypass even the best detection engines. Halcyon’s behavioral engine harnesses threat modeling, anti-detonation and deception exploitation, tricking ransomware into providing additional indicators of compromise for higher accuracy and faster detection time.

EDR Tamper Detection

One of the first things ransomware attackers often do is tamper with EDR tools to evade detection. Disabling EDR and EPP tools quickly expedites the deployment of ransomware tools and increases the dwell time until discovery. Halcyon monitors EDR activity to detect and notify on the evasion and disabling of EDRs.

Bring Your Own Vulnerable Driver (BYOVD)

Kernel Guard protection defeats the use of signed-but-vulnerable drivers (Bring Your Own Vulnerable Driver, or “BYOVD”, attacks), which can otherwise create exploitable points of entry into your environment, ensuring bad actors cannot abuse the inherent trust placed in signed drivers to carry out their objectives.

Data Exfiltration Protection (DXP)

Modern ransomware attackers not only encrypt data, but also exfiltrate sensitive information from the target, then demand that victims pay up to prevent them from publishing their data online. Using both nefarious peer detection and volumetric detection, DXP detects and reports on unusual data movements within a 24-hour period, including unauthorized file-sharing services, cloud tunneling, and known malicious command-and-control infrastructure.

Key Material Capture & Decryption

Halcyon captures the symmetric encryption keys ransomware uses to lock files and, using our agent, quickly decrypts impacted data, restoring files to their original state, even if the ransomware bypasses EDR and Halcyon.

Ransomware Detection & Recovery (RDR)

Our team of ransomware analysts provides around-the-clock monitoring and real-time threat response, acting as an extension of your security team. We fine-tune detection to minimize false alarms and deliver instant, expert analysis of threats and reverse engineering of encryption keys, creating real-time, fleet-wide inoculation-based protection.

Close the Ransomware Gap

Halcyon works within your existing security ecosystem providing a detection and protection layer that provides the resilience and recovery capability needed for ransomware, thereby filling the “ransomware gap.”
(Diagram: EDR/XDR | Ransomware Gap | Backup)


Ready to take ransomware off your worry list?

Stop attacks, respond faster, leverage industry-leading threat intel with Halcyon RDR and shut down extortion before it starts. Talk to a Halcyon expert today.

Get a 20-minute LIVE ransomware prevention demonstration.
Learn how Halcyon eliminates the business downtime risks from an attack.
See how Halcyon stops data extortion attacks and data exfiltration.
Discover why ransomware protection goes beyond traditional endpoint controls.