EVIDENTIA is Latin for clarity and evidence.
Our Endpoint Detection and Response (EDR) solution provides crystal-clear visibility into endpoint activities. We empower you to rapidly detect, investigate, and respond to threats at the device level, ensuring your infrastructure remains secure and resilient. 🛡️💻
VateX EVIDENTIA EDR consists of two key components that work in tandem to protect your endpoints.
- Kernel Access Agent (C/C++): A high-performance agent deployed on endpoints to collect deep, kernel-level event data.
- EDR Server (C/C++): A centralized server that ingests, analyzes, and correlates data from all agents to detect threats.
Important. Prerequisite: Apache Kafka. The Kernel Agent sends all collected events to an Apache Kafka cluster. Please ensure Kafka is installed and running before deploying the EDR server.
Data Flow: Kernel Agent → Apache Kafka → EVIDENTIA EDR Server
Our EDR leverages a multi-layered approach to threat detection, combining advanced AI with proven intelligence techniques.
Our core detection engine uses machine learning to analyze and predict threats based on process behavior. The agent collects entire process tree sessions, which are then processed through our sophisticated AI pipeline.
Step 1: 3D Process Session Modeling
We begin by modeling each process tree session as a 3-dimensional data structure to capture its full context, including parent-child relationships, execution sequence, and call depth over time.
Step 2: Flattening to a 2D Representation
To prepare the data for machine learning, the 3D model is flattened into a 2D representation by ordering all events chronologically, creating a sequential "surface" of the session's activity.
Step 3: Feature Extraction
From the 2D data, we extract key features to build a feature vector (X data). This includes:
- Session Metadata: Core attributes of the process session.
- Behavioral Analytics (XBA): Detections from our rule-based engine.
- Threat Intelligence: Enrichment data from our VateX INTELLINA platform.
Step 4: Creating a Single Data Sample
These combined features form a single, comprehensive data sample that numerically represents the entire process session.
Step 5: Building the Dataset
By repeating this process for thousands of sessions, we construct a rich dataset of X samples ready for model training.
Step 6: Model Application
This dataset is fed into various machine learning models for:
- Classification: Labeling sessions as benign or malicious.
- Regression: Assigning a dynamic risk score.
- Clustering: Identifying novel and unknown attack patterns.
Step 7: Defining the Target Variable (y)
For supervised learning (Classification, Regression), a corresponding target variable (y data) is required for each sample. The nature of y depends on the model's goal (e.g., a "malicious" label or a risk score). For unsupervised learning like Clustering, y is not needed, as the model discovers patterns on its own.
The AI loop cycle in the EDR can be configured as follows.
First, a process session is created; it continues to collect events (file system, registry, network, child process creation, and so on) and combines them with the results of action-based rules and threat intelligence.
For sessions that have since closed, asynchronous post-processing is essential: session events are sent to the SIEM as a summary, or the rule-based severity is reported.
For the AI stage in particular, "machine learning" is used because of its performance and because it works with relatively few data samples.
The picture above also shows the AI loop cycle, which proceeds as follows.
1. The process session is closed.
2. To obtain the machine learning sample (the X value), a one-dimensional sample is generated through aggregation processing.
3. VateX NOVA AI is asked to run the model prediction.
4. The predicted value is applied as the y value of the sample obtained in step 2.
5. The completed sample can be delivered to NOVA AI and to the SIEM.
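The following is an added example, not code from the EVIDENTIA project, that walks Steps 1 through 7 above and the closed-session loop cycle end to end on a constructed process session. The event records, the two behaviour rules that stand in for the XBA engine, the one-entry intel feed that stands in for INTELLINA, and the hand-set linear score that stands in for the NOVA AI prediction are all placeholders of this example; the real components are not used.

```python
"""Session-to-sample pipeline (Steps 1-7) plus the closed-session AI loop.
Everything below is constructed for illustration: the events, the rule set,
the intel feed and the scoring function are placeholders, not the agent's,
NOVA AI's or INTELLINA's real logic."""
from collections import Counter

# Constructed events for one suspicious session: ts = seconds, pid/ppid = process ids.
SESSION_EVENTS = [
    {"ts": 10.0, "pid": 100, "ppid": 1,   "type": "process_create", "image": "winword.exe"},
    {"ts": 12.5, "pid": 100, "ppid": 1,   "type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.js"},
    {"ts": 13.0, "pid": 200, "ppid": 100, "type": "process_create", "image": "cmd.exe"},
    {"ts": 13.2, "pid": 300, "ppid": 200, "type": "process_create", "image": "powershell.exe"},
    {"ts": 14.0, "pid": 300, "ppid": 200, "type": "network_connect", "dst": "203.0.113.7"},
    {"ts": 14.5, "pid": 300, "ppid": 200, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"ts": 15.0, "pid": 300, "ppid": 200, "type": "process_exit"},
]
# Constructed benign session for contrast.
BENIGN_EVENTS = [
    {"ts": 20.0, "pid": 400, "ppid": 1, "type": "process_create", "image": "notepad.exe"},
    {"ts": 21.0, "pid": 400, "ppid": 1, "type": "file_write", "path": "C:\\Users\\u\\Documents\\notes.txt"},
    {"ts": 25.0, "pid": 400, "ppid": 1, "type": "process_exit"},
]
# Constructed intel feed: a TEST-NET-3 address standing in for a real indicator.
INTEL_IOCS = {"203.0.113.7": "c2"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def model_session(events):
    """Step 1: the 3D view of a session as a parent map plus an image map."""
    parent_of, image_of = {}, {}
    for ev in events:
        if ev["type"] == "process_create":
            parent_of[ev["pid"]] = ev["ppid"]
            image_of[ev["pid"]] = ev["image"]
    return parent_of, image_of


def flatten(events):
    """Step 2: one chronological sequence (the 2D 'surface') of the session."""
    return sorted(events, key=lambda e: e["ts"])


def call_depth(pid, parent_of):
    """Number of ancestors inside the session (the session root has depth 0)."""
    depth = 0
    while parent_of.get(pid) in parent_of:
        pid, depth = parent_of[pid], depth + 1
    return depth


def rule_hits(seq, image_of):
    """Step 3: constructed behaviour rules standing in for the XBA engine."""
    hits = []
    for ev in seq:
        if (ev["type"] == "process_create" and ev["image"] in SHELLS
                and image_of.get(ev["ppid"]) in OFFICE_APPS):
            hits.append("office_spawns_shell")
        if ev["type"] == "registry_set" and "\\Run\\" in ev["key"]:
            hits.append("run_key_persistence")
    return hits


def intel_hits(seq):
    """Step 3: enrichment against the (constructed) intel feed."""
    return [INTEL_IOCS[ev["dst"]] for ev in seq if ev.get("dst") in INTEL_IOCS]


def extract_features(events):
    """Steps 1-4: reduce a whole session to one numeric sample X."""
    parent_of, image_of = model_session(events)
    seq = flatten(events)
    counts = Counter(ev["type"] for ev in seq)
    return {
        "n_processes": len(parent_of),
        "max_depth": max((call_depth(p, parent_of) for p in parent_of), default=0),
        "duration_s": seq[-1]["ts"] - seq[0]["ts"],
        "n_file_write": counts["file_write"],
        "n_registry_set": counts["registry_set"],
        "n_network_connect": counts["network_connect"],
        "n_rule_hits": len(rule_hits(seq, image_of)),
        "n_intel_hits": len(intel_hits(seq)),
    }


def build_dataset(sessions, labels=None):
    """Steps 5 and 7: rows of X in a fixed column order; y only when labels exist."""
    columns = sorted(extract_features(sessions[0]))
    X = [[extract_features(s)[c] for c in columns] for s in sessions]
    y = list(labels) if labels is not None else None  # unsupervised: no y needed
    return columns, X, y


def predict_risk(x):
    """Hypothetical stand-in for the NOVA AI prediction: a hand-set linear score in [0, 1]."""
    score = 0.25 * min(x["n_rule_hits"], 2) + 0.3 * min(x["n_intel_hits"], 1) + 0.05 * x["max_depth"]
    return round(min(score, 1.0), 3)


def on_session_closed(events, threshold=0.6):
    """Loop cycle: aggregate X, ask the model, attach y, return the SIEM summary record."""
    x = extract_features(events)
    y = predict_risk(x)
    return {"X": x, "y_risk": y, "label": "malicious" if y >= threshold else "benign"}
```

Calling `on_session_closed(SESSION_EVENTS)` returns the summary record for the suspicious session with `y_risk` 0.9 and label `malicious`, while the benign session scores 0.0; `build_dataset` shows the supervised case (labels given, so y is present) and the unsupervised case (no labels, so y is `None`), matching Step 7.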
Combined with VateX INTELLINA, we collect very rich and up-to-date threat intelligence and metadata.
Our Kernel Agent is designed for modern operating systems:
- Windows: WDK-based driver (supports 22H2 or newer)
- Linux: eBPF-based instrumentation (requires kernel 6.10 or newer)
We are committed to continuous improvement. Our current focus is on expanding detection capabilities through advanced research and performing extensive testing to ensure the solution is robust, stable, and effective against emerging threats.