Agent-based advanced Defense and Incident Response toolkit designed to complement EDR/XDR and strengthen a multi-layer resilience strategy.

About

GRYPHON is the first Defense and Incident Response (IR) toolkit that stops ransomware and sophisticated cyber attacks, recovers any files damaged during an attack, and gives your team everything needed to investigate and resolve an incident - all in a single piece of software, developed by IstroSec, a European cybersecurity company.

Built-in Incident Response

“One agent, one console, one license. And when an incident starts, the same agent handles response.”

A single tool that stops an attack as it happens, cleans up the damage, and lets your team investigate what occurred - without switching between multiple products or calling in outside help.

Behavioral ransomware defense. Integrated anti-malware. Protected file recovery.

GRYPHON blocks ransomware, including strains that have never been seen before, using behavioral analysis that runs on the device itself rather than relying on internet connectivity or regular signature updates. If anything slips through, it automatically restores the affected files from a protected backup. The same software then gives your team a full picture of what happened.

“Built for the moment the breach is already happening.”

When the breach is already in progress, most tools give up. GRYPHON starts there.

The first incident response toolkit designed to deploy inside a compromised environment, stop the attack, quarantine the malware, recover what was damaged, and help you regain control.

Product

For fifteen years, endpoint security has been split into separate camps

Traditional security tools each handle one part of the problem. Some detect threats. Some scan for known malware. Others investigate incidents after the fact. But when an attack is happening, none of them do everything - leaving your team to stitch together multiple products and manage the response manually.

GRYPHON brings all three approaches into one product.

GRYPHON watches for threats in real time and scans files for known malware simultaneously. When it detects something, your team can immediately access the affected computer remotely, investigate what happened, isolate it from the network, and push any additional tools - all from the same console. No switching between systems. No extra vendors.

Built on two decades of real-world incident response experience, GRYPHON is a self-contained product that can be deployed even into environments that have already been compromised.

“Behavioral ransomware defense. Integrated anti-malware. Protected file recovery. One agent.”

Blocks ransomware. If anything gets through, GRYPHON recovers the encrypted files from backups ransomware cannot delete.

Features

No signatures. No cloud. Catches zero-day strains.

Most security tools rely on known lists of threats. If ransomware is new, they miss it. GRYPHON works differently - it watches how software behaves, not its fingerprints.

GRYPHON monitors every process on your device and looks for the patterns that encryption attacks follow: large numbers of files being rewritten or renamed in a short time, deletion of backups, and other unusual system activity. Everything happens on the device itself, with no internet connection required, so it works even on isolated or air-gapped systems. Because it looks at behavior rather than known threat names, it catches attacks that no one has seen before.

Layered on top, GRYPHON enforces a set of ransomware-specific protections:

  • Backup protection: ransomware almost always tries to delete your backups before encrypting your files. GRYPHON blocks this, so your recovery points are intact when you need them.
  • Automatic backup creation: GRYPHON creates backups on a daily schedule, and immediately when suspicious activity is detected - so recovery points are always current.
  • Automatic file recovery: when an attack is detected, GRYPHON restores any affected files automatically, without manual intervention.
  • Tamper protection: GRYPHON protects itself from being switched off by an attacker. Any attempt to disable or remove it triggers a separate alert.
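The two behaviors named above, backup deletion and a burst of file changes by one process, can be written as explicit rules over an endpoint event stream. The block below is an added illustration written for this page; it is not GRYPHON code and does not use GRYPHON's rule format. The command-line patterns are well-documented backup-destruction commands used by ransomware; the thresholds (20 distinct files inside a 10-second window) and the event records are constructed for the example.

```python
"""Behavioral ransomware heuristics over a constructed endpoint event stream.

Added illustration, not GRYPHON code: two of the patterns described on the
page (backup/shadow-copy deletion and a burst of file modifications by a
single process) expressed as rules over process and file events.
"""
import re
from collections import defaultdict, deque

# Commands ransomware families commonly run to destroy Volume Shadow Copies,
# the backup catalog and automatic recovery before encrypting files.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Thresholds are assumptions chosen for the illustration, not product settings.
BURST_FILES = 20        # distinct files rewritten by one process ...
BURST_WINDOW_S = 10.0   # ... within this many seconds


def check_process_start(event):
    """Return a detection if a process start matches a backup-destruction rule."""
    cmd = event["cmdline"]
    for pat in BACKUP_DESTRUCTION:
        if pat.search(cmd):
            return {"rule": "backup_deletion", "pid": event["pid"],
                    "action": "block", "cmdline": cmd}
    return None


class BurstDetector:
    """Sliding window of file modifications, kept per process id."""

    def __init__(self, max_files=BURST_FILES, window=BURST_WINDOW_S):
        self.max_files = max_files
        self.window = window
        self.recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.flagged = set()

    def observe(self, event):
        pid, ts = event["pid"], event["ts"]
        q = self.recent[pid]
        q.append((ts, event["path"]))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= self.max_files and pid not in self.flagged:
            self.flagged.add(pid)               # report each process once
            return {"rule": "mass_file_modification", "pid": pid,
                    "action": "block", "files": len(distinct)}
        return None


def run_rules(events):
    """Evaluate every event in time order; return the list of detections."""
    burst = BurstDetector()
    detections = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start":
            hit = check_process_start(ev)
        elif ev["type"] == "file_write":
            hit = burst.observe(ev)
        else:
            hit = None
        if hit:
            detections.append(hit)
    return detections


def sample_events():
    """Constructed sample: a benign editor touching one file, then an
    encryptor deleting shadow copies and rewriting many documents quickly."""
    ev = [
        {"type": "process_start", "ts": 0.0, "pid": 100,
         "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},
        {"type": "file_write", "ts": 1.0, "pid": 100, "path": r"C:\Users\a\report.txt"},
        {"type": "process_start", "ts": 5.0, "pid": 200,
         "cmdline": r"C:\Users\a\AppData\Local\Temp\x.exe"},
        {"type": "process_start", "ts": 5.5, "pid": 201,
         "cmdline": r"vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    for i in range(25):
        ev.append({"type": "file_write", "ts": 6.0 + i * 0.1, "pid": 200,
                   "path": rf"C:\Users\a\Documents\doc{i}.docx.locked"})
    return ev


if __name__ == "__main__":
    for d in run_rules(sample_events()):
        print(d)
```

The detector flags the encryptor at the twentieth distinct file rather than after the whole tree is gone, which is the practical meaning of blocking an attack "at 3%". A real agent would enforce the block in the kernel rather than append to a list, and the burst threshold would need tuning against backup jobs and compilers that legitimately rewrite many files at once.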

“Two detection engines. One console. Zero cloud dependency.”

GRYPHON replaces your antivirus. And goes further.

GRYPHON combines two layers of protection in one product: one that detects threats as they happen based on how software behaves, and one that scans files for known malware just as a standard antivirus would. Both run at the same time, and every alert shows which layer caught the threat.

Detection capabilities at a glance

  • Detects malware in files, running programmes, and scripts.
  • Quarantine: threats are isolated rather than just blocked, so they can be reviewed.
  • Scheduled and on-demand scans.
  • Automatic first scan: any new device is scanned automatically as soon as GRYPHON is installed.
  • Monitors files accessed over the network and from USB drives, configurable separately.
  • Scans compressed files such as ZIP and RAR archives - optional setting.
  • Scripts are scanned before they are allowed to run.

Detection alone does not save the business. Recovery does.

“Blocked at 3%, damage rolled back inline - not ‘blocked at 3%, restore from backups’.”

Almost every ransomware attack follows the same pattern: first, delete the backups; then encrypt the files. By the time an organization tries to recover, the backups are already gone. Most incidents end with a slow restore from an off-site copy that can take hours or even days.

GRYPHON closes this loop on the endpoint:

  • Backup deletion is blocked in real time: ransomware cannot remove your recovery points, because GRYPHON stops the deletion before it happens.
  • Backups are created automatically every day, and immediately if none exist.
  • Automatic file recovery: when an attack is detected, GRYPHON restores damaged files straight from the protected backup stored on the device - no external backup infrastructure needed.
  • Optional: backups can also be created for USB and other external drives.
  • Configurable storage: you control how much disk space is set aside for backup copies.

Stops threats before they complete.

“Detection in real time. Response in real time. Recovery on the endpoint.”

Most security tools spot a threat and then take action - but even a short delay gives an attack time to cause damage. GRYPHON acts at the same moment it detects something, before the threat has a chance to do anything.

Extensible rule system developed for analysts

Your security team can write, read, and adjust GRYPHON's detection rules without specialist knowledge. Rules cover everything happening on the device: programs launching, files changing, network activity, and more. When a rule is triggered, GRYPHON can block the threat, alert your team, run a response action, or any combination of these. Rules can be scoped to specific types of machines and can be imported from standard formats.

Deployment

Designed to offer protection even in offline mode

GRYPHON is installed as a small piece of software on each device, managed from a central dashboard. The same software and the same level of protection apply everywhere - only the location of the management dashboard changes depending on your setup:

  • Cloud-based dashboard: hosted by IstroSec, the fastest option to get started with no additional infrastructure on your side.
  • On-premises dashboard: hosted entirely within your own organization, suitable for highly regulated environments or those with no external internet access.
  • Hybrid setup: devices in partially connected networks report to an on-premises dashboard, with optional centralized oversight - typical for industrial or operational environments.

GRYPHON does not need an internet connection to protect your devices. Detection, blocking, antivirus, and file recovery all run directly on the device, so a computer that is offline or disconnected remains fully protected.

Platform coverage and agent footprint

“Windows 7 through 11. Every version your environment actually runs.”

  • Works on all Windows versions from Windows 7 through Windows 11 and their Windows Server equivalents, on 64-bit systems. Older versions such as Windows 7, 8, and 8.1 are supported with some limitations.
  • Lightweight: requires a minimum of 2 GB of RAM and 2 GB of storage space.
  • Simple installation: no unusual software dependencies or complex prerequisites.
  • All protection runs on the device itself, not in the cloud.

Deployment methods supported:

  • GUI installer
  • Silent MSI / scripted
  • SCCM / Intune
  • GPO (domain-wide)
  • Any other software deployment tool

Most modern security tools drop support for anything older than Windows 10. GRYPHON does not. This matters for:

  • Industrial and manufacturing environments where control systems and operator stations run on older Windows versions that cannot be upgraded without halting operations.
  • Regulated industries such as healthcare, financial services, and retail, where certified equipment runs software that cannot be updated on a standard IT schedule.
  • Secure, isolated networks where systems are deliberately kept on older software versions and updates go through a strict approval process.

FAQ

How is GRYPHON different from an EDR?

GRYPHON has some overlap with EDR tools - it detects threats and blocks them. But the difference is what happens when an attack is already underway. EDR tools raise an alert and hand over to your team and other systems. GRYPHON stays in control throughout: it stops the attack, cleans up the damage, and gives your team everything they need to investigate, all within the same product. We call it an Incident Response toolkit.

How does GRYPHON recover encrypted files?

GRYPHON keeps protected backups of your files and, crucially, prevents ransomware from deleting them - which is almost always the first thing ransomware tries to do. It also creates fresh backup copies every day. When an attack is detected, GRYPHON restores any damaged files automatically, directly on the device, with no separate backup system needed.

Can GRYPHON replace our antivirus?

For most organizations, yes. GRYPHON includes a full antivirus engine that scans files, monitors threats in real time, runs scheduled and manual scans, and checks scripts before they run. If you keep Windows Defender active alongside GRYPHON, its alerts will also appear in the GRYPHON dashboard.

Why does it matter that GRYPHON acts at the moment of detection?

Most security tools detect a threat, then take action asynchronously, or even worse, only after the rules are evaluated on the server. GRYPHON acts at the exact moment it detects something, stopping the threat before it can do anything. This is not a technical nuance: it is the difference between damage prevented and damage that has already happened.

Does GRYPHON use AI?

Yes, as one layer among several. GRYPHON uses AI as part of its detection, but most of the work is done by rules and logic that your team can inspect and verify. We do not rely on AI as a black box - you can see exactly what GRYPHON is watching for and why.

Can we isolate a device while keeping some connections open?

Yes. When you isolate a device, GRYPHON cuts off all network access by default. You can then selectively re-enable specific connections - such as to your security tools or internal services - without fully lifting the isolation. GRYPHON always keeps its own management connection active throughout.

Does GRYPHON need an internet connection?

No. Everything - detection, blocking, file recovery, antivirus scanning - runs directly on the device. GRYPHON can be installed in environments with no internet access whatsoever.

Can GRYPHON be installed while an attack is in progress?

Yes, it was designed for exactly that situation. GRYPHON starts protecting immediately after installation, with no setup or calibration period. It works safely even when other security tools on the same device have been tampered with. New installations are also not automatically trusted, which prevents an attacker from registering a fake agent on your dashboard.

Which systems are supported?

Windows 7 SP1 and Windows Server 2008 R2 through current releases. 64-bit systems only. Minimum 2 GB RAM and 2 GB disk.

Does GRYPHON support managed service providers?

Yes. GRYPHON is built for managed service providers running multiple customer environments. Each customer is kept entirely separate, with their own licensing, users, and access controls. Login requires two-step verification, and GRYPHON connects to security monitoring systems on a per-customer basis.

Incident Response

GRYPHON's incident response capabilities are all delivered through the same agent and the same console:

  • Incident Response Console: A single view for any active incident: endpoint state, process activity, network context, user context, file changes, and alerts, all in one place.
  • Kernel-level detection and response: GRYPHON detects threats and acts on them at the same instant - before any damage can be done.
  • Integrated antivirus: Full antivirus capability: scanning files, isolating threats, running scheduled checks, and vetting scripts; all within the same product.
  • Protected autonomous file recovery: Keeps backups safe, creates them automatically, and restores damaged files when an attack is detected; all working together to undo encryption damage.
  • Remote Desktop and remote PowerShell terminal: Connect to a compromised device remotely and see exactly what the attacker sees. Both visual desktop access and command-line access are available, and all activity is logged.
  • Remote File Manager: Retrieve files from a device, push investigative tools onto it, or examine evidence directly - all through the same GRYPHON agent.
  • Remote Process Manager: See every program running on any managed device in real time, including details about what each one is doing and whether it is trusted.
  • Custom response scripting: Run custom response scripts across one device or thousands simultaneously, with structured output your team can work with.
  • Customizable endpoint isolation: Cut a compromised device off the network with a single click, while keeping specific connections, such as your security tools, active.
  • Third-party tool deployment: Deploy any supporting tools or utilities to a device remotely, through the same GRYPHON agent.

Containment and Eradication in an active breach

Most security products are designed to be installed before a problem occurs. GRYPHON is designed for when you are already in one. When attackers are active, files are being encrypted, and existing tools may have been disabled, you cannot afford to wait through a setup or calibration period. GRYPHON was built for exactly this scenario:

  • Self-contained: GRYPHON installs and runs on devices you do not fully trust, with no additional requirements.
  • Active from the first moment: GRYPHON starts protecting as soon as it is installed. There is no learning period before protection begins.
  • Safe onboarding: newly installed instances are kept in a restricted mode until your team explicitly approves them, preventing an attacker from registering a false device.
  • No internet required: everything runs on the device. GRYPHON can be deployed in environments with no external connectivity.
  • Recovery starts immediately: from the moment GRYPHON is installed, it begins protecting your backups and creating restore points.

Advanced Defense

LOLBin defense and process manipulation

GRYPHON runs two protection layers side by side: one that watches behavior in real time, and one that scans files for known threats. Alerts from both appear in the same dashboard, clearly labelled by source.

Attackers often misuse legitimate Windows tools (living-off-the-land binaries, or LOLBins) to avoid triggering standard security alerts. GRYPHON blocks this with configurable protection across four levels, from minimal to full lockdown, with a recommended setting tailored to ransomware defense.

GRYPHON also blocks advanced attack techniques used to hide malicious activity inside legitimate programs, run unauthorized code, steal login credentials from memory, and disguise malicious files as safe ones.

Remote access protection

  • Blocks unauthorized remote access to administrative network locations.
  • Blocks remote access to local drives from other devices on the network.
  • Blocks programs from being run directly from network locations.
  • Blocks programs from running via internal system routing paths often exploited in attacks.
  • Blocks programs from being run directly from synced cloud storage folders such as OneDrive.

Zero Trust

File Integrity Monitoring and Zero Trust

File Integrity Monitoring runs as part of GRYPHON’s Zero Trust module, using the same event pipeline as the detection engine. Every file creation, modification, rename, permission change, and ownership change on a monitored path generates a tamper-resistant record.

Why it’s part of the toolkit, not a separate tool:

  • Compliance records: full audit trails for sensitive files, generated within GRYPHON itself, no second tool or vendor needed.
  • Threat detection: catches unauthorized file changes that attackers use to maintain access or establish a foothold, such as swapping legitimate files for malicious ones.
  • Incident investigation: during or after an attack, your team can see exactly what changed and which program made each change - directly in the GRYPHON dashboard.
  • Insider risk: administrative changes are recorded by GRYPHON independently, so they cannot be hidden or altered by the person who made them.

File monitoring is fully integrated with GRYPHON's response capabilities. If a protected file is changed without authorization, GRYPHON can alert your team, block the responsible program, isolate the device, or automatically restore the original file.
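The recovery loop described in the "Detection alone does not save the business" section and the integrity monitoring described here share one mechanism: a protected copy plus a baseline of file hashes, compared against the live tree and used to roll changes back. The block below is an added illustration for this page, not GRYPHON code. It keeps the "protected" store as an ordinary separate directory (a product enforces the protection in the kernel); the sample files and the simulated encryptor actions are constructed.

```python
"""Protected copies, integrity baseline and rollback over a temp directory.

Added illustration, not GRYPHON code: snapshot a monitored tree into a
separate store, detect which files were modified, deleted or added since the
baseline, and restore the modified and deleted ones from the store.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(monitored: Path, store: Path) -> dict:
    """Copy every file under `monitored` into `store` and record its hash.
    Returns the baseline {relative_path: sha256}; it is also written to the store."""
    baseline = {}
    for p in monitored.rglob("*"):
        if p.is_file():
            rel = p.relative_to(monitored)
            dest = store / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            baseline[rel.as_posix()] = sha256_file(p)
    (store / "baseline.json").write_text(json.dumps(baseline, sort_keys=True))
    return baseline


def verify(monitored: Path, store: Path) -> dict:
    """Compare the live tree with the stored baseline.
    Returns {"modified": [...], "deleted": [...], "added": [...]}."""
    baseline = json.loads((store / "baseline.json").read_text())
    live = {p.relative_to(monitored).as_posix(): sha256_file(p)
            for p in monitored.rglob("*") if p.is_file()}
    return {
        "modified": sorted(k for k in baseline if k in live and live[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in live),
        "added": sorted(k for k in live if k not in baseline),
    }


def restore(monitored: Path, store: Path, report: dict) -> list:
    """Put back every modified or deleted file from the protected copy.
    Files added since the baseline (ransom notes, renamed '.locked' copies)
    are left in place for the investigation; they are reported, not deleted."""
    restored = []
    for rel in report["modified"] + report["deleted"]:
        dst = monitored / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / rel, dst)
        restored.append(rel)
    return sorted(restored)


def demo() -> dict:
    """Run the whole cycle on constructed sample files in a temp directory."""
    root = Path(tempfile.mkdtemp())
    monitored = root / "docs"
    store = root / "protected_store"      # outside the monitored tree
    monitored.mkdir()
    store.mkdir()
    (monitored / "budget.xlsx").write_bytes(b"constructed sample spreadsheet")
    (monitored / "notes.txt").write_bytes(b"constructed sample notes")
    snapshot(monitored, store)

    # Simulated encryptor: overwrite one file, rename another, drop a note.
    (monitored / "budget.xlsx").write_bytes(os.urandom(64))
    (monitored / "notes.txt").rename(monitored / "notes.txt.locked")
    (monitored / "README_RESTORE.txt").write_bytes(b"constructed ransom note")

    before = verify(monitored, store)
    restored = restore(monitored, store, before)
    after = verify(monitored, store)
    shutil.rmtree(root)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same comparison that drives recovery also answers the integrity-monitoring question "what changed": a file whose hash differs from the baseline is reported whether the change came from ransomware, an administrator, or a supply-chain swap of a legitimate binary. What this sketch cannot do is attribute the change to a process; that attribution needs the event pipeline the page describes, which sees the write as it happens rather than diffing afterwards.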

Integrations

GRYPHON is designed to work alongside the security and IT tools your organization already uses.

  • Security monitoring integration: GRYPHON can send alerts to your central security monitoring system, or your monitoring system can pull them on demand.
  • Real-time alert forwarding: alerts can be pushed to your monitoring system as they happen, via standard protocols.
  • Custom threat rules: GRYPHON supports standard YARA rule files, so existing threat intelligence can be imported directly.
  • Script scanning: all scripts are checked for threats before they are allowed to run.
  • Remote tool deployment: investigative and response tools can be pushed to any device through GRYPHON, without additional remote access software.
  • Secure access: every user logs in with a personal security certificate and a one-time code, not just a password.
  • Multi-organization support: built for managed service providers and large organizations with multiple business units - each with fully separate data, users, and licensing.
  • API access: GRYPHON can be integrated with other systems programmatically, using access keys with configurable expiry and revocation.

GRYPHON is designed to complement your existing tools, not replace them. It has been deployed alongside the most widely used security platforms on the market, including Microsoft Defender for Endpoint, SentinelOne, Sophos, Palo Alto Cortex XDR, ESET, Bitdefender, and others.

Assets & Network

You cannot protect devices when you do not know what is running on them. GRYPHON gives your team a complete, up-to-date inventory of everything running across your organization, covering five areas:

  • Software inventory: all installed applications across every device, including version numbers and any known security vulnerabilities.
  • Known vulnerabilities: a full list of security weaknesses found across your devices, with severity ratings and links to the affected software and machines.
  • Missing updates: all outstanding software updates across your devices, with a list of which machines are affected.
  • Persistence mechanisms: any software or configuration that has been set up to survive a reboot or reinstallation, which is a common sign of compromise.
  • Process reputation: for every piece of software running across your devices, GRYPHON shows whether it is signed, how common it is in your environment, and any associated threat intelligence.

Custom firewall: process-aware network control

Standard firewalls control network traffic based on addresses and ports. GRYPHON’s built-in firewall goes further - it can apply rules based on which program is connecting, who is running it, and what it is doing:

  • Standard mode: the normal set of rules that applies to all devices during regular operation.
  • Isolation mode: activates automatically when a device is isolated. All network access is blocked by default, but you can selectively allow specific connections - such as to your security tools - to remain active.

GRYPHON's firewall can target specific programs, verify that software is from a trusted publisher, apply rules to groups of devices, and choose whether to block, allow, or just log each connection.
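What "process-aware" means in practice, and how isolation mode differs from standard mode, is easiest to see as a small policy evaluator. The block below is an added illustration for this page, not GRYPHON's rule format or engine: a connection attempt carries the program path, its signer, the user and the destination; rules match on any of those and return allow, block or log; isolation mode is default-deny with an explicit keep list. The agent path, publisher names, addresses and the connection samples are all hypothetical.

```python
"""Process-aware outbound policy with a standard mode and an isolation mode.

Added illustration, not GRYPHON code. Rules are evaluated first-match; a
"log" rule allows the connection but records it for review.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    process: str                # full path of the program opening the connection
    publisher: Optional[str]    # code-signing publisher, None if unsigned
    user: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "block" or "log"
    process: Optional[str] = None     # match on program path
    publisher: Optional[str] = None   # match on a specific signer
    signed: Optional[bool] = None     # match on signed / unsigned
    user: Optional[str] = None
    dst_net: Optional[str] = None     # CIDR
    dst_port: Optional[int] = None

    def matches(self, c: Connection) -> bool:
        return all([
            self.process is None or c.process.lower() == self.process.lower(),
            self.publisher is None or c.publisher == self.publisher,
            self.signed is None or (c.publisher is not None) == self.signed,
            self.user is None or c.user.lower() == self.user.lower(),
            self.dst_net is None or ip_address(c.dst_ip) in ip_network(self.dst_net),
            self.dst_port is None or c.dst_port == self.dst_port,
        ])


class Policy:
    def __init__(self, rules: List[Rule], default: str):
        self.rules = list(rules)
        self.default = default
        self.log: List[Connection] = []

    def decide(self, c: Connection) -> str:
        for r in self.rules:              # first matching rule wins
            if r.matches(c):
                if r.action == "log":
                    self.log.append(c)
                    return "allow"
                return r.action
        return self.default


# Hypothetical paths, publishers and addresses for the illustration.
AGENT = r"C:\Program Files\EndpointAgent\agent.exe"
AGENT_PUBLISHER = "Example Endpoint Vendor"
SENSOR = r"C:\Program Files\SensorVendor\sensor.exe"
MGMT_NET = "10.10.0.0/16"
SIEM_IP = "10.20.0.5"
# A "keep" rule: the sensor's syslog channel survives isolation.
KEEP_SIEM = Rule("allow", process=SENSOR, dst_net=SIEM_IP + "/32", dst_port=514)


def standard_policy() -> Policy:
    """Normal operation: unsigned programs may talk inside the LAN (logged),
    never to the internet; everything else is allowed."""
    return Policy(default="allow", rules=[
        Rule("log", signed=False, dst_net="10.0.0.0/8"),
        Rule("block", signed=False),
    ])


def isolation_policy(keep=()) -> Policy:
    """Default deny. Only the agent's own management channel, pinned to its
    path and publisher, plus explicitly kept rules remain open."""
    return Policy(default="block", rules=[
        Rule("allow", process=AGENT, publisher=AGENT_PUBLISHER,
             dst_net=MGMT_NET, dst_port=443),
        *keep,
    ])


def sample_connections():
    """Constructed connection attempts seen on one endpoint."""
    tmp_exe = r"C:\Users\alice\AppData\Local\Temp\update.exe"
    return {
        "agent_mgmt": Connection(AGENT, AGENT_PUBLISHER, r"NT AUTHORITY\SYSTEM", "10.10.1.1", 443),
        "browser_internet": Connection(r"C:\Program Files\Browser\browser.exe", "Browser Publisher",
                                       r"CORP\alice", "203.0.113.10", 443),
        "unsigned_lan": Connection(tmp_exe, None, r"CORP\alice", "10.0.5.7", 445),
        "unsigned_internet": Connection(tmp_exe, None, r"CORP\alice", "198.51.100.9", 8443),
        "sensor_siem": Connection(SENSOR, "Sensor Vendor", r"NT AUTHORITY\SYSTEM", SIEM_IP, 514),
    }


def evaluate(policy: Policy, conns) -> dict:
    return {name: policy.decide(c) for name, c in conns.items()}


if __name__ == "__main__":
    print("standard :", evaluate(standard_policy(), sample_connections()))
    print("isolation:", evaluate(isolation_policy([KEEP_SIEM]), sample_connections()))
```

Pinning the management rule to both path and publisher is the point of a process-aware firewall: an attacker who copies malware to the agent's path still fails the signer check, and an unsigned binary gets no outbound path to the internet even in standard mode. In isolation mode nothing is reachable unless a keep rule names it, which is the behaviour the FAQ describes for keeping security tools alive on an isolated host.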

Contact Us

Cernysevskeho 10, 851 01 Bratislava, Slovakia