GRYPHON's behavioral engine uses a purpose-built transformer model to detect malicious activity — paired with inspectable rules and explainable verdicts.
Explore the technologyGRYPHON's behavioral engine uses a purpose-built transformer model to detect malicious activity — paired with inspectable rules and explainable verdicts.
Explore the technologyAgent-based advanced Defense and Incident Response toolkit designed to complement EDR/XDR and strengthen a multi-layer resilience strategy.
GRYPHON is the first Defense and Incident Response (IR) toolkit that stops ransomware and sophisticated cyber attacks, recovers any files damaged during an attack, and gives your team everything needed to investigate and resolve an incident - all in a single piece of software, developed by IstroSec, a European cybersecurity company.
Built-in Incident Response
“One agent, one console, one license. And when an incident starts, the same agent handles response.”
A single tool that stops an attack as it happens, cleans up the damage, and lets your team investigate what occurred - without switching between multiple products or calling in outside help.
Behavioral ransomware defense. Integrated anti-malware. Protected file recovery.
GRYPHON blocks ransomware - even types that have never been seen before - without relying on internet connectivity or regular signature updates and based on behavioral analysis. If anything slips through, it automatically restores the affected files from a protected backup. The same software then gives your team a full picture of what happened.
“Built for the moment the breach is already happening.”
When the breach is already in progress, most tools give up. GRYPHON starts there.
The first incident response toolkit designed to deploy inside a compromised environment, stop the attack, quarantine the malware, recover what was damaged, and help you regain control.
For fifteen years, endpoint security split into two camps
Traditional security tools each handle one part of the problem. Some detect threats. Some scan for known malware. Others investigate incidents after the fact. But when an attack is happening, none of them do everything - leaving your team to stitch together multiple products and manage the response manually.
GRYPHON brings all three approaches into one product.
GRYPHON watches for threats in real time and scans files for known malware simultaneously. When it detects something, your team can immediately access the affected computer remotely, investigate what happened, isolate it from the network, and push any additional tools - all from the same console. No switching between systems. No extra vendors.
Built on two decades of real-world incident response experience, GRYPHON is a self-contained product that can be deployed even into environments that have already been compromised.
“Behavioral ransomware defense. Integrated anti-malware. Protected file recovery. One agent.”
Blocks ransomware. If anything gets through, GRYPHON recovers the encrypted files from backups ransomware cannot delete.
Blocks ransomware. If any files are encrypted, GRYPHON recovers them from backups ransomware cannot delete.
No signatures. No cloud. Catches zero-day strains.
Most security tools rely on known lists of threats. If ransomware is new, they miss it. GRYPHON works differently - it watches how software behaves, not its fingerprints.
GRYPHON monitors everything process on your device and identifies the patterns that encryption attacks follow - such as large numbers of files changing at once, backup deletion, or unusual system activity. Everything happens on the device itself, with no internet connection required, so it works even on isolated or air-gapped systems. Because it looks for behavior rather than known threat names, it catches attacks that no one has seen before.
Layered on top, GRYPHON enforces a set of ransomware-specific protections:
“Two detection engines. One console. Zero cloud dependency.”
GRYPHON replaces your antivirus. And goes further.
GRYPHON combines two layers of protection in one product: one that detects threats as they happen based on how software behaves, and one that scans files for known malware just as a standard antivirus would. Both run at the same time, and every alert shows which layer caught the threat.
Detection capabilities at a glance
Detection alone does not save the business. Recovery does.
“Blocked at 3%, damage rolled back inline - not ‘blocked at 3%, restore from backups’.”
Almost every ransomware attack follows the same pattern: first, delete the backups; then encrypt the files. When organizations want to recover, the backups are already gone. Most incidents end with a slow restore from an off-site copy that can take hours or even days.
GRYPHON closes this loop on the endpoint:
Backup deletion is blocked in real time: an attacker cannot delete your recovery points before GRYPHON stops them.
Stops threats before they complete.
“Detection in real time. Response in real time. Recovery on the endpoint.”
Most security tools spot a threat and then take action - but even a short delay gives an attack time to cause damage. GRYPHON acts at the same moment it detects something, before the threat has a chance to do anything.
Extensible rule system developed for analysts Your security team can write, read, and adjust GRYPHON’s detection rules without specialist knowledge. Rules cover everything happening on the device - programs launching, file changing, network activity, and more. When a rule is triggered, GRYPHON can block the threat, alert your team, run a response action, or any combination. Rules can apply to specific types of machines and can be imported from standard formats.
Detection in real time. Response in real time. Recovery on the endpoint.
Designed to offer protection even in offline mode
GRYPHON is installed as a small piece of software on each device, managed from a central dashboard. The same software and the same level of protection apply everywhere - only the location of the management dashboard changes depending on your setup:
GRYPHON does not need an internet connection to protect your devices. Detection, blocking, antivirus, and file recovery all run directly on the device, so a computer that is offline or disconnected remains fully protected.
Platform coverage and agent footprint
“Windows 7 through 11. Every version your environment actually runs.”
Stops ransomware, auto-recovers your files, and gives your team one tool to investigate — even on offline / air-gapped endpoints.
GRYPHON’s incident response console provides a single view for any active incident: endpoint state, process activity, network context, user context, file changes, and alerts, all in one place.
Containment and Eradication in an active breach
Most security products are designed to be installed before a problem occurs. GRYPHON is designed for when you are already in one. When attackers are active, files are being encrypted, and existing tools may have been disabled, you cannot afford to wait through a setup or calibration period. GRYPHON was built for exactly this scenario:
LOLBin defense and process manipulation
GRYPHON runs two protection layers side by side, one that watches behavior in real time, and one that scans files for known threats. Alerts from both appear in the same dashboard, clearly labelled by source. Attackers often misuse legitimate Windows tools to avoid triggering standard security alerts. GRYPHON blocks this with configurable protection across four levels, from minimal to full lockdown, with a recommended setting tailored to ransomware defense. GRYPHON blocks advanced attack techniques used to hide malicious activity inside legitimate programs, run unauthorized code, steal login credentials from memory, and disguise malicious files as safe ones.
Remote access protection
Two detection engines. One console. Zero cloud dependency.
File Integrity Monitoring and Zero Trust
File Integrity Monitoring runs as part of GRYPHON’s Zero Trust module, using the same event pipeline as the detection engine. Every file creation, modification, rename, permission change, and ownership change on a monitored path generates a tamper-resistant record.
Why it’s part of the toolkit, not a separate tool:
GRYPHON is designed to work alongside the security and IT tools your organization already uses.
You cannot protect devices from unknown software. GRYPHON gives your team a complete, up-to-date inventory of everything running across your organization, covering five areas:
Custom firewall: process-aware network control
Standard firewalls control network traffic based on addresses and ports. GRYPHON’s built-in firewall goes further - it can apply rules based on which program is connecting, who is running it, and what it is doing: