The architecture behind autonomous mobile defense.
How Cyber Guardian scores Android risk on-device, correlates four detection lanes, and routes forensic evidence, plus the validation scope behind every claim on the homepage.
Real-time protection. Zero cloud dependency.
Every detection lane runs locally on the handset. Cloud paths are reserved for federated model updates and signed evidence routing, not first-line decisions on user data.
- App, DNS, file, and behavior detection score independently, then correlate.
- Quarantine and containment happen on-device, even offline.
- XDR-grade evidence with MITRE ATT&CK Mobile mapping for every alert.
- Federated learning keeps detection sharp without centralizing raw telemetry.
Four detection lanes that score independently, then correlate.
Each lane is built around local runtime analysis. Lanes score on their own and feed cross-modal correlation into the threat timeline, producing XDR-quality evidence without cloud dependency.
- 01 App lane: App Monitor evaluates installed apps for suspicious permissions, masquerading, and unauthorized behaviors. Vetting happens locally. App contents never leave the device.
- 02 DNS lane: On-device DNS scoring catches malicious domains, DGA traffic, and command-and-control beacons in real time. Detection happens via a local VPN, no cloud proxy required.
- 03 File lane: Local file analysis flags packed, obfuscated, masquerading, and zero-day artifacts. Suspicious files are quarantined with full forensic context for analyst review.
- 04 Behavior lane: Runtime behavior is correlated against MITRE ATT&CK Mobile techniques to expose multi-stage attacks that look benign in isolation.
Forensic-grade timelines, mapped to MITRE ATT&CK.
Every detection produces an analyst-ready record: detection signals, file metadata, URI, recommended action, and ATT&CK mapping. Suspicious files are quarantined locally with full context. Findings flow into auditable timelines for review, policy enforcement, and XDR correlation, without exfiltrating raw user content.
- Local quarantine with full detection rationale.
- Threat timeline with severity, frequency, and trend analysis.
- Signed, auditable export paths for enterprise SIEM/XDR.
- Privacy-aware redaction before any data leaves the device.
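The score-independently-then-correlate flow of the four lanes and the analyst-ready record it feeds, as an added example that is not Cyber Guardian's own code: each lane emits a local score, a noisy-OR across lanes inside a time window decides whether to alert (one strong lane still alerts on its own), and the record carries the signals, ATT&CK mapping, a redacted URI and a recommended action. The thresholds, the ATT&CK mapping table, the package names and the sample signals are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

# Illustrative signal -> ATT&CK Mobile mapping (assumption, not the product's own table).
ATTACK_MAP = {("app", "masquerading"): "T1655 Masquerading",
              ("dns", "dga"): "T1437 Application Layer Protocol",
              ("file", "packed"): "T1406 Obfuscated Files or Information"}
ALERT, SUSPECT = 0.8, 0.4  # alone-alert threshold; minimum score to join correlation
# ts: seconds on a constructed clock; lane: app|dns|file|behavior; score: 0..1 from that lane
Signal = namedtuple("Signal", "ts lane signal score package uri", defaults=("",))

def redact(uri):
    # Keep scheme and host only, so an export never carries paths or query strings.
    p = urlsplit(uri)
    return f"{p.scheme}://{p.hostname}" if p.hostname else "[redacted]"

def correlate(signals, window=300):
    # One analyst-ready record per package whose lanes, alone or combined, reach ALERT.
    by_pkg = defaultdict(list)
    for s in signals:
        by_pkg[s.package].append(s)
    records = []
    for pkg, sigs in by_pkg.items():
        latest, best = max(s.ts for s in sigs), {}  # strongest suspicious signal per lane
        for s in sigs:
            if s.ts >= latest - window and s.score >= SUSPECT:
                if s.lane not in best or s.score > best[s.lane].score:
                    best[s.lane] = s
        hits = list(best.values())
        # Noisy-OR: independent lanes compound, but one lane at ALERT still suffices.
        combined = 1.0
        for s in hits:
            combined *= 1 - s.score
        if 1 - combined < ALERT:
            continue
        records.append({
            "package": pkg, "confidence": round(1 - combined, 2),
            "severity": "critical" if len(hits) >= 3 else "high",
            "signals": [f"{s.lane}:{s.signal}={s.score}" for s in hits],
            "techniques": sorted({ATTACK_MAP[(s.lane, s.signal)] for s in hits
                                  if (s.lane, s.signal) in ATTACK_MAP}),
            "uri": next((redact(s.uri) for s in hits if s.uri), ""),
            "action": "quarantine" if any(s.lane == "file" for s in hits) else "review"})
    return records

# Constructed sample: three lanes each below ALERT alone cross it together; a lone weak
# DNS signal on another package does not.
SAMPLE = [Signal(100, "app", "masquerading", 0.5, "com.example.torch"),
          Signal(160, "dns", "dga", 0.6, "com.example.torch", "https://x7k2q.example/b?id=42"),
          Signal(220, "file", "packed", 0.55, "com.example.torch"),
          Signal(300, "dns", "dga", 0.3, "com.example.bank")]
```

Running `correlate(SAMPLE)` yields a single critical record for `com.example.torch` with all three techniques, a host-only URI and a quarantine action; the banking package produces nothing.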
Built, tested, and internally validated.
The numbers behind the platform: what each one means, and how it's measured.
- Scenarios from T1 (trivial) through T5 (nation-state APT-modeled), gated independently so success at lower tiers cannot mask failure at higher tiers.
- Controlled runtime samples spanning real-world Android malware families and benign-but-noisy software for false-positive tuning.
- Algorithmically generated variants used to test resilience against signature evasion and code-rewriting attacks.
- Coverage across the MITRE ATT&CK Mobile matrix, mapped to forensic evidence so every alert is analyst-ready.
- Curated profiles of known mobile malware families with behavioral fingerprints, not signatures.
- Adversarial test suites covering common evasion techniques: packing, obfuscation, double-extension masquerading, and more.
- False-positive suppression tests passed across legitimate-app categories including password managers, MDM, parental controls, VPN, banking, and messaging.