Purpose-built · Windows · Open source

Stop Ransomware Before the First File Drops

A lightweight Windows agent built for one job — terminating ransomware before encryption begins. Score processes on-device, kill in under 100 milliseconds, forward every alert to your SIEM in parallel.

Local ML inference · Sub-100ms kill · Runs offline · Works alongside EDR

<100ms · Event → Kill · End-to-end response latency

3 · Detection Modes · Rules, ML, or hybrid

0 · Cloud Dependencies · Detection runs fully on-device

Open · Community · Read the code. Audit the model.

Why procSniper exists

Ransomware Isn't an Alert Problem. It's a Milliseconds Problem.

Generic endpoint security was built to detect a broad class of threats. Ransomware exploits every millisecond of that compromise.

1. It moves faster than your verdict.

Cloud-dependent EDR can take seconds to return a verdict. Modern ransomware uses that window to encrypt thousands of files — and the alert fires after the damage is done.

76% of ransomware attacks resulted in data being encrypted in 2024.

2. It walks past your signature engine.

Signature AV is blind to ransomware it has never seen. Novel families, rebrands, and packers slip through unscored — and there is a new one every week.

$2.73M average ransomware recovery cost per incident: downtime, data loss, and IR combined.

3. It outprices your security budget.

CrowdStrike, SentinelOne, and Defender for Business carry per-seat costs and operational overhead that lean SMB, MSSP, and SOC teams cannot justify — yet small teams are exactly who ransomware targets.

32% of all reported breaches in 2024 involved ransomware or extortion.

Sources: Sophos State of Ransomware 2024 · Verizon Data Breach Investigations Report 2024

What's inside the agent

Precision Over Breadth.

procSniper is not a general-purpose EDR. It is a dedicated prevention layer engineered to catch encryption-stage ransomware in the milliseconds your existing stack needs to file an alert.

Built for the prevention gap

Local ML inference

A 14-feature behavioral vector is scored by an ONNX Random Forest model entirely on-device. No telemetry leaves the endpoint.

Sub-100ms process kill

Event capture to process termination in under 100 milliseconds — faster than any cloud verdict round-trip.

Behavioral detection

Catches novel and zero-day ransomware families by behavior, not signature. No reliance on known IOCs or vendor updates.

Canary file honeypots

Seeded decoy files across the filesystem trigger instant kills the moment ransomware touches them — before meaningful encryption.

Three detection modes

Run rules-only, ML-only, or hybrid. Start in audit mode, tune allowlists, then switch to protect — no pipeline changes required.

Wazuh & SIEM ready

RFC 5424 syslog drops straight into Wazuh, Elastic, Splunk, or any compliant receiver. Zero custom parsing or integration work.

Offline-first architecture

Runs fully air-gapped. No telemetry, no cloud check-in, no kill switch. Protection survives network outages and isolated networks.

Community-driven

Read the code. Audit the model. File an issue. procSniper ships in the open — no vendor lock-in, no opaque black box, and a community that shows up.

How it works

Monitor. Analyze. Respond.

A three-stage pipeline that runs entirely on the endpoint, with no cloud dependency anywhere in the critical path.

01 · Kernel telemetry · Monitor

The agent taps Windows ETW and Security event logs to capture process creation, file I/O, registry changes, and network events in real time — all on-device, all without a kernel driver of its own.

02 · On-device ML · Analyze

Each process is represented as a 14-feature behavioral vector and scored by a locally loaded ONNX Random Forest classifier. No cloud round-trip. Verdict in milliseconds.

03 · Autonomous kill · Respond

When the score crosses threshold, the agent terminates or suspends the offending process before encryption spreads — and forwards the alert to Wazuh or your SIEM in parallel.
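To make the three stages concrete, here is a toy reconstruction of the monitor → analyze → respond loop, written as an added example for this page and not taken from procSniper's source. The feature names (five instead of the agent's fourteen), the rule thresholds, the three-stump "forest" that stands in for the ONNX Random Forest, the canary path and the 0.66 kill threshold are all assumptions; the telemetry is constructed inline. It shows what the three detection modes and the audit/protect switch change about the outcome, and how a canary touch short-circuits scoring.

```python
"""Toy reconstruction of the monitor -> analyze -> respond pipeline.

Added example, not procSniper's code. Feature names, rule thresholds, the
stump "forest" and the 0.66 kill threshold are all assumptions made for
this illustration; the real agent scores a 14-feature vector with an ONNX
Random Forest model. Events are constructed in sample_events() below.
"""
from dataclasses import dataclass

# Assumed decoy location; the real agent seeds its own canary files.
CANARY_PATHS = {r"C:\Users\alice\Documents\~canary_do_not_open.docx"}


@dataclass
class Event:
    """One telemetry record, standing in for an ETW file/registry event."""
    pid: int
    kind: str                   # "file_write", "file_rename", "registry_set", ...
    path: str = ""
    ext_changed: bool = False   # constructed flag: rename changed the extension
    high_entropy: bool = False  # constructed flag: written bytes looked encrypted


# --- Analyze: a hypothetical 5-feature vector per process (the agent uses 14)
def featurize(events, pid):
    ev = [e for e in events if e.pid == pid]
    dirs = {e.path.rsplit("\\", 1)[0] for e in ev if e.path}
    return {
        "writes": sum(e.kind == "file_write" for e in ev),
        "renames": sum(e.kind == "file_rename" for e in ev),
        "ext_changes": sum(e.ext_changed for e in ev),
        "high_entropy_writes": sum(e.high_entropy for e in ev),
        "unique_dirs": len(dirs),
    }


def rules_score(v):
    """Rules-only mode: fraction of hand-written rules that fire."""
    rules = (
        v["renames"] >= 5 and v["ext_changes"] >= 5,   # mass rename to a new extension
        v["high_entropy_writes"] >= 5,                 # many encrypted-looking writes
        v["unique_dirs"] >= 3,                         # spreading across folders
    )
    return sum(rules) / len(rules)


# Three decision stumps voting; a stand-in for the ONNX Random Forest.
STUMPS = (("high_entropy_writes", 3), ("ext_changes", 4), ("writes", 8))


def ml_score(v):
    """ML-only mode: fraction of stumps voting 'ransomware'."""
    return sum(v[feat] >= cut for feat, cut in STUMPS) / len(STUMPS)


def score(v, mode):
    if mode == "rules":
        return rules_score(v)
    if mode == "ml":
        return ml_score(v)
    if mode == "hybrid":       # either engine can trigger the kill
        return max(rules_score(v), ml_score(v))
    raise ValueError(f"unknown detection mode: {mode}")


# --- Respond
THRESHOLD = 0.66   # assumed kill threshold


def respond(events, pid, detection_mode="hybrid", protect=True, alerts=None):
    """Decide for one process; returns "allow", "audit" or "terminate".

    Every verdict is appended to `alerts` (a stand-in for the syslog stream),
    so audit mode still forwards scores without touching the process.
    """
    alerts = alerts if alerts is not None else []
    canary_hit = any(e.pid == pid and e.path in CANARY_PATHS for e in events)
    v = featurize(events, pid)
    s = 1.0 if canary_hit else score(v, detection_mode)  # canary touch: instant verdict
    if s < THRESHOLD:
        action = "allow"
    else:
        action = "terminate" if protect else "audit"
    alerts.append({"pid": pid, "score": round(s, 2), "canary": canary_hit,
                   "action": action, "features": v})
    return action


def sample_events():
    """Constructed telemetry: a benign editor, an encryption burst, a canary touch."""
    ev = [Event(100, "file_write", rf"C:\Users\alice\Documents\notes{i}.txt") for i in range(2)]
    for i, d in enumerate(["Documents", "Pictures", "Desktop"] * 2):
        ev.append(Event(200, "file_write", rf"C:\Users\alice\{d}\f{i}.docx", high_entropy=True))
        ev.append(Event(200, "file_rename", rf"C:\Users\alice\{d}\f{i}.docx.locked", ext_changed=True))
    ev.append(Event(300, "file_write", next(iter(CANARY_PATHS))))
    return ev


if __name__ == "__main__":
    log = []
    for pid in (100, 200, 300):
        print(pid, respond(sample_events(), pid, alerts=log))
    for rec in log:
        print(rec)
```

Running it shows the benign editor (pid 100) allowed in every mode, the rename-and-rewrite burst (pid 200) terminated by both engines, and the canary touch (pid 300) killed regardless of the model's score; switching `protect=False` turns the same verdicts into audit records, which is what a week in audit mode produces before the switch to protect.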

Watch it run

See procSniper Kill Ransomware in Real Time.

Two minutes. One ransomware sample. The agent catches it, scores it, and terminates the process before encryption begins.

Live demo · 2 min · Windows 11 · default model · protect mode

Better together

procSniper + Your EDR.

procSniper is a prevention layer, not an EDR replacement. It plugs in alongside the stack you already trust — and closes the gap that generic endpoint security was never designed to cover.

Catches what your EDR misses.

Generic EDR is built to cover a broad threat surface. procSniper is built for one — encryption-stage ransomware. The behavioral model is trained only on ransomware patterns, so it scores faster and catches families your EDR has never seen.

Runs in parallel, not in conflict.

No kernel driver of its own, no signature engine to collide with, no hook chain to fight over. procSniper coexists with Microsoft Defender, CrowdStrike, SentinelOne, and Cortex — both layers watch different signals, and neither blocks the other.

Forwards everything to your SIEM.

Every score, kill, and canary trigger streams out as RFC 5424 syslog. Wazuh, Elastic, Splunk, or any compliant receiver picks it up alongside your EDR telemetry — one unified incident view, zero custom parsing.

Works with your stack

Drops Into Your SOC On Day One.

  • Wazuh: Native ruleset & decoder
  • Windows: 10 · 11 · Server 2019 / 2022
  • RFC 5424 Syslog: Any compliant receiver
  • Elastic / Splunk: Via syslog forwarding
  • REST API: Roadmap · Q3 2026

Any RFC 5424-compatible receiver works out of the box — no custom parsing, no agent reconfiguration, no professional services.
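The "zero custom parsing" claim rests on the message format itself: an RFC 5424 line carries its fields (PRI, version, timestamp, host, app, message ID) in a fixed header and its alert details in structured data that any compliant receiver can extract. The following is an added example, not procSniper's own code and not its actual message layout: it formats a kill alert as RFC 5424 with proper structured-data escaping and then parses it back the way a receiver would. The SD-ID, parameter names and app name are assumptions, and the enterprise number in the SD-ID is a placeholder.

```python
"""Build and parse an RFC 5424 syslog line carrying an alert.

Added illustration, not procSniper's code. The SD-ID (including its
placeholder enterprise number), app name, MSGID and parameter names are
assumptions; the escaping and header layout follow RFC 5424.
"""
import re
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SD_ID = "procsniper@00000"   # placeholder private enterprise number (assumption)


def _sd_escape(value):
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_alert(hostname, action, pid, score, image, severity="crit", ts=None,
                 app="procsniper", procid="-", msgid="KILL"):
    """Return one RFC 5424 line: header, one SD element, free-text MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    ts = (ts or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    sd = (f'[{SD_ID} action="{_sd_escape(action)}" pid="{pid}" '
          f'score="{score:.2f}" image="{_sd_escape(image)}"]')
    msg = f"{action} pid={pid} image={image}"
    return f"<{pri}>1 {ts} {hostname} {app} {procid} {msgid} {sd} {msg}"


# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID then SD and MSG
HEADER_RE = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (?P<rest>.*)$")
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')   # name="value" with escapes


def parse(line):
    """Minimal receiver-side parse: header fields, SD params (unescaped), MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    pri, rest = int(m.group(1)), m.group("rest")
    params, sd_id = {}, None
    if rest.startswith("["):
        end = re.search(r"(?<!\\)\]", rest).end()      # first unescaped ']' ends the SD
        sd, msg = rest[:end], rest[end:].lstrip(" ")
        sd_id, body = sd[1:-1].split(" ", 1)
        for name, raw in PARAM_RE.findall(body):
            params[name] = re.sub(r'\\([\\"\]])', r"\1", raw)   # undo the escaping
    else:
        msg = rest[2:] if rest.startswith("- ") else rest       # "-" means no SD
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(3),
            "host": m.group(4), "app": m.group(5), "msgid": m.group(7),
            "sd_id": sd_id, "params": params, "msg": msg}


if __name__ == "__main__":
    line = format_alert("ws-01", "terminate", 4242, 0.97,
                        r"C:\Users\alice\AppData\Local\Temp\update.exe")
    print(line)
    print(parse(line))
```

The parser round-trips values containing quotes, backslashes and closing brackets, which matters for Windows image paths; a receiver such as Wazuh's syslog decoder does the equivalent extraction, so the agent side only has to get the escaping right.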

Pricing

Start Free. Scale When Ready.

The Community edition is — and always will be — free and open source. Commercial tiers add management, support, and reporting for teams that need them.

Community

Free

For labs, individuals, and open-source SOC teams. No commitment.

Download on GitHub
  • Single-endpoint protection
  • Local ML + rules detection
  • Wazuh / RFC 5424 syslog
  • All three detection modes
  • Canary file honeypots
  • Offline operation
  • Apache-2.0 license
  • Community support via GitHub

Pro · Most Popular

$2/endpoint/mo

For SMBs that need signed installers, central management, and a vendor on the hook.

Start Free Trial
  • Everything in Community
  • Signed Windows installer
  • Central management console
  • Policy profiles & allowlists
  • Audit-only and protect modes
  • Email & Slack notifications
  • PDF executive reporting
  • Priority email support

MSSP

Custom

For MSSPs and MSPs managing multiple customer environments under one roof.

Talk to Sales
  • Everything in Pro
  • Multi-tenant dashboard
  • Customer grouping & tagging
  • Full REST API access
  • Co-branded reporting
  • Bulk SIEM export
  • Partner margin structure
  • Dedicated onboarding

SEA pricing available in IDR for Indonesian customers. Pro and MSSP tiers from 50 endpoints.

FAQ

Buyer Questions, Answered.

The questions security teams ask before deploying a new endpoint agent — and the answers we'd give in the first 20 minutes of a call.

Free · Community · No telemetry

Ransomware Does Not Wait. Neither Should You.

Deploy the agent to a single Windows endpoint in under five minutes. Run it in audit mode for a week. See what your EDR is missing — then flip the switch.

Download the Agent · View on GitHub

Windows 10 / 11 / Server · Requires administrator privileges