ICU
Deep endpoint visibility with resilient local detection.
ICU is the hardened endpoint security agent that delivers deep host visibility, local threat detection, and anti-tamper resilience across modern enterprise environments.
- Deep host-level telemetry context
- Local detection before lateral impact
- Hardened anti-tamper runtime controls
Why ICU
Built for teams that need dependable endpoint security on the host.
ICU gives security teams real-time visibility and on-node detection where attacks actually happen. It combines rich endpoint sensing, local behavior analysis, and hardened anti-tamper protections into a lightweight, enterprise-ready agent for Windows and Linux.
Capabilities
What ICU delivers
Deep host visibility
See processes, file integrity, loaded modules, service state, startup persistence, interpreter execution, and operating system security posture with the host-level context security teams need.
On-host detection logic
Turn telemetry into actionable findings through on-host correlation, chain detection, heuristic scoring, ATT&CK hint mapping, and controlled finding surfacing.
Hardened anti-tamper resilience
Runtime integrity checks, watchdog supervision, config and state protection, anti-disable checks, and tamper scoring help defend the agent itself from interference.
Enterprise-ready operations
Deployment profiles, diagnostics bundles, maintenance windows, proxy and transport controls, and a local admin CLI support operational flexibility at scale.
What Makes ICU Different
Optimized for endpoint resilience and operational trust.
- Deep endpoint sensing across critical system behaviors
- Local detection logic for faster, smarter threat identification
- Hardened anti-tamper controls for stronger agent resilience
- Optimized performance for real-world environments
- Supported on Windows and Linux, with conditional macOS coverage
Designed for enterprise rollout at scale.
ICU is lean by design and optimized for performance, avoiding third-party runtime dependencies while supporting enterprise rollout with minimal friction.
Validation Process
Validate endpoint fit before broad rollout.
ICU evaluations focus on host visibility depth, local detection quality, deployment controls, and operational manageability in production-like conditions.
Works Best With
ICU strengthens detection when connected to correlation and case operations.
How It Works
Endpoint visibility, local logic, controlled containment.
Step 01
Collect deep host telemetry
Observe process, module, persistence, and host integrity signals where endpoint behavior actually unfolds.
Step 02
Run local detection with context
Apply on-host detection logic to surface explainable findings before attack chains progress.
Step 03
Execute bounded response
Escalate high-confidence events to governed response workflows with verification and full action traceability.
FAQ
Questions teams ask before endpoint rollout.
Does ICU support mixed endpoint estates?
Yes. ICU is designed for enterprise rollout across Windows and Linux, with conditional macOS coverage based on operational constraints.
How is tamper resistance handled?
ICU uses runtime integrity checks, watchdog supervision, and anti-disable protections to harden agent behavior against interference.
Can ICU run standalone before broader platform adoption?
Yes. Teams can deploy ICU standalone first and connect it into SignalMind and Cogpit as correlation and operations needs mature.
