Your Next Layer of Security

Detect the threats your prevention tools miss.

Prevention tools fail because


The endpoint is now the perimeter.

Distributed and mobile workforces increasingly connect to the Internet outside of the protection of a firewall.


Endpoint suites and antivirus only stop (some) malware.

Endpoint protection tools that rely on signatures, heuristics, and “next generation machine-learning math” take a limited view and require 100% confidence before stopping anything.


Attackers have moved beyond malware.

Modern attacks increasingly exploit legitimate tools without requiring malware.

The result: you have security gaps.

  • multi-stage attacks
  • abnormal user behavior
  • 0-days
  • Crimeware
  • advanced persistent threats
  • obfuscated executables
  • software with stolen certs
  • insider threats

You need an additional layer of security.

Red Canary

detects attacks your prevention tools miss and provides intelligence and tooling to defeat them.

Detecting threats requires looking at every process from many angles. Context about which angles led to detection helps you understand how far the attack progressed.
Responding to threats with Red Canary is simple. Isolate the endpoint to stop the bleeding then execute a response plan to kills processes, deletes files, removes persistence keys, etc.
The detection timeline details the progression of the threat. Each step explains what happened, relevant endpoint information, and annotations from our Endpoint Analysts.
Badges provide binary signing status, identify Indicators of Compromise, and provide links to research process activity in Carbon Black.

Are you ready to understand your threats?

Request a Demo

How Red Canary finds what prevention misses


We start by recording all endpoint activity.

A lightweight sensor continually collects millions of endpoint events each day including binary executions, network connections, registry modifications, file modifications, cross process injections, and more.


Our detection engine hunts through the activity.

Our engine automatically analyzes every endpoint event against multiple detection technologies, flagging potential threats.

Known Threats. MD5s, IP addresses, domains, and more are checked against threat intelligence from partners and threats detected in Red Canary customer environments

Similarity to Known Malware. Every binary that executes in your environment is examined using static analysis and cross-referenced against reputational and pedigree information.

Patterns of Behavior. An attacker must take several actions in order to accomplish their objective. Red Canary continually hunts for behaviors including:

  • Execution from abnormal filesystem locations
  • Modification of user accounts
  • Network connections to newly registered domains
  • Execution of a recently signed binary
  • Hiding processes from a logged-in user

Abnormal Activity. Red Canary builds and continuously updates a baseline of your environment. Every process execution is compared with the baseline to identify unusual activity such as user activity on new endpoints or at abnormal times of day.


Potential threats are reviewed and triaged by our analysts.

Red Canary Endpoint Analysts review every potential threat to remove false positives and provide context on confirmed detections.


You are immediately notified of the threat.

Detections present the essential intelligence you need and integrate into your existing workflow through email, SIEM connectors, syslog, webhooks, and a RESTful API.


You respond to the threat.

Remotely quarantine and respond to the threat using our point-and-click automated response tooling.

Ready to see what your prevention is missing?

Request a Demo