Reinventing Endpoint Defense for Critical Systems


Following major global disruptions, organizations across defense, banking, and critical infrastructure are increasingly seeking solutions that do not compromise business continuity and digital sovereignty. In this interview with the team behind Sparta Defend, we explore how the idea for a new-generation EDR platform emerged — one built without kernel drivers, fully deployable on-premise, and designed to deliver security without sacrificing system stability.


How the idea for Sparta Defend originated

Behind Sparta Defend stand years of work on mission-critical systems, primarily in the military sector. In that class of environment there is a clear and unfilled gap: there is no serious EDR that can operate exclusively within the client’s own infrastructure, without sending telemetry to someone else’s cloud and without kernel drivers that introduce systemic risk. Defense ministries, banks and critical infrastructure operators have for years been forced to choose between solutions that violate their regulatory and sovereign boundaries and solutions that respect those boundaries but lack modern detection. Sparta Defend was built precisely to close that gap, as an EDR that by architecture lives inside the client’s perimeter, with a modern behavioral engine, without kernel drivers and without any obligation for data to leave the organization.


The turning point

The CrowdStrike incident of July 19, 2024 was a crystal-clear inflection point. A single faulty kernel update, 8.5 million Windows machines down, hospitals disrupted, banks halted, aircraft grounded. That was not an isolated failure but the structural consequence of a philosophy in which the EDR lives in the kernel and holds the authority to bring down the operating system. When a security tool can cause more damage than the threat it is meant to defend against, it ceases to be a defense and becomes a source of systemic risk. For someone coming from a mission-critical background, this is not a theoretical debate but a red line that defines the entire architectural approach.


Operational stability as a central pillar

Operational stability is not a marketing message, it is a precondition for the verticals Sparta Defend was built for. National defense systems, banks and critical infrastructure operators have contractual and regulatory SLAs in which every minute of unavailability is quantified in risk, money and accountability to the regulator. Our approach relies on built-in Windows mechanisms for telemetry and network control, which enables full behavioral detection without a single kernel driver. The position is captured in one sentence: “the kernel observes, we analyze.” The kernel remains stable, we do our work from user-mode, and no error on the part of our agent can trigger a BSOD or halt production, which in those environments is the only guarantee that carries any real value.


Differentiation

Three points, each technically measurable and strategically aligned with the client profile. First, zero kernel footprint – the entire platform runs in user-mode, which by design eliminates the class of risk witnessed in July 2024. Second, on-premise deployment as a first-class option, not a retrofit on top of a cloud-first product; defense ministries and banks legally cannot and operationally will not send endpoint telemetry into someone else’s cloud, especially not across borders. Third, surveillance-free trust guarantee – we do not read document content nor profile users, we track only process and network behavior, which is technically sufficient for detection and at the same time fully aligned with NIS2, DORA, GDPR and the Cyber Resilience Act. That combination does not currently exist in the portfolios of the major EDR vendors.


Balancing detection and operational risk

The starting point is architectural, not operational. When a tool by design cannot bring down the system, the balance ceases to be a compromise between security and availability and becomes purely a question of detection quality. Our behavioral engine runs entirely from user-mode, with a broad spectrum of detection categories, full MITRE ATT&CK coverage and a confidence model that ranks signals rather than treating each one as an alarm. This brings false positives down to an operationally acceptable level, while techniques that have historically bypassed classical EDRs, including kernel-level attacks such as BYOVD and syscall manipulation, remain in sharp focus through indirect behavioral signals that the attacker cannot hide, no matter how deep they descend. The anti-tamper layer is additionally engineered to survive manipulation attempts without blocking legitimate traffic, so the agent may be targeted or temporarily offline while the system neither stops nor stays exposed.
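To make two of the claims above concrete, that built-in Windows event sources are enough for behavioral detection from user mode, and that a confidence model should rank signals rather than alarm on each one, here is an added example written for this page. It is not Sparta Defend's code and says nothing about how their engine is built. It consumes two sources any user-mode agent can read without a driver: System log event 7045 (a service was installed, including kernel mode drivers and their image path) and Security log event 4688 (process creation, with the command line when that audit setting is on). It scores each kernel-driver install by where the image lives and whether an interactive shell ran `sc.exe create ... type= kernel` shortly before, which is the indirect trail a BYOVD attempt leaves regardless of what the driver does once loaded. Hostnames, service names, file paths, weights and the alert threshold are all constructed for the example.

```python
"""
User-mode BYOVD indicator scoring over built-in Windows event sources.
Added example for this page; the sample events below are constructed,
and the weights and threshold are assumed tuning values, not vendor figures.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Directories a kernel driver is normally installed from. Anything else is a
# weak signal on its own and a strong one combined with the indicators below.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
INTERACTIVE_SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
ALERT_THRESHOLD = 60  # assumed tuning value


@dataclass
class Event:
    ts: datetime
    event_id: int   # 7045: service installed (System log); 4688: process created (Security log)
    host: str
    data: dict


@dataclass
class Finding:
    host: str
    driver_path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def normalize_image_path(raw: str) -> str:
    """Event 7045 reports ImagePath in several spellings; map them to one drive-letter form."""
    p = raw.strip().strip('"').lower().replace("/", "\\")
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    elif p.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    return p


def score_driver_installs(events, window=timedelta(seconds=60)):
    """Score every kernel-driver service install, correlating it with process
    creations on the same host inside `window` before the install."""
    procs = [e for e in events if e.event_id == 4688]
    findings = []
    for ev in events:
        if ev.event_id != 7045 or ev.data.get("ServiceType", "").lower() != "kernel mode driver":
            continue
        path = normalize_image_path(ev.data.get("ImagePath", ""))
        f = Finding(ev.host, path)
        if not path.startswith(TRUSTED_DRIVER_DIRS):
            f.score += 25
            f.reasons.append("driver image outside the standard driver directories")
        if path.startswith(USER_WRITABLE_DIRS):
            f.score += 35
            f.reasons.append("driver image in a user-writable location")
        for p in procs:
            if p.host != ev.host or not (ev.ts - window <= p.ts <= ev.ts):
                continue
            cmd = p.data.get("CommandLine", "").lower()
            parent = p.data.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
            if "create" in cmd and "type= kernel" in cmd:
                f.score += 30
                f.reasons.append(f"kernel service created from the command line at {p.ts.time()}: {cmd}")
                if parent in INTERACTIVE_SHELLS:
                    f.score += 10
                    f.reasons.append(f"service creation launched from interactive shell {parent}")
        findings.append(f)
    # Ranked, not binary: the analyst sees the strongest signal first.
    return sorted(findings, key=lambda x: x.score, reverse=True)


def alerts(events, threshold=ALERT_THRESHOLD):
    """Only findings above the threshold become alerts; the rest stay as ranked context."""
    return [f for f in score_driver_installs(events) if f.score >= threshold]


# Constructed sample telemetry: one routine driver install, one BYOVD-shaped sequence.
T0 = datetime(2024, 9, 3, 10, 14, 0)
SAMPLE_EVENTS = [
    Event(T0, 7045, "ws-0417", {"ServiceName": "acmepnp", "ServiceType": "kernel mode driver",
                               "ImagePath": "\\SystemRoot\\System32\\drivers\\acmepnp.sys"}),
    Event(T0 + timedelta(minutes=5), 4688, "ws-0921", {
        "NewProcessName": "C:\\Windows\\System32\\sc.exe",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "sc.exe create bringup type= kernel binPath= C:\\Users\\ops\\AppData\\Local\\Temp\\bringup.sys"}),
    Event(T0 + timedelta(minutes=5, seconds=3), 7045, "ws-0921", {
        "ServiceName": "bringup", "ServiceType": "kernel mode driver",
        "ImagePath": "C:\\Users\\ops\\AppData\\Local\\Temp\\bringup.sys"}),
]

if __name__ == "__main__":
    for f in score_driver_installs(SAMPLE_EVENTS):
        print(f.host, f.score, f.driver_path, f.reasons)
```

The routine install scores 0 and never surfaces; the sequence on ws-0921 reaches 100 from four independent signals, none of which requires seeing inside the driver. Real deployments would add more sources (ETW Microsoft-Windows-Kernel-Process image-load events, code-signing status of the image) and tune the weights against their own baseline.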


The future of endpoint detection

Three directions are, in my reading, inevitable. First, regulated verticals will gradually phase out kernel-based EDRs under pressure from regulators and the insurance market, because the risk they introduce is disproportionate to the protection they deliver, and that process already began after July 2024. Second, ML and automation are moving onto the endpoint itself, with centralized model training and distributed real-time inference, which we already run with negligible impact on system performance. Third, data sovereignty and privacy are becoming a commercial argument, no longer just a compliance checkbox; clients ask where their telemetry goes before they ask about the price. The winners of the next five years will not be those with the loudest AI marketing, but those who can demonstrate a measurable guarantee that their tool cannot become the reason for a system outage. That is the market Sparta Defend was built for.



Cyber Security Summit, Belgrade 2024