Aurora Endpoint Defense Outcome-Driven Endpoint Security

Transcript
Alright. Well, good afternoon, everyone. Welcome. We're really pleased to have you join us today. Thanks for coming. We're excited about today, this webinar that we're holding today, so thank you for making the time. We are gonna record this, so everybody knows that; you'll be getting this via email after we're done. And a quick ask is to use the Q&A function in Zoom today. That'll help me keep track of any questions that come up along the way, and I will make sure to alert Ross to that as we're going. We'll have some dedicated time at the very end for questions, and we'll keep an eye on that question queue as we go. So, again, thank you guys all so much for joining today. We really appreciate it and are excited about it. So, next slide, if you would, and I will go through just a real quick introduction. So, Ross Rosenzweig is going to present today. He's the director of the sales engineering technology specialist group for Arctic Wolf. We're really lucky to have him today. He's gonna go through and present to us. I'm your host today. My name is Chris Scully. I'm a strategic client manager lead here at InterWorks, and I'm joined by one of my partners, Russell Parker, who's an account executive at InterWorks as well. So, again, we are your hosts today. We appreciate you guys coming, and we're excited to hear Ross' presentation. Next slide. Just a quick word about Arctic Wolf and InterWorks. So our partnership goes back quite a ways. We've had fantastic success. It's certainly one of the best solutions that we always lead with with our clients. We've had tremendous feedback. Arctic Wolf is one of the biggest names in the industry in this topic, and so it's been a pleasure to work with those guys. We're really happy to have Ross again today to walk us through this. And, again, we're really excited.
So after this is over, feel free to reach out to me or Russell or Ross directly. If you wanna learn more or talk more about this solution, we would be happy to visit with you. So, again, we're just pleased to have that partnership. Just a quick word about InterWorks. If you're not familiar with us, and I think most everybody on the phone probably is today, we've been around about twenty-five years now. We're based out of Stillwater, Oklahoma. We've got offices in Oklahoma City and Tulsa, but we actually have a global and national footprint. But we are an end-to-end solution provider. So we're people focused. We do everything from delivering solutions to consulting to heavy on services. So, basically, anything that you may need in this realm, we are there for you. We specialize in our services. We specialize in customizing solutions that work for our clients. And so we would love to talk to you more if we haven't already, and that's really who we are. So next slide, just a quick breakdown of all the things that we do. I won't read that to you, but you can see it's everything from IT to solutions, data analytics, experience platforms, and enablement. So, again, we're happy to bring you this webinar today with one of our best partners in Arctic Wolf. Thank you guys for coming, and we will get started. So with that, Ross, I'm gonna turn it over to you, and looking forward to the conversation.

Wonderful. Thank you so much, as am I. And hello to everyone. You know, before I begin, just on behalf of, you know, the Arctic Wolfpack and myself as well, I just wanna say thank you to InterWorks for, you know, hosting us today. And, you know, of course, thank you to all of you for being here. Those of you who are familiar with Arctic Wolf will know that, you know, as the slide indicates, our mission is to end cyber risk. And we do this through a combination of our platform, our concierge services, as well as our security journey.
And so in the spirit of that security journey, you know, as the threat landscape continues to evolve, so must that journey as well. And so I'm really thrilled to be here to introduce you to Arctic Wolf's Aurora endpoint security platform, where we make security work. As was mentioned, we are gonna have some questions at the end, but feel free to place those in the chat in Zoom, and we can make sure that we get those questions answered. And so, you know, as we begin, again, my name is Ross, but I'm new to Arctic Wolf. I've been around Arctic Wolf now for about six weeks, but I'm not new to the technology that we're gonna talk about today. So I've been around the Cylance technology for about seven years. I joined Cylance when they were an independent company in about 2017, at a time when Cylance really was disrupting the industry. And, you know, our mission was really to prove to the world that prevention was possible and really to change the way an industry operates. And the reason for that is that largely, you know, at that time, and I'd argue that still in many ways today, cybersecurity was very reactive. And our approach and our belief has been that it's better to stop the attacks before they begin. Right? And if we can do that, then we avoid all the downstream effects that follow. So Cylance was a very disruptive technology, and it's been on a journey of its own. I was with Cylance when it was acquired by BlackBerry, where there were some massive investments in artificial intelligence, really enhancing the pedigree that Cylance began as really the pioneer of introducing artificial intelligence and machine learning to cybersecurity.
And now we're just really thrilled, of course, to have this Cylance technology, and the new innovations that we're all the benefactors of, back into the arms of a true cybersecurity company. So welcome home, Cylance. But it's also, in fact, a little bit personal for me. You know, I'm just thrilled to be here as well and to share some of this with all of you. One thing I'll point out to you all, as we kinda get in here, one of the things that you're gonna hear me talk a lot about today is prevention. And so I'll say that Cylance was a brand. It was, you know, the name of our products, but it was also a play on words. Right? Through good security, we can establish silence in your environment. And so with that said, you know, we take sort of the prevent, detect, and respond approach to defending the endpoint. And it really begins with that prevention-first approach to EDR. If we can stop those attacks before they begin, right, with high levels of efficacy, we can really reduce that noise-to-signal ratio. We can establish that silence within your environment and really open our eyes, right, allow us to detect with focus, right, those things that really matter. One of the things that I want you to be aware of as we go through this conversation as well is there's a lot of automation that we're building into the platform, really with the intention of, obviously, improving your mean time to respond, reducing the dwell time, but enabling you to respond with consistency, while we give you the additional tooling that's required to conduct those additional forensic investigations. So prevent, detect, and respond. Right? A prevention-first approach to EDR. Now Aurora managed endpoint defense really combines two core disciplines. Right? Endpoint protection as well as endpoint detection and response.
Within our platform, as I had mentioned, we were the pioneers in bringing artificial intelligence and machine learning to cybersecurity. And this is still at the very core of what we do. Our engines are powered by predictive models that are trained in the cloud, and then they're delivered down to the endpoint. And that allows us to protect those devices even when they are, in fact, offline. We're gonna talk a little bit about how the artificial intelligence works. But to just lay out sort of what the capabilities of the platform are, we leverage artificial intelligence, on the left-hand side of the screen, to really provide what I always refer to as a fire blanket. Right? Smother the environment with prevention, so we can avoid all of those downstream effects. So we leverage artificial intelligence to do things like prevent malicious content from executing on the endpoint. So what is content? Right? Content can be a piece of software that executes in the environment, like a piece of malware, a potentially unwanted program, maybe those dual-use tools that many of you have on your own systems as you conduct your daily activities. We perform, you know, static analysis against those files and make a pre-execution decision as to whether they are safe or not. If they're unsafe, we prevent their execution, and we quarantine the file. But content doesn't just have to be a binary. Right? It could be a process running in memory, and Aurora managed endpoint defense is there to defend those processes and prevent a threat actor from exploiting them, as well as ensuring that only safe and authorized scripts or commands can execute within the environment. And even some other more preventative controls that are focused on other vectors where malware can be introduced, like device control. Right?
Ensuring that only approved USB mass storage devices can be inserted into the environment. On the right-hand side of the screen, we can see our capabilities around endpoint detection and response. Obviously, the left-hand EPP feature sets are all pre-execution. Right? So on the EDR side of things, we're really looking at things more behaviorally. We have a behavioral detection engine, also driven by AI, that's delivering really high-fidelity detections with very little noise. And we're gonna talk about that in terms of friction here in just a second. But as I had mentioned, the goal here is to drive those automated use cases. Right? To automate the response, so that we can really focus our attention on those things that matter and improve our mean time to respond, as I had mentioned before. In addition to all of the automation, we also have a lot of tooling, as I'll call it, that is available to the SOC, as well as to all of you depending on how you're consuming the technology, that allows you to conduct those remote investigations, interact with those devices directly from the console, even isolate devices on the network as you conduct your methodology-based and intelligence-based threat hunts, and conduct those forensic investigations as well. Now Aurora managed endpoint defense is offered as both a product-only capability as well as a managed platform. So in the Aurora managed endpoint defense world, right, not only are we providing these amazing security outcomes, but we're also onboarding the systems into the environment. We're performing all of the threat tuning and blocking in order to silence the noise within the environment, and we're right there with you along the way, making sure that you're maintaining those best-practice configurations and avoiding any drift that comes along with the environment.
As we begin to introduce the 24x7x365 monitoring and active alert triage by our SOC here at Arctic Wolf. Now I mentioned I was gonna talk about friction. And in doing all of this, that's a really important thing to think about. Endpoint security controls introduce many different types of friction. Right? Cost friction is one of those, but control friction is another. And we eliminate a lot of the friction with our capabilities, you know, specifically around things like full system scans. We eliminate all of those. Right? We don't necessarily need to perform those recursive full system scans because we are a pre-execution technology. Now initially, when we deploy the product, we do perform one full system scan. But when I explain to you how the artificial intelligence works, one of the things that you're gonna realize is that it's mathematically based. Two plus two will always be four. So in the example of a binary, if we've already scanned that one binary, we don't need to scan it again unless that file has changed or unless a new file is introduced. And so we are scanning those files pre-execution before we allow them to execute. One of the other challenges within the industry as well is also making sure that your content is up to date. And we don't have frequent updates at all. Now years ago, when we first began, we updated our models about every 12 to 18 months. Now we're updating those models even less frequently, and we're achieving higher and higher levels of efficacy in spite of that. Right? So really kind of turnkey, and eliminating a lot of the friction that's typically associated with endpoint security controls, as I had mentioned. Now how do we train our models?
One of the things that I wanna make clear here, and this is a really interesting concept, and I'll try to make this as simple as possible for those that may not be familiar with statistical analysis and contextual adaptation, other types of sort of predictive modeling disciplines, if you will. But we don't train our models in your environments. I just wanted to make that perfectly clear. We have a massive compute environment up in AWS, where we have multiple models that are constantly competing for the highest levels of efficacy and the lowest levels of false positives. Now I mentioned that our first use case for applying machine learning to cybersecurity was for unsafe content executing on the endpoint, or to prevent that. But you can see, you know, over the years, we've been iterating, and now we're introducing a number of additional signals that we're training our models against. Right? Runtime process behavior, user access events, and the others that you see here on the left-hand side of the screen. Now the visualization that you see in the center of the screen is where we're combining both supervised and unsupervised machine learning techniques. We leverage unsupervised machine learning to cluster those features, and you could sort of see that represented in that three-dimensional map. We're clustering those features so that we can understand what are the features and characteristics that are shared by the known bad files in the corpus that we began the training with, as well as those features and characteristics that are shared by the known good files in the corpus that we've trained it with. We began our corpus with about eight or nine petabytes of known bad juxtaposed with eight or nine petabytes of known good. So a massive corpus that's only been growing over the last more than a decade. Then we bring in the humans in the loop. Right?
This is where the supervised training comes in, so that we can classify each of those features so that ultimately we can automate the use cases and the outcomes that you see on the screen here. Stop those attacks pre-execution, identify and block that malicious behavior, isolate the hosts or log out the users, and more. You know, this is just a sampling of the things that can be automated within the environment. Now you might be surprised. In fact, maybe I'll ask the audience here. We'll ask for some audience participation. If everybody wouldn't mind just placing into the chat how many features and characteristics you think there might be in any given binary, for example, an executable, a DLL file, a .sys file, or something like that? And I'll just pause for maybe ten seconds if you just wanna pop the numbers into your chat, and then maybe you could share with me some of the answers that we received. Do we have any guesses? Okay. Well, there are six million unique features and characteristics, and combinations of those, and I'm sure that you're shocked by that. You know, in a binary, some of the things that we're looking at are things that us as human beings would be able to interpret, you know, the header, the compiler, resources, keywords, the signature that was used to sign the file, but also things that us as human beings would never be able to interpret. Things like, you know, entropy between sections of the file. Right? And so as we train these models, they're becoming very effective at being able to understand those features and characteristics and are able to make decisions very quickly. When the models are finished being trained, we have a model that emerges as a winner, as I had mentioned before. When that model emerges as a winner, we generalize it first, and then we miniaturize it, and we place a copy of it locally on the endpoint.
Once again, what that means is that we have the detection capability and the response actions locally on the endpoint, so that if that device ever goes offline, it is still, of course, fully protected. Now Alpha AI for the endpoint is what we call this detection engine, and it is the longest-running, continuously improving predictive AI in the market. As I had mentioned, we were the very first to do this within the industry, as we kinda drove some of the innovation and some of the changes that you all see now within the industry. But having a model that's been running so long and has been continuously improving for so long, for those of you that are aware of sort of machine learning techniques, you'll know that the maturity of these models matters and offers a lot. And when you achieve a certain level of maturity, you can achieve those really high levels of efficacy but eliminate a lot of the noise. Right? We're eliminating the noise, on one hand, because we're preventing these attacks from happening before they start. Right? So we're reducing the amount of signal that's coming into the environment. But the models, from an efficacy perspective, also have to look at that from the approach of a false positive. And we've been able to really kinda reduce the false positives almost nearly to zero. I'm not gonna tell you all that we never have a false positive, but I'll suggest that you go up to the VirusTotal Intelligence pages and take a look at those. For those of you who aren't aware of the VirusTotal Intelligence pages, there are many engines, our own included, that are participating within VirusTotal. And the VirusTotal Intelligence pages will show the number of false positives that have taken place across the industry over the course of a seven-day running average. Generally speaking, we're at the bottom of that list with zero.
And oftentimes, you won't see us on the list at all, because VirusTotal will actually drop you off the list if you have zero false positives for more than three weeks. Now as I mentioned, we do have false positives occasionally. And so what we have found is that on about a 90-day running average, we've seen about 2.6 false positives, which is really a testament to the maturity of the models, as I had mentioned before. Now one of the benefits of this technique is that we are essentially doing mathematics on the endpoint. I've talked about predictive modeling, but it's really a mathematical model. And that mathematical model, when, for example, a piece of software attempts to execute, it's gonna pause that execution. It's gonna extract those features and characteristics, and it's gonna run those through that predictive model. And that model will cast a verdict for or against that file in about 30 milliseconds. So as I'm talking to you here today, it takes me about 60 milliseconds to blink my eyes, just to give you a little context around how fast that is. But at the end of the day, we're doing math. We're leveraging the CPU to do exactly what it was designed to do, right, to do math. And what that means for us is that we really have imperceptible overhead. At runtime, we use about 1% of the CPU and about 100 megabytes of RAM. So very lightweight, very performant, as we deliver that high efficacy and drive those security outcomes. Now, I talked a little bit about the data science and how we apply that human-in-the-loop training. It's combining that supervised and unsupervised training.
But in that context, it's really important to understand that the right model variation and the diverse datasets and attributes, and rightsizing those, is really the only path to get to that very high level of efficacy and the low noise. Right? If you're looking at too many features, it may take too long, right, to drive pre-execution prevention. If you're looking at too few features, well, then you're probably prone to a lot of false positives. It shows sort of the immaturity of the models. Now I mentioned that we do have about six million unique features and characteristics in one of those binaries. We're no longer looking at all six million features and characteristics and combinations of those. So through this experience and through the advanced data science, we've been able to identify just the right number of features that are really security relevant, to drive those security outcomes. We're not just leveraging AI, though, from a predictive and a preventative perspective. We're now also leveraging artificial intelligence really to help provide the analyst, as well as your teams potentially, additional threat context and recommendations as to the detections and the indicators that we're showing you within our platform. And so the AI assistant is sort of like a copilot that lives within our application, and it can be interacted with from the alerts and from the indicators, as I had mentioned before, really to help make sense of what those things are and how you might go about mitigating or preventing those types of activities as well. The AI assistant is also really useful. Like, I like to tell folks that one of the problems that we have in our industry is really a skills gap. Right?
And as we bring on some more maybe junior resources, the AI assistant can be really useful and help to uplevel their skills as well, and help them contribute alongside everyone else to that mean time to respond. So the AI assistant is a really unbelievable part of the platform, and it's something that I'll show you in just a few minutes. Now, Alpha AI for the endpoint. I talked a lot about prevention and its predictive capabilities. We're really talking about leveraging, you know, looking into the past, right, in order to predict the future. So I'm gonna take you on a very short walk down memory lane before we talk about some more modern threats. But at Cylance in the early days, we had created a term that we called the temporal predictive advantage. We now call this the Alpha AI temporal predictive advantage, or TPA for short. The way I'll define this for you is essentially a measure of how far ahead the models are of the adversary. So when Cylance was a brand new company, WannaCry was sort of the emerging threat at that time. And for those of you who are aware of what WannaCry was, back in 2016, WannaCry was shocking because it was so different from any of the ransomware we had seen before. It spread so fast all around the world and was so pervasive. And we were a brand new company with a model that was eight months old at the time. Not a single customer who was operationalized on our product was impacted by WannaCry. We prevented that on day zero, which is great. But what we had done was, we had gone back to our older models. Now that was our first production model, eight months old. We went back and tested our prerelease models going back 20 months and found that we would have actually predicted and prevented WannaCry 20 months before it ever existed.
Now for those of you who do live on the East Coast of the United States, you are probably very familiar with the Colonial Pipeline attack, that we call DarkSide. And DarkSide was very impactful because it shut down the Colonial Pipeline, closing all the gas stations across the East Coast. As you can see, we were able to predict and prevent DarkSide. We had a temporal predictive advantage that was about five years before DarkSide existed. And the reason that I like to bring those two up together is that the very same model that predicted and prevented WannaCry in 2016 also would have predicted DarkSide, you know, ten years later. And so one of the challenges that we see within the cybersecurity industry in general is efficacy decay. This isn't a new concept. Right? It began all the way back with signatures, which is why signatures need to be updated so frequently, because they decay so aggressively. Now our approach really slows down that decay. As I had mentioned in the beginning, we only updated our models about every 12 to 18 months. Now as you look at some more modern threats, from some more infamous malware campaigns, you can see that we are truly battle proven. Right? And we can deliver that autonomous prevention, blocking threats with models that were released years ago and that are able to predict things that we've never seen before, well into the future. And so I like to say this in the sense that our models actually aren't decaying. I would argue actually the opposite is happening. Those models are flourishing. And you can see some of these more modern infamous campaigns were approaching 80 months from a temporal predictive advantage.
Again, stopping the attacks early with less damage, but providing sort of that insurance policy and really removing a lot more risk from your environment of a cyber breach. Now in terms of efficacy testing, Arctic Wolf acquired the Cylance assets about five weeks ago. And Arctic Wolf did their own due diligence, as they were talking to, I think, about 60 different endpoint vendors. I'm sure many of you may not be aware that there are that many out there. I certainly wasn't. But Arctic Wolf, a number of years ago, acquired the VX Intel corpus. And the reason I like talking about the VX Intel corpus is that most of the corpus you will not find in VirusTotal. And the industry largely uses VirusTotal as a measure of what's known to the industry. And, you know, during our due diligence, we found that Cylance detected and prevented 99.2% of all the known malware, all the unknown malware, I should say, and we did so pre-execution. So, again, if we're thinking about behavior, if we're talking about artifacts of interest, or indicators of compromise, I should say, that's not what we're doing here. By its very definition, if we're talking about those things, it's already happened. Right? So we're simply providing that static analysis, analyzing those features alone, and making those decisions, as I had mentioned, to drive those security outcomes. So within 30 milliseconds, we will block that behavior. We will quarantine the file, and that file will never execute. So a very, very exciting value proposition. Now once we've laid down that fire blanket, built on a foundation of prevention as I had mentioned before, this is when we start to introduce some of those other capabilities around detection and response, or visibility, detection and response, and control.
And so we've introduced a behavioral detection engine that, as you can see on the slide, provides that maximum effectiveness out of the box and really drives a much more turnkey outcome when deploying the product into our customers' environments. With the behavioral detection engine, we produce really high-fidelity detections. But like I was talking about on the prevention side of things, we've really gone a long way to reduce that friction. Right? Remove the false positives. And we've done a lot of the work on the front end in kinda building this engine that really improves and simplifies the configuration management, for those that are familiar with EDR technologies, which, as an industry, I think generally have a false positive challenge. As an innovation to our products, we've really made the exception and the exclusion frameworks really intuitive and interactive directly within the dashboard, so that it becomes very easy to tune out any noise that does arise. The behavioral detection engine provides coverage across the MITRE ATT&CK framework, as you would expect. And as I had mentioned, sort of embedded within the behavioral detection engine is that copilot I was talking about before, the AI-powered Cylance assistant that provides that sense-making that we were referring to. One of the things that we've also done is we've embedded a package engine into our platform. The package engine is based on Python. So it's a Python interpreter that's been embedded into the service of our agent, which allows us to deliver packages to the endpoint, change the configuration of a system, collect forensic artifacts, but also automate and orchestrate your playbooks. Right?
And so as detections are occurring, we can drive those automated response actions, log users off the system, terminate process trees, suspend those, but also automate and orchestrate your playbooks in response to a detection that we're seeing. And as I had mentioned before, we do take those detection capabilities and those response actions, both from a prevention perspective as well as a detection and response perspective, and we place those locally on the endpoint. That ensures that, again, if your devices go offline, we are still fully protecting them. You just won't see the alert in the dashboard until those devices do, in fact, reconnect. Now for any of you that are an MDR customer, one of the other benefits that Aurora endpoint defense can provide in terms of driving those better security outcomes is introducing far more options in terms of what the granular capabilities are at the endpoint to deliver live response actions as well. So I had mentioned we're doing a lot of automation here. Right? Deleting the files, registry keys if necessary, logging those users off, suspending or terminating processes, and driving the automation of those playbooks through our ability to script deployments. But we're also introducing, on top of that, the tooling. Right? The remote response console that allows us to interact with the endpoint, isolation of devices on the network, and more. So, again, in the spirit of that security journey, we're trying to drive those results, which really mean better security outcomes for all of us. Now before we jump into any of the questions that we'll have today, I thought I'd give you just a little bit of a tour of the platform itself. You know, as I come here to our dashboard, we come first to what we call alerts. Right?
The one alert dashboard. The one alert dashboard really is an aggregator. Right? It brings together, you know, all of the alerting that's coming from all the security services of the platform. And when we combine the fact that, you know, this alerts dashboard does do some of the initial sort of grouping and correlation for you, and you combine that with the reduction of noise, right, the reduction of signal that the prevention oriented components provide, what we've seen is about a ninety percent reduction in the amount of fatigue driven into the environment or, you know, that the analyst needs to go ahead and address. Right? Every false positive is something that needs to be investigated. Right? So we're trying to drive out a lot of that noise, consolidate the number of alerts, and really optimize the investigations for you and for our analysts. Now as we look at any one of these detections, like the top one up here, you'll find that the platform, or the dashboard, is very flexible and sortable, but also is designed to really avoid, you know, having to move around a lot as you conduct your investigation. So right here on the dashboard, we are gonna provide the key indicators for, in this case, what that credential dumping via PowerDump alert is. Generally, there'll be, you know, at most three indicators here. Right? One that's based on a script, perhaps one that's based on a process, and the other that's based on a file. Now with each of those, we can get the full detail of what that threat is. And you can see that this alert was actually generated resulting from this script payload, which as you can see is quite a mouthful. Now I've talked about that AI assistant before, and this is a great opportunity for the AI assistant to tell me what exactly this particular payload is doing. So by launching the AI assistant, it's actually going through the script.
It's reading the natural language of that script. It's summarizing it for me. It's describing its activities. It's mapping it back to the MITRE ATT&CK framework, and it's, you know, providing some guidance around how I might, you know, mitigate or remediate that particular type of activity. And you'll find the AI assistant is really everywhere, right, within the one alerts dashboard. You know, here, I'm launching the AI assistant from a command line. Right? And we can see what the command line was from the key indicator. But when we launch the AI assistant, it's gonna summarize what that command line does. It'll break out each of the command line arguments and tell me what those do. And then like you saw before, what is the behavior? How does it map back to the framework? And what are those mitigation steps that we can do to address that in the future? We can also sort based on any of these indicators. And the reason that I'd like to show this is that it does allow us to then really kinda chain together some of these events, almost, you know, introducing you into kind of a simple, you know, sort of threat hunting capability. Of course, we have a threat hunting engine as a part of the platform. But as we look at this, we could start to see some of the activities that were taking place, you know, on the endpoint. We can see that PowerShell was used to download. We can see some, you know, non-RFC 1918 connections being established by the script. We can see some PowerShell executions before ultimately that credential dumping via PowerDump event occurs. Now as we look at the event, you'll notice that we are consolidating, to further reduce the number of alerts that are being presented to the platform, all of the sort of sub-techniques that we're observing as a part of this particular detection.
Now if you aren't familiar with what credential dumping via PowerDump means, just launch the AI assistant, and it will tell you, you know, what that means, help you make sense of the alert, and, like always, provide those guided remediations. Now on the bottom of the screen here, we will see again what all those key indicators were. Right? These are all the key indicators that were common to all of the detections. In this particular example, we only see one device where this detection was found, but we can kinda see what the uniqueness, right, of the detection was by clicking on any one of those devices that would be found in the center of the screen. If we wanna get some additional detail around this detection, we can launch the detection detail, which does allow us to do a number of different things. First of all, we can request focus. Right? Focus is a process tree. Right? It allows us to sort of understand what was happening on the system at that given point in time. We can see the timeline of events and the processes that were involved. The legend down below describes what these objects mean. But as we click on each of these, right, we can get some more detail around what those objects were, right, including the payload. And this really does allow us to step through and understand what was happening on the endpoint as we conducted that. Really helping us develop that root cause: what was happening on the endpoint at that given time, and how did this thing get into the environment in the first place. Now I also mentioned that we do have a bunch of tooling that's available within the platform as well beyond the automation.
And that includes things like being able to deliver packages, as I had mentioned before, isolate a device on the network, either a full device isolation or one that allows us to maintain command and control from the console, but also that remote response console that I had referred to before: open up a native shell to the endpoint. In this case, I'm connecting to, you know, to a Windows system. Oops. To a Windows system. So I'm opening it up with a command shell. If this was a Mac or a Linux device, and we do support Windows, Mac, Linux, iOS, Android, Chromebooks, we open up a shell that's native. So Mac and Linux, for example, would be a bash shell. So you'll see that I can even, you know, come in here. I can launch PowerShell. I can interrogate the system to understand, you know, what services are on that system, what their current state is, and run commands that can change that, can terminate a process, terminate a service, and so on. You'll find us commonly using this for kinda cleaning up, you know, offending files, crypto miners, those sorts of things. But it is a native shell to the endpoint that allows us to, you know, to interact with the endpoint directly here from our console. Before I open it up for some questions for all of you, I did wanna show you as well the behavioral detection engine. The behavioral detection engine, as I mentioned, provides that coverage across the MITRE ATT&CK framework. And each one of these, we'll call them cards. Right? Each one of these cards allows us to control the types of events that we wanna enable detection alerts for and just those that we wanna continue to receive the telemetry for so that we can add context to the alerts that we are seeing. We can determine when we wanna deliver an automated response, right, if the alert is a high priority or higher, a medium priority or higher, or a low priority or higher.
And then as I had mentioned before, for each of these, we can configure the appropriate response actions. Right? Go ahead and delete files, log users off, display a notification on the endpoint, terminate processes and process trees, as well as automate and orchestrate those playbooks. So I'll stop it there for now. I'd love to open it up for any questions that you all might have. Feel free to go ahead and post those in the chat, and we'll be looking for those, if there aren't any already. So I'll toss it back to you for a second to see if there are any questions so far.

Yeah. Thank you, Ross. And while everybody's thinking about some questions, like I said, go ahead and put it in the q and a box. I did receive a few that I wanna relay to you real quick, Ross, while folks are still thinking. First one here is: what is Aurora Endpoint Defense's performance impact on an endpoint?

That's yeah. That's a great question. Yeah. As I mentioned before, you know, our model is really to leverage mathematics on the endpoint. And we aren't leveraging a lot of the sort of computationally expensive detection techniques that are looking for patterns and those sorts of things. We're using a mathematical model. Right? So the model is able to make decisions very quickly and able to maintain that real performance because we aren't combining, you know, a bunch of different detection capabilities in order to achieve the type of efficacy that we do. So that very lightweight predictive model really produces only about one percent utilization of the system resources. Really lightweight, very performant. So the answer is about one percent.

Outstanding. Another question we had was: we have many endpoints with older operating systems like Windows XP. Are these legacy OSs supported?

Yes. That's a great question. I'd like to frame that maybe a little bit differently and say that we are very good at protecting the things that are difficult to protect.
One of those things is legacy operating systems, and that's been a part of our, you know, our platform from the beginning. So we go back to, you know, Windows XP and Windows Server 2003 as we defend the endpoints, and we provide legacy support across all of the platforms that we provide support for. And what's really interesting about that is I had mentioned before that, you know, the models aren't really updated all the time like many other detection engines. And what that means is that even when running those legacy agents, you know, they do have the ability to run the current model. So by running an older agent against an older operating system, you're still protected with a modern model, which is gonna be differentiating, you know, for us. But in the spirit of the things that are difficult to protect, in addition to legacy operating systems, allowing you to provide coverage there, maybe extend the life of those platforms, we also can protect the difficult to protect in the sense of those devices that maybe don't directly face the Internet as well. So we do have a hybrid deployment capability that allows us to deploy, essentially, a proxy within the environment. We call it hybrid. And if those devices aren't directly facing the Internet, we can provide protection to those by allowing them to communicate with that hybrid appliance, and that brokers that communication to our cloud infrastructure, allowing you to sort of get the benefits of being somewhat air gapped but take advantage of the value of the cloud. But, yes, you know, we do provide support for legacy operating systems is the short answer of it.

Perfect. Here's another one. What is Aurora's endpoint defense? Oh, sorry. I already asked that one. Can Aurora Endpoint Defense isolate a device on the network?

We can.
And, you know, like I mentioned in the console, we do have two ways of doing that. And I'm glad you asked the question because, like I mentioned, we have two ways. We can isolate the device fully on the network, which means that it can't talk anywhere in your environment or out, which means that it also can't talk to our cloud infrastructure. Right? So that's, you know, a very sort of, you know, hard isolation. But we also have a partial device isolation capability. And with partial device isolation, we maintain that command and control. So, right, we can continue to receive the telemetry. We'll receive the alerts. We can use the remote response console during a device isolation. The device just can't communicate anywhere else. What I wanna add to that, though, is that we have lockdown profiles, is what we call them. So if you have any other tooling within the environment that needs to be operational to that device during a device isolation, we can enable, or essentially safe list, those applications as well. So they will function during a device isolation as well. But, yes, we have those two forms of device isolation, total or partial, which allows us to maintain that command and control.

Very good. And the last one I've received here is: how does Alpha dot ai stay ahead of evolving threats compared to the competition? So do the models require updates?

Yeah. So, I mean, as I mentioned, the models require updates less and less frequently. In fact, while I mentioned that we did start, you know, updating those models every twelve to eighteen months, we've achieved a sort of new level of maturity with the seventh generation of the model, which means that we really haven't had to update the model for about three years now. And as you can see on the slides that I was showing you before, the model is continuing to be more and more effective.
And the reason for that is kinda around the temporal predictive advantage talk that we had a little while ago. We're learning from the past in order to predict the future. Right? We're not watching the behavior. We're not looking at those indicators. We're looking at the DNA of that file and telling you where the cancerous cells are, essentially. Right? And so when you look at it from that perspective, you would be surprised at how similar, from an architecture perspective, software is. Right? And so, you know, we've been able to identify what are those features and characteristics that are really relevant to security. And through that supervised and unsupervised training, as I mentioned before, the outcome of that is a predictive capability that allows us to stop things that we've never seen before far into the future. And not all AI is created the same, and that's really important as well. Right? We all use AI differently within the industry. In many cases, we're leveraging AI, you know, to take an event that occurs to a patient zero and benefit everyone else in the world. Right? We chose that we wanna eliminate the patient zero. Right? And in doing so, we develop this predictive capability that delivers those types of temporal predictive advantages that I was talking about before. We do update the models occasionally. It's very, very rare, but we do that through something that we call a centroid. A centroid allows us to essentially adjust features and characteristics or maybe add additional features and characteristics if perhaps a new malware family emerges that's leveraging features and characteristics that we hadn't trained our models against. Again, that happens really infrequently, but it can happen from time to time. And in doing so, we stream those little content updates down to the model directly from the cloud. But the models, again, are updated very, very frequently.

Outstanding. Well, thank you, Ross.
That's actually all the questions I see. I don't see any others in the chat either. So, with that, Ross, we really appreciate your time today. Great job. We really enjoyed this. Folks, everybody that joined, if you've got further questions, feel free to reach out to myself or to Russell Parker or to Ross directly. We would be glad to continue the conversation or even set up a meeting to discuss your needs based upon what we talked about today. So thank you guys all for joining. You will receive an email with the copy of today's session in it, and I do wanna remind everybody to join. We will have three lucky winners that will be picked from our attendees today. It'd be a Traeger Ranger portable grill, which is our top prize. You'll see a steak lever box with an assortment of premium steaks as well as a specialty bottle of bourbon. So if you won, we'll be reaching out to you soon to let you know that, and we'll begin the process of sending your items or delivering those to you. So, again, we really appreciate everybody for coming today. Ross, any last points before we close?

You know, like I said earlier, I just wanna say thank you so much to all of you at InterWorks on behalf of the Arctic Wolf team, and so many thanks to all of you. And I do hope that you'll reach out. I do hope we get to continue the conversation and deliver, you know, prevention across your environments as well. So thank you very much.

Yeah. Thanks to you, Ross. We really appreciate the partnership. Well, thank you everybody for joining today. Hope this was value add, and hope to talk to you again soon. Have a wonderful day.

In a recent webinar, Ross Rosenzweig introduced the Aurora endpoint security platform, emphasizing its focus on preventing cyber threats rather than merely reacting to them. With a strong partnership with Arctic Wolf, the platform combines advanced AI and machine learning to enhance endpoint protection and detection, achieving high efficacy while minimizing false positives. Aurora’s capabilities include 24/7 monitoring, behavioral detection, and support for multiple operating systems, all designed to streamline security operations and reduce analyst fatigue. The session concluded with an invitation for audience questions and further discussions on the platform’s features.
