Leveraging EDR Behavioral Data for Zero-Day Vulnerability Discovery and Triage of Known Vulnerabilities

At WithSecure, we have the benefit of a comprehensive set of capabilities, which lets us research how to better integrate our various services. One such topic has been using the behavioral telemetry provided by Endpoint Detection and Response (EDR) to detect potential privilege escalation vulnerabilities. The approach serves two purposes: it verifies and triages known vulnerabilities by confirming whether they are actually exploitable on a given host, and, more interestingly, it lets us discover novel vulnerabilities that have not yet been reported or abused in the wild.

Jarno Niemela

16.04.2025


What we are doing is monitoring the host for behavioral artifacts of privileged processes that indicate a possible way for an adversary to subvert the intended operation of that process. Essentially, it is a real-time, behavior-based access-rights audit, scoped strictly to activity that actually occurs on a given host. Any host that has been in use for an extended period accumulates a long list of misconfigurations, but only those that privileged processes actually rely on are significant for privilege escalation.
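As an added illustration of that correlation step (this is not WithSecure's EDR or DeepGuard code, and the agent name, paths, users and ACL entries are hypothetical), the following script joins two constructed data sets: EDR-style events recording which process, running as which user, loaded or executed which path, and a simplified ACL table of who may write to each path. A finding is raised only when a privileged process consumes an object that a low-privilege principal can modify, either the object itself ("replace") or one of its parent directories ("plant", the classic missing-DLL case). Misconfigurations touched only by unprivileged processes are ignored, which is what keeps the result list short.

```python
"""Toy behavior-based access-rights audit (added example, hypothetical data)."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

# Security contexts treated as "privileged" (constructed list).
PRIVILEGED_USERS = {"nt authority\\system", "root"}
# Principals that any local user effectively holds (constructed list).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "authenticated users"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str   # the process that performed the operation
    user: str    # security context of that process
    op: str      # "load" (DLL / shared library) or "exec" (child process)
    path: str    # object consumed by the process


def norm(path: str) -> str:
    """Case-fold and unify separators so ACL keys and event paths compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def ancestors(path: str) -> Iterator[str]:
    """Yield the normalized path, then each parent directory up to the drive root."""
    p = norm(path)
    while True:
        yield p
        head, sep, _ = p.rpartition("\\")
        if not sep:
            return
        p = head


def normalize_acls(acls: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    return {norm(k): {x.lower() for x in v} for k, v in acls.items()}


def first_writable_object(path: str, acls: Dict[str, Set[str]]) -> Optional[str]:
    """Return the object itself, or the nearest ancestor directory, that a
    low-privilege principal can write; None if the whole chain is clean.
    A writable parent is treated as exploitable for triage purposes; confirming
    delete/rename rights on the real object is left to the analyst."""
    for candidate in ancestors(path):
        if acls.get(candidate, set()) & LOW_PRIV_PRINCIPALS:
            return candidate
    return None


def audit(events: List[Event], acls: Dict[str, Set[str]]) -> List[dict]:
    """Correlate privileged-process events with the ACL view; return findings."""
    acls = normalize_acls(acls)
    findings = []
    for e in events:
        if e.user.lower() not in PRIVILEGED_USERS:
            continue   # unprivileged consumer: this misconfiguration is noise
        weak = first_writable_object(e.path, acls)
        if weak is None:
            continue
        findings.append({
            "pid": e.pid, "image": e.image, "op": e.op, "path": e.path,
            "weak_object": weak,
            "kind": "replace" if weak == norm(e.path) else "plant",
        })
    return findings


# Constructed ACL view: path -> principals with write access. "ExampleAgent" is hypothetical.
ACLS = {
    "C:\\Windows\\System32": {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"},
    "C:\\Program Files\\ExampleAgent": {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"},
    "C:\\Program Files\\ExampleAgent\\helper.exe": {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"},
    "C:\\Program Files\\ExampleAgent\\updater.exe": {"BUILTIN\\Users", "BUILTIN\\Administrators"},
    "C:\\ProgramData\\ExampleAgent\\plugins": {"BUILTIN\\Users", "BUILTIN\\Administrators"},
    "C:\\Users\\Public\\tools": {"Everyone"},
}

# Constructed EDR-style events for one SYSTEM service and one ordinary user process.
SVC = "C:\\Program Files\\ExampleAgent\\svc.exe"
EVENTS = [
    Event(1204, SVC, "NT AUTHORITY\\SYSTEM", "load", "C:\\ProgramData\\ExampleAgent\\plugins\\ext.dll"),
    Event(1204, SVC, "NT AUTHORITY\\SYSTEM", "exec", "C:\\Program Files\\ExampleAgent\\updater.exe"),
    Event(1204, SVC, "NT AUTHORITY\\SYSTEM", "exec", "C:\\Program Files\\ExampleAgent\\helper.exe"),
    Event(1204, SVC, "NT AUTHORITY\\SYSTEM", "load", "C:\\Windows\\System32\\version.dll"),
    Event(5532, "C:\\Users\\alice\\app.exe", "CORP\\alice", "exec", "C:\\Users\\Public\\tools\\run.bat"),
]

if __name__ == "__main__":
    for f in audit(EVENTS, ACLS):
        print(f"PID {f['pid']} {f['op']} {f['path']} -> {f['kind']} via {f['weak_object']}")
```

Run as is, it reports two findings for the SYSTEM service (a plantable plugin directory and a replaceable updater binary) and nothing for the world-writable directory that only alice's process touches. On a real host the ACL table would come from the file system rather than a dictionary, and the "plant" case should be checked against the process's actual search order before it is called exploitable.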

Our goal is to cover unknown vulnerabilities through our protection stack: prevent exploitation with the DeepGuard component of WithSecure EPP, detect exploitation with EDR if it does occur, and inform customers of exploitable vulnerabilities, with remediation recommendations, through Exposure Management. In short, we strive to protect our customers pre-zero-day, that is, before anyone, attacker or defender, is aware that the vulnerability exists.

The method has proven quite fruitful. In fact, it has been so effective that it has produced around one hundred potential vulnerability discoveries for us to triage. We have been busy sorting out which ones are already known and which appear to be novel, and reporting the latter to the vendors.

Last week we reached a milestone: our first vulnerability, WITH-ZD-2025-0001, was patched and announced by the vendor in the release notes for FileWave version 16.0.2. The vulnerability applies only in specific configurations, which highlights the value of behavior-based verification and triage: not only did we discover a new vulnerability, we can also flag it only on hosts where it is actually in an exploitable state.

There are many more vendor notifications in the works, but having the first one publicly announced by the software vendor is a milestone worth celebrating.