Distribution of solutions for cyber security, development and optimization of IT technologies for organizations of any size

Agger Platform

Instant ransomware detection and neutralization
agger-labs.com
Oberig IT will help at all stages of working with Agger Labs:
Initial consultation
Presentation at the customer
Demo testing
Protection of the agreement
After sales support
Support
Marketing support
Main features

How does Agger Labs work?

Detect

Agger’s approach goes far beyond traditional detection methods such as signatures or IOC-based rules. At its core, Agger employs a Pre-Encryption Anomaly Detection engine, operating at the OS kernel level. It passively monitors and interprets low-level OS telemetry and behavioural patterns, building dynamic thresholds of normal versus anomalous activity in real time. Rather than waiting for files to become encrypted or compromised, Agger proactively detects and interrupts ransomware operations at the earliest stage, often before the first byte of encryption is even written.

The detection logic is embedded directly in a lightweight, high-performance driver, minimizing latency to mere milliseconds. This zero-latency detection ensures ransomware is stopped before significant data loss occurs, including previously unseen zero-day variants. Additionally, the Agger agent runs entirely locally. No telemetry or sensitive data is transmitted externally, enhancing privacy and reducing external dependencies.

Decept

The Deception Engine works by creating hidden, carefully crafted bait files scattered strategically across the filesystem. These files mimic sensitive, valuable data attractive to ransomware, including documents, images, database files, and backups. However, these bait files are invisible and indistinguishable from legitimate files at a system level: there are no recognisable indicators or flags visible even in detailed forensic analysis.

When ransomware attempts to encrypt or alter these decoy files, Agger’s kernel-mode monitoring instantly triggers, confirming a positive identification of malicious intent. This approach significantly reduces false positives by requiring clear, confirmed interaction with bait assets, ensuring accuracy in threat detection and neutralization.

Defend

Scutum is integral to Agger’s Self-Defending Architecture, deliberately engineered to resist sophisticated attacker attempts to disable security components, even under elevated privilege scenarios. It functions as a kernel-mode watchdog, hardening the Agger agent, securing critical internal communications, and implementing a multi-layered trust model to protect essential system processes.

In addition to protecting Agger itself, Scutum proactively monitors and defends critical third-party tools like EDR, antivirus, backup software, databases, and virtualization platforms. It monitors attempts to terminate processes, unload drivers, suspend threads, or manipulate critical services. This ensures an early warning signal is triggered well before attackers escalate to ransomware deployment.

Should a threat manage to circumvent these protective layers (however unlikely), Agger’s Intelligent Data Recovery mechanisms activate, offering paths to swiftly restore critical files, reducing downtime and minimizing financial and operational impact.

Deny

While Agger already detects and kills ransomware early, the Deny layer adds another dimension: containment by design. It’s about proactively limiting what malware can access, encrypt, or tamper with if it gets past the first line of defence.

This includes techniques like microsegmentation, to isolate machines or users from one another, and strict access policies that stop ransomware from touching backups, shared folders, or key system processes. Combined with Scutum’s anti-tampering capabilities, Deny makes it dramatically harder for attackers to move laterally, escalate access, or cause widespread damage.

The goal is simple. Even if something slips through, it hits a wall, fast. Deny turns your network from an open floor plan into a locked-down maze, where ransomware has nowhere to run.
