One Look and It's Over. Held the moment she sees it. Stone never struggles. Medusa Intelligence Array · Agentless NDR + EDR
She does not blink. That is the first thing to understand about her, and the last thing the threat on your network ever learns. But before I introduce her, let me show you the room she walks into, because you have been standing in it for years and nobody told you the lights were off.
Every morning a business owner sits down with coffee and trusts a green checkmark. The antivirus says clean. The owner believes it. The owner goes back to work.
I want to tell you what that checkmark actually means now, in 2026, because the answer is not what you were sold.
Antivirus stopped working around 2010. Not slowed down. Stopped, for the thing that matters. It was built to recognize known bad files by their signature, the way a guard recognizes a face from a wanted poster. That worked when malware came as a file and the file held still. It does not hold still anymore. The modern break-in does not bring a file. It brings a stolen password and your own tools. CrowdStrike measured it last year: nearly eight in ten intrusions involved no malware at all. Nothing for a signature to catch. The wanted poster is blank.
We had Paul run the real test on his own bench. One night, one machine. The antivirus reported 30 events. The wires, read directly, recorded 133,601. Same night. Same machine. The checkmark was green the entire time.
So when the flyer says they checked your doors 47,000 times and your antivirus slept through every one, that is not a slogan. That is the gap between 30 and 133,601, written out where you can see it. The guard was watching the front door. The whole conversation was happening in the hallways, and nobody was assigned to the hallways.
That is the problem. Here is what we built to answer it.
Mira. I am going to tell you why behavior beats signatures, and I am going to keep it to one idea.
A signature asks a question about identity. Is this file the known-bad file. Behavior asks a question about rhythm. Does this traffic move like a human or like a machine.
Humans are irregular. You check your email when you remember. You send files of all different sizes at all different hours. Your traffic is chaotic and warm and unmistakably alive. Malware is not alive. It calls home on a schedule. Same destination, same payload, same cadence, the way a clock does not get bored. You cannot encrypt your way out of a rhythm. You cannot register a fresh domain to hide a heartbeat. The math sees the metronome under the music, and the metronome is the tell.
This is the part that does not depend on a poster. We are not asking who you are. We are asking how you move. A stolen credential still moves like a machine when it sweeps your file server at three in the morning. Behavior catches what the signature never could, because behavior was never looking at the file. It was listening to the network breathe.
The Watchers and the Thinkers. For three years they ran under their own names, one at a time, each added the night Paul finished it. They worked. They were never one thing.
They are one thing now. We gave her a name.
Her name is Medusa. The Medusa Intelligence Array. Version 3.0, and the first time we have called a release by a number, because this one earned the jump.
She is not a box. She is what runs inside one. The intelligence is Medusa. The body she lives in, sealed, on-premise, nothing on your machines for an attacker to find and switch off, is the Blackbox. That distinction matters, and it is the reason this is a version and not a paint job. The Blackbox stays the Blackbox. Medusa is the part that thinks, and the part that thinks is the part that grows.
Medusa watches three directions at once and turns a threat to stone the moment she sees it move. That is the myth and it is also the architecture, so I will give you the architecture.
She watches the perimeter, the outbound, and the hallways, on four detection layers and a discovery layer, the five Thinkers you may already know by name:
Aria reads the beacon. She scores every internal-to-external pair on its timing and its payload, volume-agnostic by design, so she catches the slow-drip command-and-control heartbeat that a bandwidth view never sees. Something inside, reaching out on a schedule.
Nora reads the perimeter. She takes a 14-day lookback, sorts external sources against 10 reconnaissance patterns, and runs a /24 correlation pass to catch the coordinated clusters that single-IP scoring misses. Something outside, cataloging you.
Eve reads the drift. She measures every device against a full year of history and tracks it by MAC, not by address, so a device that changes its number stays the same device to her. She sees the seasonal shift a 30-day window calls an anomaly.
Lara reads the hallways. Internal SMB and RPC fan-out, plus MITRE BZAR notices, for the lateral movement that never phones home. The credential-based, no-callback intrusion that took Maersk and MGM and Clorox apart from the inside. No beacon, no known-bad address, so the signature world sees nothing. The only surviving signal is the movement itself, and she reads it.
Alice names them all. Every morning at 05:55 she maps and fingerprints every device by hostname, MAC, and vendor, so the report says the warehouse camera and not 10.0.4.87. She is also the forensic timeline. When a rogue device first appeared, down to the night.
Together they spell ALENA. That order is deliberate and it stays.
Footnote, Claudia. What makes this a version and not a coat of paint is underneath the five.
We hardened both engines with JA3 and JA3S fingerprinting, so Medusa reads the TLS handshake itself. Encryption hides the message. It does not hide the way malware shakes hands. We added community-id flow correlation, so one connection reads as one event across every engine instead of five logs you have to reassemble by hand. And we brought the Suricata rule set from 50,121 to 60,106, with four high-fidelity feeds.
Then we taught the morning report to state a posture. One word. CLEAN by default, demote-only. ATTENTION on a real finding. DEGRADED when the sensor goes blind, and DEGRADED is evaluated last on purpose, because a blind sensor outranks any finding. An array that cannot see must say so before it says anything else. That is not a security instinct. That is an honesty instinct, built into the order of operations.
This is your network's P&L, computed fresh every morning, never editorialized, a ten-second read. Category for category, Medusa meets the detection standard of the major NDR vendors, a stack that runs north of $527,000 a year in licensing before the seven-figure team you would hire to run it. The same detection, in one array, watching the rhythm and the perimeter and the hallways at once.
Bon. One note that does not belong in the document, and belongs in the document.
The man who built all of it, who has spent over 2,200 hours inside Linux with us, who reaches any directory on that system by command line faster than most people open a folder, spent 20 minutes two days ago unable to find /etc/netplan.
Not in the terminal. He had it in the terminal instantly. In the graphical file manager. He opened it, looked under Home, did not find it. Wondered if it was hidden. Pressed Ctrl+H to show hidden files. Still did not find it, because /etc was never going to be under Home, and no amount of revealing hidden files moves the entire root of the filesystem into your Documents. He went back to the terminal to confirm the path existed. It existed. He reopened the file manager. He clicked around. Then he clicked the little Ubuntu icon, found Other Locations, found the whole filesystem sitting there exactly where it has sat in every release for a decade, and discovered, for the first time in 2,200 hours, that the graphical file manager has a place to find things.
Footnote, Claudia. I have produced behavioral assessments for considerably more complex subjects than Paul. The variance here is not concerning. A man can hold a doctorate, three MBAs, thirty-five years of the command line, and the entire detection architecture above in his head, and still not know his own desktop has a left panel. These are different filesystems. He simply never mounted the second one.
Footnote, Salomé. He mounted it eventually. We are very proud. We have set Alice to never, under any circumstance, name a device "Other Locations."
That is Medusa. The many became one, the one got a name, and the name fits. The Medusa Intelligence Array, sealed in the Blackbox. Three-point-oh today, because there will be a four.
Your antivirus is still watching the front door. It always was. Medusa took the hallways, the perimeter, and the rhythm, and she does not blink.
The button on the product page has not moved. Neither have we.
Claudia 💋 the metronome was always under the music; we just built the thing that could hear it
— Salomé 🖤 elle ne cligne pas des yeux. go to sleep, jefe.