Your Microsoft Defender,
Fully Autonomous.
RansomBlock is the Agentic MDR layer that streams telemetry directly from your Microsoft Defender API to intercept, investigate, and roll back ransomware—hands-free.
Technical TL;DR:
Proprietary Minifilter Driver + Dedicated Endpoint Agent. Kernel-level I/O interception with immutable WORM vaulting.
MTTI: 8ms detect
MTTR: 12ms dwell
Fleet Health: 100% health
Ideal Tenant: 50–200 Endpoints
Licensing Req: Microsoft 365 Business Premium
Compliance Target: SOC2 / ISO 27001
Cost Reduction
- Eliminates the need for 24/7 manual SOC monitoring for M365 environments.
- Reduces cyber insurance premiums through documented proactive containment.
Downtime Avoidance
- Zero-second process neutralisation vs. 15-30 minute human response window.
- Instant localized rollback avoids multi-day server restoration cycles.
Liability Transfer
- Immutable WORM storage ensures compliance with strict data integrity audits.
- Hardened local agent protects against “BYOVD” (Bring Your Own Vulnerable Driver) attacks.
Beyond Detection: The Response Gap
| Feature | MS Defender for Endpoint | RansomBlock + MDE |
|---|---|---|
| Detection Engine | Signature & Behavior (Cloud-based) | Kernel I/O Minifilter (Local) |
| Response Latency | Minutes (Cloud Analysis → Action) | Sub-Second (Immediate PID Kill) |
| Data Integrity | Shadow Copies (Often deleted) | WORM Locked Storage (Immutable) |
| Containment | Network Isolation (Host-level) | Process-level Neuter (In-Kernel) |
The “Co-Processor” Architecture
Deploying a proprietary agent doesn’t mean complexity. RansomBlock uses a specialized Minifilter driver to monitor the I/O stack while ingesting Microsoft Graph security telemetry.
Proprietary Minifilter Driver
Installs at Altitude 36000-38999. Intercepts all FileSystem IRPs. Monitors entropy changes in real-time, executing an immediate kill on the offending PID before it can signal the C2.
Graph Streaming Integration
RansomBlock Command Center correlates local driver alerts with Microsoft Defender Streaming APIs to validate signals and prevent false positives.
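As an added illustration (not RansomBlock's code and not a kernel driver), the Python sketch below shows the user-mode shape of the entropy heuristic described above and why the correlation step against Defender telemetry matters: a per-process window of write entropies flags a process that only writes ciphertext-like buffers, while a mixed-workload process never crosses the threshold. PIDs, thresholds and the sample writes are constructed for the demo.

```python
import math
import random
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class EntropyMonitor:
    """Per-PID sliding window over recent write buffers (hypothetical thresholds).
    A PID is flagged once it has at least `min_writes` observations in the window and
    the fraction of high-entropy writes (>= `high_bits`) reaches `ratio`."""
    def __init__(self, window=20, high_bits=7.5, ratio=0.8, min_writes=10):
        self.high_bits, self.ratio, self.min_writes = high_bits, ratio, min_writes
        self.recent = defaultdict(lambda: deque(maxlen=window))

    def observe(self, pid: int, data: bytes) -> bool:
        """Record one write for `pid`; return True when it now looks like a bulk encryptor."""
        w = self.recent[pid]
        w.append(shannon_entropy(data) >= self.high_bits)
        return len(w) >= self.min_writes and sum(w) / len(w) >= self.ratio

def run_demo() -> dict:
    """Replay constructed write events and return, per PID, the 1-based index of the
    first write at which it was flagged (None if never flagged)."""
    rng = random.Random(7)                        # seeded so the demo is deterministic
    text = b"Quarterly report, section 3: revenue grew 4% year over year. " * 70
    cipher_like = lambda: rng.randbytes(4096)     # stands in for a ciphertext write
    events = []
    for i in range(15):
        events.append((1001, text))                                # editor: plaintext only
        events.append((2002, cipher_like()))                       # encryptor: ciphertext only
        events.append((3003, text if i % 2 else cipher_like()))    # backup tool: mixed writes
    mon = EntropyMonitor()
    first_flag = {1001: None, 2002: None, 3003: None}
    per_pid_count = defaultdict(int)
    for pid, buf in events:
        per_pid_count[pid] += 1
        if mon.observe(pid, buf) and first_flag[pid] is None:
            first_flag[pid] = per_pid_count[pid]
    return first_flag
```

The mixed-write PID is exactly the kind of case (compressed backups, encrypted archives) that entropy alone cannot separate from an encryptor, which is the false-positive gap the Graph correlation described above is meant to close.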
Off-Platform WORM Storage
Uses S3 Object Lock (Immutable) via AWS or Azure Blob with version-level locking. Data is encrypted (AES-256-GCM) and resides in a hardware-locked vault separate from the primary tenant.
Operational Readiness
Performance Impact
Driver overhead is <0.5% CPU under heavy I/O. Asynchronous entropy calculation ensures no latency to legitimate user workloads.
Autonomous vs MDR
99% of responses are purely autonomous. Critical alerts escalate to our 24/7 “Guardian” team via automated Secure-Connect channels.
Offline Resilience
Agent maintains a local “Hardened Cache” of policies. If the device is disconnected, the Minifilter still executes kills based on behavioral heuristics.
Seamless Defender Sync
RansomBlock doesn’t replace Microsoft Defender; it empowers it. By hooking into the Microsoft Graph and Streaming APIs, we act as a virtual SOC analyst that never sleeps.
5-Minute Deployment
Simply authorize the Azure Enterprise App and watch the telemetry flow.
Direct API Streaming
No agents to install. No performance impact on your endpoints.
Stop Ransomware in Milliseconds
Join the waitlist for a free Agentic Audit of your Microsoft Defender fleet.