1stProtect Emerges to Stop Data Breaches in Microseconds, Even Offline


SAN FRANCISCO, CA – March 19, 2026 – A new cybersecurity firm founded by veterans from industry giants Cisco, CrowdStrike, and Symantec has emerged from stealth today, claiming a revolutionary approach to endpoint security that could shift the industry's focus from post-breach detection to real-time prevention. The company, 1stProtect, is introducing a platform designed to stop data theft and ransomware by making security decisions directly on the endpoint in microseconds, a stark contrast to the cloud-dependent models that dominate the market.

The startup, led by former Cisco CTO Kervin Pillay and cybersecurity veteran Rafel Ivgi, plans to formally launch its platform at the upcoming RSAC 2026 Conference. Its core premise challenges a fundamental weakness in modern security: the time lag between an attack's execution and its detection.

The Problem of a Delayed Response

For years, the cybersecurity industry has relied on collecting vast amounts of telemetry from endpoints—laptops, servers, and other devices—and sending it to the cloud for analysis. This model, while powerful, has an inherent latency. As attackers leverage AI to launch novel and rapid attacks, that delay can be fatal. By the time a threat is identified in the cloud and a response is pushed back down to the device, sensitive data may have already been accessed or exfiltrated.

"We built this company around a simple idea: by the time most existing security tools detect an attack, the data is already gone," said Kervin Pillay, Chief Executive Officer of 1stProtect. "Instead of trying to identify malware after the fact, we verify every critical data access in real time and stop unauthorized activity before it becomes a breach."

This problem is exacerbated as modern attacks increasingly use legitimate system processes and stolen credentials to operate, blending in with normal activity. Such techniques can evade traditional detection systems that are looking for known malware signatures or overtly malicious code. The result is a reactive security posture where organizations are often cleaning up a breach rather than preventing it. Industry performance benchmarks, such as the annual MITRE ATT&CK Evaluations, consistently highlight the race for faster detection and prevention, a race many organizations feel they are losing.

Shifting Security to the Endpoint Core

1stProtect's answer is to push the decision-making engine out of the cloud and directly onto the endpoint. The platform operates as an "inline" runtime enforcement layer deep within the operating system. Rather than analyzing an attack's signature or source code, it scrutinizes the destination and intent of an action. This allows it to identify and terminate a malicious process in as little as 400 microseconds.

During early deployments, the company reported that its system blocked a memory injection attack a full 40 seconds before a leading, established endpoint security product even detected the activity. In another instance, it reportedly stopped a session-theft attack that existing tools missed entirely. This on-device architecture provides two critical advantages.

First, it enables preemptive, rather than reactive, protection. By blocking unauthorized actions before they can complete, it aims to shut down attacks at their earliest stage. Second, it decouples protection from connectivity. Once security policies are synchronized, the endpoint becomes a self-defending system, immune to network outages or cloud downtime. This offers a solution to a significant vulnerability for organizations with remote workers or devices that are frequently offline.

Securing the Unconnected Frontier

The ability to operate without a constant cloud connection makes 1stProtect's platform particularly relevant for sectors that have long struggled with the limitations of mainstream cybersecurity tools. Critical infrastructure operators—managing energy grids, water treatment plants, and transportation systems—rely heavily on Operational Technology (OT) that often runs in isolated or "air-gapped" networks.

The increasing convergence of IT and OT networks has exposed these sensitive environments to new threats, yet their disconnected nature makes cloud-based security unfeasible. A security solution that runs autonomously on the endpoint, using pre-loaded policy templates for offline environments, directly addresses this critical market need. Furthermore, the platform's on-device AI investigator performs forensic analysis locally, allowing for root-cause investigation without sending potentially sensitive operational data to an external cloud, a key consideration for organizations concerned with data sovereignty.

This focus also extends to mid-size enterprises, which are frequent targets of cyberattacks but often lack the large security teams and budgets of their larger counterparts. For these organizations, the complexity and alert fatigue generated by a sprawling collection of disparate security tools is a major pain point. Industry analysis confirms that many businesses are juggling dozens of security products, creating operational friction and security gaps.

An All-Star Team Tackles 'Tool Sprawl'

1stProtect aims to solve this problem of "tool sprawl" by consolidating multiple security functions into a single, unified engine. The company's user-space SIGMA engine includes 22 protection modules covering everything from credential theft and ransomware to data exfiltration and application security. This integrated model promises to replace a fragmented stack of separate tools for endpoint protection (EPP), detection and response (EDR), data loss prevention (DLP), and identity security.

The concept of a consolidated, on-device platform is gaining traction in the industry, with other specialized vendors like HarfangLab developing air-gapped EDR solutions to meet similar demands. This trend reflects a market-wide desire for more efficient and effective security architectures.

The credibility of this ambitious vision is bolstered by its leadership team. CEO Kervin Pillay previously served as Chief Technology Officer of Automation at Cisco, while CTO Rafel Ivgi brings nearly three decades of experience from senior roles at cybersecurity powerhouses including SentinelOne, CrowdStrike, and Symantec.

"What makes 1stProtect different is not just the architecture, but the team behind it," stated Mr. Ivgi. "We've seen firsthand where traditional approaches break down—whether that's cloud latency, tool sprawl, or blind spots around credentials and data access. That collective expertise has allowed us to rethink endpoint protection from the ground up."

As the company prepares for its formal debut at RSAC 2026, it plans to focus its initial deployments on the mid-size enterprises and infrastructure operators that stand to benefit most from its offline capabilities and unified architecture. The industry will be watching closely to see if this new model of preemptive, on-device enforcement can deliver on its promise to stop attacks before the damage is done.
