and defense.
Two shipping products. Free at the edge for individuals; per-seat for teams; licensed for operators.
We build the tools we wish #
existed when nobody was looking.
In July 2024, a single kernel-driver update bricked 8.5 million machines [1] in a morning. The fix was a manual safe-mode visit per machine. The product was the biggest name in endpoint security.
That's the failure mode we're built against. Not the threat. The tool we use against the threat. An EDR you can't turn off and can't silently crash. A pentest tool that scoreboard-verifies what it claims.
Written in Rust, signed end to end. No βAI-poweredβ copy where it doesn't belong.
The product line. #
Each one solves a real problem and ships under its own brand. Don't need both? Don't buy both.
An EDR that catches ransomware in under a second, and can't brick your fleet on a bad update.
The big-name kernel drivers BSOD-looped 8.5 million machines last year[1]. Blue runs on EndpointSecurity (macOS) and eBPF (Linux). Kernel-authorized APIs that can't panic the kernel. Behavioral detection on a kernel-sourced event stream, not signature matching.
<50ms
Β· neutralized in <1s
free for individuals Β· 1 device, strictly local. No cloud telemetry, ever. Business + MSSP tiers per-seat with cloud console + AI threat intelligence.
290 Kali tools. One reasoning loop. 24.4Γ more findings than your scanner. Verified.
Red plans, executes, and replans across the full Kali arsenal through a single closed-loop LLM. Recon to report, every tool's output feeding the next decision. In a controlled study against fixed-script automation it surfaced 24.4Γmore findings (p<0.001 over 120 runs)[2] and autonomously surfaced three CVSS 9.8 CVEs without human steering.
Auto runs the engagement end-to-end Β·
Co-Pilot hands the operator the next three commands with the target pre-filled
CVE-2024-38476
CVE-2024-38474
. All CVSS 9.8, all surfaced autonomously during the controlled study
CVE-2023-25690
any frontier LLM(Anthropic / OpenAI / Gemini)
or fully local via Ollama(Qwen, Llama, your fine-tune) Β· no data ever leaves your network Β· hash-chained audit log
free
Β· Pro $99/mo
Β· Business $599/mo
Β· Enterprise custom Β· self-serve, no setup feeDocker imageΒ·
One stack. Two coordinates. #
Each product is shippable on its own. Together they cover both sides of an engagement. Finding the holes, then stopping what comes through them. A customer never has to glue separate vendors together to answer one question.
ββββββββββββββββ ββββββββββββββββ
β NEMESIS RED β β NEMESIS BLUE β
β β β β
β finds the β β stops the β
β weakness β β payload β
β first β β on-device β
ββββββββ¬ββββββββ ββββββββ¬ββββββββ
β β
βΌ βΌ
scoreboard proof sub-second kill
of exploitation + file rollback
Why Blue, when Falcon exists? #
The honest answer: because Blue is architected for five constraints the big-name EDRs took shortcuts on. Each row below is a concrete capability, not a marketing claim. Every β on the Blue column is something we'd defend in a technical interview.
Two questions decide which EDR you buy. Does an individual get the real engine for free? And is the agent source readable? Falcon: no and no. Blue: yes and yes.
Two ways to get started. #
Pick a product. Each one is live and shipping today.
Questions you'd ask in a real conversation. #
We're skipping the βhow does it workβ marketing dance. The architecture spec is on the trust center. Here are the three real ones.
New vendor. Why should I trust you with kernel access? #
You shouldn't, yet. The agent ships with an equivalent hardening story on every platform. macOS: Apple Developer-ID + notarization, hardened runtime, Team-ID-pinned self-check (JRMYSV7NC2). Linux: sigstore-signed releases, deterministic builds, seccomp ptrace
-deny, capability drops. Windows: Authenticode EV signing, Protected Process Light (PPL) at runtime, WHQL-certified minifilter. A re-signed or modified binary fails its own self-check on any of the three. An external pentest is on the roadmap before paid GA, and the trust center publishes the threat model honestly, including the limits. We're also Nemesis Red's own customer: the same team that builds Blue gets it attacked by Red before each release.
Is Nemesis Red just another AI-generated exploit demo? #
No. Red's scoreboard verification is the whole point. Every claimed exploit has to land in a third-party ledger before it counts. You can't lie to a scoreboard. The agent is built around the constraint that if it can't prove the exploit, the exploit didn't happen.
What does βfree for individualsβ actually cost me? #
Heartbeat metadata (agent version, integrity head hash, threat count delta) and nothing else. No file contents, no command lines, no browser data, no telemetry on the processes you run. The free tier is opt-out-able down to zero outbound traffic; the trust center spells out every byte that leaves your machine.