
1stProtect Emerges from Stealth with New Approach to Endpoint Security That Stops Data Theft in Real Time
Veterans of CrowdStrike, Symantec, and Cisco Unveil Platform That Verifies User Intent and Blocks Unauthorized Data Access and Exfiltration in Microseconds—Even Without Internet Connectivity
SAN FRANCISCO, March 19, 2026 /PRNewswire/ -- 1stProtect, a Silicon Valley-based cybersecurity startup founded by veterans of CrowdStrike, Symantec, and Cisco, today emerged from stealth with an industry-changing new endpoint security platform designed to stop modern cyberattacks before sensitive data can be stolen by monitoring system behavior and verifying user intent in real time.
The company will formally launch the platform during the RSAC 2026 Conference.
Why Existing Cybersecurity Tools Fail
For decades, enterprise security has relied on perimeter defenses and cloud-based analytics to detect threats after they occur. But as attackers increasingly use AI to generate novel attacks at an unprecedented pace and evade traditional detection methods, many security tools fail to identify breaches until long after sensitive data has already been accessed.
Modern attacks increasingly operate inside trusted systems—using legitimate processes or stolen credentials—making them difficult for traditional detection systems to identify until long after sensitive data is accessed. Traditional endpoint detection and response systems rely heavily on collecting telemetry and analyzing it in the cloud before making security decisions. This process can introduce significant delays, generate enormous volumes of data, and fail entirely when devices are disconnected from the network.
"We built this company around a simple idea: by the time most existing security tools detect an attack, the data is already gone," said Kervin Pillay, Chief Executive Officer of 1stProtect. "Instead of trying to identify malware after the fact, we verify every critical data access in real time and stop unauthorized activity before it becomes a breach."
A New Model for Endpoint Protection
Rather than sending threat data to the cloud for analysis before taking action, 1stProtect pushes the decision engine down to the endpoint. 1stProtect is an inline solution, enabling it to provide preemptive, rather than reactive, protection and stop threats before they occur. The platform operates as a runtime enforcement layer that monitors system activity and blocks malicious behavior directly inside the operating system, allowing it to terminate malicious processes in as little as 400 microseconds.
During early deployments, the platform has demonstrated the ability to detect and block threats significantly earlier and more comprehensively than traditional security tools. In one case, the system identified a memory injection attack 40 seconds before an established endpoint security product detected the activity. In another test, the platform identified and blocked a session-theft attack that existing security tools failed to detect entirely. Unlike traditional endpoint security—which analyzes an attack's source code, LLM prompt, or signature—1stProtect instead analyzes the attack's destination and intent in real time, enabling it to respond far more quickly than existing tools.
Because enforcement happens locally, the platform continues protecting systems even in disconnected or restricted environments. Once policies are synchronized, the endpoint can operate as a self-defending system—immune to network outages, DNS tampering, or cloud downtime. Built-in best-practice policy templates also enable immediate protection in fully offline environments without requiring policy synchronization from a server.
One Engine Instead of Many
Most modern security stacks rely on multiple independent engines—separate systems for endpoint protection, identity security, data loss prevention, and threat detection.
1stProtect replaces that fragmented model with a single user-space SIGMA engine capable of enforcing security policies across multiple attack categories in real time.
The platform's modular architecture currently includes 22 protection modules covering areas such as:
- Credential and Session Theft
- Ransomware and Destructive Attacks
- Data and Exfiltration
- Application and Browser Security
- Runtime Behavioral Attacks
- Identity and Active Directory Attacks
This unified architecture allows organizations to monitor and enforce policy across credential access, system processes, and data flows without deploying multiple separate tools.
On-Device AI Investigation
In addition to real-time enforcement, the platform includes an AI-driven investigator that runs directly on the endpoint.
The system performs forensic analysis locally using an on-device MCP server, allowing threat investigations and remediation to occur without sending sensitive data to the cloud.
This architecture enables local threat analysis, automated root-cause investigation, and response actions even when systems are offline.
Built by Security Industry Veterans
1stProtect was founded by a team with experience across some of the most influential companies in cybersecurity and enterprise infrastructure.
The company is led by Mr. Pillay, former Chief Technology Officer of Automation at Cisco, and Chief Technology Officer Rafel Ivgi, a highly decorated cybersecurity veteran with nearly three decades of experience, including senior positions at SentinelOne, CrowdStrike, Symantec and Forcepoint.
That combination of leadership across cybersecurity, infrastructure, and company building has shaped 1stProtect's approach from the beginning, helping the company design a platform intended to address the speed, complexity, and operational realities of modern attacks.
"What makes 1stProtect different is not just the architecture, but the team behind it," said Mr. Ivgi. "We've seen firsthand where traditional approaches break down—whether that's cloud latency, tool sprawl, or blind spots around credentials and data access. That collective expertise has allowed us to rethink endpoint protection from the ground up and build a system based around where existing tools fail and what organizations actually need when every second counts."
The company plans to focus initial deployments on mid-size enterprises and infrastructure operators that require strong security protections in both connected and air-gapped environments.
For more information, or to schedule a meeting with 1stProtect's founders at the RSAC 2026 Conference, please visit: www.1stProtect.ai
About 1stProtect
1stProtect is a Silicon Valley-based cybersecurity company building runtime security technology for the post-perimeter era. Founded by security veterans from Cisco, CrowdStrike, and Symantec, its platform enforces security policies directly inside operating systems to stop attacks—including credential theft, ransomware, and data exfiltration—in real time.
Its architecture combines a unified SIGMA enforcement engine, on-device AI investigation, and zero-cloud protection to enable security enforcement across cloud environments, enterprise infrastructure, and air-gapped systems. The company is headquartered in San Francisco.
Contacts
Investor and Customer Contact
1stProtect
[email protected]
Media Contacts
Scott Deveau / Nate Johnson
August Strategic Communications
[email protected]
SOURCE 1stProtect