Funded R&D Initiative

Attack Prevention Matrix

Live POC data from our core research team. Engineering prevention-first security architectures. 105+ attack techniques mapped and analyzed.

Coverage by Status

Threat Categories - Coverage Matrix

| Category | Techniques |
|---|---|
| Command & Control | 8 |
| Credential Access | 13 |
| DLL & Linking Attacks | 3 |
| Defense Evasion | 15 |
| Discovery | 7 |
| Impact | 6 |
| Initial Access | 8 |
| Lateral Movement | 6 |
| Persistence | 16 |
| Privilege Escalation | 7 |
| Process Injection & Manipulation | 16 |

105 Techniques

Process Injection & Manipulation (16 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Process Injection (Standard) | Strips PROCESS_VM_WRITE | Blocked | Object Sentinel |
| Process Hollowing | Strips write rights to the suspended process | Blocked | Object Sentinel |
| DLL Injection | No CreateRemoteThread / WriteProcessMemory | Blocked | Object Sentinel |
| Reflective DLL Injection | Cannot allocate remote memory | Blocked | Object Sentinel |
| Thread Execution Hijacking | Strips PROCESS_SUSPEND_RESUME & SET_CONTEXT | Blocked | Object Sentinel |
| Process Doppelgänging | Initial create intercepted; payload redirects to Sandbox | Blocked | SandboxAI |
| Process Herpaderping | Write masking prevents payload placement on the real disk | Blocked | SandboxAI |
| Process Ghosting | Prevents interaction with real delete-pending binaries | Blocked | SandboxAI |
| Atom Bombing | Uses the Global Atom Table (shared kernel object) | Evaded | None |
| Extra Window Memory (EWMI) | Uses SetWindowLong via User32 | Evaded | None |
| APC Injection | Requires a handle with THREAD_SET_CONTEXT | Blocked | Object Sentinel |
| TLS Callback Injection | Modifying the PE header redirects to the Sandbox copy | Blocked | SandboxAI |
| VDSO Hijacking | Kernel/memory modification blocked | Blocked | Object Sentinel |
| Parent PID Spoofing | Cannot open a handle to the spoofed parent | Blocked | Object Sentinel |
| Function / API Hooking | Can only hook self; other processes are unreachable | Neutered | Object Sentinel |
| IAT Hooking | Can only hook self | Neutered | Object Sentinel |

DLL & Linking Attacks (3 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| DLL Side-Loading | evil.dll drops to Sandbox; the loader checks the real path | Neutered | SandboxAI |
| DLL Hijacking (Search Order) | System32 masked; cannot see target locations | Blocked | ZMView |
| DLL Preloading | Hides non-essential paths from the search | Neutered | ZMView |

Persistence (16 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Registry Run Keys / Startup | Filesystem virtualization doesn't cover the Registry | Evaded | None |
| Scheduled Task / Job | RPC/COM to the Task Scheduler service allowed | Evaded | None |
| Windows Service Creation | SC Manager (RPC) allowed | Evaded | None |
| BITS Jobs | COM/RPC allowed | Evaded | None |
| WMI Event Subscription | WMI (RPC) allowed | Evaded | None |
| Logon Scripts | Registry/AD based | Evaded | None |
| Screensaver Hijacking | Registry based | Evaded | None |
| IFEO Injection | Registry based | Evaded | None |
| COM Object Hijacking | Registry (HKCR) based | Evaded | None |
| AppCert / AppInit DLLs | Registry based | Evaded | None |
| Winlogon Helper DLL | Registry based | Evaded | None |
| Time Providers | Registry based | Evaded | None |
| Port Monitors | Registry based | Evaded | None |
| Print Processors | Registry based | Evaded | None |
| Netsh Helper DLL | Registry based | Evaded | None |
| Web Shells | Dropped to disk -> Sandbox; IIS can't see it | Neutered | SandboxAI |

Defense Evasion (15 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Masquerading | Renaming allowed, but context remains isolated | Neutered | ZMView |
| Obfuscation / Packing | Code executes, but remains isolated | Neutered | Object Sentinel |
| Indicator Removal (Wiping) | winevt folder is hidden/read-only | Blocked | ZMView |
| Subverting Trust (Signing) | We don't check signatures | Ignored | N/A |
| Living off the Land (LOLBins) | cmd, powershell, certutil are Not Found | Blocked | ZMView |
| Fileless Malware | Cannot persist or migrate; dies with the process | Neutered | Object Sentinel |
| HTML Smuggling | Downloads payload to Sandbox; cannot exec/invade | Neutered | SandboxAI |
| Timestomping | Modifies the timestamp of the Sandbox file only | Neutered | SandboxAI |
| Binary Padding | Doesn't affect isolation | Irrelevant | N/A |
| Software Packing | Doesn't affect isolation | Irrelevant | N/A |
| Sandbox Evasion | Permanent Cage concept | Irrelevant | N/A |
| Virtualization Detection | Malware detects the trap and quits | Allowed | N/A |
| Disable Security Tools | Cannot open a handle to the AV process | Blocked | Object Sentinel |
| Token Manipulation | Strips TOKEN_DUPLICATE / TOKEN_ASSIGN_PRIMARY | Blocked | Object Sentinel |
| Indirect Command Exec | pcalua.exe, forfiles.exe hidden | Blocked | ZMView |

Credential Access (13 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| LSASS Memory Dumping | Strips PROCESS_VM_READ from lsass.exe | Blocked | Object Sentinel |
| Keylogging | GetAsyncKeyState works globally in User32 | Evaded | None |
| Credential API Hooking | SetWindowsHookEx monitors messages | Evaded | None |
| Kerberoasting | Network attack | Evaded | None |
| AS-REP Roasting | Network attack | Evaded | None |
| DCSync | Network attack | Evaded | None |
| NTDS.dit Extraction | File access blocked/hidden | Blocked | ZMView |
| Pass the Hash | Network auth usage | Evaded | None |
| Pass the Ticket | Network auth usage | Evaded | None |
| Man-in-the-Browser | Cannot inject into the browser | Neutered | Object Sentinel |
| Stealing Web Cookies | Access to the cookies DB virtualized/hidden | Blocked | ZMView |
| Brute Force | Network login attempts allowed | Evaded | None |
| Password Spraying | Network based | Evaded | None |

Privilege Escalation (7 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| UAC Bypass | File-based bypass blocked; Registry-based bypass works | Partial | SandboxAI |
| Token Impersonation | OpenProcessToken blocked | Blocked | Object Sentinel |
| Path Interception | Writes to system paths redirected | Blocked | SandboxAI |
| Unquoted Service Path | Writes to the root path redirected | Blocked | SandboxAI |
| Service Registry Perms | Registry based | Evaded | None |
| AlwaysInstallElevated | Registry based | Evaded | None |
| Sudo Caching | Unix concept | N/A | N/A |

Command & Control (8 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Standard Protocols | No network filtering | Evaded | None |
| Data Encoding | Can encode before sending | Evaded | None |
| DGA | DNS requests allowed | Evaded | None |
| Web Service / Cloud C2 | Allowed | Evaded | None |
| Multi-Stage Channels | Allowed | Evaded | None |
| Protocol Tunneling | Allowed | Evaded | None |
| Traffic Signal | Allowed | Evaded | None |
| Steganography | Allowed | Evaded | None |

Initial Access (8 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Spearphishing Attachment | Attachment opens in an isolated process | Neutered | Object Sentinel |
| Spearphishing Link | Browser opens the URL (browser is isolated) | Neutered | Object Sentinel |
| Drive-by Compromise | Exploit runs in the isolated browser | Neutered | Object Sentinel |
| Exploit Public-Facing App | Web server isolated; shell cannot spawn | Neutered | ZMView |
| Supply Chain Compromise | Update installs, but the new binary is isolated | Neutered | SandboxAI |
| Valid Accounts | Attacker with creds can log in | Evaded | None |
| External Remote Services | RDP/VPN allowed | Evaded | None |
| Hardware Additions | Physical access | Evaded | None |

Discovery (7 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Account Discovery | net user blocked, but the API is allowed | Evaded | None |
| Network Service Scan | Winsock API allowed | Evaded | None |
| System Network Config | IP Helper API allowed | Evaded | None |
| Process Discovery | OpenProcess enumeration blocked | Blocked | Object Sentinel |
| File/Directory Discovery | Can only see ZMView / Sandbox | Neutered | ZMView |
| Permission Discovery | AD/LSA APIs allowed | Evaded | None |
| Virtualization Discovery | Malware sees it's trapped | Allowed | N/A |

Lateral Movement (6 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Remote Services | Outbound connections allowed | Evaded | None |
| Lateral Tool Transfer | Can download tools to Sandbox | Evaded | None |
| Remote Session Hijack | RDP hijacking | Evaded | None |
| Windows Admin Shares | SMB allowed | Evaded | None |
| DCOM | RPC allowed | Evaded | None |
| SSH Hijacking | Network allowed | Evaded | None |

Impact (6 techniques)

| Technique | Notes | Status | Mitigation |
|---|---|---|---|
| Ransomware (Encryption) | Encrypts fake files in Sandbox | Neutered | SandboxAI |
| Disk Wipe (Wiper) | Raw disk access blocked | Blocked | ZMView |
| Data Destruction | Deletes Sandbox files only | Neutered | SandboxAI |
| Defacement | Defaces Sandbox files only | Neutered | SandboxAI |
| Endpoint DoS | CPU/RAM exhaustion possible | Allowed | None |
| Cryptomining | CPU exhaustion possible | Allowed | None |

Status Definitions

Blocked

Attack prevented entirely. No execution possible in any context.

Neutered

Attack executes but cannot achieve objective. Neutralized by isolation.

Evaded

Current mitigations do not cover this vector. Requires research.

Allowed

Intentionally permitted for operational compatibility and use cases.

Joining our research

We are actively recruiting security researchers, threat analysts, and systems engineers to collaborate on next-generation prevention architectures.