How Behavior Monitoring Works

Vedric Passive Protection is a behavior-based security system designed to quietly monitor activity on business computers and surface real risk signals. No noise. No interruptions.

This system does not rely on signatures, constant prompts, or aggressive lockdowns. Instead, it observes how a system behaves over time and detects patterns that indicate misuse, compromise, or insider risk. This approach is especially effective on business-floor computers, where normal activity is stable and deviations are meaningful.

What Vedric Monitors

Vedric monitors system behavior, not personal content. All data collected is technical telemetry required to understand system behavior.

Collected Signals (Metadata Only)

  • Process creation and execution chains
  • Script usage (PowerShell, wscript, cscript, mshta)
  • File activity related to executables and persistence
  • Persistence attempts (scheduled tasks, services, registry)
  • Outbound network connections
  • Device events (USB insertion, storage mounts)
  • Privilege usage attempts

What Vedric Does Not Do

  • Read file contents
  • Capture keystrokes
  • Monitor user communications
  • Record screens or audio

The Vedric Endpoint Sensor

Each protected computer runs a lightweight Vedric sensor as a background service.

  • Minimal Footprint: Low CPU and memory usage
  • Zero Interaction: No user prompts or popups
  • Offline Capable: Local buffering when disconnected
  • Tamper-Resistant: Protected against modification
  • Silent Operation: No workflow disruption
  • Secure Transport: Encrypted data transmission

The sensor listens to operating-system events and converts them into structured behavioral signals. These signals are batched, compressed, and securely sent to Vedric's backend for analysis.

From Events to Behavior

Individual events are not treated as threats. Vedric groups related activity into behavior chains that show how something happened, not just what happened.

Example Behavior Chains

  • Browser downloads an executable → executable runs from user directory → creates a scheduled task → contacts a rare external domain
  • Office document spawns PowerShell → PowerShell launches encoded command → outbound connection to unknown IP
  • Unsigned binary appears in a user-writable folder → executes under explorer.exe → attempts persistence

These chains provide context, which dramatically reduces false positives.

Risk Signal Engine

Vedric uses a risk signal engine, not simple alerts.

Detection Model

  • A library of behavior detectors identifies known abuse patterns (script misuse, persistence creation, suspicious process chains)
  • Each detector contributes a risk signal, not an immediate alert
  • Signals are weighted based on confidence, rarity within the environment, and correlation with other signals

Baselines

Vedric establishes normal behavior per:

  • Device group (e.g., business-floor PCs)
  • Application usage
  • Network destinations

Activity that deviates from these baselines increases risk, but never triggers action by itself.

Risk Scoring and Severity

Risk is scored over a short time window.

  • Low Risk: Logged for context
  • Moderate Risk: Surfaced to administrators
  • High Risk: Eligible for automated response

No single weak signal causes disruption. Only correlated, high-confidence behavior chains escalate.
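The scoring model described under Detection Model, Baselines and Risk Scoring, sketched as an added example that is not Vedric's code. The detector names, weights, window length, thresholds and correlation bonus are all assumed values, and the sample signals are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed values for illustration; the page publishes no real parameters.
WINDOW_SECONDS = 300            # the "short time window"
MODERATE, HIGH = 40.0, 80.0     # severity thresholds
BASE_WEIGHT = {"exec_from_user_dir": 15, "script_encoded_command": 30,
               "persistence_scheduled_task": 30, "rare_outbound_destination": 20}

@dataclass(frozen=True)
class Signal:
    ts: float          # event time, seconds
    chain_id: str      # behavior chain the sensor events were grouped into
    detector: str      # which detector fired (hypothetical names)
    confidence: float  # 0..1, detector confidence
    rarity: float      # 0..1, 1.0 = never seen in this device group's baseline

def score_chain(signals, now):
    """Weighted, correlated risk score for one chain inside the window."""
    recent = [s for s in signals if 0 <= now - s.ts <= WINDOW_SECONDS]
    # Rarity only scales a detector hit, so baseline deviation alone adds nothing.
    base = sum(BASE_WEIGHT.get(s.detector, 5) * s.confidence * (0.5 + 0.5 * s.rarity)
               for s in recent)
    distinct = len({s.detector for s in recent})
    return base * (1.0 + 0.25 * max(0, distinct - 1))   # correlation bonus

def severity(score):
    return "high" if score >= HIGH else "moderate" if score >= MODERATE else "low"

def evaluate(signals, now):
    """Group signals by chain and return {chain_id: (score, severity)}."""
    chains = defaultdict(list)
    for s in signals:
        chains[s.chain_id].append(s)
    return {cid: (round(score_chain(g, now), 1), severity(score_chain(g, now)))
            for cid, g in chains.items()}

NOW = 1_000.0
SAMPLE = [  # constructed signals, not real telemetry
    Signal(800, "dropper", "exec_from_user_dir", 0.8, 1.0),
    Signal(860, "dropper", "persistence_scheduled_task", 0.9, 1.0),
    Signal(900, "dropper", "rare_outbound_destination", 0.9, 1.0),
    Signal(950, "macro", "script_encoded_command", 0.9, 1.0),
    Signal(960, "macro", "rare_outbound_destination", 0.6, 0.5),
    Signal(990, "lone", "rare_outbound_destination", 0.5, 0.6),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW))
```

With these assumed weights, the three-detector chain reaches high, the two-detector chain reaches moderate, and the lone rare destination stays low and is only logged.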

Confidence-Based Responses

Vedric responses are designed to be safe, reversible, and proportional.

Possible Automated Actions

  • Terminate a malicious process tree
  • Temporarily block a suspicious outbound connection
  • Quarantine a newly created executable
  • Create an investigation case for IT teams

Aggressive actions such as full device isolation are disabled by default and only available for high-severity events.

Admin Visibility and Control

Vedric provides a clear, human-readable view of activity.

Administrators Can See

  • What happened, in order
  • Why it was flagged
  • Which behaviors contributed to risk
  • What action was taken (if any)

Controls Include

  • Adjusting risk thresholds per device group
  • Suppressing known-safe behavior
  • Allowing approved applications or domains
  • Reviewing historical behavior timelines

Optimized for Business-Floor Computers

Business-floor systems have characteristics that make behavior monitoring highly effective:

  • Stable Software Sets: Predictable application usage
  • Predictable Workflows: Consistent daily patterns
  • Limited Variability: Anomalies stand out clearly

This makes abnormal behavior stand out clearly, allowing Vedric to detect threats earlier and with far fewer false positives than traditional alert-heavy tools.

Summary

  • Monitors behavior, not signatures
  • Detects risk through correlation
  • Responds only when confidence is high
  • Runs quietly without interruptions
  • Built for real business environments
  • Observes first, acts when necessary