Technology

How TrustPipe works

Building TrustPipe involved three phases.

For detailed information about the discoveries that inspired these patented processes, read the white paper from our Founder and Chief Scientist.

PHASE I

Distillation

Distillation phase summary:

  • Starts with petabytes of expert-classified malicious conversations
  • Distiller creates purely digital taxonomy of malicious “species”
  • Each species is defined by a single, compact Marker Set
  • Marker Set covers all members, past and future; can’t be evaded

Our core breakthrough lies in discerning the distinctive sets of markers that bind the elements of a dataset together.

For the dataset, we started with hundreds of millions of conversations between computers that human experts deemed to be malicious, across dozens of human categories. We also included a large set of “good” conversations — ones where nothing bad happened.

Our patented Distillation process transformed the data, combining it into different subsets until it found a purely digital taxonomy in which every conversation is represented, and where each subset of conversations has digital markers in common — ones that are not found outside the subset. Conceptually, then, each of these subsets is actually a digital “species.”

The Distillation process was computationally expensive, as it required multiple passes to discover these digital species. But it only needed to happen once, because the Marker Set for each species is valid even as that species evolves. Collectively, the hundreds of millions of malicious conversations distilled into fewer than 6,000 species.

The end result is the collection of Marker Sets that define malicious network activity, which we refer to as the Traffic Set. Not only is it authoritative — each Marker Set represents 100% confidence — but it is also remarkably compact, at less than 1.5 MB.

PHASE II

Runtime

TrustPipe is deployed alongside the packet-handling system of the OS, parsing traffic in real time as it flows into and out of the system.

The set of markers required to detect all classes of threats is remarkably compact. The entire TrustPipe dataset is less than 1.5 MB.

TrustPipe transforms every conversation, inbound as well as outbound, in the same way that occurs during Distillation. However, in sharp contrast to the Distillation phase, when TrustPipe is evaluating network traffic at runtime, the process of looking for known Markers in a conversation between two computers is remarkably lightweight, requiring trivial amounts of CPU and imposing a negligible penalty on throughput.

When a Marker Set match happens, TrustPipe has 100% confidence that the conversation is malicious and can take appropriate action to protect the system and the user.

TrustPipe deployments are managed through a TrustZone Authority, which is an extension of proven DNS technology that is lightweight, resilient and scalable to millions of endpoints.

PHASE III

Adaptation

Because TrustPipe operates at the set-binding level rather than at the signature or behavioral level, it is immune to the obfuscation techniques that most technologies are forced to treat as “new” threat types.

The entire TrustPipe engine can be updated on-the-fly when we release a bug-fix or add new functionality. This allows us to keep every computer secure, and the user safe, long into the future.

On rare occasions, however, something truly new and unacceptable emerges. In those cases (there have been fewer than two per year since 2012), TrustPipe will not detect the attack itself, but it will detect the effect of the new attack, which we call a "Death Rattle".

When that happens, TrustPipe moves to protect the impacted device, and at the same time creates a new Marker Set to inoculate itself against a recurrence of the attack – all of which happens within minutes, without human intervention.

This revolutionary capability is the subject of our second core patent.

Further explanation of the research, discoveries and technology behind TrustPipe from our Chief Scientist, Kanen Flowers

Perfect so far. But...

We've been around long enough to know that no technology is perfect. So, while TrustPipe has performed remarkably well so far, we assume that there will be issues in the future.

At the same time, we are absolutely confident that when (not if) that happens, the essential simplicity and dynamic nature of the TrustPipe technology will enable us to respond quickly and effectively.

We'd love to make nothing happen for you.



TrustPipe and the TrustPipe logo are trademarks of TrustPipe Security LLC.