Architecture Overview
Three-layer autonomous containment: endpoint agent, ML governance cloud, and enterprise tenant isolation
System Overview
QuickSecure is built on a three-layer architecture: endpoint agent (user-mode only), ML governance cloud (model registry, drift monitoring, safe deployment), and enterprise tenant isolation (hybrid model registry, per-tenant metrics).
- Endpoint Agent: User-mode monitoring, on-device ML inference, multi-stage detection, confidence-gated containment
- ML Governance Cloud: Versioned model registry, drift monitoring, safe deployment with rollback, fleet-wide learning
- Tenant Isolation: Per-tenant data boundaries, dedicated model support, isolated metrics and governance
ETW Monitoring (Windows)
QuickSecure uses Event Tracing for Windows (ETW) for real-time system monitoring without kernel drivers.
Why ETW Instead of Kernel Drivers?
| Aspect | Kernel Driver | ETW (QuickSecure) |
|---|---|---|
| System Stability | BSOD risk on crash | Process-level isolation |
| Installation | Requires reboot | No reboot needed |
| Updates | Complex, risky | Hot update possible |
| CPU Overhead | Variable | < 0.1% |
| Attack Surface | Kernel-level exploit target | User-mode containment |
Local AI Engine
The local AI engine runs entirely on your device, providing instant threat detection without network latency.
Model Specifications
- Format: Industry-standard ONNX, cryptographically signed
- Size: Optimized for edge deployment (~5MB)
- Inference Time: <15ms per sample
- Memory: ~20MB working set
Static Analysis
- PE header anomalies
- Section entropy scoring
- Import table analysis
Behavioral Analysis
- Process tree patterns
- API call sequences
- File system behavior
ML Classification
- Neural network scoring
- Feature embedding
- Composite risk score
Inference Fallback Chain
Three-stage resilient inference pipeline. If the primary model fails or confidence is insufficient, fallback stages engage automatically.
- ONNX Edge Model: Primary neural network inference. If confidence ≥ policy threshold, decision is final.
- Random Forest: Secondary ensemble classifier. Activated when ONNX returns low confidence or fails to load.
- Rule-Based Heuristics: Deterministic rules for known threat patterns. Always available, zero ML dependency.
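The fallback chain above, as an added example that is not QuickSecure's own code: each stage is a callable that either answers with a (label, confidence) pair or raises when it cannot run; the chain walks the stages in order, treats a verdict as final only when its confidence meets the policy threshold, and ends at the rule stage, which has no model dependency and always answers. The three stage functions, the feature keys (`nn_score`, `rf_score`, `onnx_unavailable`, `max_section_entropy`, `suspicious_imports`) and the entropy rule are constructed stand-ins for real models.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Verdict:
    label: str          # "malicious" or "benign"
    confidence: float   # 0.0 to 1.0
    stage: str          # stage that produced the final decision


# A stage maps a feature dict to (label, confidence) or raises if it cannot run.
Stage = Callable[[dict], tuple[str, float]]


def onnx_edge_model(features: dict) -> tuple[str, float]:
    """Stand-in for the primary ONNX inference session (hypothetical).

    `nn_score` plays the role of the network's malicious-class probability;
    `onnx_unavailable` simulates a model that fails to load."""
    if features.get("onnx_unavailable"):
        raise RuntimeError("ONNX model failed to load")
    score = float(features.get("nn_score", 0.5))
    label = "malicious" if score >= 0.5 else "benign"
    return label, max(score, 1.0 - score)


def random_forest(features: dict) -> tuple[str, float]:
    """Stand-in for the secondary ensemble classifier (hypothetical)."""
    score = float(features.get("rf_score", 0.5))
    label = "malicious" if score >= 0.5 else "benign"
    return label, max(score, 1.0 - score)


def rule_based_heuristics(features: dict) -> tuple[str, float]:
    """Deterministic last resort: no model dependency, always answers.

    The rule (a packed, high-entropy section together with suspicious imports)
    is a constructed example of a 'known threat pattern'."""
    packed = features.get("max_section_entropy", 0.0) > 7.2
    if packed and features.get("suspicious_imports"):
        return "malicious", 1.0
    return "benign", 1.0


FALLBACK_CHAIN: list[tuple[str, Stage]] = [
    ("onnx", onnx_edge_model),
    ("random_forest", random_forest),
    ("rules", rule_based_heuristics),
]


def classify(features: dict, policy_threshold: float = 0.85) -> Verdict:
    """Walk the chain. A stage's verdict is final once its confidence meets the
    policy threshold; a stage that raises is skipped. The rule stage is terminal,
    so the chain always yields a verdict."""
    last_name, last_stage = FALLBACK_CHAIN[-1]
    for name, stage in FALLBACK_CHAIN[:-1]:
        try:
            label, confidence = stage(features)
        except Exception:
            continue  # load or inference failure: engage the next stage
        if confidence >= policy_threshold:
            return Verdict(label, confidence, name)
    label, confidence = last_stage(features)
    return Verdict(label, confidence, last_name)


if __name__ == "__main__":
    print(classify({"nn_score": 0.97}))
    print(classify({"nn_score": 0.6, "rf_score": 0.9}))
    print(classify({"onnx_unavailable": True, "rf_score": 0.55,
                    "max_section_entropy": 7.5, "suspicious_imports": True}))
```

Note that the stage order and the single threshold are what make the chain resilient rather than merely redundant: a model that loads but answers near 0.5 is treated the same as one that fails to load, so a corrupted or mis-deployed model degrades to the next stage instead of producing a weak verdict.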
Autonomous Decision Engine (Auto-Pilot)
The Auto-Pilot system supports three progressive trust modes: Shadow, Supervised, and Full Autonomous.
Auto-Approval Criteria (Full Autonomous)
In Full Autonomous mode, the system applies multiple validation gates before auto-approving a containment action. These include AI confidence scoring, risk assessment, global prevalence checks, and false-positive history verification. Exact threshold values are configurable per deployment and documented in the enterprise deployment guide.
Grey-Zone Handling
Detections in the grey zone (below the auto-approval threshold but above baseline) are routed to multi-factor analysis including global prevalence, severity scoring, known-threat database matching, and MITRE ATT&CK correlation.
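An added example (not QuickSecure code) of the Auto-Pilot decision described in the two sections above: the three trust modes, the four auto-approval gates (confidence, risk, global prevalence, false-positive history), and the grey-zone routing to multi-factor analysis. Every threshold in `Policy` is an illustrative placeholder, since the real values are per-deployment configuration; the grey-zone combination rule (a known-threat match, or two corroborating factors, leads to containment) is likewise an assumption of this example, not a documented QuickSecure rule.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    SHADOW = "shadow"                    # decide, but only log what would have happened
    SUPERVISED = "supervised"            # decide, but an analyst must approve the action
    FULL_AUTONOMOUS = "full_autonomous"  # act when every gate passes


@dataclass
class Policy:
    # Illustrative placeholders; real thresholds are per-deployment configuration.
    auto_approve_confidence: float = 0.95
    baseline_confidence: float = 0.60
    min_risk_score: int = 70
    max_global_prevalence: int = 50      # files common across the fleet are FP-prone
    known_threat_hashes: set[str] = field(default_factory=set)
    false_positive_hashes: set[str] = field(default_factory=set)


@dataclass
class Detection:
    sha256: str
    confidence: float             # composite ML confidence, 0.0 to 1.0
    risk_score: int               # risk assessment, 0 to 100
    global_prevalence: int        # endpoints on which the hash has been seen
    severity: str                 # "low" | "medium" | "high" | "critical"
    attack_techniques: list[str]  # correlated MITRE ATT&CK technique IDs


def failed_gates(d: Detection, p: Policy) -> list[str]:
    """Names of the auto-approval gates the detection does not pass."""
    failed = []
    if d.confidence < p.auto_approve_confidence:
        failed.append("confidence")
    if d.risk_score < p.min_risk_score:
        failed.append("risk")
    if d.global_prevalence > p.max_global_prevalence:
        failed.append("prevalence")
    if d.sha256 in p.false_positive_hashes:
        failed.append("fp_history")
    return failed


def grey_zone_analysis(d: Detection, p: Policy) -> str:
    """Multi-factor analysis for grey-zone detections (combination rule assumed)."""
    if d.sha256 in p.known_threat_hashes:
        return "contain"
    factors = 0
    if d.global_prevalence <= p.max_global_prevalence:
        factors += 1  # rare on the fleet
    if d.severity in ("high", "critical"):
        factors += 1
    if d.attack_techniques:
        factors += 1  # behaviour maps onto known ATT&CK techniques
    return "contain" if factors >= 2 else "escalate"


def decide(d: Detection, p: Policy, mode: Mode) -> dict:
    """Propose an action from the gates, then let the trust mode decide whether
    the agent acts on it, asks an analyst, or only records it."""
    failed = failed_gates(d, p)
    if not failed:
        proposed, reason = "contain", "all auto-approval gates passed"
    elif "fp_history" in failed:
        proposed, reason = "escalate", "hash has prior false-positive history"
    elif d.confidence >= p.baseline_confidence:
        proposed, reason = grey_zone_analysis(d, p), "grey zone: " + ", ".join(failed)
    else:
        proposed, reason = "monitor", "below baseline confidence"

    if mode is Mode.SHADOW:
        action = "log_only"
    elif mode is Mode.SUPERVISED:
        action = "await_approval" if proposed == "contain" else proposed
    else:
        action = "auto_contain" if proposed == "contain" else proposed
    return {"action": action, "proposed": proposed, "reason": reason, "failed_gates": failed}
```

Shadow mode runs exactly the same gates as Full Autonomous and records the proposed action without executing it, which is what lets an operator compare what the engine would have done against analyst decisions before raising the trust level.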
Collective Defense Network
When a threat is confirmed on one endpoint, all QuickSecure endpoints worldwide receive the IoC within seconds via Protobuf delta sync.
Propagation Timeline
- Threat Detected: Endpoint A detects and quarantines the suspicious file.
- Report Sent: Threat telemetry with the feature vector is uploaded to the Corxor cloud.
- Analysis Complete: AI Judge confirms the threat; a true-positive/false-positive (TP/FP) label is generated and an IoC is created.
- Global Protection: All endpoints receive the IoC via delta sync; the hash is blocked fleet-wide.
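The propagation timeline above as an added example (not QuickSecure's code): the cloud keeps an append-only IoC log with sequence numbers, each endpoint remembers the last sequence it applied, and a sync returns only the entries after that point, which is the delta-sync idea. The Protobuf wire format is out of scope here, so messages are plain dataclasses; the `toy_judge` function, the `ThreatReport` fields and all hashes are constructed for the example. It also shows the case the page implies but does not spell out: a later FP label for the same hash revokes the block on the next sync.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class IoC:
    seq: int       # monotonically increasing position in the cloud log
    sha256: str
    label: str     # "TP" blocks fleet-wide, "FP" lifts any existing block
    source: str    # endpoint that reported the sample


@dataclass
class ThreatReport:
    sha256: str
    source: str
    feature_vector: list[float]  # constructed stand-in for the uploaded features


class CloudRegistry:
    """Append-only IoC log; endpoints pull everything after their last seq."""

    def __init__(self) -> None:
        self._log: list[IoC] = []

    def ingest(self, report: ThreatReport, judge: Callable[[ThreatReport], str]) -> IoC:
        label = judge(report)  # AI Judge stand-in returns "TP" or "FP"
        ioc = IoC(len(self._log) + 1, report.sha256, label, report.source)
        self._log.append(ioc)
        return ioc

    def delta_since(self, seq: int) -> list[IoC]:
        return [i for i in self._log if i.seq > seq]


class Endpoint:
    def __init__(self, name: str) -> None:
        self.name = name
        self.last_seq = 0
        self.blocked: set[str] = set()

    def sync(self, cloud: CloudRegistry) -> int:
        """Apply the delta in order and return how many IoCs were received."""
        delta = cloud.delta_since(self.last_seq)
        for ioc in delta:
            if ioc.label == "TP":
                self.blocked.add(ioc.sha256)
            else:
                self.blocked.discard(ioc.sha256)  # FP label revokes the block
            self.last_seq = ioc.seq
        return len(delta)

    def is_blocked(self, sha256: str) -> bool:
        return sha256 in self.blocked


def toy_judge(report: ThreatReport) -> str:
    """Hypothetical AI Judge: confirms the threat when the mean feature score is high."""
    mean = sum(report.feature_vector) / len(report.feature_vector)
    return "TP" if mean >= 0.5 else "FP"


def run_propagation() -> dict:
    """Endpoint A detects; the cloud labels; B and C receive the IoC on their next sync."""
    cloud = CloudRegistry()
    fleet = [Endpoint(n) for n in ("A", "B", "C")]
    bad = "ab" * 32  # constructed sample hash
    ioc = cloud.ingest(ThreatReport(bad, "A", [0.9, 0.8, 0.95]), toy_judge)
    first = [ep.sync(cloud) for ep in fleet]
    second = [ep.sync(cloud) for ep in fleet]  # nothing new: the delta is empty
    return {
        "label": ioc.label,
        "first_sync": first,
        "second_sync": second,
        "blocked_everywhere": all(ep.is_blocked(bad) for ep in fleet),
    }


if __name__ == "__main__":
    print(run_propagation())
```

Because the endpoint only ever advances `last_seq` after applying an entry, a sync that is interrupted part-way simply resumes from the last applied IoC on the next call; a real implementation would also authenticate the log so that an endpoint cannot be fed forged block or unblock entries.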