OPSWAT has introduced MetaDefender Aether, an AI-powered decision engine for fast zero-day detection, purpose-built for the perimeter.

Unlike sandbox or antivirus solutions designed for endpoint protection, MetaDefender Aether intercepts files at every entry point, such as file transfers, removable media, email attachments, cloud storage, and web traffic, to detect unknown threats before they reach users, devices, or internal systems.

Every file is processed through four progressively deeper layers: threat reputation, dynamic analysis, ML-driven threat scoring, and AI-powered threat hunting. By chaining them into a single pipeline, OPSWAT states, MetaDefender Aether delivers 99.9% zero-day detection efficacy, 100x greater resource efficiency than VM-based sandboxing, and a unified, confidence-scored verdict per file.

Perimeter security is a decision problem. Security teams must determine whether a file is safe, malicious, or suspicious, and then act with confidence. Antivirus and sandbox tools were never architected for this scale or complexity. Endpoint-class tools deployed at the perimeter create queue backlogs, inconclusive results, and alert fatigue. Modern adversaries now leverage AI and ML to generate evasive, obfuscated threats that bypass static and signature-based analysis.

MetaDefender Aether was designed specifically to solve this perimeter-scale challenge and improve operational performance inside SOCs:

Faster decision velocity: Pre-correlated verdicts with threat-family attribution arrive in near-real time, shrinking the gap between detection and response.

Higher-confidence automation: Structured outputs integrate directly into SIEM and SOAR workflows, enabling accurate automated response without manual pivots.

Reduced analyst fatigue: Unified verdicts eliminate fragmented tool outputs and false-positive overload.

Greater resource efficiency: Instruction-level emulation and intelligent pipeline layering reduce infrastructure demands compared to VM-based sandbox approaches.

Continuous AI-powered intelligence loop: Every analyzed file strengthens the global intelligence graph, ensuring detection improves over time.

By resolving nearly half of threats in the initial reputation layer and progressively escalating only what requires deeper analysis, MetaDefender Aether reduces unnecessary processing and prevents perimeter-scale inspection from becoming a bottleneck for business-critical file flows.

“Traditional sandboxing was never built for AI-driven threats at scale,” said Jan Miller, Global CTO of OPSWAT. “Security teams don’t need more telemetry. They need decisive answers. MetaDefender Aether delivers on what sandboxing was not designed to do: replacing isolated analysis with an AI-native pipeline that delivers a single, high-confidence verdict that SOC teams and automation platforms can act on immediately before any file reaches the network.”

How it works

Layer 1 — Threat reputation

Files are evaluated against OPSWAT’s continuously updated global threat intelligence databases. Known malicious files are blocked immediately, and trusted files are fast-tracked, preserving pipeline capacity for deeper analysis only when required.

Layer 2 — Dynamic analysis

Files that require deeper inspection enter MetaDefender Aether's adaptive sandbox, which uses instruction-level CPU and operating-system emulation rather than virtual machines to drive the full execution path across more than 120 file types. This exposes evasive behavior that VM-aware malware would otherwise conceal. Newly discovered indicators of compromise (IOCs) are then fed back to Layer 1 while the file is sent for downstream AI analysis.

Layer 3 — ML-driven threat scoring

Multiple machine-learning engines analyze behavioral signals, anomaly patterns, and IOCs to assign structured, confidence-weighted risk scores. This turns raw telemetry into clear decisions, reducing false positives and analyst noise.

Layer 4 — AI-powered threat hunting

Similarity search maps behavioral fingerprints against a database of more than 100 million analyzed malware samples, automatically attributing files to known threat families, campaigns, and attack toolkits. Unknown files are converted into actionable intelligence, enriching both global and local detection models.

MetaDefender Aether replaces fragmented sandbox, reputation, and threat intelligence lookups with a single unified decision pipeline. After completing all four stages, it delivers a single, unified verdict per file, which is contextualized, confidence-scored, and structured for immediate consumption by SOC analysts, SIEM platforms, and SOAR playbooks. No file enters the network partially scanned or without a decision.
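The four-layer flow described above, as an added illustration that is not OPSWAT's code, schema or algorithm: a tiered pipeline that resolves known hashes at the reputation layer, escalates only unknown files, combines the behaviours the sandbox observed into one risk score with a noisy-OR, attributes the file to a family by Jaccard similarity over behavioural fingerprints, and feeds malicious digests and network IOCs back to the reputation store so that a resubmission of the same file short-circuits at Layer 1. The verdict fields, thresholds, indicator weights, family corpus and the sample "sandbox" traces are all constructed assumptions for the example; the product's real schema and emulator output are not described on this page.

```python
"""Tiered file-verdict pipeline modelled on the four layers described above.

Added illustration only, not OPSWAT code: the verdict schema, thresholds,
indicator weights, family corpus and the sample sandbox traces are all
constructed assumptions so the example runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

MALICIOUS_T, SUSPICIOUS_T, ATTRIBUTION_T = 0.70, 0.30, 0.50  # assumed thresholds

# Layer 1: reputation store of SHA-256 digests and network IOCs (constructed).
REPUTATION = {"bad": set(), "good": set(), "ioc": set()}

# Layer 2 stand-in: what the emulator would observe per sample (constructed).
SAMPLE_TRACES = {
    b"loader-sample": {"api:WriteProcessMemory", "api:CreateRemoteThread",
                       "net:dns:updates.example", "api:GetTickCount-loop"},
    b"ransom-sample": {"api:CryptEncrypt", "cmd:vssadmin delete shadows",
                       "fs:mass-rename"},
    b"installer-sample": {"api:GetTickCount-loop", "fs:write-program-files"},
}

# Layer 3: per-indicator probability that a behaviour is malicious (constructed).
INDICATOR_WEIGHTS = {
    "api:WriteProcessMemory": 0.35, "api:CreateRemoteThread": 0.35,
    "api:CryptEncrypt": 0.25, "cmd:vssadmin delete shadows": 0.60,
    "fs:mass-rename": 0.50, "net:dns:updates.example": 0.30,
    "api:GetTickCount-loop": 0.10,  # a timing check alone is a weak signal
}

# Layer 4: behavioural fingerprints of previously analysed families (constructed).
FAMILY_CORPUS = {
    "loader-family-1": {"api:WriteProcessMemory", "api:CreateRemoteThread",
                        "net:dns:updates.example", "api:GetTickCount-loop",
                        "cmd:regsvr32 /s"},
    "ransomware-family-1": {"api:CryptEncrypt", "cmd:vssadmin delete shadows",
                            "fs:mass-rename", "fs:drop-ransom-note"},
}


@dataclass
class Verdict:
    sha256: str
    label: str              # "malicious" | "suspicious" | "benign"
    confidence: float       # 0.0 - 1.0, what a SOAR playbook thresholds on
    layer: int              # layer at which the decision was reached
    score: float = 0.0
    family: Optional[str] = None
    iocs: set = field(default_factory=set)


def layer1_reputation(digest):
    """Known-bad blocks, known-good fast-tracks, unknown escalates."""
    if digest in REPUTATION["bad"]:
        return "malicious"
    if digest in REPUTATION["good"]:
        return "benign"
    return None


def layer3_score(behaviours):
    """Noisy-OR of indicator weights: several weak, independent signals
    combine into one risk score without any single one dominating."""
    p_clean = 1.0
    for b in behaviours:
        p_clean *= 1.0 - INDICATOR_WEIGHTS.get(b, 0.0)
    return 1.0 - p_clean


def layer4_attribute(behaviours):
    """Nearest known family by Jaccard similarity of behaviour sets."""
    best, best_sim = None, 0.0
    for family, fp in FAMILY_CORPUS.items():
        sim = len(behaviours & fp) / len(behaviours | fp)
        if sim > best_sim:
            best, best_sim = family, sim
    return (best, best_sim) if best_sim >= ATTRIBUTION_T else (None, best_sim)


def analyze(data, trace_fn=lambda d: SAMPLE_TRACES.get(d, set())):
    """Run one file through the four layers and return a single verdict."""
    digest = hashlib.sha256(data).hexdigest()
    known = layer1_reputation(digest)            # Layer 1: short-circuit
    if known:
        return Verdict(digest, known, 0.99, layer=1)
    behaviours = set(trace_fn(data))             # Layer 2: dynamic analysis
    score = layer3_score(behaviours)             # Layer 3: risk scoring
    family, sim = layer4_attribute(behaviours)   # Layer 4: similarity search
    if family or score >= MALICIOUS_T:
        verdict = Verdict(digest, "malicious", max(score, sim), 4, score, family)
    elif score >= SUSPICIOUS_T:
        verdict = Verdict(digest, "suspicious", score, 4, score)
    else:
        verdict = Verdict(digest, "benign", 1.0 - score, 4, score)
    verdict.iocs = {b for b in behaviours if b.startswith("net:")}
    if verdict.label == "malicious":             # feed new IOCs back to Layer 1
        REPUTATION["bad"].add(digest)
        REPUTATION["ioc"] |= verdict.iocs
    return verdict


if __name__ == "__main__":
    REPUTATION["good"].add(hashlib.sha256(b"signed-vendor-update").hexdigest())
    for sample in (b"signed-vendor-update", b"loader-sample", b"ransom-sample",
                   b"installer-sample", b"loader-sample"):
        v = analyze(sample)
        print(f"{sample.decode():22} layer={v.layer} {v.label:10} "
              f"conf={v.confidence:.2f} family={v.family}")
```

The last run of b"loader-sample" resolves at Layer 1 because its digest was written back after the first analysis; that is the feedback loop the text describes, and it is why the reputation layer can absorb a growing share of traffic over time. Only the "net:" behaviours are promoted to IOCs here because a bare API name is not a usable blocklist entry on its own.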

Enterprise scale and compliance

MetaDefender Aether operates across cloud, hybrid, and air-gapped environments and supports regulatory frameworks including NERC CIP, NIS2, SWIFT CSP, CMMC, IEC 62443, GDPR, and HIPAA. The solution integrates natively across the MetaDefender ecosystem, including Core, Cloud, Email Security, MFT, ICAP, Storage, Kiosk, and Cross-Domain.