Xcitium: most solutions detect threats — we prevent them
Xcitium is built on the principle "guilty until proven innocent": it doesn't detect a threat, it prevents it — any unknown file is isolated in a container at the kernel level before a verdict is even assigned to it. The file runs, but cannot change the system or reach data. If it turns out to be malicious, it was already in quarantine — no harm done. Hence Xcitium's headline result: not a single successful breach in its entire history (per the vendor, backed by the Breach Warranty) when properly configured.
Unlike antivirus and EDR, which must first recognize a threat (and against a new or disguised one that's a window of risk), Xcitium protects without waiting for a verdict. viasoft is the exclusive distributor of Xcitium in Azerbaijan across the entire line: we deploy, support, and sell it in manat by bank transfer — while protecting one endpoint costs less than CrowdStrike, SentinelOne, or Microsoft Defender.
The problem we solve
Protection built on detection is inherently late. Antivirus checks files against a database of known malware, EDR adds behavioral analysis — but both must first recognize a threat to stop it. Against a genuinely new attack (zero-day — a threat for which there's not yet a single record in protection databases) or a technique disguised as normal activity, a window remains — the industry calls it dwell time, and per independent data it's measured not in minutes but in days. In that time ransomware manages to encrypt, and an attacker to dig in. The problem isn't that the detector is bad — it's that detecting before damage is done isn't always possible. We close exactly that window: the unknown is isolated before a verdict, so it has nowhere to do harm.
What's included
This is assembled, supported protection on the Xcitium (Dragon) platform — a single agent and a cloud console. The core is kernel-level containment (Windows and Windows Server; for macOS and Linux, an EDR/antivirus agent). On top of that: EDR visibility, web protection and a firewall, rule tuning for your software fleet, and a managed 24/7 SOC run by Xcitium MDR (the vendor operates the SOC; we package the service and remain your single point of accountability). Payment is in manat by bank transfer, with a contract and closing documents. The full composition and the line of responsibility for each layer are in the table below.
How containment works — in plain words
In practice, an "unknown file" is something quite recognizable: a "reconciliation_statement.exe" email attachment, a contractor's USB stick, a downloaded "activator" for some software, or a macro in a forwarded Excel file. Antivirus lets these through if there's no signature yet — and that's where the window of risk opens.
Xcitium containment (the ZeroDwell technology) closes that window. The protection runs as a funnel of five steps:
- Detection — the system sees an unknown executable object.
- Containment — isolated in under a second, before the object does anything (per the vendor).
- Virtualization — runs in an isolated environment; its access to the file system, registry and system calls is virtualized, never touching the real machine.
- Analysis — the cloud issues a verdict (AI + SOC experts), usually in under a minute (per the vendor).
- Verdict — "safe" (released) or "quarantine" (deleted with all its "changes").
Figuratively: the stranger is neither thrown out nor let near the valuables — he's seated in a glass room where he "works" without breaking anything while it's being figured out who he is. (A deeper look at how the mechanism is built, and how it differs fundamentally from ordinary EDR, is in the article "dwell time and containment".)
Per the vendor, a verdict on the vast majority of unknown files is issued in under a minute; rare complex cases are escalated to a human analyst, and the stream itself runs to hundreds of millions of files a day. We cite these as vendor-stated figures — but even while a verdict is pending the file is already isolated, so verdict speed affects convenience, not protection. The key idea: to protect, you don't first need to prove a file is bad. It's enough that it isn't proven good.
Why Xcitium wins: zero breaches and the lowest price
Two arguments set Xcitium apart from any classic EDR — and these are the two to look at first:
1. Not a single successful breach in its entire history. The "isolate before a verdict" logic means an unknown file has nowhere to do harm — even if it's a new ransomware strain no one has seen yet. Xcitium is so confident in the model that it backs it with a financial guarantee — Breach Warranty: with protection properly configured, the vendor guarantees no successful breach. No detection-based EDR can offer that in principle — detection inherently misses 1–5% of unknown threats, and per IBM Cost of a Data Breach 2025 each breach averages $4.44M in damage, with the full attack lifecycle to identification and containment averaging 241 days.
2. The lowest price per endpoint among competitors. For a comparable — and against unknown threats, stronger — result, Xcitium protection per endpoint costs less than CrowdStrike, SentinelOne, and Microsoft Defender — in both delivery models: self-managed and under the vendor's SOC (Xcitium MDR). You don't pay a "market-leader brand" premium, and response is already included in the subscription — without a costly separate add-on like CrowdStrike's Falcon Complete. The exact price is on request: it depends on the number of endpoints and the set of modules, and is fixed at the free assessment.
Add both points to payment in manat by bank transfer — and Xcitium closes not just the technical task but the procurement one too.
Composition of the service and area of responsibility (artifact)
This isn't a "box with a license," but assembled and supported protection. What exactly you get and who is responsible for each layer:
| Layer | What it does | Who is responsible |
|---|---|---|
| Containment (Xcitium ZeroDwell) | Isolates unknown files until a verdict | Xcitium technology, setup — us |
| EDR visibility (Xcitium) | Attack timeline, events on devices | Xcitium platform + our analysis |
| 24/7 SOC (Xcitium MDR) | Monitoring, alerts, response | Vendor SOC; packaging and support — us |
| Web protection and firewall | Traffic filtering, network control | Setup and support — us |
| Rules for your software | So rare/in-house software doesn't break | Us, at the implementation stage |
| Procurement in manat | Contract, bank transfer, closing documents | Us as the exclusive distributor of Xcitium |
How containment differs from ordinary EDR in its very approach (the discussion and the "isolation-first vs detection-first" table) is covered in the dwell time article; a direct comparison with a specific vendor is on the CrowdStrike alternative page.
Where containment is blind — and what we do about it
The approach has two blind spots, and it's fairer to name them up front. Containment catches unknown executable files — but not attacks that operate through already-trusted programs (the built-in PowerShell, scripts), and not work in memory, where there's no new file on disk. Plus rare or in-house software without a verdict runs isolated at first — until we add it to the trusted list. There is only one conclusion: containment is a layer, not a replacement for everything. So we deploy it paired with monitoring (EDR + SOC): each layer covers the other's blind spot. Anyone selling an all-in-one endpoint agent is hiding these two.
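To make the five-step funnel above and the two blind spots just named concrete, here is an added toy model in Python. It is constructed for this page and is not Xcitium's code: the real product hooks file, registry and process operations inside a kernel driver, whereas this model keeps only the policy (no verdict means contain; writes of a contained object go to a copy-on-write overlay; the verdict either merges or discards the overlay) in user space with plain dicts. All hashes, paths and registry keys are constructed placeholders, and `RealSystem`, `Container`, `decide` and `execute` are names invented for the example.

```python
"""Toy model of verdict-first ("guilty until proven innocent") containment.

Constructed example, not Xcitium code. Real kernel-level containment hooks
file, registry and process operations inside a driver; this model keeps the
same policy in user space with plain dicts so the decisions are visible.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    SAFE = "safe"
    MALICIOUS = "malicious"


class Decision(Enum):
    RUN = "run"          # known-good: executes with real access
    CONTAIN = "contain"  # no verdict yet: executes, but writes go to an overlay
    BLOCK = "block"      # known-bad: never executes


@dataclass
class RealSystem:
    files: Dict[str, str] = field(default_factory=dict)
    registry: Dict[str, str] = field(default_factory=dict)


@dataclass
class Container:
    """Copy-on-write overlay: writes stay here until a verdict resolves them."""
    real: RealSystem
    files: Dict[str, str] = field(default_factory=dict)
    registry: Dict[str, str] = field(default_factory=dict)

    def write(self, kind: str, key: str, value: str) -> None:
        (self.files if kind == "file" else self.registry)[key] = value


# A write action is ("file", path, data) or ("reg", key, value).
Action = Tuple[str, str, str]


def decide(verdict_db: Dict[str, Verdict], file_hash: str) -> Decision:
    """Funnel steps 1-2: default-deny. Absence of a verdict means CONTAIN."""
    verdict = verdict_db.get(file_hash)
    if verdict is Verdict.SAFE:
        return Decision.RUN
    if verdict is Verdict.MALICIOUS:
        return Decision.BLOCK
    return Decision.CONTAIN


def execute(real: RealSystem, file_hash: str, actions: List[Action],
            verdict_db: Dict[str, Verdict],
            later_verdict: Verdict) -> Tuple[Decision, str]:
    """Run one object through the funnel; return (decision, outcome)."""
    decision = decide(verdict_db, file_hash)
    if decision is Decision.BLOCK:
        return decision, "blocked"
    if decision is Decision.RUN:
        # Trusted object: its writes land on the real system immediately.
        for kind, key, value in actions:
            (real.files if kind == "file" else real.registry)[key] = value
        return decision, "ran-uncontained"
    # Step 3: virtualised execution, every write goes to the overlay.
    box = Container(real)
    for kind, key, value in actions:
        box.write(kind, key, value)
    # Steps 4-5: the cloud verdict arrives and resolves the overlay.
    verdict_db[file_hash] = later_verdict
    if later_verdict is Verdict.SAFE:
        real.files.update(box.files)        # release: merge the changes
        real.registry.update(box.registry)
        return decision, "released"
    return decision, "quarantined"          # overlay discarded with all its changes


def demo_unknown_ransomware() -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """An unknown sample behaves like ransomware; the real files must survive."""
    real = RealSystem(files={"C:/docs/ledger.xlsx": "Q1 figures"})
    db: Dict[str, Verdict] = {}                       # no signature for it yet
    sample = "sha256:constructed-unknown-sample"      # constructed, not a real IoC
    actions: List[Action] = [
        ("file", "C:/docs/ledger.xlsx", "ENCRYPTED"),
        ("file", "C:/docs/README_DECRYPT.txt", "..."),
        ("reg", "HKCU/Run/updater", sample),
    ]
    _, outcome = execute(real, sample, actions, db, Verdict.MALICIOUS)
    return outcome, real.files, real.registry


def demo_trusted_interpreter_blind_spot() -> Tuple[str, Dict[str, str]]:
    """Blind spot: an interpreter already marked SAFE runs uncontained, so
    whatever it writes on behalf of a script lands for real. Seeing that is
    the EDR/SOC layer's job, which is why the page pairs the two."""
    real = RealSystem()
    trusted = "sha256:constructed-trusted-interpreter"   # constructed hash
    db = {trusted: Verdict.SAFE}
    actions: List[Action] = [("reg", "HKCU/Run/persist", "script.ps1")]
    _, outcome = execute(real, trusted, actions, db, Verdict.SAFE)
    return outcome, real.registry
```

Running `demo_unknown_ransomware()` returns `"quarantined"` with the real file still reading "Q1 figures" and no registry key, which is the "no harm done" property the funnel promises; `demo_trusted_interpreter_blind_spot()` returns `"ran-uncontained"` with the key written, which is the gap that monitoring has to cover.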
How this combines with our open-source SOC
This doesn't contradict our own open-source cybersecurity — these are different layers, and we use the best tool for each. Monitoring and SIEM (where the open stack is mature and removes licensing fees) we build on open-source. Endpoint protection we take as a best-of-breed product where it has a unique patented advantage: there simply is no open-source equivalent to kernel-level containment. Paying for a license makes sense where it gives you something the open market doesn't — and not paying where an open solution is just as good. We draw that line honestly, tailored to your infrastructure.
Why Xcitium isn't in the Gartner Magic Quadrant
Gartner's categories are built around detection (antivirus, EDR, XDR), and Xcitium removes the dependency on detection itself — there's no ready-made category for that yet, and it appears only after the technology proves itself. A line in a report doesn't protect an endpoint; the result does, and it's verified on your infrastructure. The full discussion of this objection is on the CrowdStrike alternative page.
Payment model
We work by the "10% Path": a free assessment of your device fleet and requirements → we fix the price → we deploy and support. Licenses and support — in manat by bank transfer, with a full set of closing documents (contract, invoice, act, VAT invoice). As the exclusive distributor of Xcitium in Azerbaijan, we make purchasable under corporate and government procedures the protection that's hard to pay for directly with a foreign vendor. The cost depends on the number of devices and the set of modules; it's calculated at the assessment. More — how we work.
Ransomware protection for a business without its own security team
This is the scenario where containment wins most: you have something to lose, but no round-the-clock security team triaging alerts. Containment neutralizes most threats — including unknown ransomware — before they become an incident, and the 24/7 SOC covers the rest; you don't need to hire a staff of analysts. Most often these are financial companies, government bodies, healthcare, and retail — organizations with customer personal data and under data-protection and critical-information-infrastructure (CII) requirements, where downtime and a leak cost the most.
When it isn't the main priority: if you already have a mature SOC with a strong team and your primary concern is not file-based threats but credential theft and attacks on cloud services — the emphasis shifts to other layers, and we'll say so plainly. We tailor protection to your real attack surface, rather than selling one technology as the answer to everything.
Typical scenario (illustration, not a real client)
An organization has no security team of its own, but does have a requirement to protect against ransomware — while quotes from leading EDR vendors arrived with a premium price tag and card-in-dollars payment that can't be run through procurement. How this is usually solved with us: a review of the device fleet and requirements → deployment of containment-based protection on servers and workstations → rule tuning for the software in use → connection to the 24/7 SOC for monitoring and response → contract and payment in manat by bank transfer. The goal — to close both the ransomware risk and the procurement rules, without hiring an in-house security team.
FAQ
- We already have antivirus — why Xcitium? Antivirus and EDR catch the known and must first recognize a threat; against a new or disguised file, a window of days remains. Xcitium doesn't replace antivirus — it closes that window: an unknown file is isolated at once, without waiting to be identified.
- What operating systems does Xcitium run on? Kernel-level containment — on Windows and Windows Server; for macOS and Linux there are EDR/antivirus agents under the same cloud console. We confirm the exact coverage of your OS mix at the free assessment.
- Do we need to remove the current antivirus, and how does the migration go? Not necessarily at once: Xcitium can run alongside your existing protection or replace it — the order and compatibility are decided at the implementation stage. Rollout is centralized, by agent, without manually touching every machine.
- Will it slow things down or get in the way? Known trusted software runs freely — only the unknown goes into a container. "Restricted" doesn't mean "frozen": the program launches and works, but its changes (for example, saving settings or writing to its own files) go into an isolated area until a verdict. For most business software this is invisible; specific or in-house software we add to the trusted list in advance during setup.
- Will this close the ransomware risk? Yes, and it's the main scenario: even unknown ransomware with no signature yet launches in isolation and never reaches real files until a verdict is assigned. We still consider a tested backup a mandatory last line of defense.
- What is Xcitium? A platform for endpoint protection with patented ZeroDwell containment (patent US 10,951,644), heir to Comodo Cybersecurity — on the market since 1998. viasoft is its exclusive distributor in Azerbaijan across the entire line.
- How much does Xcitium cost? Price is on request: it depends on the number of endpoints and the set of modules, fixed at the free assessment; payment in manat by bank transfer. Per endpoint, Xcitium comes out cheaper than comparable EDRs, and response is already included in the subscription. A direct comparison with CrowdStrike is on the CrowdStrike alternative page.
- Who will triage alerts if we have no security team? The vendor's 24/7 SOC (Xcitium MDR), which we connect and support. Containment neutralizes most threats in advance, so there are fewer alerts, and response is included in the subscription — you don't need to hire your own analysts.