Come on hackers... Be ready with proof!
Karma, a groundbreaking innovation from Karma-X, is designed to help neutralize zero-day vulnerabilities and malicious code. Its intricate details remain under wraps, accessible only to commercial customers under NDA. Yet, its effectiveness in stopping zero-day attacks can be proven. But how can we prove that?
Disclaimer: We are not saying Karma is impenetrable, but follow along...
Enter "Post Exploitation Frameworks." Names like Cobalt Strike, Havoc C2, Sliver, Brute Ratel C4, Nighthawk, and Shellter Pro Plus often boast about their advanced capabilities to evade Endpoint Detection and Response (EDR) systems. There's a nuance here that deserves attention.
Why should we care? Because some of these frameworks don't publicly disclose their code. There's another important point: once defensive software is disclosed, these tools try to adapt, modifying their code to bypass known defenses. This adaptation happens on their terms, on their own devices, and often leads to public shaming if they succeed in getting code execution.
You shouldn't hear me implying that everybody should drop everything and prove that they can get by Karma. So what am I trying to demonstrate? Simply put, Karma, as it exists today and certainly while it remains unknown to outsiders, can stop some large percentage of unknown attacks. Skeptics might argue, "You'll just change your code to counter my code." That's far from the truth. Over the weekend, I posted a tweet with a hash of Karma for the entire world to see. What does this mean?
Going to start posting hashes that current versions of Karma can likely stop future versions of BRc4, Cobalt Strike, Shellter, Nighthawk, Sliver, Havoc C2, etc. We will call it "Proof of Protection".
Any others want to be added to the list?… pic.twitter.com/CBDGPsYDer
— Nathan Landon 🛡️ (@studentofthings) May 19, 2024
This hash represents the fixed state of Karma, inviting any threat actor or emulator worldwide (except those under NDA) to test their skills. Despite any sophisticated shellcode obfuscation tricks they might employ, Karma, in its current state, is likely to thwart them. Note that I'm not making absolute claims—there are no absolutes in computer security. The point is, Karma provides a tangible advantage to customers today.
At some point in the future, we will conduct an independently validated third-party test using these tools. This test will prove to our customers that they possess a level of protection unmatched by any other tool. In the meantime, we are comfortable with making the challenge.
Non-Disclosure can be an advantage, and this is "Proof of Protection." Any third party can attempt to challenge, and any third party, including all these "threat emulators," could take us up on the offer.
Update 6/11/2024: The folks who publicly challenged us never provided any means to validate their claims. Now that a reasonable time has expired, we are withdrawing this challenge. As we are disclosing more about our platform, it will of course be easier to find workarounds or bypasses; that is the nature of the information asymmetry that non-disclosure provides. The point is that non-disclosure has its advantages and security is a brinkmanship game. We are hoping to bring cutting-edge defense, from now and into the future, that is hard to bypass. Will there be some things after full inspection of our code that can disable or bypass us? Yes, we acknowledge many things, but first and foremost we acknowledge that we don't and cannot control every aspect of every system we protect. For the things we can control? You can count on cutting-edge protection over and above our competitors. Cheers!