By now, I hope you have had a chance to learn about the first-of-its-kind, groundbreaking solution we recently announced: Cisco Hypershield.

As I covered in my previous blog, the unique architecture of Hypershield makes two powerful initial use cases possible: Distributed Exploit Protection and Autonomous Segmentation.

Distributed Exploit Protection helps tackle the problem of the growing number of reported vulnerabilities (over 1000 Common Vulnerabilities and Exposures or CVEs per week) that teams are just not able to keep up with. This use case prioritizes vulnerabilities that might be directly affecting an organization and then recommends, tests and deploys compensating controls to protect the workload from exploit, all while keeping the application running. This immediate response closes the exploit gap between vulnerability disclosure and patching, giving teams time for a comprehensive response.  

But these reported CVEs are the known vulnerabilities. What about the yet-to-be-announced and even yet-to-be-discovered vulnerabilities, the unknown vulnerabilities? Cisco Hypershield can help protect organizations against those as well. Hypershield’s unknown vulnerability protection can help detect and block unknown vulnerabilities within runtime workload environments. In addition, suspected workloads can be isolated to limit the vulnerability’s blast radius. This is made possible with:

  1. Deep visibility and surgical control at the workload level
  2. The use of machine learning and analysis of the relationships between the application process, file and network operations against Common Weakness Enumeration (CWE) database, which is a classification system for hardware and software security weaknesses
  3. Analysis of the application process graph and known application behaviors to classify suspicious or malicious activity

Expanding Hypershield’s Distributed Exploit Protection to include detection and containment of unknown vulnerabilities can enhance the protection of workloads against new security threats.

Deep workload and application visibility and enforcement

Attacks exploiting unknown vulnerabilities are much harder to detect compared to known vulnerabilities, because defenders don’t have any documented signals usually defined in CVEs that enable detection. And even beyond detection, it is necessary to have options of graduated granular responses for complete remediation. This is where Hypershield’s deep workload visibility and enforcement comes into play, keeping in mind that an application may span multiple workloads. Let’s review how the solution is architected to understand that better.

A core component of Cisco Hypershield is the Tesseract Security Agent, which runs on the workload. This could be a virtual machine running Linux or a Kubernetes environment. Both private and public clouds are supported; in fact, Hypershield can provide unified policy and management across the domains. The Tesseract Security Agent interacts with workload processes via the operating system’s kernel using extended Berkeley Packet Filter (eBPF). eBPF is an open-source, cloud-native capability and is becoming the de facto standard for high-performance, non-invasive visibility and security in hyperscalers. Any time a process reads a file or opens a network connection, the eBPF code placed in the kernel by the Tesseract Security Agent is executed. Hypershield uses this technology in new ways to bring together a larger system that provides visibility and control across workloads and networks.

The Tesseract Security Agent uses eBPF to provide exceptionally deep visibility by sitting in the middle of each process invocation within the workload. The Tesseract Security Agent can also step in and enforce when it detects anomalous or malicious activity. This enables Hypershield to create an application behavior graph and an application fingerprint. The application behavior graph captures the relationships of the process and the invocations such as file reads, child process launches, and network opens. As that application adjusts and is updated, Hypershield can move in lockstep, recommending policy changes and a security stance.

Figure 1. High-confidence application behavior graph and application fingerprint from deep workload visibility provided by the Tesseract Security Agent.

Advanced methods for unknown vulnerability protection

Hypershield uses various methods to detect and contain unknown vulnerabilities. Some of the examples are below. Once detected, there are graduated responses to contain the vulnerability, extending to isolating the workload if needed.

Common Weakness Enumeration (CWE) analysis and protection

CWE is a classification system for hardware and software security weaknesses. A CWE can describe the type of vulnerability or the underlying weakness that leads to specific vulnerabilities listed in Common Vulnerabilities and Exposures (CVEs). For example, a CVE might detail a particular instance of a software flaw in a specific program, and the underlying type of flaw could be classified under a relevant CWE entry. Thus, while CVE focuses on specific vulnerabilities, CWE addresses the broader types of weaknesses that those vulnerabilities may exemplify. For example, the path traversal CWE is common to about 3000 CVEs in the last two years. A single CWE mitigation may prevent multiple (known and unknown) CVEs generically and might be considered a more robust solution. Therefore, to get ahead of the high incoming rate of CVEs, we need to understand CWEs better. 

One of the key components of Hypershield’s unknown vulnerability protection is its deep analysis of the CWE databases and its updates. This analysis, along with an application’s unique fingerprint and process graph, is used to identify weaknesses in the specific application and Hypershield can suggest monitoring and blocking constraints to protect the application in runtime. This analysis is not just for the application development team but also a crucial part of Hypershield’s AI, designed to understand and address weaknesses in near real time without the need for code access.

Application-specific behavior classifications

As described above, one method Hypershield employs to identify unknown vulnerabilities involves contrasting CWEs with the application behavior graph. Furthermore, Hypershield also utilizes the application behavior graph in a different analytical approach to enhance detection techniques.

Applications monitored by Hypershield have tailored profiles that detail specific behaviors and associated risk classifications. For instance, the Apache (httpd) application-specific profile is relevant across various customer environments. This profile integrates with an environment-specific application behavior graph to provide detailed insights and assessments.

Hypershield monitors applications and classifies new behaviors as valid, suspicious or malicious based on the defined application profile and historical context. Typically, most actions are valid, involving routine behaviors like reading from low-risk, benign files and writing to designated files and network connections. Occasionally, new and potentially suspicious behaviors may emerge, which are flagged for further analysis.

Hypershield applies several analytical techniques to determine if a behavior is malicious. One effective method involves tracking the sequence of suspicious behaviors to ascertain malicious intent. For example, in the Apache web server application, the analysis might follow these steps:

a. Detection of a payload identified as a web shell

b. Observation of the payload writing to the PHP directory

c. Execution of shell commands by the payload

In this scenario, writing to the PHP directory (step b) rapidly reclassifies the behavior from suspicious to malicious due to the context and sequence of actions.

Beyond file and network operations, Hypershield’s behavioral detection capabilities extend to any actions undertaken by the application. The comprehensive nature of the Hypershield application behavior graph, coupled with AI-driven analysis, enables robust protection across applications. This system identifies and blocks adverse actions and can isolate the application if necessary, ensuring enhanced security and operational integrity.

CWE Analysis and application-specific behavior classifications
Figure 2. CWE Analysis and application-specific behavior classifications.


CWE analysis, protection, and application-specific behavior classifications are essential for defenders to address increasing vulnerabilities effectively, especially unknown ones. These strategies enable Hypershield to help provide protection for organizations broadly, rather than focusing on individual vulnerabilities as they arise.

In increasingly complex and distributed environments, modern enterprises face a growing number of security threats. Cisco Hypershield addresses this by offering a holistic security solution for applications, workloads, and networks, enhancing existing infrastructures. Hypershield employs AI analytics that utilize deep visibility telemetry and external information to deliver actionable insights and policy recommendations. We are committed to building trust by granting operators access to underlying data, enabling them to review and interact with our AI assistant. Moreover, operators can safely test policy recommendations using Hypershield’s dual data plane on live traffic, ensuring production environments remain unimpacted. This approach significantly accelerates our ability to defend applications confidently and effectively. Shields up!

Want to keep up-to-date on Cisco Hypershield?

For more information on Cisco Hypershield availability, product announcements, demos and more, please visit our Hypershield page.

Are you at RSA Conference 2024? Our booth team is ready to talk all things Cisco Hypershield! Come visit us at:

  • North Hall #5845
  • South Hall #926


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels



Craig Connors

VP and CTO

Security Business Group