The security agent that watches while you work.
19 monitoring modules. LLM-powered threat reasoning. Privacy-first by architecture. Your machine, your data, your control.
19 modules watch your network, files, camera, processes, and more. Corvus detects what's happening on your machine — from ransomware encrypting files to an unknown device joining your Wi-Fi.
An LLM brain analyzes every event. Not pattern matching — actual reasoning. Corvus explains threats in plain language: what happened, why it matters, what to do about it.
A Decision Cache remembers every analysis. By month two, 90%+ of events are handled locally — no cloud calls, no cost, no data sent anywhere. Your agent gets smarter every day.
Each module is self-contained, clearly documented, and can be enabled or disabled at any time.
Monitors file changes across your system with ransomware detection
Five-layer ransomware detection: catches encryption at 1-3 files, not 50
Protects cryptocurrency wallet files from unauthorized access
Captures and analyzes all network connections with threat intel matching
Detects ARP poisoning and man-in-the-middle attacks on your local network
Catches DGA domains, DNS tunneling, and NXDOMAIN floods
Identifies unknown devices appearing on your network
Validates TLS certificates — catches expired, self-signed, and MITM
Identifies processes making periodic callbacks to external servers
Learns your normal bandwidth patterns and flags deviations
Alerts when apps access your camera or microphone with TCC verification
Code signing verification, parent chain analysis, and baseline tracking
Detects new USB devices including potential BadUSB attacks
Monitors for processes hooking keyboard input APIs
Watches for new persistence mechanisms in LaunchAgents, cron, systemd
Detects unauthorized screen recording with sensitive app awareness
Verifies Corvus's own files haven't been tampered with
Detects clipboard hijacking targeting cryptocurrency addresses
Identifies unknown Bluetooth devices and pairing attempts
The LLM reasons about patterns, never content. A strict Data Minimization Layer sits between your events and the AI.
process: /Users/you/Downloads/report.app/helper
destination: 185.234.xx.xx:8443
args: --callback https://185.234.xx.xx/beacon
pid: 4521
parent: /Applications/Preview.appprocess: helper (unsigned)
location: downloads_directory
destination: THREAT_INTEL_MATCH (c2)
pattern: periodic, interval ~52s
severity: HIGH (beaconing + network)Every Corvus agent contributes to a global threat intelligence network. When your agent detects a malicious IP, it shares the indicator — stripped of all identity — with other agents worldwide. When 10+ agents independently confirm the same threat, every Corvus installation is protected.
No profiles. No browsing history. Just anonymous signals in, corroborated warnings out.
Every module, every line of the sanitizer, every encryption routine — auditable by anyone. Security through transparency, not obscurity.
View on GitHub