Dedun: Practical Reflections on Advanced Threat Defense in the AI Era

In the AI Era, What Kind of Security Defense Do We Really Need?
Date: 2026-04-16
April 15 is National Security Education Day, and "security" is once again a hot topic in society. For governments and enterprises riding the wave of AI, however, it is no longer a vague concept but a series of real offensive and defensive challenges laid out before them.
Recently, several topics in the cybersecurity industry are particularly worth examining together.
The first is the ongoing discussion sparked by the OpenClaw "Crayfish" craze. For the first time, many people have experienced directly how AI agents and automation tools are bringing revolutionary changes to work and daily life. Applied to cybersecurity, however, the same tools raise the generation, iteration and concealment of attack chains to a new level.
Tasks that previously required a certain technical threshold can now be accomplished at much lower organizational cost, thanks to models, tools and ready-made environments.
The second is the Claude Code source code leak incident. It reminds enterprises, in a dramatic way, that security risk does not arise only at the moment of external intrusion. Source code management, permission boundaries, release processes and internal collaboration, links that were often dismissed as "management issues", are frequently the actual sources of security risk.
An even more alarming development: Anthropic's latest Claude Mythos large model has discovered thousands of critical 0day vulnerabilities in mainstream operating systems, web browsers and general-purpose software. The capability boundaries of large models keep being broken through, and their iteration speed far exceeds industry expectations.
These three events go straight to the core anxiety of government and enterprise cybersecurity today: when AI makes attacks more automated, more covert, cheaper and more powerful, and when advanced threats are no longer large-scale "indiscriminate fishing" but targeted "precision sniping", can our traditional security protection systems still hold up?
With AI evolving at an exponential rate, this question will come to mind again and again until it becomes a shared anxiety of our time: devices are deployed, platforms are built, and security construction has not been neglected. Yet when going head-to-head with advanced threats, we still get stuck at the fatal points: the threat is invisible, the sample cannot be captured, and the attack is hard to trace in full after the fact.
Most of the time, it is not that there are no alerts, but that it is hard to answer clearly: Where exactly does the risk come from? What links has it passed through? Where has the impact spread? And how can it be quickly remediated?
Ultimately, the problem is not whether enough security products are used, but that many traditional protection ideas are no longer sufficient today.

Breaking Free from the Trap of “Signature Matching”

The Core Logic of Security Defense Has Changed

For a long time, many security capabilities were built on a fairly clear logic: first know what a threat looks like, then discover it through signature matching, rule matching and sample-library hits. In essence this is a passive game of always chasing the attack. The approach has its value, but its limitations are obvious. Against unknown Trojans, fileless attacks, in-memory malware, 0day exploits, or attackers who actively erase their traces, methods that rely on signature databases and known samples become increasingly passive, because they are waiting for a "known answer" to appear before they can judge whether a risk exists.
The most intractable problem is that today's threats no longer readily leave "standard answers". Seen from this angle, what makes the Dedun product system noteworthy is not the addition of one more detection point or one more functional module, but a more fundamental shift in its judgment logic: it no longer asks only "does this resemble a known threat?", but goes on to ask "what exactly is it doing?"
This may sound like a technical statement, but it corresponds to a change in the entire security mindset.
Once judgment shifts from "signature recognition" to "behavior recognition", many problems that were previously hard to capture can be handled in a different way.
On the endpoint side, Dedun ADS continuously collects fine-grained, kernel-level behavior data through lightweight agents, persistently monitoring processes, files, the registry, network behavior and module loading. It does not merely check whether a file hits a blacklist; it observes whether a sequence of actions is abnormal and thereby determines whether a behavior chain has formed.
This matters because unknown threats do not show up as "standard malicious files". They are hidden within a series of seemingly normal actions. Any single step, viewed alone, may be unremarkable, but once these actions are put back into a complete chain, the problem begins to emerge.
In other words, what we need to identify is not just an isolated object but how an attack intent is carried out step by step. This is an increasingly critical difference between advanced threat detection and traditional antivirus.
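As an added illustration (not Dedun's or FundeAI's code), the following Python sketch contrasts the two judgment logics on a constructed endpoint event stream: a name-based blacklist lookup that finds nothing, and a correlator that groups events by process tree and counts distinct attack-chain stages. Event fields, stage names, the sample records and the three-stage threshold are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample telemetry (not real data); fields: (pid, ppid, kind, detail).
EVENTS = [
    (100, 1,   "process",  "winword.exe"),
    (200, 100, "process",  "powershell.exe -w hidden -enc <blob>"),
    (200, 100, "network",  "outbound 443 to external host"),
    (200, 100, "file",     "write %APPDATA%\\update\\x.dll"),
    (200, 100, "registry", "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    (200, 100, "module",   "load %APPDATA%\\update\\x.dll"),
    (300, 1,   "process",  "explorer.exe"),
    (300, 1,   "network",  "outbound 443 to external host"),
]
KNOWN_BAD_NAMES = {"mimikatz.exe", "evil.dll"}  # constructed stand-in for a signature DB

def signature_verdict(events, known_bad=KNOWN_BAD_NAMES):
    """Traditional logic: report only processes whose image name is already blacklisted."""
    return [e for e in events if e[2] == "process" and e[3].split()[0] in known_bad]

def stage_of(kind, detail, parent_image):
    """Map one event to an attack-chain stage; None means unremarkable on its own."""
    if kind == "process" and "powershell" in detail and "winword" in (parent_image or ""):
        return "initial_execution"   # document app spawning a script interpreter
    if kind == "network" and "external" in detail:
        return "outbound_contact"
    if kind == "file" and "%APPDATA%" in detail:
        return "payload_drop"        # write into a user-writable location
    if kind == "registry" and "\\Run" in detail:
        return "persistence"
    if kind == "module" and "%APPDATA%" in detail:
        return "payload_exec"        # loading the dropped file
    return None

def root_of(pid, parent):
    """Walk parent links up to the top of the process tree."""
    while parent.get(pid, 1) != 1:
        pid = parent[pid]
    return pid

def chain_verdict(events, min_stages=3):
    """Behavior logic: collect stages per process tree; a tree reaching min_stages
    distinct stages is reported as an established behavior chain."""
    parent = {pid: ppid for pid, ppid, kind, _ in events if kind == "process"}
    image = {pid: d.split()[0] for pid, _, kind, d in events if kind == "process"}
    stages = defaultdict(list)
    for pid, ppid, kind, detail in events:
        stage = stage_of(kind, detail, image.get(ppid))
        root = root_of(pid, parent)
        if stage and stage not in stages[root]:
            stages[root].append(stage)
    return {root: chain for root, chain in stages.items() if len(chain) >= min_stages}
```

On this input the blacklist returns no hits, while the tree rooted at winword.exe accumulates five stages and the explorer.exe tree, with its single outbound connection, stays below the threshold.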

[Figure: Traditional Defense vs. Dedun]

If the endpoint side solves the problem of "seeing behaviors", the network side solves the problem of "pulling out the complete chain". Many attack traces are exposed not on the host but in communication behavior. Abnormal outbound connections, plaintext transmission, backdoor callbacks, unauthorized access and covert data flows cannot be fully reconstructed by single-point static detection.
The value of Dedun here lies in surfacing those easily overlooked network anomalies through traffic modeling and full-traffic session retention, supplying the missing context for the attack chain. The endpoint side sees "what it did"; the network side adds "how it connected out, how it spread, and how it completed the transfer".
For today's advanced threats, both perspectives are indispensable, because many attacks are no longer a straight line but a complex path across endpoints, networks and permission boundaries.
Looking at only one part typically yields alerts; to form a real judgment, these scattered signals must be reconnected into a complete attack chain.
[Figure: Dedun – Defense Logic]

The Hardest Problem in the Industry: How to Preserve Evidence When Trojans Self-Destruct?

More intractable than "failing to detect" is "detecting too late". The problem becomes acute against highly adversarial threats such as self-destructing specialized Trojans and in-memory malware. Many malicious programs exist only in memory; once the system restarts or the attacker senses a detection action, they self-destruct quickly, leaving almost nothing to analyze. By the time the security team actually starts investigating, the scene has usually been thoroughly cleaned up.
This is why Dedun's Freeze Analysis System is so critical. Its approach is not to wait for the attack to "end" and analyze at leisure afterwards, but to preserve the scene completely, as quickly as possible, at the critical moment. Physical memory, process state, threads, modules, the registry, the disk file system and startup methods are fully imaged, cloned and preserved.
It can be understood as taking a security snapshot of the compromised host before attackers have time to erase their traces.
[Figure: Dedun – Freeze Analysis System]
The significance of this step is not just "preserving a little more data". More importantly, it means enterprises facing advanced threats no longer have to stop at the vague judgment that "something seems to have happened". They get the opportunity to restore the attack chain, extract samples, analyze startup methods, and provide more complete support for subsequent tracing and forensics.
In the government and enterprise sectors, the importance of this capability is often only fully appreciated after a complex attack has been encountered. In highly adversarial scenarios, alerts are only the starting point: evidence determines the depth of remediation, and the attack chain determines the efficiency of response.

Truly Practical Protection Is Never a Stack of Single-Point Products

Viewed as a whole, Dedun does not stake its case on any single capability being best-in-class; it attempts to reconnect several capabilities that used to be fragmented.
  • On the endpoint side: clearly see fine-grained behaviors on hosts
  • On the network side: clearly see attack paths and transmission processes
  • On the forensics side: freeze critical evidence before attackers self-destruct
When the three work together, the result is not a simple "stacking of functions" but a more practical closed loop: not only defend against attacks but detect them; not only detect them but trace them back and verify them clearly.
[Figure: Dedun – Core Architecture]
This is also the more essential difference between Dedun and many single-point alert products. Today’s advanced threats are simply not problems that can be completely solved by one device, one rule or one module. If there is only interception without attack chains, only detection without evidence, only alerts without context, what is ultimately left to customers is often more information to process rather than actionable judgments.
In the face of increasingly diverse security threats, what we lack is not one more protection concept, but several more practical capabilities.
First, capability proven in real offensive and defensive environments. Whether a product is truly designed around actual combat matters far more than paper parameters when facing highly adversarial scenarios such as APTs, vulnerability exploitation, self-destructing Trojans and covert communications.
Second, the capability to put complex capabilities into practice. Many advanced threat products are not weak, but their threshold is too high and they rely too heavily on security experts, so customers cannot build continuous remediation capability even after buying them. Dedun's emphasis on automated detection, automated analysis and visual presentation is essentially about lowering the threshold for using advanced capabilities as far as possible.
Third, systematic capability. Security effectiveness and construction standardization should no longer be understood separately. Protection, detection, tracing, forensics and compliance should all be viewed within the same framework.
This is why, for today's government and enterprise sectors, what really matters is no longer "whether a certain function exists", but whether there is a mechanism that can see, understand and fully grasp unknown threats when they actually arrive.

In the AI Era, Security Construction Shifts from “Passive Interception” to “Systematic Collaboration”

If cybersecurity construction in the past was more like continuously reinforcing a wall, then today’s security construction is more like continuously operating an evolving defense system.
[Figure: Dedun – Response Process]
AI is making attacks more automated, lower-cost and more covert. Traditional models that rely on fixed rules, single-point matching and post-incident response are increasingly unable to keep up with the speed of attack evolution. In the future, government and enterprise security protection will definitely shift from “passive interception” to “active prediction”, and from “single-point products” to “systematic collaboration”. Whoever can truly combine unknown threat identification capabilities, full-chain correlation capabilities and forensics capabilities will be more likely to take the initiative in the next round of confrontation.
From this perspective, Dedun’s subsequent technical layout—whether it is continuing to strengthen the AI intelligent detection engine, deepening the linkage between endpoints, networks and freeze forensics, or further adapting to localization and complex business environments—all stem from the same judgment: the competition of security products will ultimately not stay at the level of function stacking, but will increasingly depend on collaboration efficiency, practical closed loops and real implementability.
When talking about cybersecurity today, what most needs to be updated is perhaps not just a certain technical term, but a way of understanding. Security is no longer a one-time procurement, one-time deployment and one-time acceptance project, but increasingly a continuous operational capability building. Threats are changing, attack methods are changing, and enterprises’ own system boundaries, collaboration methods and asset exposure surfaces are also changing. If we still pin our hopes on a single-point product, we will ultimately only get more and more isolated alerts and higher and higher remediation costs.
A truly valuable security system should at least accomplish several things: see abnormal behaviors, pull out complete attack chains, preserve critical evidence, and support subsequent remediation. That is perhaps what makes products like Dedun worth serious discussion. It does not just answer "is there a risk?"
What it wants to answer is: when risks truly become complex, does the enterprise still have the ability to handle them completely?

About FundeAI

FundeAI is committed to becoming a provider of digital economy infrastructure and an enabler of industrial intelligent development. Based on the technical foundation of “Artificial Intelligence + Dynamic Ontology” and centered on “algorithms, computing power, data and security”, we serve multiple industries including finance and insurance, energy and chemical engineering, health management and smart government. Starting from cutting-edge scenarios, we transform technology into implementable business results, helping with risk control, efficiency improvement and intelligent decision-making. We believe that the value of digital intelligence lies in solving complex problems in the real world.