TropiGuard is a lightweight endpoint detection & response tool for Windows that watches for threats at the thread level — and keeps your data on your machine. Local-first, no kernel driver, AI strictly opt-in.
Most endpoint security asks you to send your machine’s activity to someone else’s cloud, install a kernel driver, and trust a black box. TropiGuard takes the opposite stance: detection runs entirely on-device, it stays in user mode — no driver — and nothing about your processes or memory leaves the machine unless you explicitly turn on a cloud AI provider.
It isn’t trying to be the next billion-dollar platform. It’s a focused, transparent tool for people who want real thread-level visibility, AI triage they control (local Ollama or your own API key), and response actions that are gated so they can never touch a critical or trusted process. Honest about being alpha, honest about what it sends, honest about what it can and can’t do.
A layered, user-mode pipeline: spot the anomaly, understand it, remember it, and act on it safely.
Inspects running threads for shellcode patterns, code injection, inline hooks, stack pivots, and RWX / unbacked-execution memory — the techniques real intrusions actually use.
Optional AI classification via local Ollama or your own key (Claude, OpenAI, Gemini, OpenRouter). Cloud providers are off by default; keys are encrypted at rest with Windows DPAPI.
When a thread is judged malicious — or a program crashes — TropiGuard fingerprints the offending code so the next encounter is caught faster and cheaper.
Persistence scanning (run keys, scheduled tasks, services), registry & file-integrity watchers, process-creation monitoring, memory scanning, a YARA-subset engine, and crash capture from the event log.
Suspend, terminate, or isolate — every destructive action is checked against a whitelist and a critical-process guard, so it can never act on system or trusted processes. Every action is audited.
Forward threat events to your own dashboard, SIEM, or ticketing webhook — each carrying the machine name, so a fleet of endpoints reports to one place. Built for MSP deployments.
TropiGuard is in early alpha. We’re onboarding a small group of testers to shape what ships next — security tools earn trust one honest release at a time.
An elevated installer with a Start-menu shortcut, optional run-at-startup, and a clean uninstall. The alpha build is self-signed, so Windows SmartScreen will warn about an unknown publisher — a purchased code-signing certificate is the next milestone.
TropiGuard is security software in early alpha. Here’s a straight account — the same standard we hold our consulting work to.
Detection. Per-thread analysis (shellcode signatures, code injection, process hollowing, inline hooks, stack pivots, RWX and unbacked-execution memory), WMI process-creation monitoring, persistence enumeration (run keys, scheduled tasks, services, IFEO, Winlogon, COM hijacks), live registry and file-integrity watchers, a memory scanner with wildcard pattern matching, a self-contained YARA-rule-subset engine, and crash capture from the Windows event log.
Triage & response. Optional AI classification (local Ollama or bring-your-own key) with per-risk model tiers, response caching and rate limiting, and learned threat memory that fingerprints offending code. Response actions — suspend / terminate / isolate — run through a non-overridable guard that refuses to touch critical, system, or whitelisted processes, with every action audited.
Operations. A system-tray app with a dashboard, a first-run setup wizard, configurable risk thresholds and presets, a process whitelist, and webhook alert forwarding for central / MSP visibility. The core logic ships with an automated test suite.
It’s alpha, and it’s security software — expect false positives. Heuristic detection can flag legitimate programs that legitimately do unusual things (JIT compilers, debuggers, packers, anti-cheat). We whitelist common runtimes and let you tune thresholds and add your own trusted processes, but you will see noise. The build is self-signed, so SmartScreen warns. TropiGuard needs Administrator to inspect threads in other processes; without elevation it runs in a clearly-flagged reduced-scope mode. Threat-intel feeds and a multi-endpoint console are infrastructure-complete but not yet enabled.
Local-first, user-mode. Detection runs entirely on your machine. There is no kernel driver. Cloud AI is opt-in and off by default — with it disabled (or using local Ollama), no process or memory data leaves the device. When you enable a cloud provider, the first run discloses exactly what gets sent (process name, suspicious code bytes, detection indicators) before anything is transmitted. API keys are encrypted at rest with Windows DPAPI. It’s your endpoint; TropiGuard treats it that way.
Every signed release publishes the installer’s SHA-256. Verify in PowerShell with:
Get-FileHash tropiguard-setup-<version>.exe -Algorithm SHA256
If the hash doesn’t match what’s published, don’t run the installer. Report anything broken to bugs@tropibyte.com.
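As an added example (not code from the TropiGuard project), a PowerShell script that runs the hash check above and also reports the installer’s Authenticode status, so the expected self-signed warning is visible rather than surprising; the file name and published digest are placeholders you fill in from the release page.

```powershell
# Added example, not TropiGuard's own code. $Installer and $PublishedHash are
# placeholders: use the real file name and the SHA-256 published with the release.
param(
    [string]$Installer     = ".\tropiguard-setup-<version>.exe",
    [string]$PublishedHash = "<SHA-256 from the release page>"
)

if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Error "Installer not found: $Installer"
    exit 1
}

# 1. Hash check: the same Get-FileHash call as above, compared against the
#    published digest. -ne is case-insensitive, so hex case does not matter.
$actual = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
if ($actual -ne $PublishedHash.Trim()) {
    Write-Error "SHA-256 mismatch: expected $PublishedHash, got $actual. Do not run this installer."
    exit 2
}
Write-Host "SHA-256 matches the published value."

# 2. Signature check: the alpha build is self-signed, so Windows cannot chain it
#    to a trusted root. Show who signed it and flag the status explicitly.
$sig    = Get-AuthenticodeSignature -LiteralPath $Installer
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(none)" }
Write-Host "Authenticode status: $($sig.Status); signer: $signer"

switch ($sig.Status) {
    'Valid'     { Write-Host "Signature chains to a trusted root (expected once a purchased certificate ships)." }
    'NotSigned' { Write-Warning "File is unsigned; the published build should at least be self-signed." }
    default     { Write-Warning "Signature does not chain to a trusted root (expected for the self-signed alpha; the hash check above is what you rely on)." }
}
```

Run it with the downloaded file and the digest from the release page; a non-zero exit code means the installer should not be run.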
TropiGuard ships incrementally. Here’s the work on the path to a public release.
Hardening the detection pipeline, reducing false positives, and expanding the test suite from real-world feedback.
A purchased Authenticode certificate so the installer runs without SmartScreen warnings — the gate to wider testing.
Free IOC / signature feeds wired in, plus a headless run-as-service mode for unattended and managed deployments.
A central view for fleets — the MSP story — built on the per-endpoint webhook already shipping in the alpha.
TropiGuard is being shaped by its early users — especially false-positive reports, which directly improve detection. Bug reports go to a dedicated address; general notes go to hello@tropibyte.com. We read everything.