Website: https://reclusesecurity.com
Recluse is a closed-source Windows endpoint security platform designed to surface stealthy monitoring, advanced surveillance, and covert intrusion behavior. It achieves this through deep behavioral intelligence, system-wide telemetry analysis, and forensic-grade correlation.
It is engineered for users and organizations demanding visibility and context, not broad-spectrum antivirus heuristics.
Recluse focuses on sophisticated anomalies and behavioral chains, moving beyond simple signature matching.
- Rare Executables: Identifies rare or previously unseen executables, with special attention to age, metadata, and origin.
- Irregular Process Spawning: Detects unusual process trees, irregular spawning patterns, and unexpected persistence mechanisms.
- Suspicious I/O: Monitors I/O behavior โ flagging heavy I/O, suspicious file operations, or filesystem activity from untrusted binaries.
- High-Risk Automation: Observes high-risk scripting, automation, or administrative-class behavior (e.g., WMI, scripting engines, command invocation) that deviates from baseline system norms.
- Packing & Obfuscation: Uses structural heuristics and entropy-based evaluation to flag packed, obfuscated, or high-entropy binaries often characteristic of covert loaders or instrumentation tools.
- Comprehensive Trust Profile: Evaluates signature status, publisher reputation, execution path, and file metadata to build a comprehensive local trust profile โ enabling distinction between benign software and potential implants or stealthy tools.
Recluse provides a holistic view rather than isolated alerts:
- Holistic Correlation: Correlates across process behavior, network activity, registry changes, persistence artifacts, listener creation, and more.
- High-Confidence Findings: Detects multi-signal cascades (e.g., a suspicious executable + unusual network listener + registry autorun + unusual script execution) โ consolidating them into high-confidence "findings."
- Historical Baseline: Maintains a historic baseline of system behavior: first-seen binaries, prevalence distributions, execution and persistence norms, network and listener history, and known trusted artifacts.
- Deviation Flagging: Flags events based on temporal deviation: first-time occurrences, rare patterns, or behavior diverging from the historical baseline โ dramatically reducing false positives and raising detection fidelity.
- Contextual Risk Scoring: Uses a weighted, multi-signal risk scoring engine to produce alerts with severity, context, and evidence โ not just raw "suspicious file detected" noise.
| Recluse IS | Recluse IS NOT |
|---|---|
| A forensic-level detection and analysis tool for surveillance, intrusion, and stealthy behavior. | An antivirus or malware removal tool. |
| A visibility engine โ surfacing suspicious behavior and offering context, evidence, and clarity. | A real-time threat blocker or quarantine system (v1). |
| A complementary asset to antivirus/EDR, focusing on detection of non-signature-based, stealthy threats. | A tool that modifies system behavior or compromises user control. |
| A local analysis engine โ all analysis and storage remains local (no telemetry sharing). | A telemetry-sharing cloud tool. |
- Compromise Investigation: Investigating whether a machine has been compromised by unknown or custom surveillance tools.
- Proactive Monitoring: Monitoring high-risk systems for suspicious or anomalous behavior, without relying on signature databases.
- Incident Response: Forensic review and incident investigation โ seeing how suspicious behavior unfolded, not just that โsomething happened.โ
- Stealth Implant Visibility: Gaining visibility into stealthy implants or covert tools (e.g., loaders, script-based monitoring, stealth network listeners, persistence implants) that AVs often miss.
Recluse lets you see whatโs really happening on the system, with clarity, context, and evidence.
| Version | Focus | Key Capabilities |
|---|---|---|
| v1 (Current) | User-Space Behavior & Static Analysis | User-space detection, behavioral and static analysis, telemetry correlation, baseline modeling, forensic findings. |
| v2 (Planned) | Kernel-Level Endpoint Detection & Response | Deeper telemetry, richer event capture, improved real-time coverage, extended threat-hunting capability. |
Recluse is still a work in progress, however when released you can see product details, UI screenshots, technical comparisons, and licensing at: