OPSWAT launched MetaDefender Aether, a decision-making engine that the company positions as a way for security teams to make faster decisions on files that may contain never-before-seen malware.
This product targets so-called zero-day threats that can evade traditional detection methods. Aether returns one verdict per file with a confidence score and context that security operations center teams can use for response and automation.
MetaDefender Aether is designed for use at the perimeter, where organizations ingest files through multiple channels, including email attachments, file transfers, removable media, cloud storage, and web traffic. The aim is to inspect files before they reach users, devices, and internal systems.
Perimeter focus
Many established tools are built for endpoint protection rather than large-scale perimeter inspection. OPSWAT argues that deploying endpoint-class antivirus and sandboxing technologies at gateways creates operational friction that can lead to queue backlogs, inconclusive results, and alert fatigue.
Attackers are also changing their approach, using AI and machine learning to generate obfuscated or evasive threats that evade static and signature-based analysis. This change puts increased pressure on perimeter controls that must handle large volumes of files without slowing down business workflows.
MetaDefender Aether combines multiple analysis layers into a single pipeline, integrating threat reputation, dynamic analysis, machine learning-based threat scoring, and similarity-based threat hunting. OPSWAT said internal benchmarks showed “99.9% zero-day detection effectiveness.”
Layered analysis
Aether begins with a threat reputation check against OPSWAT’s threat intelligence database. At this stage, known malicious files can be blocked immediately and trusted files can be fast-tracked. OPSWAT’s benchmark put the effectiveness of this layer alone at 48.7%.
Files that require more scrutiny are escalated to dynamic analysis. OPSWAT describes it as an adaptive sandbox that uses instruction-level CPU and operating system emulation rather than virtual machines. According to OPSWAT, this approach triggers execution paths across more than 120 file types, exposing behavior that malware would otherwise hide when it detects a VM. Cumulative efficacy after this tier is stated as 83.4%.
Layer 3 applies a machine learning engine to generate a structured risk score based on behavioral signals, anomaly patterns, and indicators of compromise. OPSWAT reported a cumulative efficacy of 99.3% at this stage.
The final layer performs a similarity search against a repository of over 100 million analyzed malware samples. It aims to associate suspicious files with known threat families, campaigns, and toolkits. OPSWAT reported a cumulative effectiveness of 99.9% once this phase was completed.
According to OPSWAT, the staged model reduces compute consumption by sending only a subset of files for deeper analysis. Almost half of threats can be resolved at the first reputation layer.
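The staged escalation described in the four layers above, as an added Python sketch that is not OPSWAT’s code: each tier either returns a single structured verdict (label, confidence, context) or escalates to the next, and a per-tier load count shows how few files reach the expensive tiers. Tier rules, thresholds and the sample files are all constructed for illustration.

```python
"""Staged verdict pipeline: constructed illustration of the four tiers above, not OPSWAT code."""
# Constructed sample files (name -> attributes); nothing here is a real detection.
SAMPLES = {
    "invoice.pdf": {"rep": "trusted",   "behaviors": [],                        "score": 0.02, "family": None},
    "dropper.exe": {"rep": "malicious", "behaviors": ["persistence"],           "score": 0.97, "family": "Fam.A"},
    "macro.docm":  {"rep": "unknown",   "behaviors": ["spawn_shell", "autorun"], "score": 0.91, "family": None},
    "tool.bin":    {"rep": "unknown",   "behaviors": [],                        "score": 0.88, "family": None},
    "variant.dll": {"rep": "unknown",   "behaviors": [],                        "score": 0.40, "family": "Fam.B"},
    "notes.txt":   {"rep": "unknown",   "behaviors": [],                        "score": 0.05, "family": None},
}

def verdict(label, confidence, tier, context):
    """Single structured result a SIEM/SOAR consumer can act on."""
    return {"verdict": label, "confidence": round(confidence, 2), "tier": tier, "context": context}
def reputation(f):   # Tier 1: block known-bad, fast-track trusted, escalate unknown
    if f["rep"] == "malicious":
        return verdict("malicious", 0.99, 1, ["reputation hit"])
    if f["rep"] == "trusted":
        return verdict("benign", 0.99, 1, ["trusted source"])
    return None
def dynamic(f):      # Tier 2: emulated execution; two or more observed behaviours is conclusive
    if len(f["behaviors"]) >= 2:
        return verdict("malicious", 0.90, 2, f["behaviors"])
    return None
def ml_score(f):     # Tier 3: structured risk score; only the extremes are conclusive
    s = f["score"]
    if s >= 0.85 or s <= 0.10:
        return verdict("malicious" if s >= 0.85 else "benign", max(s, 1 - s), 3, [f"risk score {s}"])
    return None
def similarity(f):   # Tier 4: nearest known family; as the last tier it always decides
    if f["family"]:
        return verdict("malicious", 0.80, 4, [f"similar to {f['family']}"])
    return verdict("benign", 0.60, 4, ["no similar sample in corpus"])
TIERS = [reputation, dynamic, ml_score, similarity]

def analyze(f, load):
    """Run tiers in order, stop at the first conclusive verdict, and count tier use."""
    for tier_no, tier in enumerate(TIERS, start=1):
        load[tier_no] = load.get(tier_no, 0) + 1
        result = tier(f)
        if result is not None:
            return result
    raise RuntimeError("the final tier must always return a verdict")

def run_pipeline(samples=SAMPLES):
    """Return {name: verdict} plus how many files each tier had to process."""
    load = {}
    verdicts = {name: analyze(f, load) for name, f in samples.items()}
    return verdicts, load
```

With the constructed samples, six files enter tier 1 but only one reaches the similarity tier, which is the compute saving the staged model relies on.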
Efficiency claims
Sandboxing remains a key element of malware analysis, especially for detecting new threats, but it can consume large amounts of resources. According to OPSWAT, Aether combines instruction-level emulation with the layered pipeline to be 100 times more resource efficient than VM-based sandboxes.
This design also focuses on operational decision-making rather than telemetry collection. Many security teams need to correlate output from separate tools such as sandboxes, reputation services, and threat intelligence platforms. OPSWAT positions Aether as an alternative to these fragmented steps, providing a single pipeline and unified output.
Jan Miller, OPSWAT’s global CTO, said the market needs clearer results from perimeter inspection systems.
“Traditional sandboxes weren’t built for large-scale, AI-driven threats. Security teams don’t need more telemetry. They need definitive answers. MetaDefender Aether does what sandboxes weren’t designed to do: AI that transforms isolated analysis into a single, reliable verdict that SOC teams and automation platforms can immediately act on, right before a file reaches the network. Replace with native pipeline.”
Deployment and integration
According to OPSWAT, MetaDefender Aether can operate in cloud, hybrid, and air-gapped environments. It also supports various regulatory and security frameworks, including NERC CIP, NIS2, SWIFT CSP, CMMC, IEC 62443, GDPR, and HIPAA.
Integration is central to the product’s positioning. According to OPSWAT, the output is structured for SIEM and SOAR workflows, and Aether is integrated across the broader MetaDefender portfolio, including Core, Cloud, Email Security, MFT, ICAP, Storage, Kiosk, and Cross-Domain.
According to OPSWAT, Aether feeds the results of dynamic analysis back into the threat reputation layer. It also said that every file analyzed contributes to a global intelligence graph, and that it expects detections to improve over time as more files pass through the system.
