Vir2us, Inc.
Product Data Sheet
VMunity-AI
Powered by Vienna — The Kernel-Level Isolated Computing Controller
CCE/UCE Kernel Architecture · Class-of-Service Policy Matrix · AI Agent Session Mediation · Default-Deny Execution Enforcement
Patent Portfolio US 8,775,369 · 7,392,541 · 7,788,699
+ 8 additional granted US patents
Provisionals: A1–A9 · B · C (2026)
AU · CA · EPO · JP · KR · CN · IL
100% Efficacy
Default Deny
120M+ Users
25-Year IP Moat
VMunity-AI is the Vir2us flagship endpoint security platform — the foundational layer on which CISO-AI, Citadel, and RoboTech-AI all operate. Powered by Vienna, the kernel-level isolated computing controller, VMunity-AI enforces a Class-of-Service policy matrix that governs every process, command, file access, and AI agent action from spawn to termination. Unauthorized code does not get detected and blocked — it cannot execute, because the COS table never authorized the operation it is attempting.
Why Legacy Security Fails — The Binary Checkpoint Problem

Legacy checkpoint security solutions ask one binary question: is this file known bad? Bypass the checkpoint once — with a zero-day, a supply-chain-poisoned update, a low-level exploit — and the attacker is inside with no further security standing between them and your data. The industry has spent 30 years building increasingly sophisticated ways to answer that binary question. AI-powered adversaries can now generate novel attack signatures faster than any database can be updated, making the question permanently unanswerable.

VMunity-AI eliminates the question entirely. Vienna asks thousands of continuous questions about every process: What is this process? What COS range does it belong to? What commands is it allowed to execute? What paths can it touch? What OS calls can it make? What network connections are permitted? If any single operation is not explicitly in the COS allow table, it cannot happen — not because it was detected as malicious, but because it was never authorized. This is the architectural difference between probabilistic security and mathematically provable security.

The Class-of-Service Policy Matrix — Visualized
[Figure: Vienna COS Matrix, simplified view. Each row = a process class · Each column = a permission category · ✓ = Allowed · — = Default Deny]
Rows (process classes): COS 1–3 · Known Good; COS 4–6 · User App; COS 7–8 · Unknown; AI Agent COS; Driver / System Range
Columns (permission categories): Shell Cmds, FS Access, OS Calls, Network, IPC, DLL Load, AI Tools, Persist
Legend: Allowed (Standard), Allowed (AI Agent COS), Allowed (System), Default Deny, Not Applicable

An AI-generated polymorphic payload, a supply-chain implant, or a nation-state rootkit operating in the COS 7–8 Unknown range cannot execute a single command, access a single file, make a network connection, or establish persistence — not because it was detected, but because the COS table has no allow entries for its range.

Core Capabilities
Vienna — The Kernel-Level Isolated Computing Controller

Vienna serves up computing resources in sealed, isolated CCE/UCE environments — providing full session mediation of every process from spawn to termination. At session end, Vienna destroys the environment and all its contents, eliminating any persistence the session may have acquired. Threat actors cannot carry state from one session to the next. There is no foothold to build from.

CCE/UCE Isolated Computing Architecture

Every process executes inside a Containerized Computing Environment or Universal Computing Environment — a kernel-level isolated container with no ability to write persistent state outside its defined boundaries. A zero-day exploit running inside a CCE/UCE container can compromise only the container it runs in, which is destroyed at session end. The underlying system is structurally unaffected.

AI Agent Session Mediation (KASM)

The first kernel-level controller that mediates every action of an AI agent — every data read, write, tool invocation, API call, and command execution — from spawn to termination. AI agents operating under VMunity-AI cannot exfiltrate data, execute unauthorized commands, or establish persistence, regardless of what instructions they receive. Prompt injection, memory poisoning, and shadow AI are structurally neutralized.

Pre-Execution Kernel Interception (PKIC)

Zero-click exploits and pre-execution attacks are intercepted at the kernel boundary before any user-space process can be spawned. The PKIC engine enforces the CCE/UCE execution boundary at the moment of process creation — not after the fact. An exploit that never achieves process execution cannot compromise the environment, cannot escalate privilege, and cannot establish persistence.

US Patents 8,775,369 · 7,392,541 · 7,788,699 et seq. · Provisionals A1–A9 · B · C (2026)  ·  © 2026 Vir2us, Inc. · Confidential & Proprietary
sales@vir2us.com
The Vienna Session Lifecycle
01 Spawn: Process creation intercepted · COS assigned from policy table · Range determines initial permissions
02 Isolate: CCE/UCE sealed container created · Process boundary enforced at kernel · No persistent write access outside container
03 Mediate: Every command, file access, OS call, network request validated against COS allow table in real time
04 Enforce: Operations not in allow table denied at kernel — no detection lag, no post-facto blocking, no false negatives
05 Terminate: Container and all its contents destroyed at session end — any compromise acquired during session eliminated
06 Log: Full session telemetry archived to CISO-AI audit trail · Anomalies surfaced for compliance & reporting
The Vir2us Platform — How VMunity-AI Powers the Full Suite
VIR2US PRODUCT SUITE ARCHITECTURE — VMunity-AI AS THE FOUNDATIONAL PLATFORM
APPLICATIONS
CISO-AI (A6): Autonomous CISO function · Compliance orchestration · AI threat briefings · Board reporting
Citadel (A7): Multi-domain OT/SCADA command · Cross-sector kill-chain detection · National EOC view
RoboTech-AI (A8): Autonomous kernel reconstruction · User-state preservation · 3–8 min remediation
↑   All products operate on VMunity-AI kernel telemetry and CCE/UCE enforcement   ↑
INTELLIGENCE
VMunity-AI Platform: Real-time kernel telemetry · COS policy enforcement · Session mediation · AI agent governance · Audit trail generation
Vienna Controller: CCE/UCE container lifecycle management · COS table lookup · Process isolation · Session destruction
↑   CCE/UCE kernel enforcement — below OS, invisible to all above-OS processes   ↑
KERNEL
CCE/UCE Kernel Architecture — US 8,775,369 et seq.
Kernel-level isolated computing · KASM (A1) · COS matrix (A2) · PKIC (A3) · KCFCE (B) · KOCP (C) · Vienna/KCDDALCS (A9) · N-Dimensional Policy (A5) · FIPS 140-2 · <1% CPU · Air-gap capable
VMunity-AI vs. Legacy Endpoint Security
| Capability | Legacy AV / EDR (All Vendors) | VMunity-AI / Vienna | Outcome |
|---|---|---|---|
| Security model | Binary checkpoint — known bad list, one question | COS matrix — thousands of per-operation allow decisions | ✓ No bypass possible |
| Zero-day defense | ✗ No signature → no detection → no defense | COS table has no allow entry → cannot execute | ✓ Structurally immune |
| AI-generated malware | ✗ Novel signatures defeat detection permanently | Recognition not required — operation not authorized | ✓ Structurally immune |
| Session persistence | Malware can establish persistent foothold post-bypass | Vienna destroys container at session end — zero persistence | ✓ No foothold possible |
| Operating level | Above OS — blind to kernel-level implants | Below OS — Vienna operates at kernel boundary | ✓ No blind spots |
| CPU overhead | 26–90% CPU · Degrades endpoint performance | <1% CPU · Performance improves post-deployment | ✓ 100× faster |
| AI agent governance | ✗ No mechanism — AI agents unmediated | KASM (A1) mediates every AI agent action at kernel | ✓ Only VMunity-AI |
| Breach record | All major vendors breached during SolarWinds | Zero successful breaches across all deployments | ✓ Zero breach record |
Technical Specifications
Architecture: CCE/UCE kernel-level isolated computing · Vienna controller · Below-OS enforcement
CPU Overhead: <1% · 100× performance vs. legacy · DoD lab verified
Core Patents: US 8,775,369 · 7,392,541 · 7,788,699 · 6,880,110 + 8 more granted
Provisionals: A1–A9 · B · C (all filed March 2026) · NP conversion ~March 2027
Platform: Windows · Linux · macOS · VDI · Cloud · Embedded · Mobile · OT
Cryptography: FIPS 140-2 compliant · Kernel-secured telemetry channels
Deployment: On-premises · Cloud · Hybrid · Air-gap · Classified environments
Scale: 120M+ users deployed globally · Unlimited endpoints · Multi-tenant
"Vir2us is unique, game-changing technology for cybersecurity in the U.S. Federal Government." — Michael Jacobs, Former Director of Information Security, National Security Agency  ·  Presidential Award Recipient  ·  Independent advocate for Vir2us technology within U.S. government for over a decade
Patent Position — 25-Year IP Moat
VMunity-AI is protected by 11 granted U.S. patents covering the CCE/UCE kernel-level isolated computing architecture (US 8,775,369 et seq., Largman et al.), with international coverage in AU, CA, EPO, JP, KR, CN, and IL. The 2026 provisional portfolio (A1–A9, B, C) extends protection to AI agent session mediation, COS governance, zero-click interception, container overlay integrity, orchestration control, temporal attestation, N-dimensional policy matrices, CISO automation, Citadel, RoboTech-AI, and Vienna/KCDDALCS. No commercially available alternative provides kernel-level isolated computing with CCE/UCE enforcement, Vienna session management, and AI agent COS governance. Sole-source justification available on request.
448 Ignacio Blvd., Suite 330 · Novato, CA 94949