Vali Cyber

What is it?

Vali Cyber’s ZeroLock is a runtime security solution for hypervisors, specifically VMware ESXi and Linux-based hypervisors like Proxmox and OpenShift. It’s the first hypervisor security product digitally signed and certified by VMware, deployed as a VIB (vSphere Installation Bundle) through vCenter like a standard ESXi update. ZeroLock’s core capabilities include MFA for command-line logins, virtual patching for exploit prevention (including VM escape attacks), behavioral detection for ransomware, and file restoration to pre-attack state if encryption is detected.

Why did they build it?

Hypervisors are getting attacked. Scattered Spider hit MGM and Marks & Spencer with ESXi ransomware. Nation-state actors compromised MITRE’s ESXi infrastructure in May 2024. Attackers recognize there’s no EDR on hypervisors. Hypervisors give attackers a beachhead for long-term dwell time and a devastating attack surface if encrypted. A compromised hypervisor can take down an entire private cloud without any of the individual VMs being compromised.

VMware environments in particular lack basic security features. There’s no native MFA for SSH. Customers have been asking for years, but Broadcom hasn’t delivered. ZeroLock fills gaps that should arguably be built into the platform.

How is it deployed?

For ESXi: upload the VIB to vCenter, apply via VMware Lifecycle Manager like any other ESXi update. For Linux hypervisors: standard deb or RPM package installed with apt or yum. The agent protects the hypervisor OS itself rather than individual guest VMs (that’s what EDR in the VMs handles).

The solution runs entirely in user space with no kernel modules or hooks, prioritizing stability and performance over deep kernel instrumentation.

What attacks does it stop?

Credential theft is the most common TTP. Attackers steal admin credentials and SSH directly into hypervisors. Vali’s MFA feature prevents simple credential compromise from granting full hypervisor access. Failed MFA attempts generate alerts indicating potential breach attempts.

Ransomware against hypervisors follows a pattern: shut down the VMs to release the locks on their VMDK files (virtual hard disks), then encrypt them. ZeroLock detects file encryption behavior, blocks it, kicks off the attacker, and can restore encrypted files to their pre-attack state.
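To make the detect-and-restore approach concrete, here is an added example written for this page; it is not ZeroLock’s code, whose internals are not described here. It assumes a datastore is a directory of .vmdk files, that a baseline snapshot of each file is kept, and that encryption shows up as a file jumping from structured, low-entropy content to near-random content. The entropy thresholds (7.5 bits/byte absolute, 2.0 bits/byte jump) and the sample VMDK contents are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for
    disk images that contain structure and long zero runs."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class DatastoreMonitor:
    """Watches the .vmdk files in one datastore directory.

    baseline() records each file's entropy and keeps a shadow copy;
    scan() flags files that jumped from structured to near-random content
    (the encryption signature) or vanished; restore() writes the shadow
    copy back. Thresholds are assumptions chosen for this example.
    """

    def __init__(self, root: str, high_entropy: float = 7.5, min_jump: float = 2.0):
        self.root = root
        self.high_entropy = high_entropy  # absolute bar: ciphertext territory
        self.min_jump = min_jump          # relative bar: ignore files that were already dense
        self.shadow: dict[str, tuple[float, bytes]] = {}

    def _read(self, name: str) -> bytes:
        with open(os.path.join(self.root, name), "rb") as f:
            return f.read()

    def baseline(self) -> None:
        for name in os.listdir(self.root):
            if name.endswith(".vmdk"):
                data = self._read(name)
                self.shadow[name] = (shannon_entropy(data), data)

    def scan(self) -> list[dict]:
        alerts = []
        for name, (base_entropy, _) in self.shadow.items():
            if not os.path.exists(os.path.join(self.root, name)):
                alerts.append({"file": name, "reason": "removed"})
                continue
            now = shannon_entropy(self._read(name))
            if now >= self.high_entropy and now - base_entropy >= self.min_jump:
                alerts.append({"file": name, "reason": "encrypted",
                               "entropy_before": round(base_entropy, 2),
                               "entropy_after": round(now, 2)})
        return alerts

    def restore(self, name: str) -> bool:
        _, data = self.shadow[name]
        with open(os.path.join(self.root, name), "wb") as f:
            f.write(data)
        return self._read(name) == data


def run_demo() -> tuple[list[dict], bool]:
    """Constructed scenario: one descriptor edited legitimately, one flat
    extent overwritten with random bytes standing in for ciphertext."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a VMDK descriptor and a mostly-empty flat extent.
        descriptor = b'# Disk DescriptorFile\nversion=1\nRW 8388608 VMFS "vm01-flat.vmdk"\n'
        flat = (b"MBR" + b"\x00" * 509) * 8  # long zero runs, like an idle disk
        for name, data in (("vm01.vmdk", descriptor), ("vm01-flat.vmdk", flat)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        monitor = DatastoreMonitor(root)
        monitor.baseline()

        # Benign change: an admin appends a line to the descriptor (stays low entropy).
        with open(os.path.join(root, "vm01.vmdk"), "ab") as f:
            f.write(b'ddb.uuid = "constructed-example-uuid"\n')
        # Hostile change: the flat extent is replaced wholesale with random bytes.
        with open(os.path.join(root, "vm01-flat.vmdk"), "wb") as f:
            f.write(os.urandom(len(flat)))

        alerts = monitor.scan()
        restored = all(monitor.restore(a["file"]) for a in alerts if a["reason"] == "encrypted")
        return alerts, restored


if __name__ == "__main__":
    found, ok = run_demo()
    print(found, "restored:", ok)
```

Only the flat extent trips the detector; the descriptor edit stays well under the entropy bar, which is the point of combining an absolute threshold with a before/after jump rather than alerting on any write to a disk image. A production agent would watch writes as they happen and terminate the offending session instead of polling, but the signal it acts on is the same.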

Escape-to-host exploits, where attackers compromise a guest VM and use a CVE or zero-day to gain hypervisor access, are blocked through virtual patching.

Who’s buying it?

Governments, Departments of Defense, banks, financial institutions, healthcare: heavily regulated industries or those with high security requirements. Private cloud is growing (double-digit CAGR for both Broadcom’s VMware revenue and Nutanix). Broadcom is betting on private AI driving further growth as organizations want to run LLMs on infrastructure they control.

Risky Business appearances

Sources