Request a Demo

Secure Environments for High-Stakes Work Instant. Isolated. Frictionless.

The world's first zero-trust isolated environments platform. Enable unrestricted innovation and conduct high-stakes work without sacrificing speed for security. Deploy secure isolated labs and workspaces in seconds—protected by our patented anonymous attack surface, enterprise observability, and comprehensive data controls.

Book A Demo

Innovation Moves Fast. Your Security Model Should Too.

Legacy security architectures create friction and slow strategic initiatives. With 82 percent of breaches involving cloud assets and 75 percent of employees adopting unsanctioned tech, traditional perimeter-based approaches either leave you exposed or grind innovation to a halt.

Replica delivers full computing environments that empower organizations to conduct high-stakes work—securely and behind an anonymous attack surface. Our patented zero-trust isolated environments eliminate traditional trade-offs between security and speed.

  • Full-Stack Isolation: Beyond browser—OS, network, applications, data protection end-to-end
  • Built-In Managed Attribution: Unattributable access to restricted content with realistic digital personas
  • SaaS-Delivered & Rapidly Deployable: Activate secure environments in minutes, not months
  • Collaboration Without Compromise: Cross-team, cross-agency partnerships with complete auditability
Book A Demo

Where Security Powers Innovation

Secure environments designed for innovation, mission-critical security, investigations, and operations.

Business Acceleration

Safely experiment with AI and test untrusted software, accelerate M&A workflows, enable secure third-party collaboration, and speed R&D innovation—all while protecting IP and maintaining compliance.

Fraud & Financial Crime Investigations

Uncover fraud and illicit activities by accessing hard-to-reach data worldwide. Gather evidence while maintaining compliance.

Dark Web Operations

Access and analyze content across dark web sources, closed forums, and restricted platforms while maintaining complete anonymity and chain of custody.

Advanced Malware Analysis

Isolate, detonate, and reverse-engineer malware and adversary infrastructure in a fully contained, disposable environment, without risking corporate networks or endpoints.

Isolation of Acquired Tech

Quickly gain control and oversight of technology and operations from mergers and acquisitions, ensuring seamless integration and maximized value.

Secure Investigation & Colab

Investigate threats across any platform anonymously – from mobile to restricted sources to closed forums. Automate collection and analyze safely without exposure.

And more

Deploy Instantly, Without Friction

Security without complexity. Operations without limits. Replica activates in seconds, eliminating IT bottlenecks and seamlessly integrating with existing security frameworks.

Zero-touch deployment and maintenance

Scale instantly from 5 to 10,000+ users

Eliminate multiple, fragmented security tools with a single, unified platform

Comply seamlessly with enterprise security policies, governance, and audit requirements

Transform High-Stakes Work with Control and Compliance

Replica enables high-stakes operations with uncompromising security, seamless collaboration, and full compliance, protecting critical assets while ensuring complete control.

Securely accelerate AI experimentation, M&A, R&D, and strategic initiatives

Ensure comprehensive audit trails and regulatory compliance

Protect proprietary research, confidential data, and critical assets

Enable secure, controlled collaboration on classified operations

Features & Integrations

Built to work with your existing tools.

Flexible Network Options

Open API Architecture

Networks

Orchestrated Hybrid Environments

Comprehensive Observability

Proxies

Jobs and Automation

Telephony

Enterprise Integrations

Advanced File Sharing

What Our Customers Are Saying

Trusted by Industry Leaders to Power Secure Operations

“Replica gave us access to the data we needed around the world. The secure environments were always available and super flexible.”

Intelligence

Customer

"We were manually creating, maintaining and securing hundreds of VM’s for every contractor. Replica automated that process but gave us so much more insight and control over those environments."

SLED

Customer

“In the past year, we were able to complete three data collections. In one week with Replica, we were able to complete 30. This is game changing.”

Telecommunications

Customer

“I appreciate that Replica is flexible — there are different ways to deploy it, it is scalable, it is deployable, it is responsive, mobile, and it serves multiple markets.”

DOD

Customer

Experience the Future of Secure Operations with Replica

Security shouldn’t slow you down. Eliminate barriers, protect critical assets, and accelerate your most sensitive work—without risk.

Discover how government, enterprise, and cybersecurity teams use Replica to operate with confidence and control.

Book A Demo
DSPM in isolated environments

DSPM Found Your Data. Who’s Accessing It Right Now?

Why data security posture management and session-level protection are solving different halves of the same problem. 

Your Data Security Posture Management deployment finished. You know where regulated data lives. You know which SaaS applications hold it, who has permissions, and which sharing settings are too broad. That’s real progress. 

Now ask a harder question: what happens when an attacker bypasses all of that by hijacking an active session? 

DSPM maps the static picture. It tells you where data sits and how it’s configured. What it doesn’t cover is the live session, the moment a valid user token gets intercepted, an OAuth consent gets manipulated, or an attacker operates inside a legitimate session wearing someone else’s identity. That’s a different risk surface, and it’s the one that adversaries are increasingly targeting because DSPM doesn’t see it. 

The session is the new perimeter 

Many SaaS security programs are built around a familiar model. Protect identities, enforce MFA, manage permissions, and monitor for suspicious logins. Those controls remain essential. 

The challenge is that SaaS access often continues through approved applications, existing sessions, and authorization decisions that happen during normal work. When attackers exploit those paths, the activity can look like ordinary usage because it is happening inside the same mechanisms users rely on every day. 

A typical sequence: 

An employee receives a message in email or chat that links to a SaaS workflow they use regularly. The page looks familiar. The employee signs in and continues. During the interaction, the employee is prompted to approve a simple access request that appears routine, or the interaction results in an attacker capturing a session artifact. The attacker then uses that access to read data, search files, or take actions inside the SaaS environment. The actions can blend into normal activity patterns, which is why detection can be delayed. 

MFA can be present and still not be the only line that matters. The risk moves from breaking authentication to taking advantage of authorized access that persists beyond a single login moment. 

A DSPM tool in this situation still does valuable work. DSPM helps you discover sensitive data across SaaS and identify risky permission patterns and broad access. DSPM answers where sensitive data is and who or what can reach it. 

The remaining gap is timing. Some attacks are about what happens during use, not just what is configured. The attacker’s goal shifts from finding sensitive data to operating as someone or something that already has access. 

Consent phishing and session abuse are persistent patterns 

Consent phishing is one example. A user is tricked into approving an application request that looks legitimate. The approval grants the application access to mail, files, or calendar data. The platform treats the access as authorized because it was granted through the standard flow. 

This creates separation between two important categories of security capability. DSPM reduces structural risk by finding sensitive data and highlighting risky exposure conditions. Session-focused protection reduces real-time risk by limiting what untrusted content can do on a device during high-risk interactions and by keeping risky activity separated from corporate endpoints. 

Secure Isolated Environments 

Replica provides secure isolated environments for exactly these interactions. When your team needs to access untrusted content (investigating a phishing campaign, evaluating a suspicious OAuth application, researching threat infrastructure, opening links from unknown sources) that activity happens inside a fully isolated environment separated from your endpoint and your corporate network. 

The browser session, the network traffic, the content rendering…  all of it executes inside Replica’s environment, with managed attribution shielding who is accessing what. If something malicious fires during the interaction, it detonates inside the isolated environment. Your endpoint, your tokens, your active sessions are untouched. 

This matters for the SaaS session problem specifically. When an analyst investigates a consent phishing lure inside a Replica environment, the OAuth consent flow can’t reach the analyst’s real credentials or corporate session. The investigation happens, the evidence is captured, and the analyst’s actual identity was never in the room. 

Replica also produces consistent session records) activity logs, screen captures, network telemetry) that your security team can use during incident review. When leadership asks what happened and when, the evidence already exists in a structured form. 

Two halves of the same problem 

DSPM and session-level isolation are solving adjacent problems. DSPM reduces your exposure surface by telling you where data is, how it’s shared, and what’s misconfigured. Secure isolated environments reduce your attack surface by making sure that when your people do interact with risky content, the interaction can’t reach your production environment. 

Both belong in the conversation. The organizations that deploy one and ignore the other are leaving a gap that adversaries like Midnight Blizzard have already demonstrated they know how to exploit.

Learn More About Isolated Environments

FAQ 

What does DSPM cover? 

DSPM discovers sensitive data across cloud and SaaS environments, classifies it, and identifies exposure risks like broad permissions, risky sharing settings, and misconfigurations. It’s focused on data-at-rest posture. 

How are SaaS accounts compromised when MFA is in place? 

Attackers increasingly target session tokens and OAuth grants. Once an attacker captures a valid token or tricks a user into an OAuth consent flow, they can operate as that user without re-authenticating. The Midnight Blizzard attack on Microsoft used exactly this technique,  MFA was available but irrelevant once the attackers had OAuth-based access. 

What is consent phishing? 

A technique where an attacker tricks a user into granting OAuth permissions to a malicious application. The user sees what looks like a routine consent screen. The attacker gains persistent access to SaaS resources through the authorized application. 

How do secure isolated environments help with SaaS session risk? 

When users access untrusted content inside a Replica environment, the interaction is fully separated from their endpoint and corporate network. Malicious content, OAuth lures, and session hijacking attempts execute inside the isolated environment and can’t reach real credentials or active sessions. Replica also captures session evidence for incident review.

Why security leaders are moving from paperwork to proof—and how to demonstrate real control during high-risk work and transitions....

Data Protection

See More

Read more

Torq and Replica partner announcement

Torq partners with Replica to make autonomous SecOps safer.

Move faster. Stay contained.

The faster your security operations move, the riskier the remaining manual work becomes. Automation handles enrichment and orchestration, but it can’t click suspicious links, detonate unknown files, or poke at attacker infrastructure. That work still requires a human. 

The traditional choice: slow down for safety, or move fast and accept endpoint/network risk. Now, there’s a new option:  

Torq orchestrates your SecOps workflow. Replica isolates the high-risk execution.

We’re AMP’d to be working together.

Torq ingests alerts, enriches context, and routes work across your stack. When the next step requires interacting with something untrusted, like a suspicious URL, an unknown file, attacker infrastructure, Torq can route analysts into Replica when interaction with untrusted content is needed.

Replica provides secure, isolated environments where analysts can investigate without exposing corporate devices or networks. Everything is logged; nothing touches production.

Explore Isolated Environments

Investigate boldly.

You don’t have to choose between speed and safety. Torq makes your processes repeatable, and Replica makes your execution safe. You don’t need new VDI projects or analyst workarounds. Automation when it’s safe, isolation when it’s not

With our forces combined, you can:

  • Examine suspicious links and attachments in isolated browsers that can’t leak credentials or install malware  
  • Detonate and analyze artifacts in controlled environments separate from your endpoints  
  • Validate remediation by testing fixes in isolation before deploying to production 

 

We’d love to show you more.  

Read the Torq Partner Profile

Explore the Replica Partner Program

Together, Torq and Replica are transforming how security teams operate — empowering customers to detect and defend against threats, faster....

Secure Environments

See More

Read more

paperwork to productivity

From Paperwork to Proof: Why Security Leaders Are Being Asked to Show Their Work

In the last week, two public signals landed that matter far beyond Washington. The first is the new OMB memo M-26-05, which shifts federal software and hardware security expectations toward a risk-based approach. The second is CISA’s Binding Operational Directive 26-02, which pushes agencies to identify unsupported edge devices and remove them to cut down on exposure. 

Even if you don’t sell into federal agencies, these updates mirror where enterprise security conversations are headed. Leaders are spending less time debating whether a policy exists and more time asking whether risk is really contained in day-to-day operations. especially when the environment is in transition. 

Track the shift to risk-based security 

Risk-based security sounds like flexibility, but in real life, it often raises the bar. When requirements become more tailored, decision-makers need clearer evidence that controls work in the moments that matter most. That evidence typically comes from what teams do during real work, not from what a policy says in a document. 

This is why the market is moving toward measurable outcomes: how risky activity is handled, what exposure is prevented, and what oversight exists when something goes wrong. Security leaders are being asked to show that the organization can operate safely under pressure, not just that it has standards written down. 

Recognize how edge lifecycle gaps create exposure 

CISA’s focus on end-of-support edge devices is a reminder of a hard truth: most organizations can’t replace critical infrastructure immediately. Procurement takes time. Change windows are limited. Dependencies show up. Exceptions are made. 

Those realities create a gap between what should happen and what can happen quickly. That gap becomes a risk window, because threat actors look for periods where controls are weakened, workarounds are common, and teams are rushed. 

Protect high risk work while remediation catches up 

During transition periods, essential work still must happen. Investigations don’t pause. Vendor validation still happens. People still need to access third-party portals, review suspicious artifacts, and move quickly in response to new information. 

This is where many programs feel the most strain. The work is legitimate, time-sensitive, and necessary.. but it often forces people to interact with untrusted content or unfamiliar systems from standard endpoints. That’s exactly the situation security leaders want to avoid, especially when they’re also trying to reduce exposure from aging infrastructure. 

Demonstrate control with auditable isolated environments 

This is where secure isolated environments stop being theory and become a practical way to keep operating. Replica is built for high-stakes cyber workflows where the work can’t pause and the cost of exposure is high. The core idea is to give teams a controlled place to do risky tasks without pushing that risk onto production endpoints and networks. 

For example, when analysts need to investigate suspicious links, validate a new tool, or access sensitive vendor portals, Replica provides secure environments that keep that activity in a governed space separated from the systems you’re trying to protect. This matters most during transition windows, when remediation plans are still underway, and teams are asked to move quickly with incomplete information. 

Strengthen audit readiness without slowing teams down 

Risk-based expectations tend to increase scrutiny after the fact. Leaders want answers to simple questions: where did the work happen, who did it, and what guardrails were in place? 

A controlled environment makes those answers easier, because the work is designed to happen in one governed place. Instead of relying on best-effort behavior across a mix of endpoints, teams can standardize how high-risk work gets done. That’s also why use cases like technology evaluation and isolation are often a practical starting point, they’re common, repeatable workflows where risk is real and timelines are tight. 

Apply the takeaway beyond federal policy 

The specific directives are federal, but the message is universal. Buyers want practical, demonstrable controls that reduce risk when conditions are imperfect. Edge devices, third-party access, investigations, and remediation timelines will continue to create transition windows. 

Organizations that handle those windows well will be the ones that can show how they kept risky work contained without slowing down the business. That’s the difference between security that looks good on paper and security that holds up under pressure. 

If you want to see how this maps to your environment, the simplest next step is to talk through the highest-risk workflows your teams can’t avoid and what it would look like to run them in a governed isolated environment. 

Learn more about Replica’s secure environment platform here

Why security leaders are moving from paperwork to proof—and how to demonstrate real control during high-risk work and transitions....

Business AccelerationData Protection

See More

Read more

Isolated browsers

Secure Browser vs Isolated Workspace: How Network Reality Forces the Architecture Decision

Security teams are being pushed into a category debate. Secure enterprise browser. Browser isolation. Workspace isolation. Each label comes with strong opinions. An isolated browser is an attractive idea because it promises a simple outcome: safer access to risky content, with less exposure.

These are different tools for different kinds of work. The right choice depends on what you are trying to protect, how your users operate, and what your environment will reliably support. The problem is that browsing rarely stays narrow. In most organizations, the browser is also where privileged work happens, where third parties connect, where investigations live, and where high-consequence decisions get made.

Once browsing becomes real work, the requirements change. You need to be sure if your workflows can be controlled, repeatable, and reviewable. Replica’s view on moving beyond browser isolation frames why the forced choice shows up in the first place.

The limits of an isolated browser

An isolated browser is a strong tool when the job is scoped and clear: open untrusted destinations with less endpoint exposure and less direct network exposure. It works well for safe access, research, and one-off tasks where the browser session is the work.

For many teams, that is the entry point because it is simple, understandable, and immediately valuable.

The limits show up when browsing turns into real work. Once a session needs internal access, privileged SaaS workflows, tools, files, and reviewable records, the requirements expand beyond what a browser-only control can reliably govern. Three shifts drive most of the friction.

Use cases that challenge an isolated browser

Work expands from the public web to internal apps

The moment a session needs access to internal applications, private portals, or sensitive SaaS workflows, isolation is no longer just “a safer window to the internet.” It becomes part of the enterprise access fabric. 

This introduces requirements that an identity-hiding mental model does not cover. Internal apps and third-party systems care about who is connecting and from where. Access policies care about conditional access and session context. Security controls care about predictable traffic paths and stable identity presentation. If those elements are not stable, organizations compensate with one-off workarounds, and the control starts to feel brittle. 

Work expands from browsing to tools and files

High-stakes work rarely stays inside a tab. A typical workflow includes downloads, uploads, document editing, messaging, notes, screenshots, and coordination across tools. The risk surface shifts from “what the browser can load” to “what data can move, where it can move, and what can be retained.”

If the tool only governs the tab, the rest of the workflow becomes a gap. That gap is where policy breaks down in practice, because work still needs to happen.

Work expands from safety to evidence and governance

When workflows matter, outcomes must be defensible. That means evidence that survives review: what happened, who did it, what data moved, and why controls behaved the way they did.

This is the line between a control that blocks and a capability that can be operated. It is also where “zero trust” becomes real. Access control is necessary, but operational security depends on governance and evidence. Replica’s perspective on that distinction is captured here: Our take on zero trust: access control vs operational security.

Two tools, two jobs

The forced choice becomes easier when the tools are described by what they optimize.

Secure enterprise browser

A secure enterprise browser is an endpoint-centered tool. It assumes the browser runs locally, then tightens policy and visibility around browser activity. It tends to fit when endpoints are consistently managed, posture signals are reliable, and most work stays inside web and SaaS patterns that behave predictably under enterprise controls.

Its strength is broad coverage with minimal disruption. Its limitation is scope. When a workflow needs stronger separation from the endpoint, tighter control over data movement across tools, or higher-quality evidence, browser-only governance can fall short.

Isolated workspace

An isolated workspace is a workflow-centered tool. It assumes certain work should run in a controlled environment so execution, network reach, and data movement can be governed together. It tends to fit when work is high stakes, endpoints are heterogeneous, third-party access is involved, or evidence must stand up to review.

Its strength is controllable work. Instead of trying to make every endpoint behave perfectly, it standardizes the environment where the work runs and makes governance repeatable.

Evaluating your options

1) Define the workflows that matter

Write down the top workflows that motivate the search for isolation in the first place. Group them into three buckets.

Standard work includes routine SaaS usage and everyday internal tools. Privileged work includes admin consoles and sensitive systems. High-stakes work includes investigations, risky research, third-party access, and any workflow where a single mistake carries disproportionate consequence. 

You may not need the most restrictive tool, but you should consider all realistic use and misuse cases. You want to apply the right control to the right activity, so security improves while friction stays predictable. 

2) Predict the impact before adopting a category 

For an endpoint-centered approach, the impact is driven by endpoint manageability, browser standardization, posture enforcement, and support burden.

For a workflow-centered approach, the impact is driven by whether critical workflows can run inside the controlled environment without breaking the work, and whether governance is strong enough to remove the need for ad hoc workarounds.

A simple litmus test helps: if the control requires frequent special handling to keep important workflows moving, it will create an exception culture. Exception culture is how security controls quietly lose authority.

3) Ask for proof of control, not claims

Instead of focusing on scripted experiences, focus on artifacts that demonstrate operability.

Look for a clear description of where execution happens, how network reach is governed for public web, SaaS, and private resources, and how identity is presented to destinations. Look for explicit rules for data movement across common actions like upload, download, and clipboard. Look for evidence outputs that align with investigations and governance: where records land, how long they are retained, and who can access them.

Teams doing investigations usually have the clearest requirements for what defensible work looks like. This is a practical companion for that mindset: Modern threat hunting: 7 best practices for secure investigations. 

The takeaway

An isolated browser reduces exposure for risky destinations. A controlled workspace goes further by reducing common attribution signals and operational mistakes across the full workflow, especially when identity, tools, and data movement come into play.

The choice worth examining is endpoint-centered control versus workflow-centered control. Clarity comes from naming the work, predicting operational impact, and choosing the tool that makes secure work repeatable without turning workarounds into the system.

FAQ

What is the difference between a secure enterprise browser and an isolated workspace?

A secure enterprise browser applies controls to browsing activity on the endpoint. An isolated workspace runs defined workflows in a controlled environment, which expands governance beyond the tab to include execution context, network reach, and data movement.

When is an isolated browser enough?

It is often enough when the job is safe access to untrusted destinations, and the work can stay largely within the browser session without needing deep internal access, extensive tool use, or defensible evidence requirements.

When is an isolated workspace the right tool?

It is the better fit when the workflow is high stakes and needs stronger separation, predictable behavior, and governance across tools and data movement. This is also where teams typically want tighter control over attribution and operational leakage across the full workflow.

Why does the choice change when work involves internal apps?

Internal apps and third-party systems add access policy, identity context, and governance requirements that go beyond safer browsing. When those requirements are not met consistently, teams fall back on ad hoc workarounds that undermine scale and defensibility.

 

If you’re interested in learning more about Replica, and how isolated environments can give your team more control and security, drop us a line.

Browser isolation or workspace isolation. Different tools for different kinds of work, but the right choice depends on what you...

Data ProtectionInformation SecurityRisk and Liability

See More

Read more

Replica v4.4: Stronger Access, Safer Secrets, Clearer Proof 

Some security updates only matter on paper. The ones that matter in real life show up in the same stressful moments: when something urgent lands, when timelines compress, and when the safest move is also the fastest move.

The Replica v4.4 release focuses on the operational guardrails that keep isolated workspaces trustworthy under pressure: tighter session controls for sensitive actions, hardened certificate and secret handling, clearer observability across the stack, and safer networking for high-risk work.

What’s new in 4.4

Enclaves now let you choose a storage type based on how you want data to behave inside the enclave: isolated when separation is the priority, or synchronous when you need a shared, reusable workspace for automation and collaboration.

When you create an Enclave, select one:

  • Isolated (default for strict separation). Use this for investigations or sensitive work where you want outputs to stay tightly scoped and avoid accidental reuse. Data is kept contained to the environment context to maximize isolation.
  • Synchronous (shared workspace inside the Enclave). Use this when your team needs to build once and reuse—for example, automation that generates artifacts, long-running processes that write outputs over time, or workflows where one user produces data and another reviews it later. Synchronous storage keeps a shared enclave workspace consistent so teams can pick up where they left off without rebuilding from scratch.
Replica v4.4 Enclave Options

Enclaves are also now assignable, making it easier to delegate ownership and management without changing the storage model.

Why this matters: Teams doing real investigations and data processing often need both: the confidence of isolation and a reliable way to persist and share artifacts across steps in the workflow. Storage Type lets you choose that behavior up front.

Sensitive action safeguards

In the moments that matter (changing controls, taking privileged actions, cleaning up environments), the risk isn’t theoretical. It’s account misuse, lingering admin sessions, and permissions that outgrow their purpose.

Replica v4.4 strengthens those “moment-of-change” guardrails with:

  • Step-up re-authentication for sensitive actions (Force Reauth), so privileged changes require an extra confirmation step.
  • Tighter session behavior, including auto-logout for the environment-deleter session in Keycloak after use.
  • Least-privilege isolate-route permissions to reduce privilege drift.
  • Smoother 2FA styling/flow consistency updates so security checks don’t feel like UI friction

Why it matters: High-risk work is time-boxed, shared across teams, and executed quickly. Guardrails that trigger at the moment of change reduce misuse risk without adding process overhead.

Observability coverage and audit readiness

In isolated environments, the proof is part of the product. When incidents happen (or when audits demand clarity), the difference between signals and answers is often whether telemetry is unified and easy to interpret.

Replica v4.4 expands and standardizes observability by:

  • Auto-registering new clusters in Grafana for a more consistent single-pane view.
  • Improving the path to audit-ready evidence with updated logging documentation and fixes that make key logging views easier to access (including a Logging menu fix for the Monitor role).

Why it matters: Faster triage starts with fewer gaps – especially when teams need to explain what happened, when it happened, and what changed.

Networking consistency and workload resilience

Containment only works if the platform stays stable while the work continues, especially when the work is long-running, compute-heavy, or dependent on tunneling.

In v4.4, we moved egress tunneling enforcement from per-VM clients to the cluster router layer, a standardization that brings VM-based environment egress routing in line with container-based environments. Practically, it makes egress behavior more consistent across the platform, including Windows-based VEs. It also makes it easier to hot swap egress when needed without introducing per-VM drift.

We also improved handling for SEADs-style research workloads, so heavy jobs are less likely to degrade cluster health or create collateral impact for other users and environments.

Why it matters: You shouldn’t have to choose between advanced workflows and platform stability.

Provisioning speed and operational stability

  • Alongside the headliners, v4.4 includes improvements that make the platform faster to provision, steadier at scale, and easier to operate day-to-day:
  • Faster, more consistent provisioning with standardized Windows/Linux images and streamlined AWS and Proxmox image transfers, including more comprehensive backups for VMs running on the Proxmox layer,
  • FlareVM available for Proxmox (Malware analysis image.)
  • Steadier performance at scale with added capacity, safer upgrade behavior, tuned scaling, and runtime hardening.
  • Updated Guest Portal + a new Troubleshooter experience to help admins get to answers faster (and reduce friction before and during evaluations).
  • Fewer “papercuts” with clearer router messaging and improved zones/time lifecycle states.

Release highlights

Replica 4.4 is built for the moments when urgency is high and mistakes get expensive, tight remediation windows, fast-moving investigations, and high-risk workflows that still have to keep running.

  • Enclaves & data workflows: New Enclave Storage Type options: Isolated for maximum separation, or Synchronous for shared, reusable workflows (automation + long-running processes + handoffs).
  • Access & governance: Force Reauth for sensitive actions, tighter session handling (incl. deleter session auto-logout), least-privilege isolate-route permissions, and smoother 2FA flow
  • Observability & proof: Expanded Wazuh coverage (including Proxmox/non-AWS nodes) and smoother Grafana + logging workflows.
  • Networking & workloads: Router-based egress tunneling standardization and improved resilience for heavy research workloads.
  • Operations & UX: Faster provisioning, steadier scaling, and refreshed Guest Portal + Troubleshooter experiences. VE Toolbox can now be relocated around the screen for ease of use and visibility.

Cut friction in reviews and investigations while keeping evidence close at hand. If you want to see these workflows in action, request a demo.

See how Replica v4.4 creates tighter session controls, hardened certificate and secret handling, clearer observability, and safer networking...

Secure Environments

See More

Read more

Screenshot of a browser in Replica Cyber showing depicting known exploited vulnerabilities

When Active Exploitation Hits: What January's KEV Update Reveals About Browser Risk

In mid-January, CISA updated its Known Exploited Vulnerabilities (KEV) catalog with actively exploited browser vulnerabilities. Federal agencies received remediation deadlines. For everyone else, KEV additions signal that attackers are already using these exploits and defenders need to respond. 

The challenge appears after the decision to patch. Remediation requires impact analysis, testing, change approvals, and coordinated deployment. When exploitation is confirmed and active, that time window creates the highest operational risk. 

The shift to in-session attacks 

Browser exploits increasingly execute inside the session itself. GhostFrame, a recent phishing framework, uses dynamic browser-executed content that adapts per session, including iframe-based techniques.  

Traditional defenses inspect content before it reaches the browser. In-session attacks execute after inspection completes, inside environments where admin credentials, cloud consoles, and sensitive workflows are already active. This shifts where controls need to operate. 

Operational constraints during remediation windows 

KEV-driven urgency encounters predictable constraints: 

  • Change control and stability requirements slow patch deployment in production environments
  • Dependency chains across apps, identity systems, and endpoint tooling extend remediation timelines
  • Third-party and managed platforms limit what internal teams can change directly
  • Critical workflows continue during elevated risk periods: admin portals, SaaS dashboards, cloud management interfaces, investigative browsing 

Browser-based access to these systems remains necessary while remediation proceeds. 

Why detection needs to be paired with containment 

Logging and alerting remain foundational for detecting anomalies, understanding scope, and supporting incident response. During active exploitation windows, security teams also need controls that reduce exposure during ongoing operations. 

Browser sessions during this period often include: 

  • Untrusted web content executing in the same environment as trusted administrative work
  • Sessions handling credentials, tokens, and privileged actions
  • User interactions required for business operations 

The operational question becomes: what reduces the likelihood that a compromised session leads to broader breach while remediation completes? 

Controls that address the remediation gap 

Effective compensating controls during this period share a common characteristic: they limit what can execute and where sensitive data persists during high-risk workflows. 

Security teams implementing these controls focus on specific outcomes:

  • Containing execution so untrusted content does not run directly on endpoints
  • Reducing data persistence on local devices for administrative and sensitive browsing sessions
  • Constraining exfiltration paths from sessions handling regulated information
  • Maintaining operational continuity for critical workflows during heightened threat periods 

Session-level containment addresses these requirements. Users interact with necessary content while execution occurs in isolated environments, reducing reliance on endpoint security posture during elevated-risk periods. 

These controls operate during remediation, not as a replacement for it. 

Questions for January’s KEV response 

Organizations responding to January’s KEV update can use these questions to translate urgency into actionable priorities:

  1. Which browser workflows remain active during remediation windows? Identify sessions that continue during elevated risk: admin portals, cloud consoles, investigative browsing.
  2. Where does sensitive data exist during those sessions? Review clipboard activity, downloads, uploads, tokens, cached data, and local persistence patterns.
  3. What controls reduce exposure without halting operations? Evaluate measures that constrain execution and limit data persistence during high-risk workflows.
  4. How are dynamic, in-session threats being addressed? Phishing frameworks that adapt per user session  valuate measures that constrain execution and limit data persistence during high-risk workflows.
Observations from January’s KEV update
  • KEV additions create a timing challenge. The period between confirmed exploitation and complete remediation represents the highest operational risk window.
  • Browser sessions serve as primary access paths during this period. Administrative interfaces and SaaS consoles remain operational when threat levels increase.
  • In-session attack techniques like GhostFrame execute after static inspection completes, requiring controls that operate during session execution.
  • Compensating controls during remediation gaps should address where untrusted code executes and how sensitive data persists or exits the session.
  • Session-layer containment can reduce endpoint trust dependencies during remediation periods without requiring workflow interruption.

Planning for predictable gaps

The remediation gap between vulnerability disclosure and complete deployment is a known operational reality. Organizations can incorporate session-level containment by using secure environments for high-risk browsing and administrative workflows as a standard control during these periods, alongside patching schedules, monitoring infrastructure, and incident response procedures.

Bridge the gap between exploit detection and patching. Explore how to maintain operational continuity and secure high-risk browser sessions against...

Cyber Warefare

See More

Read more

Linkedin
product
Use Cases
Industries
Company
Resources
Copyright© 2025. All rights reserved.