
Deep CDR – The Cutting-Edge Weapon Against Hackers

by OPSWAT

Originally published in The Marker, Cyber Magazine.

In an era where hackers conceal malicious code within pixels and metadata, OPSWAT utilizes Deep CDR technology that deconstructs every file to its raw elements and rebuilds a completely clean version. Noam Gavish, a cybersecurity architect, explains the rationale behind the technology and how it, together with the platform's other layers, forms a multi-layered defense system.

At one of Israel’s security organizations, the internal cybersecurity team began shifting uneasily in their seats due to a threat from an unexpected direction. Their concern wasn’t about infiltration — the common cyber threat — but rather about what might leak out, unnoticed. They feared that sensitive information — such as code names, locations, and identities — could be hidden inside seemingly innocent files: Word documents, image metadata, or even within the pixels themselves. DLP systems failed to detect it, experts didn’t know what to look for, and the situation felt like an invisible threat with no solution. That gap was bridged by OPSWAT’s Deep CDR technology that breaks down the file to its essential components and rebuilds it from the necessary objects only.

“The idea is simple and based on the assumption that every file is suspicious, under the Zero Trust approach,” says Noam Gavish, a cybersecurity architect at OPSWAT. “The Deep CDR system breaks down each file, retains only the elements necessary for its functionality, and rebuilds it — identical to the original, but completely clean. The end user’s ability to use the file remains the same, and the system allows tailoring the module's behavior based on file type and the specific channel. We don’t try to determine whether something in the file is good or bad. If it’s not essential — it doesn’t go in.”

To illustrate the logic, Gavish refers to the Anthrax attack in September 2001 — a week after 9/11 — during which letters containing Anthrax spores were sent to various U.S. media outlets and two senators, killing five and infecting 17 others. “Applied to our technology — if a customer receives a letter in the mail, our system rewrites it word for word on a new page — without including the suspicious white powder someone might have sprinkled inside.”

So instead of checking if a file is dangerous, you assume it is — and don’t let it in at all?

“Exactly. Anything unnecessary — even if we can’t explain why — simply doesn’t pass. There’s no need to determine if it’s malicious. If it’s not required, it’s excluded,” Gavish emphasizes. “The goal isn’t detection — it’s minimizing the attack surface to the absolute minimum. Even if a threat isn’t visible, it doesn’t get a chance. This is based on deep psychological insight: People fear what they don’t understand — and we treat files the same way. It’s a kind of survival mechanism.”

Balancing Cybersecurity and Information Availability

The technology Gavish describes — Content Disarm and Reconstruction, or CDR — is not new to the market, but OPSWAT has enhanced it to handle highly complex files, including archives, media files, and documents with active macros. This expanded capability earned it the name Deep CDR.
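As an added illustration, not OPSWAT's code or a description of how Deep CDR is implemented internally, the Python sketch below applies the same rebuild-from-essential-parts principle to one simple format, PNG: it walks the file chunk by chunk, verifies each chunk's CRC, copies only the chunk types an image needs to render (the whitelist is this example's own choice), and discards everything else, including comment and metadata chunks and any bytes appended after the IEND marker. The 1x1 sample image is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a PNG needs to render (whitelist chosen for this example); everything else (tEXt/iTXt/zTXt, eXIf, tIME, private chunks) is dropped, as is any data after IEND.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def parse_chunks(data):
    """Yield (type, payload) for each chunk, validating its CRC, up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or struct.pack(">I", zlib.crc32(ctype + payload)) != crc:
            raise ValueError("truncated or corrupt chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return  # bytes after IEND are not part of the image and are never read
    raise ValueError("no IEND chunk")

def build_chunk(ctype, payload):
    """Serialize a chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def rebuild_png(data):
    """Return (clean_png, dropped_chunk_types) built from essential chunks only."""
    out = bytearray(PNG_SIGNATURE)
    dropped = []
    for ctype, payload in parse_chunks(data):
        if ctype in KEEP:
            out += build_chunk(ctype, payload)
        else:
            dropped.append(ctype.decode("ascii"))
    return bytes(out), dropped

def make_sample():
    """Constructed 1x1 greyscale PNG carrying a tEXt chunk and junk after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x80")  # filter byte followed by one grey pixel
    png = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
    png += build_chunk(b"tEXt", b"Comment\x00not needed to render")
    png += build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"")
    return png + b"APPENDED-AFTER-IEND"
```

A full CDR engine would also decode and re-encode the pixel data itself rather than copying IDAT verbatim; this sketch shows only the structural principle of keeping what is required and rebuilding the rest.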

Still, Gavish emphasizes that Deep CDR is just one component in a complete platform designed to protect organizations — especially critical infrastructure — across all information exchange channels. This begins with email systems, extends to USB devices connected to endpoints, and includes internal system interfaces. Every file, from any source, undergoes a multi-layered security scan.

This is increasingly important as attack surfaces expand, especially with supply chain attacks, where hackers target third parties to gain access to an organization. Hackers also identify organizational weak points — for example, HR departments, which receive dozens of resumes daily, often as PDFs or images, with full operating systems hidden behind them. HR teams tend to be the largest receivers of Office files — yet often have the lowest cybersecurity awareness. Another weak point: removable media, which may contain malware.

“We don’t rely only on Deep CDR because no single module can address all challenges,” Gavish explains. “Before a file reaches CDR, it goes through multiple antivirus engines — over 30, depending on the package. Then it passes through Deep CDR, and next to OPSWAT’s Sandbox system, which decodes the file, analyzes the code, and determines what it does — or would do — with specific input.”

The organizing principle is not to rely on a single detection mechanism, but on layered security: If antivirus misses something, Deep CDR rebuilds the file. If Deep CDR removes nothing suspicious or further clarity is needed, Sandbox analyzes its behavior. Only if nothing is deemed suspicious is the file allowed into the organization.

To demonstrate the power of OPSWAT as a comprehensive platform, Gavish compares the company’s security architecture to medieval castles — which used layered defenses to wear down attackers. “In cybersecurity, it’s all about layers. Like a castle: first a moat, then an iron gate, archers, and boiling oil poured from above. Deep CDR isn’t magic — it’s another brick in the wall. And a castle without walls isn’t a castle.”

So it’s both a technological combination and a process series?

“Yes, because Deep CDR is good for some things, Sandbox for others — together they provide full coverage. Alone, they can’t handle every scenario. For example, we combine Deep CDR with antivirus scans and Sandbox to detect sophisticated attacks that each layer alone might miss. We’re not just offering a point security solution — but a multi-layered platform. We’ve built a circular security platform, not isolated barriers: multi-engine scanning, behavioral analysis, and the core — Deep CDR technology that rebuilds each file cleanly, without asking questions.”

The platform currently supports 190 file types — DOC, PDF, ZIP, images, audio, video, and more — double the industry standard. It also tailors security levels to the file’s path, configuration, and destination.

“The protection spans the entire threat landscape, but each threat has its own nature,” Gavish says. “We also don’t want to stop data flow or delay operations. The idea is not to block the world — but to reintroduce it in a clean way — balancing security and availability. Like drinking from a potentially contaminated stream — you use a purification tablet and give up minerals in the process. But if the tablet was smarter, it could purify and preserve the minerals. That’s our goal — to deliver data in its original structure, minus the hidden malicious content — always customizable to your needs.”

Securing Every Organizational Entry Point

Founded in 2002 with a vision to protect critical infrastructure from cyber threats, OPSWAT now serves around 2,000 customers in over 80 countries. The company has offices across North America, Europe (including the UK, Germany, Hungary, Switzerland, Romania, France, and Spain), Asia (India, Japan, Taiwan, Vietnam, Singapore, and the UAE), and more.

In Israel, OPSWAT provides cybersecurity solutions to hundreds of leading organizations.

Gavish himself has been immersed in cybersecurity since 2007, shifting between offense and defense. He began in the defense industry and later worked in both "red team" and "blue team" roles at cyber firms. OPSWAT is renowned for its protection of critical infrastructure — water, electricity, transport, and defense — but in fact, its cybersecurity platform is suitable for any organization.

“I suggest broadening the definition of ‘critical infrastructure.’ Every organization has something critical. If a newspaper can’t print because malware shuts down the presses — that’s a disaster. For them, the presses are critical infrastructure. If a health insurer leaks sensitive customer data — that’s devastating. In that case, data is the critical infrastructure. If a hacker disrupts an elevator controller — a very real scenario — the controller becomes critical. Any touchpoint for data — entry or exit — is a potential risk, and we’re prepared to protect it. I always say: when defending critical systems, don’t just think of the internet — think of every possible gate. Sometimes it’s not a server or port, but a back door on the 30th floor. In a world where you can be attacked through an email or a seemingly innocent file — only those who think from every angle are truly ready. OPSWAT’s system is built for that: protecting endpoints, email servers, kiosks for connecting external devices, and even one-way file transfer systems (Data Diode). In a world where even a simple image file might contain embedded attack code, breaking it down and rebuilding it clean makes perfect sense — not paranoia.”

In line with the times, how much do you use AI?

“AI has become a trendy buzzword, but OPSWAT doesn’t use it just for show — only where it truly helps. 99% of antivirus engines claiming to use AI are using ML — Machine Learning. That said, AI is excellent at building new attack techniques, so layered defenses are critical. We don’t rely on known signatures alone.”

Still, even layered security isn’t airtight. In cybersecurity, there’s no such thing as 100% protection.

“Correct — and at OPSWAT, we understand that. That’s why our approach neutralizes threats regardless of whether they’re detected, known, or listed in any database. The cat-and-mouse game between attackers and defenders will never end — so we don’t try to win it with one tool. We build walls, gates, bridges, and position archers. There’s no 100%, but there is a platform you can trust.”
