There is a gap in how the security industry has framed ransomware defense that Kiran Bhageshpur, Qumulo’s CTO, put into a single sentence: ransomware does not target your backups first. It targets your live data.
That observation sounds obvious once you hear it. The implication it carries for how ransomware protection should be architected is less obvious, and most of the protection strategies enterprises have invested in over the past decade have not fully grappled with it.
The standard ransomware defense stack looks roughly like this: endpoint protection to catch known malware before it executes, backup systems to restore from when it does execute, anomaly detection to notice when unusual encryption activity is happening, and incident response playbooks to follow when all of the above fail to prevent an attack from completing. It is a defense built around the assumption that ransomware will sometimes succeed and that the primary job of protection is minimizing recovery time and data loss after it does.
The assumption is pragmatic. It reflects real experience with what ransomware attacks look like in practice and what recovery from them requires. And it is the assumption that Qumulo just decided to challenge with NeuralProtect, a ransomware resilience solution built directly into the storage layer that inspects every file at the exact moment it is written, detects threats before any file is encrypted or corrupted, and responds in seconds rather than waiting for anomaly detection to notice that something has gone wrong.
The difference between catching ransomware at the point of write and catching it after it has started encrypting files is not a performance metric. In an enterprise storage environment, it is the difference between a blocked attack and a recovery event measured in days.
Why the Storage Layer Is the Right Place to Stop This
The architecture decision that defines NeuralProtect, building the protection into the storage layer rather than layering it on top as an external security tool, reflects a specific insight about where ransomware actually does its damage and why catching it there changes the outcome.
Endpoint security catches ransomware at the point where malicious code executes on a device. That is valuable, but it misses the scenarios where the endpoint itself is compromised, where the attacker is using legitimate credentials and tools, or where the ransomware variant is novel enough that signature-based detection does not catch it. Backup systems restore data after an attack has succeeded, which is essential but means accepting that the attack ran to completion before the recovery began. Entropy-based storage detection notices when large amounts of data are being encrypted, which means the attack is already underway and files are already being lost before the detection fires.
NeuralProtect operates at a different point in the sequence: the exact moment each file is written to storage. Every write operation goes through inspection before it completes. If the write is malicious (if it is encrypting, corrupting, or replacing legitimate data with a ransomware payload), it is blocked before the file changes. Not after. Before.
The performance implication of inspecting every file write is the engineering challenge that makes this approach harder than it sounds. Doing Deep File Inspection at write speed, across enterprise storage volumes, without introducing latency that degrades the performance of the applications writing to that storage, requires AI inference capability that can run at what Qumulo calls “user-space speed”: fast enough that the inspection does not become the bottleneck.
NeuralProtect achieves that through a four-layer AI detection architecture that applies different models to different threat categories simultaneously rather than running them sequentially.
Four Models, Four Threat Categories, One Inspection Pass
The detection engine architecture is the technical core that makes NeuralProtect’s protection claims credible rather than aspirational, and it is worth examining specifically because the four-model approach addresses distinct threat categories that single-model detection systems consistently miss.
The deterministic AI model handles known ransomware and malware variants. For threats that have been previously identified and characterized, deterministic detection produces 100% accuracy: no uncertainty, no probability threshold, no tuning required. Known is known, and known threats are caught.
The statistical AI model handles zero-day and novel attacks: the ransomware variants that have not been seen before and therefore have no signatures to match against. Statistical detection achieving greater than 95% success against novel attacks is the capability that changes the risk calculus for zero-day ransomware campaigns, which are specifically designed to bypass signature-based detection by being new.
The temporal AI model handles the attack category that is specifically designed to evade both deterministic and statistical detection: slow-moving, partial-encryption stealth campaigns. A ransomware operator who knows their target has anomaly detection in place will sometimes deliberately run their encryption campaign slowly enough, and partially enough, that the entropy-based signals that trigger anomaly detection never reach the threshold that fires an alert. The temporal model surfaces these stealth campaigns by analyzing behavioral patterns over time rather than looking for instantaneous signals, catching attacks that are specifically designed to be patient.
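To make that distinction concrete, here is an added, constructed simulation (not Qumulo’s or NeuralProtect’s code) that runs a slow partial-encryption campaign past two detectors: a per-write entropy threshold that judges each write alone, and a per-session signal accumulated over time. The thresholds, file names and workload are assumptions chosen for the illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque

# Constructed illustration, not NeuralProtect's code; thresholds are assumptions.
HIGH_ENTROPY = 7.0   # a single write that "looks encrypted"
DELTA = 1.0          # entropy jump on overwrite that counts as suspicious

def shannon_entropy(data: bytes) -> float:  # bits per byte, 0.0 (empty) to 8.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def instantaneous_alert(data: bytes) -> bool:  # entropy-based: judges each write alone
    return shannon_entropy(data) >= HIGH_ENTROPY

class TemporalDetector:
    """Alert once one session has raised the stored entropy of `limit` distinct
    files by at least DELTA within its last `window` writes."""
    def __init__(self, window: int = 100, limit: int = 8):
        self.prev = {}                                            # path -> entropy
        self.history = defaultdict(lambda: deque(maxlen=window))  # session -> (path, flag)
        self.limit = limit
    def observe(self, session: str, path: str, data: bytes) -> bool:
        h = shannon_entropy(data)
        suspicious = path in self.prev and h - self.prev[path] >= DELTA
        self.prev[path] = h
        self.history[session].append((path, suspicious))
        return len({p for p, s in self.history[session] if s}) >= self.limit

def simulate(rounds: int = 40, encrypted_fraction: float = 0.3, seed: int = 1):
    """Seeded workload: each round nine users edit one CSV apiece and one 'attacker'
    session rewrites one file with `encrypted_fraction` of its bytes replaced by random
    (ciphertext-like) bytes. Returns (instantaneous, temporal) first-alert rounds or None."""
    rnd = random.Random(seed)
    text = b"id,region,revenue\n" * 200
    det = TemporalDetector()
    det.prev = {f"/share/report_{i}.csv": shannon_entropy(text) for i in range(rounds * 10)}
    first = [None, None]
    for r in range(rounds):
        for j in range(10):
            path = f"/share/report_{r * 10 + j}.csv"
            if j == 0:                                # slow campaign: one file per round
                session, k = "attacker", int(len(text) * encrypted_fraction)
                data = bytes(rnd.getrandbits(8) for _ in range(k)) + text[k:]
            else:                                     # ordinary edit: replace the last row
                session = f"user{j}"
                data = text[:-18] + b"%02d,south,%07d\n" % (j, rnd.randrange(10**7))
            hits = (instantaneous_alert(data), det.observe(session, path, data))
            first = [r if f is None and hit else f for f, hit in zip(first, hits)]
    return tuple(first)
```

With 30% of each file encrypted, the per-write threshold never fires while the session-level signal fires in round 7; only a loud, full-file rewrite (`encrypted_fraction=1.0`) trips the per-write threshold.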
The BitDefender Virus Detection Engine adds the proven commercial antivirus layer that provides comprehensive coverage for the established malware landscape. Layering a known-good commercial engine alongside the AI models ensures that the detection architecture does not have gaps where established threats slip past novel detection approaches.
The false-positive rate that results from this architecture, less than 0.01%, is the number that determines whether the protection is actually deployable in production environments. Security tools with high false-positive rates get disabled by frustrated administrators whose legitimate users are being blocked. A sub-0.01% false-positive rate means that automated blocking is usable in production without creating the friction that causes security controls to get turned off.
What Happens in the Seconds After Detection
When NeuralProtect identifies a threat, the response is autonomous and immediate rather than waiting for human analyst review to authorize action. The sequence happens in seconds:
The offending user session is terminated. The user or IP address is blocked from further writes. Defensive snapshots are created, capturing the clean state of the data at the moment before the attack was detected and providing the recovery point that makes restoration rapid rather than requiring a full backup restore. Infected data is quarantined, stopping the spread from the compromised files to adjacent data.
The isolation is surgical rather than broad. Rather than taking down large segments of storage infrastructure to contain an attack, NeuralProtect isolates the specific compromised session and data while leaving legitimate operations running. For enterprises where storage unavailability translates directly to application downtime and business impact, the precision of the containment matters as much as the speed.
The snapshot creation at the moment of detection is the recovery architecture detail that makes NeuralProtect’s protection genuinely different from traditional detection approaches. Entropy-based detection that fires after an attack has been running for minutes or hours creates a recovery point that is already significantly behind the clean state. Point-of-write detection that fires on the first malicious write creates a recovery point that is current to the moment the attack began, making restoration a near-immediate operation rather than a major recovery project.
The Cisco Hypershield Integration – When Storage Detection Becomes Network Response
The integration between NeuralProtect and Cisco Hypershield is where the storage-layer detection capability becomes an enterprise-wide threat containment architecture, and it reflects an insight about what complete ransomware response requires that single-vendor solutions cannot provide.
A ransomware attack that reaches enterprise storage did not originate at the storage layer. It entered the environment through some other vector: a compromised endpoint, a phished credential, or a lateral movement path from an initial compromise elsewhere in the network. Stopping the encryption at the storage layer is essential, but it leaves the attacker’s network presence intact and their initial access unaddressed.
When NeuralProtect detects an attack, the joint solution with Cisco Hypershield triggers automated network quarantine, distributed enforcement across workloads and clouds, that isolates the compromised systems at the network level at the same time as the storage-layer isolation. The attacker who has been stopped from encrypting files also loses their network connectivity, their lateral movement paths, and their ability to pivot to other systems while the security team responds.
Detection-to-mitigation time measured in seconds reflects both the storage isolation and the network quarantine happening in the same automated response sequence. The attacker is not just stopped from encrypting more files. They are cut off from the environment before they can adapt their approach.
Splunk Integration – Visibility That Turns Seconds Into Intelligence
Telemetry from both Qumulo and Cisco flows into Splunk via OpenTelemetry integration, giving security teams unified visibility into what happened, where it happened, and what the attack involved.
The specificity of the notification is the detail that makes this integration operationally useful rather than just generating another alert. When NeuralProtect detects an attack and triggers the Cisco network response, Splunk receives the specific client involved, the malware variant identified, and the exact point of intrusion. That is not a generic “ransomware detected” alert. It is the information that the incident response investigation would otherwise spend hours reconstructing from partial telemetry after the fact.
Starting the incident response with the attacker’s identity, the malware variant, and the intrusion point documented automatically removes the reconnaissance phase from the response process. Security teams that would normally spend hours on initial investigation can move directly to containment validation, root cause analysis, and remediation, compressing the overall incident timeline significantly.
The OpenTelemetry integration also means that the intelligence generated by NeuralProtect detections contributes to the broader threat picture that Splunk maintains across the entire infrastructure stack. Patterns that appear across multiple detection events (consistent attacker infrastructure, recurring entry vectors, behavioral signatures of specific threat actors) become visible at the SIEM level in ways that individual point-solution alerts do not surface.
The Architecture the Industry Has Actually Needed
Bhageshpur described what the combined Qumulo, Cisco, and Splunk architecture delivers as “what the industry has long needed: a coordinated cybersecurity architecture that spans storage, infrastructure, and security operations.”
That framing is worth taking seriously rather than reading as product launch language, because it identifies a specific structural gap that has been visible in enterprise ransomware response for years.
Storage security, network security, and security operations have historically been separate domains with separate tools, separate telemetry, and separate response workflows. A ransomware attack that triggers responses in all three domains simultaneously creates a coordination problem: the storage team is isolating data, the network team is blocking traffic, and the security operations team is trying to understand what happened, often with incomplete visibility into what the other two domains are seeing and doing.
NeuralProtect, Cisco Hypershield, and Splunk operating as an integrated architecture with shared telemetry and automated cross-domain response removes that coordination problem for the most time-critical phase of the response. The isolation, quarantine, and notification happen automatically in seconds, before any human coordination is required. The human team that engages with the incident starts from a position of complete information rather than incomplete telemetry that needs to be assembled from three separate systems.
For enterprises that have experienced ransomware incidents and measured the time lost to the coordination overhead in the immediate response window, that architecture change is not incremental. It is the difference between a contained incident and a spreading one.
Research and Intelligence Sources: Qumulo