Operates offline
Purpose-built for air-gapped networks. No network interfaces, no telemetry, no dependencies on external services.
Bifrost · Australian made
The trusted bridge for untrusted data
Offline, zero-persistence malware scanning and data inspection for removable media — purpose-built for air-gapped and sensitive environments.
What is Bifrost?
Bifrost is a purpose-built scanning kiosk for removable media — USB drives, SD cards, portable hard drives — entering or leaving air-gapped and classified environments. It's a physical device that sits at the boundary: plug in a drive, get a malware and content report, and know what's on the media before it crosses the gap. The device retains nothing. Every scan is wiped from RAM on shutdown. Protected against all current and future malware threats. Suitable for all classifications of data.
Why Bifrost?
In Norse mythology, the Bifrost is the burning rainbow bridge between Midgard — the world of humans — and Asgard — the realm of the gods. Guarded by Heimdall, it was the only path between realms, and nothing could cross it unchallenged.
Bifrost the scanner serves the same purpose. It's the controlled bridge between untrusted and trusted domains — the single point where removable media is inspected before it crosses the air gap. Like its namesake, nothing passes without scrutiny.
What Bifrost does
Zero persistence
Runs entirely in RAM. Sanitised on every shutdown to ensure all data is purged and forensically unrecoverable. Nothing survives a power cycle.
All classifications
Suitable for all classifications of data. Keyword sets, rule profiles, and scanning depth adapt per session — from unclassified through to the highest caveats. One device covers every level.
Managed updates
Signature engine and scanning rules delivered through a protected image pipeline. Ongoing support built in.
Self-protecting
Multiple layers of self-protection against tampering, including BadUSB attack prevention. Only mass-storage devices are accepted — keyboard and HID emulation attacks are blocked at the hardware level.
How it works
From boot to report in minutes
01
Build the image
ISO built with latest OS, scanning engines, signature databases, and ruleset. Can be automatically or manually written to portable protected hardware.
02
Boot
Power on. The system boots read-only and loads entirely into RAM. No persistent disk, no swap, no writable storage.
03
Insert target media
Connect removable media through the hardware write-blocker. Bifrost mounts it read-only and runs seven inspection phases automatically.
04
Read the report
Results displayed on screen or exported to trusted USB as a scan report. Clean files can be transferred from untrusted to trusted media.
05
Sanitise and shutdown
Volatile memory is overwritten and sanitised before power-off to ensure all data is purged and forensically unrecoverable. Zero persistence. System is clean for the next scan.
Scanning pipeline
Seven phases, one report
Each scan runs through a fixed sequence of inspection phases. Every phase contributes to the final report.
01
Mount
Target media mounted read-only through the hardware write-blocker.
02
Inventory
Every file catalogued — name, size, type, timestamps, cryptographic hash.
03
Signature scan
Files checked against a curated multi-engine malware signature database.
04
Rule-based heuristics
YARA-rule detection for malware families, emerging threats, and zero-day variants.
05
Behavioural checks
Executables inspected for suspicious capabilities, packing, and embedded strings.
06
Keyword search
Dirty word search for classification markers and configurable keyword sets.
07
Report
Findings aggregated into a single report — screen, print, or both.
Usage flow
What happens during a scan
START
Boot
System loads from protected media into RAM
01
Select classification
Operator chooses the classification level — keyword sets and scanning rules adapt
02
Insert media
Target media connected through write-blocker, mounted read-only
03
Scan pipeline
Mount Inventory Signatures YARA rules Behaviour Keywords Report
04
Review results
Findings on screen. Export report to trusted USB
END
Sanitise
RAM sanitised. All data purged and forensically unrecoverable
Deployment options
Runs on any x86 hardware
Bifrost portable boot media can run on any x86 hardware, but is most effective when combined with trusted hardware. Choose the form factor that fits your environment — scanning capability is identical. Suitable for highly sensitive environments.
Desktop kiosk
Compact form factor for fixed installations. Sits at a checkpoint — entry point, guard station, or classification control zone. Connects to an external display and write-blocker. Always ready, always in position.
- Small-form-factor hardware
- External display and peripherals
- Permanent installation
Portable unit
All-in-one laptop configuration for field use, deployments, and mobile teams. Built-in display and integrated write-blocker. Same protected boot media, same scanning pipeline, same reports — just mobile.
- Integrated display and write-blocker
- Field-deployable
- Same image as the desktop kiosk
Supported media types
Any block storage device accessible through the hardware write-blocker can be scanned.
Update cycle
How Bifrost stays current
Protected boot media is never modified in the field. Updates flow through a managed pipeline — build a fresh image, write it to protected hardware, deploy. The kiosk always runs read-only.
Build
Pipeline pulls latest signatures, rules, and OS patches. Produces a fresh system image.
Write
Image written to protected, hardware write-protected boot media. Automatic or manual.
Deploy
Boot media inserted into kiosk hardware. System boots read-only from the fresh image.
Scan
Runs in the field — read-only, air-gapped, zero persistence. Nothing modifies the image.
Threat model
Every threat considered, every layer hardened
Bifrost assumes the worst about every piece of media it inspects. Here's how the design responds to each threat.
Threat
Malware on target media
Removable media may carry active malware, including novel or weaponised payloads designed to compromise the scanning host.
Mitigation
Multi-engine signature scanning, YARA-rule heuristics, behavioural analysis, and capability inspection — seven independent detection phases. The scanning environment is read-only and RAM-only; even if malware executes, it cannot persist or propagate.
Threat
BadUSB and HID attacks
A malicious USB device may enumerate as a keyboard or HID device to inject keystrokes, rather than presenting as storage.
Mitigation
Bifrost only accepts mass-storage class USB devices. HID, keyboard, and network device classes are rejected at the hardware abstraction layer. Devices that re-enumerate or present multiple interfaces are blocked.
Threat
Data exfiltration from the kiosk
Sensitive data from a scan — file contents, metadata, classification markers — could be extracted from the device after use.
Mitigation
Zero persistence by design. The entire OS runs in RAM with no writable storage. On shutdown, volatile memory is overwritten and sanitised — all data purged and forensically unrecoverable. Nothing survives a power cycle.
Threat
Tampering with the scanning environment
An attacker or compromised operator could modify the scanning tools, signatures, or OS to suppress detection of specific threats.
Mitigation
Boot media is hardware write-protected — the scanning environment cannot be modified in the field. The OS root is an immutable filesystem loaded from a signed image. Every boot is a fresh, known-good state.
Threat
Modification of target media during scan
The scanning process could inadvertently (or deliberately) alter the media being inspected, destroying evidence or planting data.
Mitigation
Target media is connected through a hardware write-blocker and mounted read-only at the OS level — dual-layer write protection. Chain of custody is preserved throughout. Nothing Bifrost does can modify the media being scanned.
Threat
Network-based attack or C2 callback
Malware on scanned media could attempt to phone home, exfiltrate data, or receive commands over a network connection.
Mitigation
Bifrost has no network interfaces — no ethernet, no wifi, no bluetooth. Network drivers are not installed. There is no network stack to exploit. Air-gapped by construction, not by policy.
Threat
Stale or outdated signatures
An air-gapped scanner risks running outdated detection signatures, missing newly discovered threats.
Mitigation
A managed build pipeline produces fresh system images on a regular cadence, pulling the latest signatures and rule sets. Updates are delivered as complete, signed images on protected media — never over the wire, but always current.
Threat
Residual data between operators
Consecutive scans by different operators could leak classification-marked data between sessions.
Mitigation
RAM is sanitised on every shutdown — all data purged and forensically unrecoverable. The device returns to a clean, zero-data state between every session. No cross-contamination is possible.
RAM sanitised on every shutdown. Air-gapped by design. Nothing leaves the device. ISM compliant.
Designed and built in Australia
Get in touch →Contact
Tell us about your environment.
We'll respond within two business days. For technical evaluation or procurement questions, include as much context as you can share.