Network security.
Local by design.
Paloryx Labs builds DNS-layer threat detection for organizations that prefer to keep their data on their own hardware. Detection runs locally. Paloryx Labs never sees, logs, or stores your DNS queries. No commercial threat-feed subscription. Built for healthcare, legal, defense, finance, and anywhere data sovereignty matters.
Currently in pre-release. Contact us if you have a specific deployment in mind.
What Resolver delivers
DNS-layer threat detection that runs entirely on your network. Built for teams who'd rather keep their queries, their device inventory, and their detection signals on their own hardware.
Privacy by architecture
We don't see your queries because the system doesn't send them to us. Detection runs on the resolver itself; cloud lookups (when used) are k-anonymized to a 4-byte hash prefix. We can't violate your privacy with data we never receive.
Detection runs locally
The threat-detection stack — three layers plus reference banks — lives on your hardware and runs without per-query cloud dependency. Detection events and audit logs stay on the install. Paloryx Labs never receives, logs, or stores your DNS queries. Initial license activation and the daily threat-bank delta are the only ongoing Paloryx-cloud touches; both transmit zero query data.
Layered detection, no black box
Three independent layers — heuristic (DGA, fast-flux, NRD), lexical (typosquats, homoglyph confusables), and semantic (embedding-based similarity against curated reference banks). Each layer is auditable. No single ML model deciding fate alone.
No commercial threat-feed subscription
Detection capability is assembled from curated public threat-intelligence sources into bundled reference banks shipped with the installer. No per-customer feed contract, no upstream subscription cost, no surprise renewal pricing.
Audit-ready by default
Every admin action lands in an append-only audit log. Every blocked query is explained in plain language: which signal fired, what category, what reference matched. Customers in regulated environments can answer auditor questions without a forensics engagement.
Built for restricted environments
Healthcare with PHI exposure rules. Law firms with privilege concerns. Defense contractors with CMMC posture. Financial institutions with FFIEC guidance. EU operations with GDPR data-residency obligations. Single-tenant, on-premises, your control end to end.
Detection that runs in your binary, not in someone else's cloud.
The threat-scoring stack — three layers plus a behavioral beacon detector — ships embedded in the resolver. Reference banks of known-malicious and known-legit indicators are bundled with the installer. No commercial feed subscription. No queries leaving your network for analysis.
On-device threat scoring
Every query is scored 0–100 by three independent layers — heuristic, lexical, and semantic — before the answer leaves the resolver. No cloud round-trip on the hot path. No telemetry to a vendor.
secure-apple-id-login.co: Brand impersonation
update-office365-portal.xyz: Phishing pattern
news.ycombinator.com: Allowed
Three-layer detection
Heuristic catches DGA / fast-flux / newly-registered. Lexical catches typosquats and homoglyph confusables (paypa1, micros0ft). Semantic catches what the others miss — meaning-level similarity to known-bad reference banks. Each layer is independently auditable.
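A sketch of what a lexical check of this kind can look like, covering the paypa1 and micros0ft cases named above. This is an added example, not Paloryx Labs code: the confusables table, the brand watch list, the tokenisation and the distance threshold are all assumptions, and input is assumed to be already decoded from punycode.

```python
# Added illustration of a lexical check; tables and thresholds are assumptions.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic look-alikes
})
BRANDS = ("paypal", "microsoft", "apple")  # constructed watch list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lexical_hits(domain: str):
    """Return (token, brand, signal) tuples for one decoded, Unicode domain name."""
    labels = domain.lower().rstrip(".").split(".")[:-1]  # drop the TLD (no PSL here)
    hits = []
    for token in (t for label in labels for t in label.split("-") if t):
        if token in BRANDS:
            continue  # exact brand string: not a look-alike, left to other checks
        skeleton = token.translate(CONFUSABLES)  # fold digits and homoglyphs
        for brand in BRANDS:
            if skeleton == brand:
                hits.append((token, brand, "homoglyph"))
            elif len(brand) >= 5 and edit_distance(skeleton, brand) == 1:
                hits.append((token, brand, "typosquat"))
    return hits
```

Each hit names the token, the brand it resembles and which rule fired, which is the kind of per-signal explanation an auditable layer needs to emit.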
C2 beacon detection
Hourly background scan finds devices making periodic callouts to rare or recently-registered domains — the fingerprint of compromise — and explains in plain English what the timing pattern looks like.
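One way to find periodic callouts in a query log, shown as an added example rather than the product's own detector. It assumes a log of (timestamp, device, domain) tuples, approximates "rare" by the number of distinct devices querying a domain, and does not model domain registration age; the sample events and thresholds are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed query log: (epoch_seconds, device, domain).
JITTER = [0, 2, -3, 1, 0, -1, 3, -2, 0, 1, -1, 2]
SAMPLE_EVENTS = (
    [(1000 + 300 * i + j, "laptop-17", "cdn-sync.example") for i, j in enumerate(JITTER)]
    + [(1000 + t, "laptop-17", "news.example")
       for t in (5, 40, 900, 950, 2000, 3500, 3510, 6000)]
    + [(1000 + 60 * i, dev, "time.example")
       for dev in ("laptop-17", "printer-2", "kiosk-4") for i in range(10)]
)


def find_beacons(events, min_hits=6, max_cv=0.10, max_devices=1):
    """Flag (device, domain) pairs queried at near-constant intervals.

    max_devices approximates "rare": a domain that many devices query is skipped.
    """
    stamps, devices = defaultdict(list), defaultdict(set)
    for ts, device, domain in events:
        stamps[(device, domain)].append(ts)
        devices[domain].add(device)
    findings = []
    for (device, domain), seen in stamps.items():
        if len(seen) < min_hits or len(devices[domain]) > max_devices:
            continue
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period  # coefficient of variation: 0 = perfectly regular
        if cv <= max_cv:
            findings.append({
                "device": device, "domain": domain, "period": period, "cv": cv,
                "why": f"{device} queried {domain} {len(seen)} times, about every "
                       f"{period:.0f}s with {cv:.1%} timing variation",
            })
    return findings
```

On the sample log only the 300-second callout is reported: the irregular browsing fails the regularity test, and the 60-second time sync is excluded because three devices share it.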
What does and doesn't reach Paloryx Labs
Stays on your install: every device identifier, every threat score, every detection event, every audit-log entry, every policy change. Paloryx Labs never receives, logs, or stores your DNS queries.
License heartbeat: periodic transmission of product version, platform, and uptime — nothing about your queries or your network.
Optional k-anon lookup: when the local score is uncertain, the resolver MAY send a 4-byte SHA-256 prefix to our threat-intel service. Reconstruction of the original query isn't mathematically possible. Admin-controlled, off by default.
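The 4-byte prefix lookup, sketched as an added example that is not Paloryx Labs code. It assumes the common range-query pattern, where the service returns every full digest in the requested bucket and the resolver makes the final comparison locally; the name normalisation, the RangeService class and the sample list are assumptions.

```python
import hashlib

PREFIX_BYTES = 4  # prefix length stated on the page


def digest(domain: str) -> bytes:
    # Assumption: the name is lower-cased and stripped of its trailing dot before hashing.
    return hashlib.sha256(domain.lower().rstrip(".").encode("utf-8")).digest()


class RangeService:
    """Stand-in for a remote threat-intel service indexed by digest prefix."""

    def __init__(self, bad_domains):
        self.buckets = {}
        for name in bad_domains:
            full = digest(name)
            self.buckets.setdefault(full[:PREFIX_BYTES], set()).add(full)
        self.received = []  # everything clients ever sent, kept for inspection

    def lookup(self, prefix: bytes):
        if len(prefix) != PREFIX_BYTES:
            raise ValueError("prefix must be exactly 4 bytes")
        self.received.append(prefix)
        return self.buckets.get(prefix, set())


def resolver_lookup(domain: str, service: RangeService) -> bool:
    """Send only the 4-byte prefix; compare the full digest on the resolver."""
    full = digest(domain)
    return full in service.lookup(full[:PREFIX_BYTES])
```

A 4-byte prefix cannot be inverted to a name, but a service that already holds a list of candidate names can check which of them fall in the received bucket, so what the prefix provides is anonymity within a bucket rather than secrecy of the query.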
Built for organizations that prefer not to outsource trust
If your buyer evaluation includes “where does the data live, who else can see it, and what happens if you get acquired” — this product was designed with you in mind.
Healthcare
PHI exposure rules, HIPAA Security Rule
DNS query logs that never leave the network. No third-party data processor in your covered-entity chain. Audit trail your compliance officer can actually read.
Legal
Privilege protection, client confidentiality
Your firm's research patterns don't become someone else's telemetry. No SaaS provider can be subpoenaed for your queries because no SaaS provider has them.
Defense & federal contractors
CMMC posture, ITAR-shaped restrictions
Single-tenant, on-premises, with the detection layer embedded in the binary. The daemon retains a minimal cloud touch for license activation and the bundled threat-intel refresh.
Financial services
FFIEC guidance, GLBA, supply-chain due diligence
Vendor-risk questionnaires answered with “the data never reaches us.” No commercial threat-feed contract to renegotiate. No fourth-party processors to inventory.
Education
FERPA, student-data residency
K-12 districts and higher ed running thin IT staff don't need a SaaS subscription with unbounded data flows. Local-only operation, low management burden.
EU / data-residency operations
GDPR, Schrems II concerns
No transatlantic data transfers because there are no data transfers. Deployable in any jurisdiction without renegotiating data-processor agreements.
Have a specific deployment in mind?
We're currently in pre-release. We'd rather talk to a handful of organizations with concrete deployment requirements than open the firehose. Reach out and tell us what you're trying to protect.