// AI ZERO-DAY DETECTOR · BEHAVIORAL ANOMALY
Spot novel exploitation before it has a signature.
Paste a suspicious HTTP request, access-log line, or payload. The detector scores it for exploitation indicators and novelty — the breadth, obfuscation, and irregularity that mark an unknown or chained attack rather than a single known CVE — then maps it to MITRE ATT&CK and gives you detection and containment steps. Defensive only.
Recent analyses
| When | Source | Score | Severity | Families |
|---|---|---|---|---|
| Jun 30, 18:34 | request | 93 | critical | traversal,ssrf,deser,ssti,obfusc |
| Jun 30, 18:29 | request | 0 | info | — |
| Jun 30, 18:25 | request | 0 | info | — |
| Jun 30, 18:22 | request | 0 | info | — |
| Jun 30, 18:18 | request | 1 | info | — |
Metadata only — raw payloads are never stored.
How the zero-day detector works
Traditional scanners match known signatures, so they are blind to vulnerabilities that have no signature yet. This detector takes the opposite approach: it measures behavioral anomaly. It looks for the breadth of distinct attack techniques in one sample, structural irregularity, obfuscation chains, and entropy. A payload that blends server-side template injection, SSRF, deserialization, and heavy encoding — without matching a single known CVE — is precisely what scores high on the novelty signal and deserves zero-day-level triage.
Three signals it combines
- Exploitation indicators — weighted detection of injection, traversal, SSRF, deserialization, template injection, XXE, web shells, auth tampering, and memory-corruption markers.
- Novelty / anomaly — how far the sample deviates from normal traffic: technique breadth, entropy, and non-printable content.
- AI reasoning — an optional Claude-powered judgement on whether the sample looks known or novel, with detection and containment ideas. It is strictly defensive and refuses to weaponize anything.
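The following is an added example, not NeoShield's code, of how the first two signals above can be computed on a single sample, and it also illustrates the FAQ answer on the difference between the exploitation and novelty scores. Everything in it is an assumption for illustration: the indicator families and their weights, the severity thresholds, and the way breadth, decoding depth, entropy and non-printable content are combined into a novelty score. The two request lines it scores are constructed test inputs.

```python
"""Hypothetical behavioral-anomaly scorer (illustrative, not NeoShield's code).

It peels obfuscation layers, counts distinct technique families in the
decoded sample, and combines breadth, decoding depth, entropy and
non-printable content into an exploitation score and a novelty score.
"""
import base64
import binascii
import math
import re
import string
from urllib.parse import unquote

# Indicator families (detection content only). Patterns and weights are
# illustrative assumptions, not a real rule set.
INDICATORS = {
    "traversal": (re.compile(r"\.\.[/\\]"), 3),
    "ssrf": (re.compile(r"169\.254\.169\.254|127\.0\.0\.1|localhost|file://", re.I), 3),
    "ssti": (re.compile(r"\{\{.+?\}\}|\$\{.+?\}|<%.+?%>"), 4),
    "deser": (re.compile(r'O:\d+:"|rO0AB|AAEAAAD/////'), 4),
    "xxe": (re.compile(r"<!ENTITY|<!DOCTYPE[^>]*SYSTEM", re.I), 4),
    "sqli": (re.compile(r"union\s+select|(?:'|%27)\s*(?:or|and)\s+", re.I), 3),
}

_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
_PRINTABLE = set(string.printable)


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or random-looking content scores higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_layers(sample: str, max_depth: int = 5) -> tuple:
    """Peel URL-encoding and base64 layers, counting how many were removed.
    A deep decoding chain is itself an obfuscation indicator."""
    layers = 0
    current = sample
    for _ in range(max_depth):
        decoded = unquote(current)
        if decoded == current:
            # No URL-encoding left: try to decode long base64-looking tokens.
            def _b64(m):
                try:
                    return base64.b64decode(m.group(0), validate=True).decode("utf-8")
                except (binascii.Error, UnicodeDecodeError):
                    return m.group(0)
            decoded = _B64_TOKEN.sub(_b64, current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def severity(score: int) -> str:
    """Map a 0-100 score to a label (thresholds are assumptions)."""
    for floor, label in ((80, "critical"), (50, "high"), (20, "medium"), (5, "low")):
        if score >= floor:
            return label
    return "info"


def analyze(sample: str) -> dict:
    decoded, layers = decode_layers(sample)
    families = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(decoded))
    weight = sum(INDICATORS[f][1] for f in families)
    entropy = shannon_entropy(sample)
    nonprint = sum(ch not in _PRINTABLE for ch in sample) / max(len(sample), 1)

    # Exploitation: how strongly the decoded sample matches attack indicators.
    exploitation = min(100, weight * 8)
    # Novelty: technique breadth, obfuscation depth, entropy above a plain-text
    # baseline, and binary-looking content. Coefficients are assumptions.
    novelty = min(100, round(len(families) * 15 + layers * 15
                             + max(0.0, entropy - 4.5) * 20 + nonprint * 100))
    return {
        "families": families,
        "layers": layers,
        "entropy": round(entropy, 2),
        "exploitation": exploitation,
        "novelty": novelty,
        "severity": severity(exploitation),
    }


# Constructed sample inputs (not real traffic).
BENIGN_REQUEST = "GET /products?id=42&sort=price HTTP/1.1"
SUSPICIOUS_REQUEST = ("GET /download?file=..%2f..%2fapp.conf&tpl={{7*7}}"
                      "&url=http://169.254.169.254/latest HTTP/1.1")

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPICIOUS_REQUEST):
        print(req, "->", analyze(req))
```

The benign request matches no family and scores 0 on both signals. The constructed suspicious request decodes one URL-encoding layer and then hits three families (traversal, SSRF, SSTI), so its exploitation score is high; its novelty score is driven separately by the breadth of three distinct techniques plus the decoding layer, which is the "treat as possible zero-day" signal the detector describes, independent of any single CVE match.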
Frequently asked questions
Can a tool really detect a true zero-day?
Not by signature — a real zero-day has none. This detector uses behavioral anomaly analysis: the breadth of distinct attack techniques, structural irregularity, obfuscation, and entropy in a sample. A broad, obfuscated, multi-technique payload that does not match one known CVE is exactly what scores high on the novelty signal.
What should I paste in?
Something you already have as a defender: a raw HTTP request, one or more web access-log lines, a WAF/IDS payload, or a suspicious script snippet. Do not paste anything you are not authorized to analyze.
Is this tool offensive in any way?
No. It only analyzes input to help defenders detect and contain attacks. It never produces, completes, or improves exploit code, and the AI layer is bound by a strict defensive prompt that refuses weaponization.
Do you store what I submit?
No. The raw payload is analyzed for your session and never stored. Only non-reversible metadata — score, severity, indicator families, and a hashed actor id — is recorded for the recent-activity view.
What is the difference between the two scores?
Exploitation score reflects how strongly the sample matches attack indicators. Novelty score reflects how much it looks like unknown or chained exploitation rather than a single known pattern. High novelty is the "treat as possible zero-day" signal.