Technology and Product

Spherical Defence ingests many forms of structured data, from HTTP traffic to AuditD System Call logs. Events in this form are converted into points in space, in which many geometric properties arise. The most interesting property is that nearby points within this space have a similar meaning.

Rather than using a 3-dimensional space with X, Y and Z coordinates for each point, we instead use 150 dimensions. This enables us to capture far more nuance in the content of the processed data, and means that even small abnormalities and deviations can be detected.

Whole streams of user behaviour can be captured as the movement between consecutive points. This movement is the unique fingerprint of a user, user type, or process - depending on the application.


If this fingerprint looks different to what is commonly seen, several things can happen. First, the event that caused the deviation can be blocked. This is useful for HTTP traffic, where attacks can cause damage to running web servers. The second option is that an event is fired to an existing SIEM system such as Splunk or LogRhythm. The final option is that logs are written for ingestion by a downstream service such as LogBack.


Spherical Defence can be deployed completely on-premise or on private cloud via docker image. The deployment optionally utilises GPU acceleration to handle high throughputs.


As user and system behaviour changes over time, Spherical Defence continuously retrains to capture these alterations. This prevents trained models from going stale, and causing false positives and negatives.

Rapid Deployment

Our model is built using API access logs, which may be historic data, or real time API requests. Unlike WAFs, there is no need for the creation of rules or signatures

Easy Integration

Our technology fits within your existing infrastructure, be that on premise or a private cloud.  Our models are agnostic to your choice of infrastructure

Secure and Confidential

All your data stays within your network, and our model can be built and operated without requiring any third-party access to your data

Unattended Learning

We dynamically build any number of models to protect each of your applications, without the need for user intervention

Transparent Operation

Security is provided with little or no performance degradation.


We provide fail-safe service against any single point of failure