When the Threat Model Changes, the Architecture Has to Change Too
Enterprise security architectures rested for a long time on the same assumption: if we detect the attacker early enough, we can stop the chain before it completes. Powerful security layers grew around that assumption. The WAF blocks malicious requests. The load balancer enforces protocol-level control. The access gateway determines who the user is and which application they can reach. Logging and SIEM make incidents visible.
Every one of those layers is still necessary. But AI-driven attack automation showed that security can no longer rest on "faster detection" alone. We are now facing a threat model where the attacker can read code, search for vulnerabilities, build exploit chains, and repeat the cycle in seconds.
At this point the question is no longer just "how do we catch the attacker faster?" A more fundamental question needs to be asked: even if the attacker reaches the endpoint, how do we make sure they never reach the application surface?
ZeroLeak is the architectural answer to that question. ZeroLeak runs the web application in an isolated environment managed by TR7 rather than on the user's device. No DOM, JavaScript, API response, session token, or application state is sent to the user's browser. The user sees only the live pixel stream of the application; mouse and keyboard input is forwarded securely to the isolated environment.
The role of the endpoint is deliberately narrowed: not to run the application, but only to display the image and carry the input. The difference may look small, but it is critical from a security-architecture standpoint. Because there is no application on the device the attacker has compromised.
What ZeroLeak Removes From the Endpoint
The architectural property of ZeroLeak is best expressed by what does not reach the user's device.
Live video of the rendered page is the entire endpoint surface
TR7 ZeroLeak product specThe Core Approach: The Application Does Not Travel to the Endpoint
In the traditional web application model, the user's device is an active part of the application. The browser receives the DOM, executes JavaScript, makes API calls, carries session information, and holds part of the application state on its own. That model is functional; but it has an important security consequence: when the endpoint is compromised, the attacker sees not only the screen but the operating surface of the application.
ZeroLeak inverts that model. The application runs not on the user's device but inside an isolated server-side container. What is sent to the user's browser is not the application itself but the application's visual output. The user sees the page, fills out forms, clicks buttons, and continues to interact with the application. But technically the browser does not run the application; it only shows a live pixel stream.
What leaves the boundary toward the endpoint is deliberately limited: no DOM is sent, JavaScript is not executed, API responses are not carried to the endpoint, session tokens are not given to the user's device, application state is not held in the browser. Mouse, keyboard, and navigation events flow back the other direction into the isolated container. The application runs there, is rendered there, and only its image is delivered to the user.
As a result, the surface the attacker is targeting changes. What lives at the endpoint is no longer a directly exploitable application surface, but a display layer with limited authority.
How Pixel-Stream Isolation Works
When a ZeroLeak session begins, a dedicated isolated working environment is prepared for the user. The web application opens in that environment, the identity context is carried in through the TR7 Access Gateway, and user interactions are executed inside that secure session.
From the user's perspective the experience is close to a standard web application. Pages load, menus are used, forms are filled, operations are performed in admin panels. The difference is that all of this happens not on the user's device but inside the isolated container. From the container to the user, only the rendered image flows. From the user to the container, only controlled input events return.
This model provides three security advantages. First, the endpoint does not see the application's internal structure — because there is no DOM in the browser, no DOM-based attack surface is transferred to the endpoint. Second, the application session does not live on the user's device; credentials, tokens, and application responses remain inside the container boundary. Third, the session is ephemeral — when the user finishes, the container is destroyed, and no persistent workspace is left behind for an attacker to find later.
This approach applies the "least privilege" principle to the endpoint level. The user's device does not have the authority to run the application. It only displays the image and forwards the input.
For a long time, when people talked about data leakage they meant file download, copy, print, email, or clipboard — the classical channels. DLP controls were therefore mostly focused on monitoring and blocking those channels. But a screenshot is no longer a simple visual copy. Modern OCR engines and vision AI systems can turn a screenshot of a table, a customer record, a financial value, an identity field, or a technical document back into readable text. A screenshot can become a structured data leak within seconds. Separating the application from the endpoint is the critical first step; but the screen the user sees can also become a leakage channel. ZeroLeak's anti-OCR layers exist to close that channel — the goal is to make screenshot and video captures harder to read reliably for machines, without disrupting the human user's work. The core balance: humans should still read; machines should not parse reliably.
The Three-Layer Anti-OCR Approach
ZeroLeak's anti-OCR approach does not rest on a single technique, because screen-capture methods, OCR engines, and vision AI systems all have different weaknesses and different tolerances. Three layers operate together.
The first layer exploits the gap between human perception and machine perception. The page is shown so that the human user can read it. But controlled micro-disruptions are applied at character edges, line alignment, contrast transitions, and background texture. These disruptions are kept below the threshold of human visual annoyance; but they make OCR character segmentation and word parsing harder. This layer is the first line of defense against classic screenshot capture, screen recording, and lower-quality video capture. The goal is not to hide the screen — the goal is to make the captured image harder for machines to convert into clean, reliable text.
Not every screen area carries the same sensitivity. A navigation menu, a general header, or a help text is not treated at the same risk level as a customer ID, an account balance, a health record, or an admin token. ZeroLeak can handle sensitive content regions at different protection levels depending on context. Dynamic blur, selective masking, or interaction-based visibility can be applied. Content can be controllably visible while the user is actively working on a data field; when focus changes, when screen-capture risk rises, or when the field becomes passive, the protection level rises. This matters for usability: disrupting the entire screen constantly weakens user experience, while targeted protection centers on the sensitive data and reduces unnecessary friction.
OCR and vision AI systems do not read pixels alone. They analyze letter forms, word spacing, line layout, character continuity, and visual relationships across the page. ZeroLeak's third layer breaks those assumptions. Controlled variations applied at the text-layer level preserve the human reading experience while making it harder for the machine to extract text cleanly, consistently, and in structured form. This layer adds resistance specifically against high-resolution screenshots, frame extraction from video recordings, and vision-AI-based content analysis. The goal is not just to "make letters unreadable" — it is to make the page harder to interpret by a machine at all.
Single-technique defenses are studied and bypassed quickly. The three layers cover different bypass classes: visual disruption defeats classical OCR; context-aware blur defeats selective region extraction; text-layer distortion defeats high-fidelity vision models that survive noise-based techniques. As vision models improve, each layer evolves independently. The architectural property — that the application is rendered server-side and only pixels reach the endpoint — is what makes layered anti-OCR feasible in the first place.
Vision AI Defense: The Problem Is No Longer Just Text
The classical OCR threat was mostly bounded by the question: what text is written in this image? With vision AI, the problem widened. The attacker can now extract not only the text but the page context. They can infer which value relates to which customer, which field carries financial data, which screen belongs to an admin panel, or which workflow is running.
For that reason ZeroLeak's visual protection approach is not limited to disrupting characters. Page integrity, field relationships, sensitive data regions, and visual context are all part of the defense model. The goal is to deny the attacker reliable answers to questions like: what is the sensitive text on the page, which value relates to which user, which field carries financial or identity data, from which session was this screenshot taken, to which user can the leak be attributed.
ZeroLeak addresses each of these questions in a different layer. Anti-OCR disrupts readability. Watermarking and steganography provide attribution. Forensic recording preserves the surrounding context of the incident.
No visual protection layer eliminates every leakage possibility. An authorized user can point a phone camera at the screen. A person can retype information from memory. As long as visual output exists at all, leakage probability is a reality that must be managed. ZeroLeak therefore focuses not only on prevention but on attribution and deterrence. The visible watermark carries user identity, timestamp, source system, and session info — it deters and provides immediate attribution if a screenshot surfaces. The invisible steganographic mark is embedded at the pixel level; it survives JPEG compression, resizing, and routine image editing. Even if the visible watermark is cropped out, the invisible mark identifies the source. Both layers update live during the session and are tied to the authenticated session identity — a dynamic, session-bound attribution mechanism rather than a static stamp.
Forensic Recording: Reconstructing the Incident Afterwards
One of the most important effects of AI-driven attacks is speed. Breach windows can compress from minutes to seconds. Under those conditions, security teams need not only to generate alerts but to rapidly reconstruct the after-the-fact reality.
For this reason ZeroLeak treats session recording as an integral part of the architecture. The aim is not just to answer "who logged in?" The real aim is to reconstruct what was seen during the session, which actions were taken, which data was processed, and how the chain of events unfolded.
Forensic Recording Capabilities
Full Session Video
Every ZeroLeak session can be recorded from start to finish as video. Security teams can replay what pages the user saw, what steps they followed, and what operations they performed. A strong evidence layer for incident review, internal investigation, audit, and compliance.
Smart Screenshots
Event-driven, not periodic. Screenshots are taken on meaningful events — a new page load, a form submission, a copy operation, a download attempt, a critical administrative action. The approach reduces noise and provides fast access to the moments that matter.
Word-Based Keystrokes
Keys are recorded not as individual characters but as word-level events. Auto-repeat is filtered out. A security analyst can read what the user typed or which commands were issued in a far more usable format than character-level logs.
Click and Navigation Tracking
Every click position, URL change, and SPA navigation event is recorded. The chain of user actions can be reconstructed without inference. Critical when an incident requires precise sequence-of-events analysis.
Clipboard Operations
Copy, cut, and paste events are logged with their content. The clipboard is one of the critical channels for authorized-user-driven data leakage; making it visible alongside its content is essential for understanding how a leak actually happened.
Integrity-Protected Logs
Session logs are chained for integrity. Subsequent manipulation is detectable. This property matters for legal proceedings, regulatory audits, internal investigations, and post-incident evidence management.
Where Is ZeroLeak Meaningful?
ZeroLeak is not a mandatory layer for every web application. Its value emerges in scenarios where carrying the application surface to the endpoint is unacceptable. It provides strong architectural control particularly in these situations: portals where sensitive data is displayed, privileged admin consoles, third-party and contractor access, access from personal devices (Personal Device (BYOD)), SCADA and ICS interfaces, classified document systems, legal review and research platforms, and critical workflows that require auditability.
The common thread in these scenarios is this: the user must be granted access, but carrying the application surface and the data to the user's device is risky. ZeroLeak answers that dilemma with visual isolation.
How Visual Isolation Works in Each Scenario
SCADA and ICS Environments
In industrial control systems, opening management interfaces directly onto user devices creates serious risk. With ZeroLeak, operators reach SCADA and ICS panels through visual isolation. The industrial network is not exposed directly to the user's device. Every parameter change, every control action, and every session can be recorded. This model preserves operational continuity while strengthening network isolation.
Banking and Finance
In banking and finance environments, customer data, transaction records, and admin screens carry high sensitivity. ZeroLeak provides isolated access to internal customer portals and admin panels. Because customer data, DOM, or API responses are not carried to the user's device, leakage risk from administrative access is reduced. Session recordings form a strong evidence base for audit and compliance.
Classified Documents and Portals
For some documents, classic DLP is not enough. Blocking downloads does not prevent exfiltration by screenshot. ZeroLeak limits download, copy, and print on sensitive document portals, and applies anti-OCR, watermarking, and steganographic marking against visual leakage risk. If a screenshot surfaces externally, source identification becomes possible.
Contractor and Personal Device (BYOD) Access
Third-party contractors and personal devices are a difficult access problem for enterprise security teams. ZeroLeak simplifies the model. The contractor reaches the application through a standard browser, but the real application surface does not land on the device. The organization can isolate the application surface even when it cannot fully manage the device.
Privileged Admin Consoles
Cloud consoles, database admin tools, CI/CD panels, and internal control planes are high-value targets for attackers. ZeroLeak provides access to those consoles through an isolated container. Credentials, session tokens, and admin interfaces do not reach the endpoint. The user operates the interface, but the admin surface stays off the device.
Legal, Education, Sensitive Research
In legal document review systems, research databases, exam platforms, and education portals, the core risk is usually not unauthorized access. The risk is data exfiltration during authorized access. ZeroLeak lets the user see the content while making it harder to extract that content as files, text, or screenshots. Every access is recorded for auditability.
Native Integration with the TR7 Stack
ZeroLeak is not a separate product bolted onto the TR7 platform. It is a native security layer within the TR7 WAAP architecture, operating alongside the WAF, Load Balancer, GTM, and Access Gateway.
Shared Identity and Policy
ZeroLeak sessions authenticate through the TR7 Access Gateway. The same identity context, MFA, conditional access, and authorization policy applied at the gateway carry into the isolation layer. Policy is not synchronized — it is shared. This prevents the gateway and the isolation layer from reaching different access decisions.
Unified Observability
ZeroLeak session events land on the same observability surface as WAF blocks, load balancer metrics, GTM decisions, and AGS authentication events. Security teams can investigate an incident in the context of full application traffic and identity activity, not through a single product's UI in isolation.
Operational Simplicity
ZeroLeak does not require a separate, parallel deployment model. For an application already protected by TR7, isolation can be enabled at the policy level. Less integration, less maintenance overhead, less fragility. From the architecture side: integration seams an attacker could exploit are reduced.
WAF in Front
TR7 WAF handles volume and known-pattern enforcement before traffic reaches ZeroLeak. The two layers compose: WAF absorbs scan-and-bypass attempts; ZeroLeak ensures that even a fully bypassed WAF does not put the application surface in the attacker's hands.
Load Balancer Beneath
TR7 Load Balancer handles TLS termination, protocol enforcement, and traffic distribution. The isolated containers behind ZeroLeak benefit from the same scale, the same observability, and the same operational baseline as the rest of the application stack.
One Vendor, One Stack
Loosely-coupled security chains built from separate vendors produce policy-consistency and compatibility risk at every release cycle. ZeroLeak is designed to reduce that risk by being a natural part of the TR7 stack — one upgrade path, one support relationship, one set of operations runbooks.
The Security Model: Reducing the Surface Instead of Racing the Attacker
ZeroLeak's core claim is not that you can always catch the attacker faster. That is no longer a safe assumption. ZeroLeak's approach is different: remove the application surface the attacker would target from the endpoint.
In this model, the security assumption shifts. If there is no DOM on the user's device, the DOM-based attack surface is not carried to the endpoint. If JavaScript does not execute, client-side script exploitation is bounded. If API responses never reach the endpoint, there is less application data to capture in memory. If credentials never leave the container, even a compromised endpoint diminishes the value of the session. Even if a screenshot is taken, watermark, steganography, and anti-OCR layers engage. If an incident does occur, the full session recording supports retrospective review.
This approach does not replace detection-centric security. WAF, access control, behavioral analysis, and logging remain necessary. But ZeroLeak adds a different architectural barrier alongside those layers: the application does not travel to the device the attacker is on.
Conclusion: Why Visual Isolation Matters for the Next Generation of Application Security
AI-driven threats are pushing security teams not only to build faster detection mechanisms, but to rethink application architecture itself. Knowing every attack in advance, closing every vulnerability before the attacker, and stopping every exploit chain within seconds is not a reliable security assumption.
For that reason, critical applications need a stronger approach: separating the application surface from the endpoint. ZeroLeak implements that approach as visual browser isolation inside the TR7 platform. The application runs in an isolated container. The user sees only a pixel stream. Anti-OCR layers reduce screenshot risk. Watermarking and steganography make the leak source attributable. Forensic recording provides the context needed for post-incident review.
In the end, ZeroLeak's goal is not to change the user experience entirely but to change where the application runs. The user continues to use the application. The attacker, however, cannot reach the application surface.
References & Related Reading
Full product overview, technical specifications, and use cases. /platform/addons/zeroleak
Why detection-first security strategies hit their limit in 2026, and the architectural response. /resources/analysis/ai-inflection-point-2026
How webpages now attack the AI agents visiting them, and where browser isolation fits. /resources/analysis/browser-agent-prompt-injection
Analysis of breach-window collapse from 8 hours (2022) to 22 seconds (2026). https://blog.jazzcybershield.com/agentic-ai-cyber-attacks/
Academic research on adversarial perturbations and vision-AI accuracy degradation. https://thehackernews.com/2026/05/2026-year-of-ai-assisted-attacks.html
Documentation of AI tooling moving from supporting role to active attack surface. https://www.microsoft.com/en-us/security/blog/2026/04/02/threat-actor-abuse-of-ai-accelerates-from-tool-to-cyberattack-surface/
Market overview of the remote browser isolation category. https://www.gartner.com/reviews/market/remote-isolation-software
Protect Your Most Sensitive Applications
ZeroLeak delivers zero-access visual isolation, multi-layered anti-OCR, two-layer leak attribution, and complete forensic session recording — natively integrated into TR7. Built for sensitive customer portals, privileged admin consoles, SCADA/ICS interfaces, classified document systems, contractor access, and Personal Device (BYOD) scenarios. Available as a premium add-on for all TR7 license types.
Explore ZeroLeak