BedRock Active Security™

BedRock Active Security™ enables deep semantic forensics for the guest operating systems or applications and does not require their cooperation. Active Security™, living within BHV™, protects and enforces the behavior of the guest operating systems and applications even within a contested environment. With the power of virtual machine introspection, detailed forensics for guest machines, virtual services and hardware resources are unlocked. Deep semantic information supports fine grained policy lock down and blocks malicious behavior from instruction level to application behavior. It has become possible to implement cyber resilient systems and fail operational systems without the need to change applications.

If you are interested in partnering with BHV and Active Security for Orchestration, Device Management and Policy Management, please contact us to discuss how to enable and expand your customer base on Bedrocked infrastructure.

BHV™ supports workloads being unmodified guests, containers and services. Traditionally applications are vulnerable to attacks. By consolidating these workloads on top of BHV™ not only the benefits of SWaP-C* are a significant benefit, but also the fact that lateral movements are impossible thanks to the formally proven Bare Metal Property™, but also the BedRocked™ applications can be locked down, monitored and made cyber resilient with deep semantic introspection and policy.


BedRocking™ operating systems, services, containers and applications is saving costs, adds agility and creates cyber resilient systems from existing assets in a software defined architecture.


If you are interested in partnering with BHV™ and Active Security™ for Orchestration, Device Management and Policy Management, please contact us to discuss how to enable and expand your customer base on Bedrocked™ infrastructure.

Deep Semantic Forensics

Active Security™ is using Virtual Machine Introspection, introduced by Tal Garfinkel Mendel Rosenblum, with detailed semantic understanding of the guest operating system virtualized. Just to name a few, it has an understanding of processes, Kernel Data Structures, Memory Layout, Devices and System Call Tables. It can do much more than the usual logging of a system and can be enhanced to understand applications and their intended behavior and to alert on deviation. While this is already extremely powerful at virtual machine level, it becomes even more impactful when combining this deep semantic information cross guest machines, containers and devices in the network, to power your real-time decision process in a critical and/or data driven environment.

Formal Verification

Building a foundation based on formal verification enables us to precisely define with a formal model what a system can do. This is then matched, through proofs, to the actual code implementing the model. If the proof can satisfy the model, the code is formally verified. Formal verification allows us to establish the correctness of a system to the same degree of confidence that you know that 1 + 1 = 2, eliminating human error. In other words, we have mathematical proof of the BedRock Hypervisor’s effectiveness. At BedRock we are building formal verification at scale by investing in automation.

Minimal Attack Surface

The BedRock Hypervisor combines the best concepts from microkernels, capability-based systems, and modular design for superior performance, security, and isolation. Because it enforces the principle of least authority, BedRock is able to guarantee that most attacks are not possible to begin with. Our secure architecture keeps all critical functions, including Active Security and Policy Enforcement, below the OS-reachable attack surface, thereby fully protecting the OS and its applications.


BedRock Security is enabled without a cooperating operating system or application, eliminating the attack surface of the components. Based on formal verification, the capability-based system ensures resources can only be accessed when explicitly enabled. With this level of security embedded into the BedRock Hypervisor, users can run the software stack from the OS and up without modification beyond their life cycle, while still preventing attacks.

Unmodified Guest OS & Applications

The BedRock Hypervisor is designed to run unmodified guest operating systems without the need to recompile the kernel or any application. Powered by formal methods, the Hypervisor cannot be breached, and, therefore, is not part of the attack vector. The fundamental hardware abstraction layer can leverage hardware features while concealing them from the OS, increasing system security.


No Vendor Lock-In

The BedRock Hypervisor includes a business-friendly open source license. This prevents vendor lock-in, provides freedom of choice, and prohibits intellectual property contamination. Rather than create a dependency, BedRock Systems is committed to community-driven projects and collaboration.


Interact With Us

Contact Us ›

Give us a call or fill out our contact form.

Partners ›

Apply to become a partner with BedRock.

Insights ›

Learn how BedRock's technology can benefit your business.