Traditional antivirus and sandboxing tools operate after malware has already executed—or they’re too slow and expensive to scale across enterprise networks. Zero-day threats exploit this fundamental gap, bypassing signature-based detection because they’ve never been cataloged before. For organizations handling sensitive files across government, defense, and regulated industries, this reactive approach leaves critical infrastructure exposed.
The problem isn’t just detection—it’s timing, cost, and the growing sophistication of file-based attacks that evade behavioral analysis.
The Guest: Dr. Aqib Rashid, Applied AI Lead at Glasswall
Key Takeaways
- Glasswall Foresight predicts malware at the point of ingress—before execution—using AI models trained on CDR (Content Disarm and Reconstruction) telemetry
- Structural-level file analysis enables 99% detection rates with less than 0.1% false positives, outperforming signature-based and behavioral detection
- Operates completely offline in air-gapped and classified environments without requiring external threat feeds or cloud lookups
- Probabilistic threat scoring delivers explainable verdicts (malicious/suspicious/safe) calibrated for SOC analyst workflows
- Currently supports PDF, DOCX, and XLSX with on-prem, cloud, edge, SDK, and API deployment options
***
In this exclusive interview with Swapnil Bhartiya at TFiR, Dr. Aqib Rashid, Applied AI Lead at Glasswall, discusses how AI-powered threat prediction is changing file-based security for Zero Trust architectures.
Why Traditional Malware Detection Fails Against Zero-Day Threats
For over a decade, Glasswall has been securing Five Eyes government networks with Content Disarm and Reconstruction (CDR) technology. CDR breaks files down to their constituent components, analyzes internal structures, repairs files to manufacturer specifications, and removes malware—all while preserving the visual integrity of the document. But CDR alone doesn’t tell you whether the original file was malicious.
Q: What is Glasswall Foresight and what problem does it solve that CDR alone doesn’t?
Dr. Aqib Rashid: “CDR provides you that deterministic capability of making your file safe. We inherently take the view that any file is going to be unsafe. We don’t necessarily care about where it came from. We’re just going to remove the malware, repair the file, bring it back to the manufacturer’s specification and deliver to you a clean and safe file. But that process doesn’t necessarily tell you whether the original file was malicious or suspicious or completely safe itself. That’s where Foresight comes in. Foresight is our new state-of-the-art capability which is able to give you a threat prediction pertaining to the maliciousness of that file.”
The distinction is critical: CDR guarantees file safety through remediation. Foresight provides threat intelligence—telling security teams what they’re dealing with.
Q: What does Foresight do differently from conventional antivirus or sandbox tools?
Dr. Aqib Rashid: “Conventional tools typically operate after or during execution when you’re talking about sandboxing, or you’ll have your traditional AV or signature-based databases that require you to inspect the file in certain ways to establish whether there are particular signatures within the file. The problem with sandboxing is you can have sandbox-aware malware which behaves differently when it knows it’s in a sandbox environment. The cost and scalability of sandboxing is also questionable. Traditional AV has to be regularly kept up to date with signatures. But most importantly, they can’t detect zero-day vulnerabilities or those unseen threats because they need to know what kinds of threats already exist in the wild.”
How AI-Powered Structural Analysis Detects Unseen Malware
Foresight operates at the point of ingress—before files execute. Instead of analyzing behavior or matching signatures, it examines file structure: metadata, content constructs, and embedded elements that reveal malicious intent.
Q: What’s actually happening under the hood?
Dr. Aqib Rashid: “Foresight operates at the point of ingress. We operate on the file before execution. We take the file apart, run it through our CDR process, but we don’t necessarily cleanse it. We only analyze the contents of the file using the technology and capabilities that CDR offers. We can see quite deep down into the structure of the file—particular types of constructs, particular types of content, particular types of metadata. Our telemetry is then fused together and combined in a way that makes sense to AI models we’ve built in-house. Those AI models can then deliver a high confidence verdict as to whether that file contained malware.”
Because Foresight analyzes structure rather than specific code variants, it generalizes across malware families and file types. The structural signature of a PDF exploit remains consistent even when the payload changes.
Dr. Aqib Rashid: “Because we’re operating at the structural level, we’re not inherently tied to specific variants of malware. We’re not inherently tied to specific types of files. What we can actually do is generalize a lot better. We can detect zero-day vulnerabilities because the structure of malware in a PDF file is pretty much always going to be the same. You’re going to find it in the same places. It’s just about how the exploit is then occurring, which tends to differ.”
Probabilistic Threat Scoring and Explainability for SOC Teams
AI-based detection is only valuable if security teams trust it. Foresight delivers calibrated probabilistic scores mapped to human-readable risk levels: malicious, suspicious, or safe.
Q: What does the probabilistic threat score mean in practical terms for a SOC analyst triaging files?
Dr. Aqib Rashid: “With Foresight, because this is AI-based threat prediction, we have to ensure that the probabilities being returned by the model are as accurate as possible and as calibrated as possible. When we say something is malicious, we are highly confident that file is in fact malicious. When we say something is safe, we can be extremely confident it’s safe because the consequences and circumstances within which these technologies operate—there is no chance for second guessing. There is no chance for making a mistake.”
Explainability is a first-order requirement in regulated environments. Foresight doesn’t just return a score—it provides context based on CDR telemetry signals.
Dr. Aqib Rashid: “Some users might not be understanding of what it means to receive a 60% probability back from a model. We’ve spent a lot of R&D and engineering trying to develop human-readable labels which can tell them with confidence whether this particular probability actually means malicious or suspicious, given all the different signals we are now seeing about the file. Explainability is the key thing here. We want explainability to be a first order requirement in cybersecurity in these regulated environments.”
World-Class Detection Rates Without Alert Fatigue
High detection rates mean nothing if false positives overwhelm SOC teams. Foresight achieves 99% detection with less than 0.1% false positives—validated through real-world deployment simulations, not just benchmarks.
Q: Let’s talk about accuracy, especially when we’re looking at traditional detection tools.
Dr. Aqib Rashid: “With Foresight, we can achieve 99% detection rate with extremely low false positive rates, less than 0.1% false positive rates across the board for the file types we support. These are world-class industry-leading stats. Other companies or offerings within this kind of domain are nowhere near this kind of level of performance. The way we’ve validated these models isn’t just by simple benchmarking. We’ve actually tried to simulate real-world deployments and understand how the models will do in real-world conditions when they’re exposed to different types of attacks, different levels of malware.”
The result: genuine signal, not constant noise.
Dr. Aqib Rashid: “What we have at the end is a series of AI models and an AI product that delivers high detection with high precision, without the alert fatigue. We’re getting genuine signal from this product as opposed to just constant noise where it’s calling everything malware, which is not going to be helpful for anybody.”
Air-Gapped and Classified Network Deployment
Many threat intelligence platforms require cloud connectivity or external threat feeds. Foresight operates completely offline—critical for defense, government, and enterprises that prohibit outbound connections.
Q: Foresight operates offline and in air-gapped environments. How does that work without external threat feeds or cloud lookups?
Dr. Aqib Rashid: “Because Foresight isn’t inherently calling back to home, it has no capability of calling to the internet. We’re operating on that structural telemetry of CDR. Everything we need to know about malware or everything we need to know about goodware is already encapsulated within the CDR telemetry and in the models that we deploy and ship. They will have that information to hand and available to them for being able to provide those verdicts about files.”
This eliminates dependency on continuous signature updates and internet connectivity.
Dr. Aqib Rashid: “If you look at threat intel feeds which require regular updates, you often need to call to home and reach out to the internet to update your feed. Or your traditional AV will definitely require regular updates. There are limitations with those kinds of systems when you want to deploy to classified networks, classified systems, air-gapped systems. Foresight operates completely offline, on-prem within your network. It doesn’t require the ability to call to anything external.”
Deployment Models and Integration Pathways
Foresight currently supports PDF, DOCX, and XLSX files with multiple deployment options tailored to customer environments.
Q: Which file formats does Foresight currently support, and where can security teams deploy it?
Dr. Aqib Rashid: “Foresight supports three file types: PDF, DOCX Word documents, and XLSX Excel spreadsheets. The performance of the model for these file types is extremely high. The CDR telemetry we get for all the file types that Glasswall supports is incredibly comprehensive. We offer Glasswall Meteor, our desktop application, which allows you to drag and drop a file into the user interface and obtain the AI-based threat prediction. We also offer Glasswall Halo, our API or server-based offering that can be deployed completely on-prem. But if a customer has an appetite, you can take our SDK and deploy it in any way you want—maybe chain it together in your own application.”
Q: For teams already running CDR, what’s the integration path?
Dr. Aqib Rashid: “Foresight itself is certainly not going to be a re-architecting. Foresight relies on the CDR telemetry. It’s going to be extremely simple to integrate if you are already using Glasswall CDR. Where you’re not using an existing piece of Glasswall software or CDR, this is very easy to deploy—whether you want this as an SDK, through a CLI, on your user’s machine as a desktop application, or as a server. All offerings are on the table. It depends on what the customer wants.”