From Dr. Chase Cunningham's presentation at Edge Computing Expo North America 2026 in San Jose. Watch the full video below or read the key takeaways.
If an Endpoint Is Stateful, It's a Launch Point
If an endpoint stays in the same state, it's just providing the bad guy an ability to launch stuff inside a system, inside a network. From a red teamer's perspective — and I was a red teamer at NSA — I want your machines to be stable. Because what does that mean? When I drop a backdoor, I can come back to said machine and leverage it to do things inside your network.
The other thing people lose in the mix: your endpoint is not much more than a door to the infrastructure itself. Red teamers, bad guys — they're not usually too interested in your machine itself. We want what's behind it. It's kind of like if I walk up to your front door, I don't care about your door. I want what's in the house.
Bad guys don't sit there and go, "Yes, we got an endpoint." They go, "Yes, we got infrastructure."
The Underground Economy of Persistent Access
If you look at what's going on in the underground, bad guys will take one machine and sell it to somebody else — in bulk. Tens of thousands of endpoints at a time, so folks can come back and use those systems for other accesses. It's big-time business. It's basically funding a lot of Russian criminal corporations. Not that the Russians ever do this stuff. I'm just saying theoretically, right?
Traditional endpoints preserve the basic material that attackers need to turn one session into a foothold. If I get to one machine — especially a machine that is authenticated and authorized and connected — guess what? I'm able to leverage all those things on that machine to get towards the next step.
Kernel Mode Is God Mode
If you think about endpoint security and the technology we've been buying — some vendors who market stuff like "we stop breaches" except they don't, and they actually bring down the internet on their own because they ship bad code on Friday — you're basically saying "I can do stuff at the kernel level." If I can do things at the kernel, that's god mode.
All this software that's running out there that does stuff to stop breaches — which it doesn't — is operating at kernel mode. Go look up bypass methodologies. It is easy to leverage kernel to do a whole lot of bad things inside of systems.
You do not want to leave your endpoints in a stable position unless you want to offer it up to the bad guys to leverage and resell.
Change the Unit of Control: From Device to Session
If we change the unit of control from the device itself and move towards a model where the session is the avenue of control, that takes away the bad guys' ability to continually access that system.
How many folks have ever heard the conversation from a phishing test about "the bad guys only got to be right once"? I hate that because that's a victim mentality. Just because you kicked in my front door doesn't mean you get to live there and drink my beer, right? That's not the way this works. I'm from Texas. It definitely won't work out well for you.
The truth is you want to move towards a session-based approach because session means for the time that we're connected, bad things might happen. But when we roll over and reset and nuke the machine back to a known good state — you lose.
Yelp for Criminals
From the bad guy perspective, if I'm reselling access on the underground to machines that I tell people I've compromised and those accesses go away, guess what? In the bad guy world, I am no longer a valid seller. These folks rate each other. They have like Yelp for criminals.
If you're doing bad things and selling machines that don't provide access, they will talk, share it in the forums, and you will lose those customers.
If we can change the approach — from "here's a machine, it's up, it's stateful, I've got antivirus running on it, we're good" to "here's a machine, it does what it needs to do, only the applications available for that session are available, do what you need to do, then you're done, move on" — the bad guys lose.
Ephemeral Denies Persistence
This used to be theory and concept. Now it's actual technology. Ephemerality essentially denies persistence. That's what we're trying to get to.
I don't care if you get compromised. I'm sorry, it sucks for you. Your machine got hacked. What I care about is taking care of my infrastructure.
The control objective here is to remove the foothold. If there's nowhere durable for the bad guy to exist, you are the harder target. They will find someone else. It's not worth their time and effort. If I have 100,000 other machines out there that I can compromise and resell and make that money and buy my Lambo and drive it around Red Square in Moscow, why would I bother with your organization where everything resets?
A rising tide in cyber does not lift all ships, but it sure takes care of me.
The Session Window
If you're bounding it, compromise only exists in that session window. We already do this to some degree with SSO — how long does an SSO session last? Hopefully about 8 hours. So at least you know at 8 hours somebody is logging out, logging in.
We can do this in real time on the machine, which really changes the game. I want to go back to a known good state. You deployed malware on my machine? Oh no, that's terrible. Guess what? Roll back over. Malware is gone because we're in a clean state prior to that.
Take my machine. Drop it in downtown Johannesburg. Put whatever you want on it. When it reloads, when it goes back to the session before — life is good.
Compliance Gets Easier
With this approach you get rid of a lot of crap running on machines that's just slowing stuff down — aka Microsoft's entire portfolio, right? If you can prove the policy, you're doing things to enable compliance quicker, better, faster.
There's no reason you should be compliant for your entire infrastructure. The only people that benefits are the auditors. Why do I have to be compliant for everything in my infrastructure when everything in my infrastructure is not actually within the scope of the compliance objective?
Why do I have to have everything PCI compliant? Only the stuff that does credit cards should be PCI compliant. But if it's connected and it's not ephemeral and you don't have policy to govern it, guess what the auditors say? "It's got to be compliant because we said so."
If you change the approach — only the stuff that's supposed to be there is going to be there, only the things that can access it are supposed to access it, and we're going to apply compliance controls for those machines where it needs to be — you reduce your compliance portfolio. If you reduce your compliance portfolio, you save money, because auditors ain't cheap.
Not Every Endpoint Should Be a Workstation
If you think about what's going on with your organization, there's a lot of people that work in your organization that probably don't need an Intel Pentium 7 processor, super Dell computer, or whatever else. There's probably a lot of folks that work on terminals that do just one or two things.
If you go to the airport, you know those folks that stand up there and do the clickity clicks and then get your seat and change it and give you the coffee coupons and all the other stuff — they should only have one application that they need with one user logged in to do the thing and then somebody else jumps on it.
If it's a terminal, if it's a thin client, if it's a dumb session — it shouldn't have all that other stuff on it. You shouldn't have to be secure or compliant for some terminal that does one thing. That's a waste of your money. It's a waste of your time. It's increased risk. And it makes no sense.
The Math Works Out
I did this based on a sample with 1,000 endpoints. If you want to license all thousand of those machines from CrowdStrike, you're looking at $184,000. Yikes.
If you change the approach and just go to this model — that's a 40% reduction. You're saving a lot of cash. And guess what happens when you save cash? You can use that money for other things.
This is not even including the services to make that stuff work. They will nickel and dime you to death to make sure that everything's doing what it's doing and that they have pro services and SLAs. Why would I budget for that when I can just remove that from the equation?
Don't pay to maintain entropy.
The Ephemeral Model
Define the policy. Run the session. Reset. Reload. Keep going. The user will not be affected by this. The machine will not be affected by this. You're rolling over to a known good state.
You can actually say, "Go ahead, drop malware on this." When it rolls over based on the policy, you're back to where you were before. This removes the bad guys' ability to be successful. Fewer agents, less sprawl, less patching, less BS. All those things go away.
Really take a second and ask the question: if I have a thousand machines, how many of those thousand machines are we using everything on the machine all the time? The number is probably pretty close to zero. Why would you let yourself have that excessive risk when you can remove it?
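As an added illustration of the model in the "Change the Unit of Control", "The Session Window" and "The Ephemeral Model" sections, the Python sketch below is example code written for this page; it is not the speaker's code and does not model Scylos, ZeroCore or Switchboard. It treats the session, not the device, as the unit of control: a content-hashed known-good baseline image, a per-session copy-on-write overlay that receives every write, an application allow-list and a session window enforced by policy, and a reset that boots a fresh session only after the baseline re-verifies against the known-good manifest. The image contents, paths, policy values and the attacker's actions are all constructed for the example.

```python
"""Session-scoped endpoint model: known-good baseline + discardable overlay.

Example code for this page, not a real product. Assumptions: the baseline is a
path -> bytes mapping produced at build time, and a SHA-256 manifest over it
stands in for whatever signed measurement a real substrate would carry.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed baseline image (illustrative paths and contents).
BASELINE_IMAGE = {
    "/bin/browser": b"browser-binary-v1",
    "/bin/ticketing": b"ticketing-client-v1",
    "/etc/startup.d/README": b"nothing runs from here",
}


def manifest_hash(image: dict) -> str:
    """Order-independent content hash over path/content pairs; the known-good reference."""
    h = hashlib.sha256()
    for path in sorted(image):
        h.update(path.encode())
        h.update(b"\0")
        h.update(image[path])
        h.update(b"\0")
    return h.hexdigest()


KNOWN_GOOD = manifest_hash(BASELINE_IMAGE)


class PolicyViolation(Exception):
    """The session tried to do something its policy does not allow."""


class IntegrityFailure(Exception):
    """The baseline does not match the known-good manifest at boot."""


@dataclass
class Session:
    allowed_apps: frozenset
    max_seconds: int
    started_at: float
    baseline: dict
    overlay: dict = field(default_factory=dict)  # every write lands here, never in baseline

    def _check_window(self, now: float) -> None:
        if now - self.started_at > self.max_seconds:
            raise PolicyViolation("session window expired; reset required")

    def write(self, path: str, data: bytes, now: float) -> None:
        """Writes are allowed during the session but only touch the overlay."""
        self._check_window(now)
        self.overlay[path] = data

    def read(self, path: str):
        return self.overlay.get(path, self.baseline.get(path))

    def run(self, app: str, now: float) -> str:
        """Only allow-listed applications that exist in the image may execute."""
        self._check_window(now)
        if app not in self.allowed_apps:
            raise PolicyViolation(f"{app} is not in this session's allow-list")
        if self.read(app) is None:
            raise PolicyViolation(f"{app} is not present in the image")
        return f"ran {app}"

    def view(self) -> dict:
        """What the session currently sees: baseline with the overlay applied on top."""
        merged = dict(self.baseline)
        merged.update(self.overlay)
        return merged


def boot_session(allowed_apps, max_seconds: int, now: float, baseline: dict = BASELINE_IMAGE) -> Session:
    """Verify the baseline, then start a session with an empty overlay.

    Nothing written during an earlier session is visible here: the previous
    overlay was simply dropped, which is what 'ephemeral denies persistence' means.
    """
    if manifest_hash(baseline) != KNOWN_GOOD:
        raise IntegrityFailure("baseline does not match known-good manifest; refusing to boot")
    return Session(frozenset(allowed_apps), max_seconds, now, baseline)


def demo() -> dict:
    """Attacker plants a startup hook and an implant in one session; the reset discards both."""
    allowed, window = {"/bin/ticketing"}, 8 * 3600  # one app, 8-hour session window
    s1 = boot_session(allowed, window, now=0.0)
    s1.run("/bin/ticketing", now=10.0)
    # Constructed persistence attempt: drop a hook plus the binary it points at.
    s1.write("/etc/startup.d/backdoor", b"run /bin/backdoor", now=20.0)
    s1.write("/bin/backdoor", b"implant", now=21.0)
    planted = s1.read("/etc/startup.d/backdoor") is not None
    try:
        s1.run("/bin/backdoor", now=22.0)
        ran_backdoor = True
    except PolicyViolation:
        ran_backdoor = False
    dirty = manifest_hash(s1.view()) != KNOWN_GOOD
    # Session ends; the next boot re-verifies the baseline and starts from a clean overlay.
    s2 = boot_session(allowed, window, now=9 * 3600.0)
    return {
        "planted": planted,
        "ran_backdoor": ran_backdoor,
        "dirty_during_session": dirty,
        "survived_reset": s2.read("/etc/startup.d/backdoor") is not None,
        "clean_after_reset": manifest_hash(s2.view()) == KNOWN_GOOD,
        "baseline_untouched": manifest_hash(BASELINE_IMAGE) == KNOWN_GOOD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the sketch makes is the one the talk makes: the hook is genuinely present and the session is genuinely dirty while it lasts, but it never reaches the baseline, the allow-list keeps the dropped binary from executing, and the next boot refuses to start at all if the baseline has drifted from its manifest.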
The Bottom Line
When the endpoint does not persist, the compromise cannot persist. You win, the bad guy loses. It's that simple. It's physics.
There is a better way to do cybersecurity. There's a more intelligent approach to the problem that aligns with things like zero trust strategically and it's based on using the technology the correct way with the right capabilities to remove the adversary's ability to be successful.
This is not about defensive thinking. Defensive thinking has failed us categorically. If you go back to when we started talking about high walls and firewalls — what did we use to call malware? We called them Trojans. You know why? Because the first time the perimeter-based model of cybersecurity failed was in Troy in the 1400s BC.
We've known for thousands of years that model was categorically going to fail. All we did was digitize it, put everything on the planet on it, give it excessive capabilities, excessive privileges, and excessive access. And we said, "Man, if we build a higher wall, eventually we'll get this right."
You can keep doing that and be the easy target. Or you can change the approach, change the thinking, optimize the investment, and do things the smarter way.
Further Reading
Learn more about Dr. Chase Cunningham joining the Scylos Board of Advisors: Press Release
For deeper technical documentation and implementation guidance, explore the Scylos Knowledge Base.
What Is Scylos?
Scylos is the company that built zero trust at the substrate layer into a production platform. It consists of ZeroCore, a minimal cryptographically verified execution substrate that replaces the operating system as a persistent dependency, and Switchboard, the centralized control plane that orchestrates ephemeral, containerized workloads on demand.
Together, they implement the substrate-layer security model Dr. Cunningham describes. No persistent state. No residual compromise potential. Every boot begins from a known-clean baseline. The endpoint is no longer something to protect; it becomes something on which a compromise cannot persist past the session.