"We are introducing a new security category"
You describe your product as a "condom for the PC". In what cases does your "protection" work, and how does it function?
The metaphor is intentionally provocative because it describes a complex security principle in very simple terms: VISS protects wherever productive computers today must interact with untrusted digital content, such as websites, documents, portals, email attachments, or remote access channels. That is exactly where the attack surface arises in classical architectures. To achieve this, we place an external system in between: the VISSBOX. It consists of three modules: the communication module, the victim module, and the camera module.
The communication module is connected exclusively to the host. It receives mouse and keyboard commands from the host and forwards them unidirectionally to the victim module. The victim module connects to the outside world and processes and renders the content in a deliberately exposed environment. The camera module then captures only the visual result of the victim module, transfers it across a galvanically isolated boundary, and further processes it before passing it on to the protected host. As a result, the host receives no executable input from the untrusted context, only the rendered result. Our approach is therefore not to keep getting better at detecting malicious code. Our approach is to eliminate the execution path by architecture. Unlike software-based defenses that try to make the lock harder to pick, VISS removes the door entirely.
That almost sounds as if you no longer need any other security measures when using your solution. Is that correct? Or are there scenarios that the VISSBOX cannot intercept?
VISS is a new base layer for endpoint security, but not a complete security strategy. We address very specifically one of the most dangerous attack classes: the compromise of productive endpoints through remote malware or other executable content from untrusted sources. When this interaction runs through VISS, exactly this path to the protected host is structurally severed. Of course, other risks remain: phishing via legitimate credentials, compromised identities, insider threats, misconfigurations, attacks on backend systems, or physical access. Modern cybersecurity always remains multi-layered. So, we do not solve "everything," but we remove a central escalation path through which many attacks begin today.
The protection of critical infrastructure is currently one of the most pressing questions facing our society. Are there recent incidents that VISS could have prevented?
Many serious cyber incidents only become systemic when a productive endpoint is compromised. That is precisely the escalation step we cut off. When you look at real cases, you see the same pattern again and again: A compromising input hits a productive computer, execution begins there, and from there the chain reaction starts. A prominent example is the attack on a large German financial and leasing services provider. Based on publicly available information, the incident led to massive IT restrictions, long operational outages, and later also to data appearing on the dark web. Reports indicate that the escalation began with a compromised Excel file. That is precisely the point: A single compromising input on a productive system can be sufficient to turn a security incident into a company-wide crisis. If this risky interaction had run through the VISSBOX, the protected endpoint would not have executed that code. Another example is the malware-related disruptions at European airports in 2025 in connection with Collins Aerospace systems. There it became visible how quickly a digital compromise can lead to real operational consequences: check-in failures, manual processes, delays. This is exactly the kind of environment where physical decoupling is so essential. When operational workstations and terminals do not directly absorb the untrusted code path, the blast radius remains contained rather than eating into ongoing operations. And then there is the everyday scenario that almost every company knows: An employee is on a business trip, uses a public Wi-Fi network, or opens a manipulated file. In classical architectures, this can lead through lateral movement to a complete company-wide compromise. With VISS, the content is still displayed, but not transferred as executable input to the protected host. The economic scale of such incidents is substantial. According to IBM, the average global cost of a data breach is around USD 4.9 million. Worldwide, Cybersecurity Ventures now estimates the total cost of cybercrime at nearly USD 10.5 trillion.
What should decision-makers from politics, industry, and KRITIS know about the security of the "digital society"?
Cybersecurity is no longer a pure IT topic, but a question of resilience, sovereignty, and functionality. When digital systems fail, it is not only computers that come to a standstill, but often real processes: mobility, production, communication, administration, healthcare. That is precisely why it is no longer sufficient to treat cybersecurity merely as a tool stack, an operating cost item, or a compliance question. At critical points, we need architectural decisions that permanently reduce attack surfaces and prevent individual failures from becoming systemic crises. Our core thesis is therefore deliberately ambitious: If software trust remains permanently fragile, "physical trust" must become the next base layer at critical endpoints.
About two months ago, you announced that VISS was selected for the NATO DIANA program. What does this milestone mean concretely for you?
For us, NATO DIANA is not just a label, but validation, acceleration, and access to real deployment environments. For a company like VISS, this is particularly important because safety-critical hardware does not win through slide decks, but through tests, evaluation, and robust use-case scenarios. That is exactly what DIANA stands for. Added to this is access to relevant stakeholders, realistic test environments, and an environment in which resilience is not an abstract idea but an operational necessity. The financial component is also important. Non-dilutive funding is particularly valuable for deep-tech startups because it enables technological maturation without immediately triggering new dilution. The fact that we were selected in a highly competitive selection process from several thousand submissions is therefore a strong signal for us: Our approach is perceived not merely as an interesting idea, but as technology with real security-policy relevance.
VISS aims to become the standard in every critical IT environment in the future. How do you envision this transformation, and what are the major steps to get there?
Every decade brings a new security layer. We believe that physical endpoint isolation is the next one. We see the path in three stages. First: today, the external VISSBOX as a plug-and-play solution for existing systems. Second: tomorrow, miniaturization and integration into safety-critical devices and OEM environments. Third: in the long term, a standardized hardware security function at the module or chip level. The transformation will not happen overnight. But when attacks scale faster than patch cycles and when resilience becomes a strategic capability, isolation will move from a special case to a base layer. That is precisely where our vision lies: from a box next to the computer to a foundational hardware security layer for networked endpoints.
How does a startup like VISS benefit from the support of a leading research center like CISPA?
To us, CISPA is an environment in which a radical security idea is not only supported, but also rigorously challenged. For a deep-tech startup, this is extremely valuable. If you want to build a new security category, you do not need an environment that only applauds, but one that critically questions technological claims. This sparring is exactly what helps us to further sharpen our architecture, security argumentation, and priorities. At the same time, CISPA brings access to networks, talent, and credibility. Especially for safety-critical technologies, this connection between research, industry, and the public sector is a real accelerator. We see CISPA not merely as a source of support, but as a place where a technological thesis gradually becomes a robust reality.