Vilkas — Lithuanian for wolf — is GMTek's real-time security monitoring platform. Where most tooling waits for a breach and cleans up after, Vilkas plants tripwires that fire before the attacker can do damage. Mean-time-to-detection measured in seconds, not days.
Phase 1 live on our own infrastructure · Sub-2s MTTD · Shadow-mode-first
The industry average to even notice a breach is measured in days or weeks — long after the attacker has planted persistence, exfiltrated data, or pivoted. Vilkas inverts that. It seeds decoys and tripwires across hosts, browsers, networks, and SaaS accounts, then fires the instant something hostile touches them. By the time a normal alert would land, the attacker's already blocked and reported.
Each component watches a different attack surface. Together they cover the paths a real intruder actually takes — and most of them fire in under a second.
Decoy files — fake credentials, fake key lists — planted where they have no business being read. Linux inotify catches any access in sub-100ms and captures the process, user, and command behind it.
File-integrity monitoring on the files attackers tamper with to persist — authorized_keys, SSH config, shell startup files. Any unauthorized change fires an instant alert with who and when.
Reads Google / Microsoft / Apple security emails in real time — new device, recovery-phone change, 2FA disable, new OAuth grant — and alerts within seconds instead of the hours it takes you to notice.
Ties a tripped tripwire back to the SSH session origin IP, so a canary trip or file change comes with the attacker's address attached — not just "something happened."
Before any destructive response, checks GreyNoise to separate benign internet scanners (Shodan, Censys) from confirmed bad actors — so you never ban a researcher and you escalate real attackers with confidence.
When an attack is confirmed, the source IP is auto-submitted to public threat-intel feeds — AbuseIPDB, CrowdSec, and downstream consumers — toxifying it for 50,000+ defenders worldwide.
Confirmed-hostile traffic gets blocked at the edge automatically. Paired with a WordPress agent and Cloudflare Workers, the perimeter closes on the attacker without waiting for a human.
Site-side and edge-side enforcement modules extend the sentinels onto the surfaces GMTek hardens most — WordPress installs behind Cloudflare.
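The session correlation described above (tying a tripwire event to the SSH origin IP) can be sketched as follows. This is an added example, not Vilkas or GMTek code; it assumes OpenSSH syslog-format lines, and the function names, log lines, and addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample sshd log lines (documentation-range IPs), not real data.
AUTH_LOG = """\
Mar 10 14:01:02 host sshd[4121]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2
Mar 10 14:03:40 host sshd[4188]: Accepted password for alice from 198.51.100.23 port 40110 ssh2
Mar 10 14:05:10 host sshd[4121]: pam_unix(sshd:session): session closed for user deploy
Mar 10 14:06:00 host sshd[4302]: Accepted publickey for deploy from 192.0.2.55 port 51000 ssh2
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: "
ACCEPT = re.compile(STAMP + r"Accepted \S+ for (\S+) from (\S+) port \d+")
CLOSE = re.compile(STAMP + r"pam_unix\(sshd:session\): session closed for user \S+")


def parse_stamp(stamp, year=2024):
    # Classic syslog timestamps carry no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def open_sessions_at(log_text, when):
    """Replay the log up to `when`; return {sshd_pid: (user, ip, login_time)}."""
    sessions = {}
    for line in log_text.splitlines():
        accepted = ACCEPT.match(line)
        if accepted and parse_stamp(accepted.group(1)) <= when:
            pid, user, ip = accepted.group(2, 3, 4)
            sessions[pid] = (user, ip, parse_stamp(accepted.group(1)))
            continue
        closed = CLOSE.match(line)
        if closed and parse_stamp(closed.group(1)) <= when:
            # The close is keyed on the sshd PID that logged the login.
            sessions.pop(closed.group(2), None)
    return sessions


def attribute_event(log_text, user, when):
    """Origin IPs of SSH sessions open for `user` at `when`, newest login first.

    A list is returned because several concurrent sessions for one account
    make the attribution ambiguous; an empty list means no SSH session
    explains the event (local console, cron job, service account).
    """
    live = open_sessions_at(log_text, when).values()
    hits = [(login, ip) for u, ip, login in live if u == user]
    return [ip for _, ip in sorted(hits, reverse=True)]
```

An empty result is itself a signal worth putting in the alert: the access did not come through an SSH login that the log accounts for.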
🛡️ Shadow-mode-first. Destructive actions — blocking, reporting — run in observe-only mode when first deployed, so you watch Vilkas make the right call for a while before it's allowed to act on its own. It earns trust before it pulls the trigger.
We don't ship security theater. Vilkas is being hardened on our own infrastructure before each component goes into client environments — earliest partners first.
The core sentinels run in production on GMTek's own infrastructure right now — canary-watch as a managed service, sub-2-second detection, real alerts to a monitored Telegram bot. We run it on ourselves first, every day, before it touches a client.
Hardening a site is a moment in time. Attackers come back. Vilkas is how GMTek turns a lockdown into an ongoing managed-defense relationship — we keep watching, and we're on call when something fires.
Sentinels on your hosts, sites, and accounts — reporting 24/7 to alert channels we both watch.
Not a noisy dashboard. A ping when it matters, with the forensic detail to act — and us on the other end.
When a tripwire fires for real, you're not alone with it. The retainer covers triage and response, not just notification.
Managed-defense retainers typically run $200–750+/month per zone, scoped to portfolio size and surface. Founder-tier pricing — we'll find a number that works.
Already hardened and want it to stay that way — or want monitoring as part of a fresh engagement? Tell us what you're protecting.