PLANCK-99 — Investor Pitch
Seed Stage — Deep Tech

Planck-99

On-device malware detection built for embedded systems. No cloud. No signatures. No GPU. 37KB of deterministic C that classifies in 34 nanoseconds.

34ns Latency
37KB Footprint
96.28% Accuracy (IoT)
Zero Network
Ziad Salah — Founder & Lead Engineer, 17, Giza, Egypt
Bootstrapped to date · Seeking seed partners & strategic design partners
zs.01117875692@gmail.com · github.com/zierax
All benchmarks public and reproducible: github.com/Division-36/Planck-99_PublicBenchmarks

21 billion devices. A hard deadline. Zero solutions.

Traditional antivirus needs 50–500MB RAM and multi-core CPUs. Your average IoT device has 256KB–4MB. By early 2027, the EU Cyber Resilience Act makes security mandatory for every connected device sold in Europe. There is currently no production-ready product that fits.

21B

IoT & embedded devices globally in 2025

Cameras, routers, industrial sensors, medical devices — all connected, all vulnerable, all running on hardware that cannot host traditional security stacks.

Source: IoT Analytics, Oct 2025
200K+

Devices hijacked in a single nation-state botnet

Flax Typhoon (Raptor Train) compromised cameras, storage, and routers at scale. FBI disrupted it in September 2024. The playbook is now proven.

Source: FBI Director Wray, Sept 2024
0

Commercial on-device classifiers for MCU-class hardware

There is literally no production-ready behavioral malware detection engine that deploys at 37KB with no network, no GPU, and no FPU. The category does not exist yet.

Verified market gap analysis

The structural gap: Embedded hardware gives you 256KB–4MB RAM. Traditional AV wants 50–500MB. Cloud solutions need constant connectivity. Signature scanners cannot catch zero-days. Every existing approach fails the constraints — and regulation now mandates those constraints be met.


Three forces converging. One has a legal deadline.

2024–2027 is not arbitrary. Regulation, nation-state activity, and vulnerability rates are hitting inflection points simultaneously. The EU CRA creates a hard compliance cliff.

01. EU Cyber Resilience Act — mandatory on-device security by early 2027

Regulation (EU) 2024/2847 enters into force January 2025. Obligations for most connected devices apply 36 months later — early 2027. Every device manufacturer selling into Europe must have an on-device security capability. Perimeter-only defense is no longer legally sufficient. This is not a market opportunity; it is a compliance mandate with a countdown.

EUR-Lex 2024/2847 · Entry into force: Jan 2025 · Obligations: 36 months

02. Botnets are now nation-state weapons — at IoT scale

Flax Typhoon (PRC-state) built Raptor Train from 200,000+ compromised IoT devices. Volt Typhoon sat inside US critical infrastructure for five years undetected. This is no longer cybercrime — it is geopolitics, and the battlefield is your router.

FBI Director Wray, Aspen Cyber Summit, Sept 2024 · CISA/NSA/FBI Joint Advisory AA24-038A

03. ICS vulnerabilities are accelerating, not slowing

2,155 CVEs across 508 ICS advisories in 2025 — the first year CISA ever published 500+ ICS advisories. Average CVSS crossed 8.0 for the first time. 929 high-severity CVEs in 2024 alone. 75% of all advisories rated high or critical.

Forescout 'ICS Cybersecurity in 2026', Feb 2026 · SOCRadar ICS Recap, Dec 2025

Every existing solution breaks on embedded

Benchmarked across every category. Here is what actually happens when you try to run them on a microcontroller or embedded Linux SoC.

Metric | Traditional AV | Cloud Detection | Signature Scanner | Planck-99
Peak RAM | 50–500 MB | Server-side | ~30 MB | 0.03 MB
Inference time | 10–100 ms | 200–2,000 ms | 1–50 ms | 34 ns
Network required | No | Mandatory | No | Never
GPU / FPU required | No | Yes | No | Never
Air-gap safe ~
MCU-class viable
Deterministic No No ~
Accuracy (IoT unseen) | 95–98% | N/A | Signatures only | 96.28%

Planck-99

32-dimensional normalized frequency vectors. Int8-quantized closed-form inference. No neural networks. No cloud. No GPU. No FPU. No runtime dependencies.

Deterministic
34 ns
Median inference on IoT syscall traces. σ ≤ 14 ns across 9 independent runs. Same input, same output, every single time. Safe for hard real-time systems.
Ultralight
37 KB
27 KB int8-quantized binary + 10 KB ring buffer. Smaller than most icons. Fits in the L1 cache of virtually any embedded Linux SoC. No AI accelerator required.
Accurate
96.28%
On unseen IoT malware from 2016–2026 (ADFA-LD). Not training-set accuracy — real generalization across 10 years of threats. 97.71% precision.
Throughput
29.4M/s
Inferences per second on a single CPU core. No batching, no GPU, no tricks. Just a deterministic dot product on a 32-feature vector.

Closed-form syscall analysis

Zero black boxes. 100% deterministic. Training computes a mathematical decision surface; inference is a quantized dot product. Every classification produces a JSON proof file — a complete audit trail.

Math, not magic

Most ML in security is a black box. You feed it data, it gives you a probability, and you hope it is right. Planck-99 is different.

We model syscall sequences as 32-dimensional normalized frequency fingerprints. Training computes a closed-form decision surface. At runtime, inference is a deterministic int8 dot product — identical input always yields identical output.

The model generalizes 51× beyond its training ceiling (tested to 117,088 syscalls) because normalized frequency ratios are length-invariant by construction. No neural networks. No stochastic behavior. No runtime training.

1. Kernel hook captures syscall trace into ring buffer
2. Extract 32 normalized frequency ratios (closed-form)
3. Int8 deterministic classification (dot product)
4. JSON proof file generated for audit / compliance

It works on data it has never seen

All benchmarks public. No cherry-picking. The IoT dataset is our primary target — malware from 2016 to 2026 that the model never encountered during training. C kernel numbers shown (int8 quantized).

Baseline: Training Set (Internal Validation)
  • Accuracy 98.88%
  • Precision 98.58%
  • Recall 99.21%
  • FPR 1.45%

Unseen: LinuxStatic ELF Dataset
  • Accuracy 92.01%
  • Precision 100%
  • Recall 92.01%
  • FPR 0.00%

Unseen — Primary Target: IoT Syscalls (ADFA-LD)
  • Accuracy 96.28%
  • Precision 97.71%
  • Recall 97.87%
  • FPR 12.18%*

Absolute kernel latency — deterministic, trace-length invariant

  • Training validation traces (median 863 syscalls): 62 ns, σ ≤ 14 ns
  • LinuxStatic ELF (median 1,161 syscalls): 35 ns, σ ≤ 14 ns
  • IoT Syscalls (median 15,075 syscalls; max 117,088): 34 ns, 51× training ceiling extrapolation
* IoT FPR context: The 12.18% FPR on ADFA-LD is a data-distribution artifact, not a model flaw. Benign IoT traces in this dataset have a median of only 2,234 syscalls — at the lower edge of the reliable operational window — and a heavily skewed 1:5.3 benign-to-malware ratio. Short benign traces dominated by generic syscalls (read, mmap) overlap with malware frequency profiles. On the balanced internal dataset with representative trace lengths, FPR is 1.45%. The short-trace blindspot is fully mitigated by a 500-syscall gate in production deployment. See full analysis in benchmark documentation.
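
Steps 2 and 3 of the pipeline described earlier, together with the 500-syscall gate from the FPR note, as an added example that is not Planck-99's code. The weights, the modulo-32 bucketing and the zero decision threshold are assumptions made here, and the sample traces are constructed; it shows integer-only ratio extraction and why an 863-syscall and a 117,088-syscall trace with the same syscall mix get the same score.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define DIMS      32      /* feature width stated on the page */
#define MIN_TRACE 500     /* short-trace gate stated on the page */
#define MAX_TRACE 117088  /* longest trace length the page reports */

/* Hypothetical int8 weights, constructed for this example (x86-64 numbers):
   negative for read/write/close/mmap, positive for ptrace/connect/fork/execve. */
static const int8_t W[DIMS] = { [0] = -2, [1] = -2, [3] = -1, [9] = -1,
                                [5] = 4, [10] = 3, [25] = 3, [27] = 4 };
/* Assumed bucketing: syscall number modulo 32 (the page does not give one). */
static unsigned bucket(uint16_t nr) { return nr % DIMS; }

/* Returns 1 = flagged, 0 = benign, -1 = below the gate (not classified). */
int classify(const uint16_t *trace, size_t n, int32_t *score_out)
{
    uint32_t count[DIMS] = {0};
    int32_t score = 0;
    if (n < MIN_TRACE) return -1;
    for (size_t i = 0; i < n; i++) count[bucket(trace[i])]++;
    for (int d = 0; d < DIMS; d++) {
        /* Frequency ratio count/n scaled to 0..127: integer math, no FPU. */
        int8_t q = (int8_t)(((uint64_t)count[d] * 127) / n);
        score += (int32_t)W[d] * q;
    }
    if (score_out) *score_out = score;
    return score > 0;  /* assumed decision threshold */
}

/* Constructed sample traces: a 4-syscall pattern cycled to length n. */
static const uint16_t BENIGN[4]  = { 0, 1, 3, 9 };       /* read write close mmap */
static const uint16_t SUSPECT[4] = { 101, 42, 57, 59 };  /* ptrace connect fork execve */
int run_pattern(const uint16_t pat[4], size_t n, int32_t *score_out)
{
    static uint16_t buf[MAX_TRACE];
    if (n > MAX_TRACE) n = MAX_TRACE;
    for (size_t i = 0; i < n; i++) buf[i] = pat[i % 4];
    return classify(buf, n, score_out);
}

int main(void)
{
    int32_t s = 0;
    int v = run_pattern(SUSPECT, 863, &s);
    printf("suspect: verdict=%d score=%d, benign: verdict=%d\n",
           v, (int)s, run_pattern(BENIGN, 863, NULL));
    return 0;
}
```

Because each feature is count divided by trace length before quantization, scaling every count and the length by the same factor leaves the quantized vector unchanged.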

$28B → $80B by 2031

18.7% CAGR. But the real driver is a 2027 compliance cliff, not market growth.

$80B
Global IoT Security Market, 2031

EU CRA: a forced retrofit of 21 billion devices

By early 2027, every connected device sold in Europe must meet mandatory cybersecurity requirements. Manufacturers who cannot demonstrate on-device security capabilities will be legally barred from the market. This creates immediate, non-discretionary demand for a solution that deploys on existing MCU-class hardware without redesigning the product.

EUR-Lex 2024/2847 · Technavio, March 2026

Industrial OT: air-gapped by definition

Industrial OT requires on-device, air-gapped detection. No cloud solution qualifies. This structural gap is exactly what Planck-99 fills. Industrial IoT security alone was $26.24B in 2024. North America holds 34.2% global share.

Technavio, March 2026

APAC: highest-growth region

APAC IoT security CAGR: 22.2% — highest globally. Japan's JC-STAR IoT security labeling (2024) signals regulatory alignment. Rapid industrial digitalization across Southeast Asia and India creates massive greenfield opportunity.

Technavio, March 2026 · Japan MIC JC-STAR, 2024

Regulatory stack: CRA, PSTI, NIST, FDA

EU Cyber Resilience Act (2024/2847). UK PSTI Act (enforced April 2024). FDA Cybersecurity in Medical Devices Guidance (2023). NIST SP 800-213A. Every single one mandates on-device security capabilities. Compliance is no longer optional — and the deadline is fixed.

EUR-Lex · legislation.gov.uk · FDA.gov · NIST

Three phases, regulated verticals

No revenue projections here — those are fantasies until you have a signed contract. These phases represent directional priorities aligned with the EU CRA 2027 compliance window.

Now — 12 months
Design Partners
  • 3–5 paid pilot integrations with IoT security gateway vendors
  • SDK license model — per-device pricing to be determined with first partners
  • Target verticals: Industrial OT, edge computing, smart infrastructure
  • Success metric: first signed integration agreement + EU CRA compliance validation
12–24 months
Platform Deals
  • OEM integration with SoC vendors (NXP, STM, Espressif)
  • Chipset-level embed — zero integration effort for end customers
  • EU CRA compliance offering: pre-certified security module for device manufacturers
  • Medical: FDA Cybersecurity in Medical Devices Guidance compliance
  • Automotive: ISO/SAE 21434 compliance (enforced since 2022)
24–36 months
Compliance Layer
  • EU CRA deadline arrives (early 2027) — demand shifts from optional to mandatory
  • CISA reference implementation for ICS/SCADA sectors
  • APAC expansion: Japan, South Korea, India (22.2% CAGR region)
  • Patent licensing on feature extraction method (filing in Phase 1)
Note: No revenue projections are stated. Pricing will be determined with first design partners. Phases represent directional priorities, not guarantees. The EU CRA 2027 deadline is a fixed external milestone that de-risks Phase 3 demand.

We're not improving a category — we're creating one

No competitor checks all four boxes. Most fail on two or more. That's not a feature gap — it's a category gap that happens to be legally mandated by 2027.

Category On-device Air-gap safe Real-time MCU-class Notes
Traditional AV
Kaspersky, CrowdStrike
50–500 MB RAM requirement
Cloud Detection
Darktrace, Vectra
~ Mandatory connectivity
Signature Scanners
YARA, ClamAV
~ No behavioral analysis
OT Platforms
Nozomi, Claroty
~ ~ Network layer only
Planck-99 27 KB · 34 ns · 96.28%

One design partner. That's the only milestone that matters.

Everything else — investor decks, revenue projections, patent filings — is noise until a real customer validates the integration. Here's how we get there. Bootstrapped to date. Open to seed partners and strategic investors.

1. Find the right vendor

An IoT gateway or OT security vendor shipping embedded Linux devices with an active security team. The product already runs on their hardware class. This is integration, not invention.

2. Run a live benchmark

Planck-99 deploys as a 27KB binary with a kernel hook. Integration takes hours, not months. The vendor gets a JSON proof file per classification — auditable, verifiable, and compliant with upcoming EU CRA traceability requirements.

3. Sign a paid pilot

A signed agreement is the proof of market demand no pitch deck can substitute. It de-risks every subsequent conversation with investors, accelerators, and OEM partners — and validates the EU CRA compliance story.
