Casper's Cloak runs a machine-learning classifier on every network connection your device makes. It scores domains in real time on ~40 features — registration age, certificate patterns, hostname similarity to known brands, hosting infrastructure — and blocks threats the moment they're detected. No signatures to update. No database to download. The model learns.
Every DNS query your phone makes runs through a classifier in milliseconds. Five steps, zero perceptible latency.
1. Any app — Safari, Messages opening an SMS link, a webview in a free game, your email client loading a remote image. All traffic routes through Casper's encrypted tunnel.
2. Features evaluated: domain registration age, registrar reputation, TLS certificate chain and age, DNS topology, hostname-to-brand similarity (Levenshtein distance from popular brands), cluster proximity to known-bad infrastructure, IP autonomous-system reputation, phishing-keyword density, and ~30 more. Output: a 0.0 to 1.0 risk score.
3. Score above the threshold: block and show a clear warning page. Score in the gray zone: allow but log and flag for review. Score below threshold: resolve normally. Decision is real-time — no round-trip to a remote database.
4. Blocked pages show the threat category (phishing, malware C2, scam, malvertising), which app tried to connect, and a one-tap "proceed anyway" for the rare false positive. Background blocks (silent app check-ins) appear as reviewable notifications.
5. Override reports and aggregate behavioral signals (domains looked up by many devices then immediately abandoned) flow back into retraining within ~24 hours. The classifier gets sharper with every cycle — no manual signature updates required.
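The hostname-to-brand similarity feature and the three-way threshold decision from the steps above, as an added illustration that is not Casper's code. The brand list, keyword list, weights and both thresholds are assumptions, and only three of the ~40 features are modelled.

```python
import math

# Everything below is assumed for illustration: brand list, keywords,
# weights and thresholds are constructed, not the product's values.
BRANDS = {"paypal": "paypal.com", "apple": "apple.com", "microsoft": "microsoft.com"}
KEYWORDS = ("login", "verify", "secure", "account")
BLOCK_AT, REVIEW_AT = 0.80, 0.40

def levenshtein(a, b):
    """Edit distance using a rolling one-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_similarity(host):
    """1.0 = a label token equals a brand name, 0.0 = nothing alike."""
    host = host.lower().rstrip(".")
    # The brand's own domain and its subdomains are not lookalikes.
    if any(host == d or host.endswith("." + d) for d in BRANDS.values()):
        return 0.0
    labels = host.split(".")[:-1]  # ignore the TLD label
    tokens = [t for label in labels for t in label.split("-") if t]
    return max((1 - levenshtein(t, b) / max(len(t), len(b))
                for t in tokens for b in BRANDS), default=0.0)

def risk_score(host, age_days):
    """Logistic combination of three features into a 0.0-1.0 risk score."""
    youth = max(0.0, 1 - age_days / 30)  # 1.0 = registered today
    keywords = sum(k in host.lower() for k in KEYWORDS)
    z = -4.0 + 5.0 * brand_similarity(host) + 2.5 * youth + 1.0 * keywords
    return 1 / (1 + math.exp(-z))

def decide(host, age_days):
    """Three-way outcome: block, allow-but-flag (gray zone), or resolve."""
    risk = risk_score(host, age_days)
    if risk >= BLOCK_AT:
        return "block", risk
    if risk >= REVIEW_AT:
        return "flag", risk
    return "resolve", risk

if __name__ == "__main__":
    # Constructed sample lookups: (hostname, registration age in days)
    for host, age in [("paypa1-login.example", 2), ("apple-store.example", 400),
                      ("paypal.com", 9000)]:
        print(host, *decide(host, age))
```

The old `apple-store.example` lands in the gray zone on brand similarity alone, which is the case the "allow but log and flag" path exists for; the brand's own subdomains short-circuit to zero similarity so they cannot be penalised for matching themselves.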
Not just known threats. The model scores domains by structure, so it catches categories of attacks that signature-based tools miss entirely.
Fake login pages for banks, Apple ID, Microsoft 365, delivery trackers. Caught the moment they appear, before any blocklist has heard of them. The classifier flags suspicious registration age + brand-name similarity + cert patterns.
If a compromised app on your phone tries to phone home to its C2 server, the connection is refused at the DNS layer. Data stays on the device; the attacker gets silence.
Fake e-commerce stores, tech-support scams, malvertising redirectors that chain through 3-4 domains before landing on a payload. The AI scores each hop in the redirect chain independently.
When a malicious page or app tries to ship your passwords, session cookies, or authentication tokens to an attacker-controlled endpoint, the DNS query for that endpoint never resolves.
Counterfeit banking apps and phishing overlays that mimic real banking interfaces. The AI detects the backend domains these fakes connect to — different hosting, fresh certs, registrar patterns that don't match the real institution.
Wallet-drainer sites, fake airdrops, impersonated DeFi frontends. The model identifies the hosting infrastructure and domain-registration patterns common to crypto scam campaigns.
Side-by-side: how machine learning threat detection compares to signature-based antivirus and blocklist-only filtering.
| Capability | AI detection (Casper) | Signature-based antivirus | Blocklist-only (Pi-hole, etc.) |
|---|---|---|---|
| Zero-day catch rate | High — scores unseen domains on structural features | Near zero — requires signature to exist first | Near zero — domain must be reported and added |
| Update lag for new threats | Seconds (real-time scoring, no update needed) | Hours to days (signature push cycle) | Hours to days (list maintainer must add entry) |
| False-positive rate | <0.05% (tuned against Tranco 1M) | Low (~0.01%) but blocks executables, not domains | Varies widely by list quality (0.1–1%+) |
| Mobile battery impact | <2%/day (scoring on remote resolver) | 5–15%/day (on-device file scanning) | <2%/day (DNS filtering only) |
| Coverage scope | Every app, every connection (DNS layer) | File downloads + app installs only | Every app, every connection (DNS layer) |
| Self-improving | Yes — retrains on feedback loops | No — static signatures until next push | No — static list until maintainer updates |
Casper also runs the blocklist layer underneath the AI model for fast-path resolution of already-known threats. The two approaches are complementary, not exclusive.
For more on AI-based threat detection standards, see the NIST AI resource center.
Free trial. iOS, Mac, and Android. Real-time machine-learning scoring on every connection — zero-day phishing blocked in under 90 seconds.