We catch ransomware mid-attack.
On every tier.
Decoy files. Hashed every backup. Tamper triggers an alert and freezes the backup chain to protect the last clean image. Deterministic — no ML training, no false positives. Free with BigMind DR Free. Email alerts on Plus and Pro.
Illustration — actual canary alert UI
Daily backups + 30-minute ransomware = encrypted backups.
Modern ransomware encrypts over 30–120 minutes. Daily backups capture encrypted data and overwrite the clean version. The only defense is detecting tamper before the next backup runs.
Decoy. Hash. Verify. Alert.
Decoys deployed at install
Invisible to your users. Look normal to ransomware.
Hashed at install
SHA-256. Manifest locked.
Verified every backup
Any tampered decoy = mismatch detected.
Alert + freeze
Dashboard alert (all tiers) + email (Plus/Pro). Backup chain frozen to protect last clean image.
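The four steps above, sketched as an added Python example (not BigMind's code): function names, decoy file names, and the in-memory manifest and state are assumptions for illustration. A decoy that was renamed or deleted counts as tampered, alongside one whose SHA-256 changed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    # Decoys are small, so reading the whole file at once is fine here.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(decoys):
    # Install time: record the SHA-256 of every decoy.
    return {str(p): sha256_file(p) for p in decoys}

def verify_decoys(manifest):
    # Backup time: report each decoy that is gone or no longer matches.
    findings = []
    for path, expected in manifest.items():
        if not Path(path).is_file():
            findings.append((path, "missing"))        # renamed or deleted
        elif sha256_file(path) != expected:
            findings.append((path, "hash mismatch"))  # contents rewritten
    return findings

def run_backup(manifest, state, do_backup):
    # Verify first; on any finding, freeze the chain so the last clean
    # image is never overwritten, and keep the findings for the alert.
    if state.get("frozen"):
        return "skipped: chain frozen"
    findings = verify_decoys(manifest)
    if findings:
        state["frozen"], state["alerts"] = True, findings
        return "frozen"
    do_backup()
    return "backup ok"

def demo():
    # Constructed scenario: two decoys, one overwritten and one renamed,
    # as a file encryptor would leave them.
    with tempfile.TemporaryDirectory() as d:
        decoys = [Path(d) / "budget_2024.xlsx", Path(d) / "passwords.docx"]
        for p in decoys:
            p.write_bytes(b"constructed decoy content for " + p.name.encode())
        manifest, state, images = build_manifest(decoys), {}, []
        first = run_backup(manifest, state, lambda: images.append("clean"))
        decoys[0].write_bytes(b"\x8f\x02 constructed ciphertext")
        decoys[1].rename(decoys[1].with_suffix(".locked"))
        second = run_backup(manifest, state, lambda: images.append("dirty"))
        third = run_backup(manifest, state, lambda: images.append("dirty"))
        return first, second, third, images, [r for _, r in state["alerts"]]

if __name__ == "__main__":
    print(demo())
```

The frozen state persists across runs until someone clears it, which is what keeps later scheduled backups from capturing encrypted data.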
We don't need 30 days of training to detect a hash mismatch.
ML-based ransomware detection (Druva, CrowdStrike, others) needs 30–60 days of training. During that window, you're unprotected. Then false positives still happen — and one false 3am alert is enough to make admins ignore them. Hashes don't drift. A decoy is intact or it's not. We catch attacks on day one, endpoint one — zero false positives in 6+ weeks of internal testing.
Same canary. Different alerts.
| Tier | Detection | Dashboard alert | Email alert |
|---|---|---|---|
| Free | ✓ | ✓ | ✗ — dashboard only |
| Plus | ✓ | ✓ | ✓ email + Slack/Teams/webhook |
| Pro | ✓ | ✓ | ✓ email + Slack/Teams/webhook |
The catch on Free: detection runs, but the alert waits in the dashboard until someone logs in. A canary trip on Friday night that nobody sees until Monday is a weekend of encryption. Plus sends it to your inbox — and Slack — at 3am, while there's still time to pull the network cable.
Druva charges $3–8/endpoint/month for the worse version.
| | BigMind DR | Druva | Veeam | Acronis |
|---|---|---|---|---|
| Detection | Deterministic | ML | None | Heuristic |
| Training period | None | 30–60 days | n/a | Weeks |
| Cost | Free | $3–8/endpoint/mo | n/a | Bundled |
| False positives in testing | 0 in 6+ weeks | Documented | n/a | Documented |
Complementary, not replacement.
Canary detection works at the backup layer. It tells you ransomware is encrypting your files. It doesn't stop the attack (that's antivirus / EDR's job) and it doesn't remediate (that's incident response). What it does is make sure you have a clean backup to recover from — which is the only thing that matters after.
Canary FAQ
Is canary really free on the Free tier?
Yes. Detection runs at every tier including Free. Email alerts on canary tamper require Plus or above.
How is this different from antivirus?
AV stops malware from running. Canary detects when ransomware-like activity starts encrypting your files (regardless of whether the AV missed it). Different layer, complementary.
Can ransomware evade the canary?
Sophisticated targeted ransomware might attempt to skip our decoys. Commodity ransomware won't. Even partial detection saves the bulk of your data and surfaces the attack.
Does it work offline / air-gapped?
Yes. Detection runs locally during the backup. Alert reaches the dashboard whenever the agent next connects.