Deterministic Allowlisting Automation Autotrust

Issue 71 Edition 2026-03-12 7 min read

General

Sources: 1 • Confidence: Medium • Updated: 2026-03-14 12:25

Key takeaways

Airlock built an unreleased feature called Autotrust that generates allowlisting rule recommendations and can optionally automate some trust decisions.
Airlock identified PowerShell assembly reflection as a potential execution gap and invested engineering effort to close it.
Airlock attributes limited competition partly to the engineering difficulty of maintaining performant, lightweight agents across Windows (including legacy), Linux, and macOS while covering many execution pathways without unacceptable resource overhead.
Airlock states that over the next three months it will push to ship and improve integrations with surrounding enterprise tools to operationalize allowlisting workflows.
Airlock Digital appointed Kevin Dunn (based in New York) as CEO, and co-founder Daniel Schell became Chief Product Officer.

Airlock built an unreleased feature called Autotrust that generates allowlisting rule recommendations and can optionally automate some trust decisions.
Autotrust recommendations are based on deterministic logic using internal environment data and external signals including VirusTotal and execution prevalence.
Airlock plans to provide plain-language explanations for Autotrust recommendations while keeping the underlying decisioning based on decision trees and internal rules rather than LLM inference.
Airlock avoided using contemporary LLMs as the primary decision-maker for allowlist decision-making due to concerns about non-deterministic, unpredictable choices in execution-control enforcement.
Airlock expects most customers will use Autotrust for recommendations and some may enable automated trust decisions during early rollout to reach enforcement faster.

Airlock identified PowerShell assembly reflection as a potential execution gap and invested engineering effort to close it.
Airlock's product strategy emphasizes preventing classes of attacks by removing execution techniques (e.g., assembly reflection and MSBuild compilation) rather than detecting specific malicious outcomes.
Airlock increasingly treats browser extension control and Microsoft ClickOnce as execution surfaces that require explicit visibility and rule-building user experience.
Airlock's underlying framework already blocks multiple execution vectors including ClickOnce and VSTO add-ins.

Airlock attributes limited competition partly to the engineering difficulty of maintaining performant, lightweight agents across Windows (including legacy), Linux, and macOS while covering many execution pathways without unacceptable resource overhead.
Airlock claims some newer 'app control' competitors are effectively focused on blocklisting or single-OS scope despite marketing messaging implying broader allowlisting capability.
Airlock reports the last 12 months have been extremely busy because the market is more ready to adopt allowlisting, despite persistent skepticism about operationalizing it.
Airlock says selling allowlisting has become easier over time because compliance standards forced adoption in some environments and successful deployments demonstrated allowlisting works beyond static kiosks.

Airlock states that over the next three months it will push to ship and improve integrations with surrounding enterprise tools to operationalize allowlisting workflows.
Airlock argues that allowlisting is an operational strategy and lifecycle process rather than an install-and-forget product, and claims this contributes to why many vendors avoid or struggle to compete in allowlisting.
Airlock is prioritizing integrations with workflow and productivity tools (including Microsoft Teams, Slack, and ServiceNow) to route approvals and exception processes without requiring operators to work directly in the Airlock console.

Airlock Digital appointed Kevin Dunn (based in New York) as CEO, and co-founder Daniel Schell became Chief Product Officer.

Airlock states that over the next three months it will push to ship and improve integrations with surrounding enterprise tools to operationalize allowlisting workflows.

When (and in what form) will Autotrust be released, and what specific functions will be available at GA versus later iterations?
What are the measurable outcomes of Autotrust (e.g., reduction in allowlisting backlog, time-to-enforcement, rate of successful deny-by-default deployments) compared with prior workflows?
How exactly are external signals like VirusTotal and execution prevalence translated into deterministic recommendations (thresholds, policies, customer tunability, and audit trails)?
Do plain-language explanations fully trace to auditable rule logic (including end-to-end provenance), and how are explanation failures handled?
What residual execution gaps (if any) remain for PowerShell/assembly reflection and other technique-removal areas, and how are they validated against real adversary tradecraft?

If Autotrust reaches GA with reliable deterministic recommendations, it could reduce allowlisting operational friction and accelerate deny by default deployments, improving adoption and expansion.
Closing execution gaps such as PowerShell assembly reflection and broadening execution surface coverage could strengthen security efficacy and differentiation in allowlisting, supporting competitive positioning.
Shipping integrations with enterprise workflow tools could move allowlisting from console bound usage to organization wide processes, potentially increasing stickiness and reducing time to approve exceptions.

Autotrust GA release with clear feature scope and documentation of deterministic rule logic, signal sources, tunable thresholds, and audit trails for recommendations and automated decisions.
Published or customer reported outcomes showing reduced allowlisting backlog, faster time to enforcement, and higher success rates for deny by default deployments versus prior workflows.
Delivered integrations over the next three months with common enterprise tools, evidenced by customer uptake and measurable reductions in approval cycle time outside the security console.

Autotrust remains unreleased or launches without auditable deterministic logic, tunability, or consistent explanations, leading to limited customer trust and low adoption.
Independent validation or customer feedback indicates residual execution gaps persist, including for PowerShell assembly reflection or other bypass paths, undermining the technique removal value proposition.
Integration push slips or integrations ship but do not improve operational workflows, with customers reporting approvals and exceptions still bottlenecked in the security console.