
Data Exfiltration: understanding the threat and how to prevent it
25 September 2025
Corporate cybersecurity is evolving rapidly, and the traditional concept of “endpoint security” is becoming obsolete. For decades, the strategy focused on protecting end-user devices: high-performance PCs, corporate laptops, and local servers. Antivirus, firewalls, and EDR (Endpoint Detection and Response) solutions became the first line of defense against external threats.
However, the exponential rise of advanced attacks (ransomware, sophisticated malware, APTs) and the expansion of distributed infrastructures have revealed the limitations of this approach: protecting the device does not protect critical assets, especially if the endpoint itself is compromised.
In this context, Cosmikal proposes a radical change in security philosophy: the endpoint is no longer the center of protection; the focus shifts to securing the connection to the company’s critical assets. This is achieved by combining Endurance, a next-generation Remote Shielded Workspace (RSW), with Ranger, a compact, secure endpoint without local storage (Local Shielded Workspace, LSW). This approach redefines what we mean by endpoint security, and in this article, we will explore how and why it works.
1. The problem with traditional endpoints
Traditional endpoints have several structural vulnerabilities:
- Storage of sensitive information: Conventional PCs contain local drives that store credentials, critical files, and application caches. This makes them a direct target for attackers seeking lateral access or data exfiltration.
- Large attack surface: A full operating system with multiple installed applications exponentially increases the attack surface. Every additional piece of software can introduce vulnerabilities attackers may exploit.
- User dependency: Even with EDR or antivirus solutions in place, security depends heavily on user behavior: opening emails, unsafe downloads, or executing unknown scripts.
- Complex auditing and access control: In large environments, monitoring who accesses what system from each endpoint is complex and error-prone.
In short, the traditional endpoint is fragile, and its protection does not guarantee the security of corporate assets, especially if those assets reside in critical servers, OT environments, or SCADA systems.
2. Endurance: securing the connection
Cosmikal redefines protection from the perspective of the connection between endpoints and critical assets. Endurance acts as a secure air gap that manages all privileged access, ensuring that even if an endpoint is compromised, assets and critical information cannot be directly accessed or manipulated.
2.1 Endurance Architecture
Endurance combines several security layers:
- Encrypted credential vault: All credentials and secrets are stored in an encrypted vault using advanced algorithms. Users never directly know or handle them.
- Secure connection broker: Every action from endpoint to asset (and vice versa) is transmitted not as direct commands but as encrypted, controlled keyboard, mouse, video, and audio events, always through the secure connection broker. This completely isolates sensitive data, preventing endpoint malware from intercepting or altering information.
- Privilege management and temporary sessions: Endurance grants limited, time-bound permissions according to security policy, preventing privileged access persistence on endpoints.
In practice, this means that endpoints can be insecure or even compromised, yet assets remain fully protected because they are never directly exposed to the end user.
3. Ranger: the new corporate Endpoint
Endurance is the core component, but to maximize both security and efficiency, a purpose-built endpoint is needed for this new paradigm. That’s where Ranger comes in.
3.1 Technical features of Ranger
- No moving parts and no hard drive: By eliminating HDDs and fans, the physical attack surface and risk of mechanical failure are drastically reduced.
- Cosmikal’s own operating system: Lightweight, minimalist, secure, and fully controlled, perfect for running shielded remote desktops.
- Remote connectivity to servers: Ranger works as a secure terminal for running critical applications on company servers, leveraging their full power without storing data or sessions locally.
- Built-in connection security: All sessions are funneled through Endurance, ensuring no data or assets are exposed.
3.2 Advantages vs. a traditional PC
| Feature | Traditional Endpoint | Ranger + Endurance |
| --- | --- | --- |
| Local storage | Yes, risk of exfiltration | No, zero data stored |
| Attack surface | High (full OS, multiple apps) | Minimal (light OS, remote apps) |
| Connection security | Limited | Fully encrypted & controlled by Endurance |
| User dependency | High | Low, limited & controlled interaction |
| Scalability | Limited | High, leveraging centralized server power |
Ranger redefines what we mean by an endpoint: it’s no longer a high-performance standalone device, but a compact, secure gateway to corporate resources, where computing power and data reside centrally, not on the user’s machine.
4. Isolation of critical assets and data
A key pillar of this new paradigm is the complete isolation of assets and critical information from the endpoint.
4.1 Connection flow
- The user powers on Ranger and logs into Endurance.
- From their shielded remote desktop, the user requests access to authorized assets. Endurance’s vault injects encrypted, temporary credentials.
- The secure broker establishes the connection to the asset, transmitting only interaction events (mouse, keyboard, video, audio).
- Assets are displayed on the endpoint as a processed event stream on Ranger’s connected screen, but critical data never reaches the physical device.
This flow ensures:
- No exposure of credentials or data.
- The endpoint can be compromised without risk to infrastructure.
- Full traceability of all actions, enabling compliance with regulations such as NIS2 or GDPR.
5. With Zero Trust and VDI
The new endpoint security paradigm doesn’t replace best practices; it complements them:
- Zero Trust: Each connection is continuously validated and authenticated, minimizing unauthorized access risks.
- VDI (Virtual Desktop Infrastructure): Ranger serves as the secure terminal where Endurance projects the shielded workspace, leveraging server power and ensuring no local data distribution.
By combining Endurance and Ranger with Zero Trust and VDI, organizations gain both Remote Shielded Workspaces (RSW) and Local Shielded Workspaces (LSW), ensuring that neither the endpoint nor the user’s network can compromise corporate asset security.
6. Real-world use cases
6.1 Critical Infrastructure (OT, SCADA, Telecommunications)
Protecting industrial and telecom environments is one of the greatest cybersecurity challenges: a compromised endpoint can trigger power outages, manipulate industrial valves, or halt production.
With Ranger + Endurance:
- Secure access to OT environments from anywhere
Engineers don’t need corporate PCs or heavy software. Ranger functions as a storage-free secure terminal, while Endurance establishes a connection channel where only keyboard, mouse, video, and audio events flow. Even if an endpoint is attacked, malicious commands cannot be injected, nor can SCADA data be stolen.
- Complete credential protection and full traceability
Credentials never reside on the device and are never exposed to users. Endurance injects them from its encrypted vault, using them temporarily to start the session. All actions are logged and auditable, which is critical for NIS2 compliance and for preventing unauthorized access to industrial control systems.
6.2 High-security remote work (IT/OT & Critical Data)
Traditional remote work is a cybersecurity weak spot: vulnerable home networks, insecure personal devices, and users outside the corporate perimeter.
With Ranger + Endurance:
- Complete isolation of sensitive assets and data
Workers connect Ranger to any screen and home network, but the device stores nothing. Endurance ensures data never travels to the endpoint; only session events are projected. This eliminates leakage risks even if the user’s network is insecure or compromised.
- Regulatory compliance and centralized control
Organizations retain absolute control over who can access what assets, when, and how. Endurance logs every session, enabling thorough audits and compliance with GDPR, NIS2, and other critical frameworks. Access can also be revoked in real time, mitigating risks from identity compromises or security incidents.
7. Conclusion
The traditional endpoint security concept is in decline. Security can no longer focus on protecting individual PCs or laptops; true protection requires isolating critical assets and maintaining total control of the connection.
With Endurance and Ranger, Cosmikal has established a new endpoint security paradigm:
- A compact, secure device (Ranger) without local storage or moving parts.
- A secure, managed connection (Endurance) that remains safe even if the endpoint or network is compromised.
- Integration with VDI and Zero Trust for maximum scalability and control.
- Complete auditing to simplify regulatory compliance.
In this approach, corporate assets remain fully isolated, secure, and under control, redefining how companies must think about IT and OT security. The endpoint is no longer the center; security resides in connection architecture and the intelligent isolation of data and assets.
The future of endpoint security is clear: less dependence on the device, more control over the assets.