LUMA

AI-powered forensic platform for comprehensive mobile threat analysis. Designed for security professionals and forensic examiners, LUMA detects state-sponsored spyware, commercial surveillance tools, and Zero-Click / One-Click attack indicators on iOS and Android devices.

Request a Demo Learn More

Threat Actors Detected: 61 state-sponsored actors (mercenary spyware vendors and APT groups), 26 commercial stalkerware vendors.

License Tiers

Choose Your Plan

One product, five license tiers. Same forensic engine, scaled to your scan volume.

Free Trial
Demo

Demo 2

  • 2 full forensic scans
  • iOS + Android coverage
  • Multi-language reports (7 languages)
  • Both AI engines included
Solo Investigator
Starter

Starter 10

  • 10 forensic scans / 365 days
  • All 87 threat actors covered
  • 13 attack scenarios
  • Court-admissible HTML reports
Growing Practice
Advanced

Advanced 25

  • 25 forensic scans / 365 days
  • Remote Scan via QR + email
  • Knowledge Center with country attribution
  • Air-Gap mode for sensitive cases
Forensic Lab
Professional

Professional 50

  • 50 forensic scans / 365 days
  • Priority support channel
  • Annual IOC + CVE database updates
  • Optimized for high-volume practices
Government / Large Agency
Unlimited

Unlimited

  • Unlimited scans / 365 days
  • Full Air-Gap deployment supported
  • On-site installation guidance
  • Dedicated account manager
Analysis Engine

Core Capabilities

Multi-layer forensic analysis powered by AI and deterministic computation

IOC Analysis

172,500+ indicators of compromise from Amnesty Tech, MVT, AssoEchap, and proprietary databases covering 87 actors (61 state-sponsored + 26 commercial stalkerware vendors).

Behavioral Detection

AI-powered behavioral analysis detecting surveillance patterns, sensor cascades, and covert data exfiltration.

Bayesian Scoring

Evidence-based threat probability scoring with weighted assessment and scenario-driven analysis framework.

Forensic Reports

Court-admissible multi-language reports with full evidence chain, methodology documentation, and expert conclusions.

iOS & Android

Deep analysis of sysdiagnose, bugreports, crash logs, network traffic, permissions, and app behavior on both platforms.

Scenario Detection

13 threat scenarios including Zero-Click exploits, night surveillance, sensor cascades, forensic extraction, telco-side SS7, profile-based MITM, and per-actor signature detection.

Process

How It Works

From device connection to forensic report in three stages

01

Collect

Connect the device via USB or receive a diagnostic file remotely through a secure QR-based upload link. iOS sysdiagnose and Android bugreport capture system-level logs without accessing personal data.

02

Analyze

LUMA runs a multi-layer scan: IOC matching against 172,500+ indicators, behavioral pattern detection across sensors and network, process anomaly scoring, and 13-scenario threat modeling.

03

Report

AI synthesizes findings into a court-admissible forensic report with Bayesian evidence weighting, full methodology documentation, and a clear verdict with confidence level.

Remote Capability

Remote Forensic Scan - Same Verdict, No Travel

Scan a phone in another city, country, or hostile environment without ever touching the device. Same engine, same scenarios, same court-admissible report.

What It Detects

Full Detection Coverage

Identical to in-office scan
  • All 13 attack scenarios - Zero-Click, Night Surveillance, Profile MITM, SS7
  • All 87 threat actors - 61 state-sponsored (mercenary spyware + APT) and 26 civilian stalkerware
  • 172,500+ IOC matching across processes, domains, hashes, certificates
  • Behavioral patterns - sensor cascades, hot-mic, asymmetric beaconing
  • Forensic extraction tool traces - Cellebrite, GrayKey, MSAB, Oxygen
  • Same Bayesian methodology, same multi-language report
How It Works

Four-Step Encrypted Workflow

From link to verdict
  • Examiner generates a secure single-use link - QR code, SMS, WhatsApp, Telegram, email
  • Client opens the link on the suspect device and uploads with one tap
  • Encrypted transit, chain of custody logged, consent metadata captured
  • Examiner runs the scan from the office workstation - same pipeline, same output
  • Upload artifacts auto-deleted after 30 days, examiner keeps the encrypted report
Why It Matters

Use Cases

Where remote becomes the only option
  • Traveling executive suspecting compromise after a foreign trip
  • Journalist or activist in a conflict zone needing covert assessment
  • Domestic abuse case where moving the phone alerts the abuser
  • Cross-border investigations - client in Riyadh, examiner in Tel Aviv
  • High-net-worth or VIP clients who cannot visit an office
  • TSCM teams supporting clients across multiple countries

No jailbreak, no root, no specialized hardware. iOS sysdiagnose and Android bugreport are generated natively by the device. The client never relinquishes physical custody.

Threat Detection

13 Attack Scenarios

Pattern-based detection of real-world attack techniques, from zero-click exploits to physical extraction

Critical

S1: Zero-Click Exploit

System daemon crash followed by covert sensor activation. Consistent with iMessage/WhatsApp zero-click exploitation.

Critical

S2: Night Surveillance

Sensors active during 01:00-06:00 with network data exfiltration. State-sponsored surveillance pattern.

High

S3: Sensor Cascade

Sequential activation of mic, camera, GPS, and Bluetooth within minutes. Programmatic intelligence collection.

Critical

S4: C2 Beaconing

Regular-interval server connections with asymmetric upload volume. Active command-and-control communication.

High

S5: Anti-Forensic

PT_DENY_ATTACH, truncated backtraces, SIGABRT in security processes. Hallmark of state-sponsored tools.

Critical

S6: Process Exploit

Daemon crash followed by anomalous process behavior. Privilege escalation via daemon restart vulnerability.

High

S7: Proximity Attack

WiFi or Bluetooth anomaly indicating close-range attack vector. Hotel, airport, and meeting scenarios.

High

S8: Forensic Extraction

Detection of Cellebrite, GrayKey, MSAB, and Oxygen tools. Identifies unauthorized physical forensic acquisition.

Critical

S9: Profile MITM / Cloud Token Theft

Configuration profile with root CA + VPN/proxy enabling HTTPS interception. iCloud / OAuth token theft pattern.

High

S10: Telco-Side Surveillance

Indirect symptoms of SS7 / Diameter network-level interception. Identifies victim-side evidence of telco exploits.

High

S11: SS7 GT Roaming Attack

Detection of suspicious Global Title roaming activity consistent with documented SS7 attack infrastructure.

High

S12: Mixed Vector Attack

Combined cellular, WiFi, and configuration profile anomalies. Multi-vector targeting pattern.

Critical

S13: Per-Actor Signature

Cross-correlated detector evidence matching specific actor TTPs (Pegasus, Predator, Candiru, Hermit, others).

Intelligence

AI-Powered Forensic Analysis

Local-only AI engine. Scans never leave the device, never reach a third-party cloud, never depend on connectivity.

Forensic Engine

Deterministic Bayesian Computation

Audit-friendly verdict logic
  • Bayesian probability scoring with weighted assessment matrix
  • Evidence chain with full traceability
  • Negative evidence override for false positive reduction
  • 13-scenario threat model + per-actor signature correlation
Local AI

On-Device LLM

Adaptive narrative + cross-examination
  • Multi-step pipeline: Analyst, Cross-Examiner, Synthesizer, Evidence Curator
  • Automatic RAM-based model selection
  • MDM, antivirus, and App Store context awareness
  • IP reputation classification (80+ providers)
Air-Gap Ready

No Internet Required

Built for classified and sensitive environments
  • Zero data exfiltration - scan stays on the device
  • Air-gap mode blocks every external call by design
  • Multi-language Bayesian report assembly (7 languages)
  • Court-admissible HTML output with full methodology
Who Is LUMA For? >
Trust & Compliance

Built for Regulated Environments

LUMA is designed to meet the highest standards required by government agencies, law enforcement, and enterprise security teams.

GDPR Compliant
Court-Admissible Reports
Air-Gap Ready
End-to-End Encryption
Client Consent Framework
United States - Regulatory Alignment
4th Amendment - Consent search framework
Federal Rules of Evidence 901 / 902 - Authentication of digital records
Daubert standard - Methodology disclosure for expert testimony
Federal Rules of Civil Procedure 26 / 34 - ESI handling
NIST SP 800-86 - Computer Forensics Guidelines
NIST SP 800-101 - Mobile Device Forensics
NIST Cybersecurity Framework
CCPA / CPRA - California consumer privacy
HIPAA - When scanning devices used by covered entities
Stored Communications Act / ECPA - No third-party data interception
ABA Model Rule 1.6 - Attorney-client privileged data handling
SOC 2 control alignment - Air-gap design + audit trail
Before You Buy

System Requirements

The examiner workstation runs the entire forensic pipeline locally - including the AI engine. The model size and inference speed are bounded by GPU memory. Pick a tier that matches your scan volume.

Minimum

Basic Functionality

Slower AI narrative
  • Windows 10/11 64-bit or macOS 13+ (Ventura)
  • x64 CPU with SSE4.2 or Apple Silicon
  • 16 GB RAM
  • 50 GB free storage
  • Integrated graphics or GPU with under 4 GB VRAM (CPU-only inference)
Recommended

Production Performance

Full GPU acceleration
  • 32 GB RAM
  • 16 GB+ GPU VRAM
  • 100 GB SSD
  • NVIDIA RTX 4080 16GB / RTX 4090 24GB / RTX A4000 16GB
  • Mac M1 Pro / M2 Pro / M3 Pro / M4 (16 GB unified memory or more)
Optimal

High-Volume Lab

Daily scan throughput
  • 64 GB RAM
  • 24 GB+ GPU VRAM
  • 500 GB NVMe SSD
  • NVIDIA RTX 4090 / RTX A6000
  • Mac Studio M2 Max / M3 Ultra

Performance Expectations

Hardware tier Clean iPhone scan Compromised iPhone scan
Mac M-series (any) 1-2 min 2-3 min
Windows, 24 GB+ VRAM 1-2 min 2-4 min
Windows, 8-16 GB VRAM 2-3 min 4-7 min
Windows, 4-8 GB VRAM 3-5 min 7-12 min
Windows, integrated / under 4 GB VRAM 5-10 min 12-25 min

First-run AI model download is approximately 17 GB (one-time, per workstation). Air-gap mode is supported after initial setup. Scans never leave the device - the entire forensic pipeline runs locally.

Get LUMA

Download

Available for Windows and macOS. Licensed for authorized security professionals.

Windows

v2.0.0.5 - Installer (.exe)

Request Access

Windows 10/11 - 64-bit
Python 3.12 embedded

macOS

v2.0.0.5 - Disk Image (.dmg)

Request Access

macOS 13+ (Ventura or later)
Apple Silicon & Intel

Get Started

Need Answers About a Device?

Contact us to schedule a live forensic demo or discuss deployment for your organization.

Contact Us