
Zero Trust has strengthened identity and access controls, but one gap remains wide open: the file. Even documents that come from authenticated users, trusted SaaS apps, or encrypted channels can carry zero-day payloads hidden inside macros, OLE objects, and file structures that detection tools can’t see. Attackers now rely on this blind spot because AV, EDR, and sandboxes only stop what they can recognize, leaving new and undisclosed threats free to slip through.
Menlo Security, which has broadened its enterprise browser protection to include a multi-faceted file security solution, closes this gap by eliminating trust at the content layer. Instead of scanning for malicious elements or outright blocking files, Menlo File Security uses a combination of content disarm and reconstruction (CDR), hash checks, AV, and sandboxing to rebuild every file using only verified, safe components. This approach enables Menlo customers to remove hidden payloads tied to zero-day vulnerabilities while preserving full functionality—allowing busy enterprises to safely use complex files without delays or workflow disruptions.
As CISOs extend Zero Trust into SaaS, email, cloud storage, and BYOD environments, content-level controls are becoming essential. By delivering clean, fully functional files in milliseconds, Menlo File Security adds the enforcement layer that Zero Trust has been missing and secures the data stream end-to-end.
Security leaders are confronting an uncomfortable truth: the files they’ve always trusted are now some of their biggest liabilities. A document can arrive fully authenticated, travel through encrypted channels, and originate from an approved partner and still carry a zero-day payload waiting to detonate the moment it’s opened. Modern attackers no longer need to breach perimeter defenses; they can hide within embedded objects, macros, and scripts that reside in everyday business files.
Zero Trust has strengthened the outer layers of the enterprise, from identity verification to access enforcement. Yet while the model evolved around users and networks, an entire layer of risk was left unaddressed. The content itself, as well as the data moving through email, SaaS tools, browsers, and shared repositories, continued to operate under outdated assumptions of trust.
For CISOs, this is the new frontier. If Zero Trust is about removing implicit trust wherever it hides, then it must reach into the data stream and challenge every file at its core. Only by treating content as untrusted by default can organizations close the last open gap in an otherwise modern Zero Trust architecture.
Despite stronger identity controls and hardened perimeters, most organizations still extend a surprising amount of implicit trust to the files moving through their environment. A spreadsheet uploaded through a partner portal, a PDF shared from a cloud repository, or a document sent by an authenticated user are all treated as “safe” by default—simply because they originate from the “right place.” Yet, this trust-in-the-source mindset is exactly what today’s attackers rely on. They compromise legitimate accounts, exploit trusted cloud apps, and weaponize everyday business workflows to deliver their payloads without raising alarms.
Once inside the file, the threat becomes even more difficult to detect. Modern malware is engineered to hide deep within the structure of a document, embedded in objects, macros, media assets, or even file metadata. These components often remain invisible to traditional detection technologies that depend on signatures or behavioral patterns. Zero-day vulnerabilities exacerbate this challenge, as malicious code crafted around an undisclosed flaw can bypass every existing security control before a patch or signature is even available. File-borne threats, including Office documents, PDFs, and archive files, continue to be the primary channel for delivering enterprise malware.
In practice, this means the systems built to keep attackers out are being bypassed through the very mechanisms organizations trust the most. The assumptions that once felt reasonable, that an encrypted channel equals safety, that an authenticated upload equates to legitimacy, no longer hold. This blind spot has become a primary entry point for zero-day malware, underscoring a fundamental truth: if the content inside the file isn’t verified, the source of the file is irrelevant.
Traditional defenses fall short because they’re built on recognition. AV, EDR, and sandboxes only stop what they’ve seen before, yet most successful breaches now come from new or unknown zero-day attacks that leave no signature behind. And while still essential in a tech stack for outliers and testing, sandboxes introduce delays, struggle to scale, and are easily outmaneuvered with tactics such as delayed execution or environment checks.
This puts detection tools at odds with the Zero Trust approach. Zero Trust assumes nothing is safe; detection assumes it can identify what’s unsafe. When attackers hide inside file structures that don’t trigger known indicators, that assumption collapses.
And while quarantining or blocking suspicious files might seem safer, it’s not practical. Business runs on documents, spreadsheets, PDFs, images, and archives. Slowing or stopping that flow breaks critical workflows. To enforce Zero Trust at the content level, organizations need a way to guarantee safe files without introducing friction or relying on guesswork.
Attackers have also shifted from single-vector techniques to multi-layered infection chains. A file may contain a benign-looking macro that triggers an OLE object, which then calls hidden shellcode embedded in an image. Each step is intentionally designed to evade traditional scanning tools by distributing the exploit across multiple parts of the file. If one layer goes unnoticed, and it often does, the entire chain succeeds.
Even more concerning are the vulnerabilities no one knows about yet. Undisclosed flaws can remain invisible for years, giving attackers ample time to craft payloads that detection engines simply cannot flag. When malicious code is built around a pre-zero-day weakness, no signature, heuristic model, or behavioral pattern will uncover it. By the time the vulnerability is publicly identified, the attacker has already moved on. This is where detection-based tools hit their ceiling and where Zero Trust at the content level becomes essential.
The only way to close this gap is to stop trying to detect what’s malicious and instead rebuild files so that only safe content remains. That’s exactly where Level 3 CDR, and specifically Menlo’s Positive Selection® technology, changes the equation. Rather than scanning for suspicious elements or comparing a file against known threat markers, CDR reconstructs the document from the inside out. It creates a clean, vendor-approved template, then transfers only the verified, known-good components into the new file. Anything unrecognized, malformed, or potentially dangerous, from macros and OLE objects to embedded scripts and hidden structures, never makes it through the process.
This model eliminates the guesswork that detection tools typically rely on. There are no signatures to update, no heuristics to tune, and no assumptions about what constitutes “bad” behavior. Whether the threat is tied to an undisclosed vulnerability, a brand-new zero-day, or an old flaw waiting in an unpatched system, CDR eliminates the exploit before it reaches the user. And because Positive Selection rebuilds the file instead of flattening or stripping it, organizations retain full functionality: active content works as intended, password-protected files stay protected, and workflows remain uninterrupted.
This is what true Zero Trust looks like at the content layer. The file is never considered safe solely because of its origin or method of delivery. Every element must be explicitly verified before it’s allowed into the environment. Nothing is blocked, quarantined, or delayed, yet everything is sanitized. The result is a steady flow of safe, fully functional files that keep the business moving without relying on trust or detection at all.
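As an added illustration, not Menlo’s code or the Positive Selection® engine itself, the sketch below applies the positive-selection idea to an OOXML (.docx) package: a fresh zip is populated only from an allow-list of part names, and relationship files are re-serialized so nothing points at a dropped macro or OLE part. The allow-lists, the sample package and its placeholder VBA and OLE parts are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed allow-lists for this example. A real Level 3 CDR engine carries a full vendor
# schema of known-good parts and element structures and rebuilds the body XML too; here
# document.xml is copied through unchanged and [Content_Types].xml is not pruned.
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
                 "word/_rels/document.xml.rels", "word/styles.xml", "docProps/core.xml"}
ALLOWED_REL_TYPES = ("/officeDocument", "/styles", "/image", "/core-properties")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def rebuild_rels(xml_bytes):
    """Keep only allow-listed relationship types, so nothing points at a dropped part."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        if not rel.get("Type", "").endswith(ALLOWED_REL_TYPES):
            root.remove(rel)  # vbaProject, oleObject and unknown types are discarded
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def rebuild_docx(data):
    """Positive selection: copy only allow-listed parts into a fresh package.
    Returns (rebuilt_bytes, names_of_dropped_parts)."""
    out, dropped = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name not in ALLOWED_PARTS:
                dropped.append(name)  # macros, OLE objects and unknown parts are never copied
                continue
            body = src.read(name)
            dst.writestr(name, rebuild_rels(body) if name.endswith(".rels") else body)
    return out.getvalue(), dropped

def build_sample_docx():
    """Constructed sample: a minimal package carrying a VBA project and an OLE embedding."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OD}styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{OD}oleObject" Target="embeddings/oleObject1.bin"/></Relationships>')
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>",
             "word/styles.xml": "<styles/>", "word/_rels/document.xml.rels": rels,
             "word/vbaProject.bin": b"constructed VBA placeholder",
             "word/embeddings/oleObject1.bin": b"constructed OLE placeholder"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `rebuild_docx(build_sample_docx())` yields a package that still opens its styles relationship but no longer contains the VBA or OLE parts, and the returned list names exactly what was left behind, which is the audit trail a CDR pipeline should log.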
As files move across partners, vendors, cloud apps, within and outside browsers, and via remote devices, the organization’s real weakness becomes the content itself. Every document, upload, and automated transfer carries risk, and without content-level controls, a single hidden payload can bypass even the strongest identity and network defenses.
Menlo Security sits at the center of this evolution, meeting modern enterprises where and how they work and delivering something the rest of the market has struggled to achieve: real Zero Trust for files. Creating a defense-in-depth architecture alongside our browser security solution, Menlo File Security is able to provide clean, fully functional content in milliseconds, giving organizations immediate protection without interrupting workflow. Every file is rebuilt, verified, and delivered safely, a level of assurance that traditional detection tools simply can’t match.
Menlo also strengthens this model at the access layer with our Secure Enterprise Browser solution that stops threats before they ever touch the endpoint, controlling how users interact with the web, and preventing malicious activity from reaching them—without ever forcing users to stick to a single browser. When paired with file sanitization, the two solutions form a seamless Zero Trust pipeline.
This combination is transforming how security leaders approach Zero Trust. It broadens the model from perimeter and identity to the content actually moving through the business, closing the gaps attackers rely on, and giving CISOs the confidence that files, not just users, are operating under Zero Trust principles.
If you’re ready to extend Zero Trust where it matters most, explore how Menlo File Security can protect every file entering your environment and keep your business moving safely. Schedule a demo and put content-level Zero Trust into action.
Menlo Security
