BrickStor SP vs ProLion CryptoSpike — purpose-built Cyberstorage vs ransomware overlay
ProLion CryptoSpike is a capable ransomware-detection product for NetApp, Lenovo, and Dell storage. The question for buyers evaluating both is what kind of architecture each company is offering — and what that architecture can and cannot do at the data layer.
Two companies, two starting points
ProLion is an Austrian company, founded in 2013, headquartered in Wiener Neustadt. Its early business was NetApp high-availability — ClusterLion, an automatic switchover solution for NetApp MetroCluster environments. As the company expanded into data security it built CryptoSpike, a ransomware-protection product that monitors NetApp ONTAP and, later, Lenovo DM-Series and Dell storage. ProLion’s center of gravity is adding ransomware detection to someone else’s storage.
RackTop was founded in 2010 by veterans of the U.S. Intelligence Community to build a storage platform with security embedded in the data path from day one. RackTop coined the term CyberConverged™ Storage in 2018 and shipped what is now broadly recognized as the first NAS with proactive data security built into the storage layer itself — inline threat detection, automated response, forensic audit, and surgical remediation as platform primitives. The four BrickStor patents are the architectural expression of that decade-long head start.
Both approaches have a place. They are not the same thing — and the difference is architectural, not a feature checklist.
Credit where it's due
Fast to deploy. CryptoSpike installs as a set of virtual machines from an OVA file.
Multi-platform reach. CryptoSpike works across NetApp ONTAP (FAS/AFF), Lenovo DM-Series, and Dell PowerScale, Unity, and PowerStore. For organizations that have already invested in one of those platforms and want to add behavior-based ransomware detection without replacing the storage, CryptoSpike is one of the available options.
A maintained blocklist. ProLion curates and continuously updates the ransomware-extension blocklist, taking that maintenance burden off the customer to manage a block list on the storage itself.
Organizations with a large NetApp or Dell investment they are not in a position to replace will look for overlay solutions like CryptoSpike to add a ransomware-detection layer to the storage they already own.
The difference is not a feature checklist. It's where the security work happens in the data path.
CryptoSpike is a software overlay. It runs as three virtual machines that live outside the storage system. It consumes file-operation events from the storage array through the FPolicy interface, runs behavioral analysis and a blocklist check, and when it detects something suspicious it issues a call back to the array to block the offending user. The detection is real-time relative to the FPolicy event stream, but the architecture is fundamentally event-driven: events have to be generated by the storage, shipped to the CryptoSpike VMs, processed, and only then can a response be initiated. The security control lives one layer removed from the data.
BrickStor SP is the storage system, and security is in the data path. Active Defense is patented behavioral detection that runs inline as I/O happens — not in a downstream VM consuming an event feed. The decision to block, alert, or quarantine is made by the storage system itself before the suspicious operation is allowed to propagate. Active Defense →
This architectural difference cascades into several others:
Recovery model
CryptoSpike pairs with RestoreManager to restore files it has identified as corrupted — a meaningful capability, and better than a blanket snapshot rollback. But it still depends on the FPolicy event record being complete and on the underlying array’s snapshots being intact and uncompromised. It doesn’t remove bad or corrupted files from the live file system. BrickStor’s patented Intelligent Bulk Remediation works from the platform’s own immutable forensic record, surgically rolling back exactly the files an attack session touched.
Intelligent Bulk Remediation →Detection without a signature list
CryptoSpike’s first line of defense is a blocklist of known ransomware file extensions and names, curated and continuously updated by ProLion. That is effective against known, file-renaming ransomware — but it is a signature model, and it depends on connectivity to ProLion’s update service. Ransomware that does not rename files, or that uses unknown extensions, leans entirely on the behavioral layer. BrickStor’s Active Defense is behavioral by design, with no signature list to keep current and no external dependency.
Active Defense →Air gap
CryptoSpike does not provide a virtual air gap; isolated, immutable copies depend on whatever the underlying array offers. BrickStor’s patented ImmutaVault delivers air-gap-equivalent immutability as a feature of the same platform — no parallel environment to size, license, and operate.
ImmutaVault →Threat coverage
CryptoSpike is, by its own description, ransomware protection. BrickStor SP is designed to defend against both ransomware and data theft / exfiltration. The forensic record of UBA and the Active Defense behavioral engine work together to identify abnormal read patterns — the precursor to exfiltration — not just abnormal write patterns. The threat landscape long ago shifted from "encrypt and demand ransom" to double extortion that prioritizes data theft. The defense has to follow.
A platform, not a product stack
CryptoSpike requires NetApp, Lenovo, or Dell storage underneath, plus the CryptoSpike VMs, plus RestoreManager for recovery, plus whatever immutability the underlying array provides. BrickStor SP is one platform with one license model, where Cyberstorage is the system, not an add-on. BrickStor’s simplified architecture makes it easier to manage and less vulnerable to data attacks.
The defense itself becomes an attack surface
A software overlay running in separate VMs is, by definition, a discoverable network resource — and that means it can be targeted before the main attack on data ever begins. Modern adversaries routinely conduct reconnaissance, fingerprint the defensive tooling in an environment, and disable or isolate it before initiating the encryption or exfiltration phase. Disabling backup infrastructure, EDR agents, and storage security overlays is a standard step in current ransomware and data-theft playbooks.
CryptoSpike runs as three virtual machines and depends on a continuous FPolicy event stream from the storage array. If an attacker can compromise, isolate, or take those VMs offline — through a VM-level vulnerability, a hypervisor compromise, a network partition between the VMs and the array, an authentication compromise of the management plane, or a denial-of-service against the appliances — then the underlying NetApp or Dell storage reverts to being storage without active defense. The data is then defended only by whatever native protections the array has, which is precisely the gap CryptoSpike was created to fill.
BrickStor SP does not have this attack surface.
Active Defense is not a separate VM, not an agent, not a sidecar — it is the storage operating environment. Detection, automated response, ABAC enforcement, ImmutaVault immutability, and the forensic audit record are all features of the same system that serves the data. There is no “turn off the defense and keep the storage” configuration. An attacker cannot disable Cyberstorage without disabling the storage itself — and disabling the storage prevents the data theft or destruction the attacker was attempting in the first place.
This is the practical difference between defense of the storage and defense built into the storage.
BrickStor SP vs. ProLion CryptoSpike — side by side
| Capability | RackTop BrickStor SP | ProLion CryptoSpike |
|---|---|---|
| Architecture | Purpose-built Cyberstorage platform | Software overlay (three VMs) on third-party storage |
| Storage required | None — BrickStor is the storage | NetApp ONTAP (FAS/AFF), Lenovo DM-Series, or Dell PowerScale / Unity / PowerStore |
| Detection model | Patented Active Defense, inline in the data path | FPolicy-event-driven analysis in separate VMs — behavioral anomaly detection plus a ProLion-managed blocklist of ransomware file extensions |
| Detection dependency | Self-contained behavioral analytics — no signature list, no external service | Blocklist of known ransomware extensions is curated by ProLion and requires connectivity to ProLion’s update service to stay current |
| Recovery | Patented Intelligent Bulk Remediation — surgical, file-level rollback from the platform’s own forensic record | RestoreManager — restores files identified as corrupted |
| Immutability / air gap | Patented ImmutaVault (in-platform virtual air gap) | Not a native CryptoSpike capability — relies on the underlying array’s snapshots |
| Threat focus | Ransomware and data theft / exfiltration | Ransomware-first |
| Audit and forensics | Native forensic record on every operation | Derived from the underlying array’s FPolicy event stream |
| Air-gapped / disconnected operation | All Cyberstorage functions run on the controller — air-gap friendly | Blocklist updates require reaching ProLion’s external update service |
| Defense as an attack surface | None — the defense is the storage system | Detection runs in three separate VMs; discoverable and attackable |
| Products / licenses for full protection | One | Multiple — storage + CryptoSpike + RestoreManager for recovery |
Comparison based on publicly available ProLion product documentation as of May 2026. Vendor capabilities evolve — contact us if you believe any entry is out of date and we will validate against the current release.
Pick the architecture that matches your threat model
Choose ProLion CryptoSpike if
You have a large, established NetApp, Lenovo, or Dell footprint that you're not in a position to replace, and your priority is adding behavior-based ransomware detection as an overlay on the storage you already own. Your threat model is primarily commodity ransomware. You don't have federal ABAC, classified, or coalition mission environment requirements, and a non-U.S. vendor is acceptable for your procurement. You're comfortable operating the CryptoSpike VMs and a separate recovery component.
Choose BrickStor SP if
You want one platform that is Cyberstorage, with Active Defense, ImmutaVault, IBR, ABAC, and a complete forensic audit trail built in. You need behavioral detection that doesn't depend on a signature list or an external update service — and that runs fully on the controller for air-gapped and disconnected environments. You need ABAC on unstructured data for federal, classified, or coalition workloads. You want defense against data theft and exfiltration, not just ransomware. You want a first line of defense at the storage layer rather than a detection overlay — and a U.S.-based vendor with a cleared engineering team. GHOST instant migration →
The two companies, in brief
- 2010
RackTop Systems founded by U.S. Intelligence Community veterans to build storage with security in the data path.
- 2013
ProLion GmbH founded in Austria — early business focused on NetApp MetroCluster high availability (ClusterLion).
- 2018
RackTop coins CyberConverged™ Storage and ships the first NAS with security built into the storage layer.
- October 2020
RackTop ships Active Defense — inline threat detection and automated response in the storage data path.
- 2021
Gartner introduces the term "Cyberstorage." RackTop named as a sample vendor.
- 2024–2026
RackTop patents issued for Active Defense, Intelligent Bulk Remediation, Transparent Data Movement, and ImmutaVault.
BrickStor SP vs. ProLion CryptoSpike — answered
- No. CryptoSpike is built to monitor NetApp ONTAP, Lenovo DM-Series, and Dell PowerScale / Unity / PowerStore storage through the FPolicy interface (and Dell equivalents). It is not deployable on BrickStor — and it doesn’t need to be. BrickStor’s Active Defense, ImmutaVault, Intelligent Bulk Remediation, ABAC, and forensic audit deliver Cyberstorage natively.
- CryptoSpike uses a three-level model: a ProLion-curated blocklist of known ransomware file extensions and names, real-time behavioral anomaly detection, and automated blocking of suspicious users. The detection runs in CryptoSpike’s own VMs, consuming file-operation events from the storage system’s FPolicy interface. BrickStor’s Active Defense runs inline in the data path on the storage system itself — the decision happens before the suspicious operation is allowed to propagate, and it does not depend on a signature list.
- It is a strength against known, file-renaming ransomware and it offloads maintenance to ProLion — but it is a signature-style model. Ransomware that does not rename files, or that uses extensions not yet on the list, falls through to the behavioral layer. The blocklist also has to stay current, which means CryptoSpike needs connectivity to ProLion’s update service. BrickStor’s Active Defense is behavioral by design — no list to maintain, no external dependency, and it runs fully on the controller for air-gapped and disconnected environments.
- CryptoSpike is positioned as ransomware protection. Insider threats and slow data exfiltration look nothing like ransomware — they use authorized credentials, move slowly, and read far more than they write. Detecting that pattern requires inline behavioral analytics on every read, ABAC enforcement at the data layer, and the ability to terminate sessions in real time. Those capabilities live inside BrickStor SP.
- This is a real concern with overlay architectures. CryptoSpike runs as three separate virtual machines that are discoverable on the network, depend on a continuous FPolicy event stream from the storage, and are subject to the standard set of VM-level, hypervisor, network, and management-plane vulnerabilities any virtual appliance has. Sophisticated adversaries routinely identify and neutralize defensive tooling before launching the main attack. If the CryptoSpike VMs are compromised, isolated, or taken offline, the storage is defended only by whatever native protections the underlying array has. BrickStor SP doesn’t have this exposure — Active Defense is the storage operating environment, not a separate VM. An attacker cannot disable the defense without disabling the storage.
- For commercial customers, generally not — ProLion is a legitimate, well-regarded vendor with a global customer base. For U.S. federal, defense, and intelligence customers, vendor provenance and supply-chain considerations are part of due diligence. RackTop is a U.S.-based company built by U.S. Intelligence Community veterans, with a cleared engineering team able to support classified programs directly. That is a factual procurement consideration, not a knock on ProLion’s engineering.
- Many customers run BrickStor alongside an existing NetApp + CryptoSpike environment first, starting with the highest-risk shares — federal data, classified work, regulated PII, high-value IP — and migrate the rest over time using BrickStor’s gateway-based migration. You don’t have to choose all at once.
Go deeper
BrickStor SP →
The flagship Cyberstorage NAS — full architecture, capabilities, and use cases.
Built-In vs. Bolt-On Cyberstorage →
Why bolt-on tools can't stop APTs, insider threats, or data theft.
BrickStor SP vs. Superna →
The same architectural comparison against Superna Eyeglass / Ransomware Defender.
See Cyberstorage Built Into the Storage, Not Bolted On
In a 30-minute demo, we'll show Active Defense, ImmutaVault, ABAC, and Intelligent Bulk Remediation working together — and run a competitive scenario against your current NetApp or Dell environment.