Cyberphysical Security

Deniable

What if being forced to unlock your phone was no longer the moment everything fell apart?

The Wrench Attack

Deniable is a cyberphysical security company. Our first product is the world's first deniable encryption operating system, built for civilian and military operators who carry data worth taking into places where someone can force them to unlock their devices. We close the one gap the security industry has spent decades stepping around: forced key disclosure.

The world spends about $213 billion a year keeping attackers out of its devices. The cheapest way past all of it costs about five dollars: a wrench. Nobody cracks the encryption when they can crack the person holding it, and once that person unlocks the phone, the passcodes, the biometrics, and the encryption fall at once. The field has a name for it. The wrench attack.

The Coerced-Key Gap

That is the coerced-key gap, and it sits at the sharp edge of cyberphysical security: where digital tools meet the real world, and the weakest part of any system is the person holding the key. Cybersecurity assumes the attacker is somewhere else. Cyberphysical security assumes the attacker is standing in front of you.

The people who live with this gap are not edge cases. Journalists carry sources across borders, where a single device search can burn an entire network. NGO teams pass through checkpoints run by the forces they document. Private security details, energy crews, and intelligence personnel cross hostile ground with high-value data in their pockets. And anyone holding real cryptocurrency in a wallet on their phone is carrying a vault that a single forced unlock empties. For all of them, encryption was never the problem. Being made to open it was.

And the exposure is widening. Border agents now search phones as routine, authoritarian checkpoints are multiplying, crypto holders are robbed at gunpoint for their keys, and forensic kits powerful enough to image a device in minutes are cheap and everywhere. The use of coercion was once rare. It is becoming ordinary.

Karakoram built Deniable to close that gap. We took it from a problem the market wrote off as theory to a deployed operating system, in the field, against real adversaries.

What We Built

Deniable is a hardened Android operating system with three passwords and one phone. The first opens an ordinary, working phone. The second opens the hidden environment, where the real data lives. The third destroys the hidden environment and opens the ordinary one. Under pressure, the user looks fully cooperative, and the phone looks unremarkable.

It works like a traveller's false wallet. Hand over a little, keep the real one out of sight, and the threat passes. The mechanism is what makes it hold: the hidden data is stored so that it cannot be distinguished from unused space, and its existence cannot be proven, even by a trained examiner with forensic tools. Show everything, without showing anything.

"It's been transformative for us so far."

Security lead

Major international news organization

Why It's Different

The idea isn't new. Hidden volumes and hardened phones have been around for years. But desktop tools like VeraCrypt never made it to the field, and privacy-focused systems like GrapheneOS harden a phone against a remote attacker, not against the person holding it. None of them was built for forced disclosure. Deniable is.

Customers can run Deniable in two ways: with pre-provisioned devices ready to hand out, or with a software-only license they install on phones they already have. Either way, a team puts it to work without becoming security engineers.

Impact

  • Deployed since late 2024 in contested environments — with journalists, NGO field teams, and intelligence personnel.
  • Zero compromises: as of June 2026, no reports of arrests, detentions, or data loss from any user, anywhere.
  • Letters of support from several US and allied intelligence and logistics units, who call it "a critical advancement in how we protect sensitive data."
  • Adopted in production by the international high-risk team of a global news-media organization — protecting field crews, covert filming, and confidential sources.
  • In early revenue and growing 18% month over month, with paying customers across NGOs, journalism, energy, legal, and private security.

"The ability to carry a dual-environment device, one that looks like a regular smartphone but conceals an encrypted mission workspace that is truly invisible under inspection, could have been game-changing on many of my past deployments. … A solution like Deniable, with its offline-first design, duress PIN features, and forensic invisibility, aligns precisely with what's needed on the edge."

USAF Airborne ISR Operator

97th Intelligence Squadron 20+ years · 9 combat deployments

What's Next

The hard part is done: Deniable is built, deployed, and earning. On a coercion-resistant foundation, the same team can extend well beyond the phone — to resilient field communications, secure tunnels, and the laptops and servers that operators carry into the same hostile ground. That is the roadmap. The market it reaches into runs to tens of billions, and Deniable holds the entry point that no one else does.

That is the work Karakoram sets out to do: take a problem the market has written off as too hard, and build a company against it. Deniable is the third venture we've built this way. It won't be the last.

Continue exploring