WHY SECULETTER · OUR CONVICTION

All-in on one thing —
Content Disarm and Reconstruction.

In a broad security market, we chose to specialize. Reverse-engineering file structure from the inside out, neutralizing the threats we find, and safely reassembling — that single focus built the MARS engine.

Content Disarm and Reconstruction — SecuLetter's approach: reverse-engineer document files, neutralize embedded threats, and safely reassemble
DIFFERENTIATION · 01

We lead on all four axes.

Most CDR vendors compete on format coverage alone. SecuLetter has held a leadership position simultaneously across four axes — core technology, format coverage, performance, and Korea-native design.

01

Core technology

MARS reverse-engineering engine — built and owned entirely in-house.

  • Not a reseller, not OEM — 100% engine ownership
  • Format spec updates shipped quarterly, in-house
  • Custom formats added on customer request
Patents held: 14
02

Format coverage

309 supported file formats — roughly 1.5× the global CDR vendor average.

  • CFB · OOXML · PDF · HWP · HWPX · HTML — every major family
  • Includes images, archives, scripts, and media
  • Multiple Korean public document formats that global vendors do not support
Industry average: ~200 formats
03

Performance and reliability

TTA GS Grade 1 · avg. analysis time 12.02s.

  • Average sanitization 34 ms per file
  • Guaranteed email-gateway throughput of 200k files / day
  • TTA GS Grade 1 · Common Criteria EAL2 · Korean public procurement listed
GS analysis time: 12.02s
04

Korea-native

HWP and Korean regulated-industry environments designed in as defaults.

  • Every version of Hancom Office · HWPX · HML supported
  • Korean public procurement listed · 40+ public-sector deployments
  • Korean-language support — direct from engineers at Pangyo HQ
Public-sector references: 40+ organizations
WHY · the limits of behavior-based detection

Four things sandboxes cannot catch.

Behavior-based systems execute files in a virtual environment and observe the result. Four real-world conditions break that premise — and we've seen each one confirmed during actual PoCs.

  • 01

    Non-executable document attacks

    Attacks that produce no behavior are undetectable by design. Fragmentary payloads — embedded in documents, images, and scripts that themselves execute no code — are growing.

    BNK Busan Bank adopted SecuLetter because behavior-based systems couldn't catch non-executable document attacks.

  • 02

    Throughput at scale

    A sandbox needs at least 3–5 minutes per file. When email and public-service portal upload traffic surges, the entire business workflow stalls.

    Daishin Securities replaced a behavior-based system with SecuLetter to resolve throughput constraints.

  • 03

    Limited HWP coverage

    Global solutions are weak on Korean HWP and HWPX formats. The primary entry path for government and public-sector campaigns flows straight through them.

    Ebest Investment & Securities adopted SecuLetter after it correctly diagnosed an HWP attack.

  • 04

    Sandbox-evasion techniques

    Samples that use sandbox evasion — VM-aware, time-delayed, user-action-triggered — produce no behavior in a virtual environment. Detection rates drop further.

    Daishin Securities replaced a behavior-based system with SecuLetter due to low detection rates against evasion-equipped samples.

HEAD-TO-HEAD · 02

Same question, different answer.

We picked the criteria that come up repeatedly in real procurement RFPs. Competitor names are referenced by their published product category.

| Criterion | SecuLetter (ours) | A: Global CDR · US | B: Global CDR · EU | C: Sandbox APT · Korea |
|---|---|---|---|---|
| Approach | Disassemble and reassemble | Disassemble and reassemble | Disassemble and reassemble | Behavior observation (execution-based) |
| Supported formats | 309+ | ~220 | ~180 | Unlimited (requires execution time) |
| HWP · HWPX | All versions · PostScript | HWP partial | Not supported | Execution only |
| Avg. processing time | 34 ms / file | ~60 ms | ~80 ms | 2–5 min (sandbox wait) |
| Zero-day and unknown malware | Structurally removed | Structurally removed | Structurally removed | Passes if not detected |
| Sandbox-evasion resilience | Does not execute | Does not execute | Does not execute | Defeated by evasion |
| TTA GS certification | Grade 1 | Foreign certifications only | Foreign certifications only | Grade 1 |
| Korean public procurement listing | Listed | Not listed | Not listed | Listed |
| Korean-language direct support | Direct from HQ | Via local partner | Via local partner | Direct |
| Engine ownership | 100% in-house | In-house | In-house | Partially OEM |
PROOF · 03

Not claims —
verified numbers.

Every figure is sourced from third-party certification, a public challenge, or live production data. We publish the source alongside every number.

12.02 s
Avg. analysis time · TTA GS Grade 1

TTA software evaluation results. Average over a 1,000-file sample. 2.5× faster than the published industry benchmark.

Source · TTA GS certificate 2024-GS-0817
100%
KISA APT response challenge — detection rate

Participated in the KISA APT defense challenge in 2023 and 2024. Detected and sanitized all 124 sample variants.

Source · KISA APT Challenge Report
309+
File formats supported · industry-leading coverage

Major families: CFB · OOXML · PDF · HWP · HWPX · HTML. Includes 17 Korean public document formats.

Source · internal QA 2026 Q1 · format spec published
100+
Public, finance, and defense deployments

Cumulative deployments since the Korean public procurement listing. 92% renewal rate. Over 100M files processed per day on average.

Source · 2026 Q1 internal CRM · auditable
KOREA-NATIVE · 04

Korea is the default —
not a regional option bolted onto a global product.

Global CDR products treat the Korean environment as a locale. SecuLetter was designed with HWP, Korean public procurement, and Korean-language support as architectural premises from the very first line of code.

HWP

Full Hancom Office format coverage

HWP 3.0–5.x · HWPX · HML · HWT · CELL · SHOW. The only solution on the market that disassembles the PostScript stream inside HWP.

Industry-average coverage: HWP partial
GOV

Public procurement and security requirements

Korean public procurement listed · Common Criteria certified · cleared for security suitability by a national agency. Deployed at 40+ public organizations.

Public-sector renewal rate: 94%
CS

Direct support from HQ engineers

Direct technical support from engineers at the Pangyo HQ. Average 1.4-hour first-response on urgent incidents. Full Korean-language technical documentation.

First response: avg. 1.4 h
LAW

Compliant with privacy and network-separation regulations

On-premise and air-gapped network deployment by default. No logs or analysis data leave Korea. Compliant with Korean electronic-finance supervision regulations.

Network separation: supported by default
VOICES · 05

What deployed organizations actually say.

Not vendor copy — sentences written by the security leaders themselves. We only publish quotes where the organization has agreed to be named.

"We see 300+ HWP-based spear-phishing attempts per month. The previous solution only told us suspicious. After switching to SecuLetter, we receive a disassembled, safe version delivered directly — past the suspicion stage entirely. The biggest difference: the SOC is freed from making the verdict call."

CISO · public-sector agency · 2 years deployed · renewed

"We evaluated two global vendors alongside SecuLetter. In the end, the decision came down to three things — depth of HWP support, response speed, and Korean-language documentation. SecuLetter clearly led on all three. The two custom formats we requested during the PoC were added within two weeks."

Head of security · financial services (one of the four major holding groups) · 3 years deployed · expanded firm-wide

"We operate in defense, so every file is a candidate for classified information. A deployment where logs and analysis data don't leave the country and stay on-premise was a contract prerequisite. SecuLetter already had that as the default architecture — no custom work required."

Information security officer · defense contractor · 1.5 years deployed · expanding to affiliates
MIGRATION · 06

Move from your current solution
to SecuLetter.

18 organizations per year transition from sandboxes or global CDR products. Avg. migration: 3.2 weeks · zero service interruptions · 100% transition success.

  • 01 Environment assessment — log and traffic analysis of the existing solution (1 week)
  • 02 Parallel PoC — both solutions running on live email traffic simultaneously (2 weeks)
  • 03 Full cutover — non-disruptive switchover plus monitoring (1 week)