Multi-layer file scanning, on your own hardware.
Rayzcan is the self-hosted alternative to OPSWAT MetaDefender. Scan uploads from your web apps through six detection layers — without ever sending the file to a third party.
Why Rayzcan
Multi-layer scanning
Anomaly detection, ClamAV with SaneSecurity feeds, YARA rules, structural analysis, and CDR sanitization. Layered like ESET, tuned for static file uploads.
Files never leave your stack
Unlike cloud scan APIs, Rayzcan runs on hardware you control. The file stays in RAM during the scan and is wiped immediately after. Only metadata (SHA-256, size, MIME, verdict) is logged.
Self-hosted, predictable cost
Pay for our software, not per-scan fees. Run on a MacBook, Mac Studio, or any VPS. The full stack ships as Docker Compose — migrate in minutes.
Built-in CDR
Receive sanitized PDFs back instead of just a verdict. Active content (JavaScript, OpenAction, embedded files) gets stripped via Ghostscript re-render.
Plug-in engine model
Every scanner conforms to one TypeScript interface. Add new detection layers (ML, sandbox, custom YARA rules) without touching the pipeline.
Per-tenant policies
Each API key has its own allowed file types, size limits, score thresholds, and engine toggles. Configure from a dashboard, no redeploys.
Six detection layers, cheap-first
- 1. anomaly — magic-byte verification, double-extension detection
- 2. reputation — SHA-256 vs known-bad hash DB
- 3. signature — ClamAV with SaneSecurity feeds (3.6M+ signatures)
- 4. structural — pdfid + oletools, deep document analysis
- 5. rule — YARA scoring with custom rule sets
- 6. cdr — Content Disarm & Reconstruction (Ghostscript flatten)
Pricing
Free
- • 100 scans / month
- • All 6 detection layers
- • Dashboard + API key management
- • Community support
Paid
- • 10 000 scans / month
- • Higher rate limits
- • Premium ClamAV signature feeds
- • Priority support