Input/output (I/O) inspection methods and systems are disclosed to detect and defend against cybersecurity threats. In one example, a method includes intercepting input/output (I/O) operations including I/O write operations for a storage system. Segments of data related to the intercepted write I/O operations are stored in a write I/O buffer. One or more levels of inspection are performed on the segments of data stored in the write I/O buffer to detect a security threat. A protection instruction is injected in any segments of data having a detected security threat. The defensive action can be performed for the injected protection instruction prior to storing segments of data in the write I/O buffer in the storage system. The protection instruction can be injected at the head of the segments of data having a detected security threat.