APEX17 CYBER PERCEPTION

Packet → Threat Signal
before lateral movement.

The same topological identity engine that powers robotics, markets, healthcare, and defense — applied to network traffic. Flows, endpoints, DNS. Local silicon. Zero-day detection at O(1). Deterministic. Advisory signal, not autonomous remediation.

CYBER PIPELINE

The Detection Path

From raw packet capture to threat-classification signal in a single deterministic pass. Every output carries a full forensic chain.

01 — Capture

Packet → Ingest

NetFlow records, PCAP streams, or endpoint telemetry ingested via CyberDataView. Protocol validation enforced per source type.

0.3ms

02 — Extract

Signal Adapter

NetFlow → traffic topology. DNS → query graph. Endpoint → process tree. TLS → certificate fingerprint. Source-specific feature extraction.

0.4ms

03 — H₀ Topology

Persistence Analysis

H₀ persistent homology extracts structural patterns from traffic flows. Stability, entropy, anomaly score. Deterministic traffic fingerprint.

0.8ms

04 — Council

SOC Council

3-agent modality-gated council. NetFlowAgent, EndpointAgent, DNSAgent. Support-weighted consensus. Only relevant sources vote.

0.6ms

05 — Classify

Threat Signal

5-level threat classification. Known-threat fingerprint recall. Forensic trail with hash, vote log, and reasoning. NIST-auditable output.

0.4ms
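An added illustration (not Apex17's code) of what stage 03 and the fingerprint recall of stage 05 amount to: H₀ persistence of a flow point cloud via union-find over the sorted edge filtration, persistence entropy of the resulting bars, a 64-bit fingerprint of the barcode, and an O(1) memory lookup in which a miss is the novelty signal. The feature layout, the entropy and fingerprint formulas, and the plain-dict memory are assumptions.

```python
import hashlib
import math
from itertools import combinations

# Constructed flow features (log2 bytes, log2 packets, duration s): a tight
# benign cluster plus one small, long-lived flow. Not real telemetry.
FLOWS = [
    (9.1, 3.2, 1.0), (9.0, 3.1, 1.1), (9.2, 3.3, 0.9), (8.9, 3.0, 1.2),
    (9.1, 3.1, 1.0), (9.0, 3.2, 1.1),
    (5.5, 1.1, 30.0),
]

def h0_persistence(points):
    """H0 bars via union-find over the edge filtration (Kruskal order).
    Every point is born at scale 0; a component dies at the edge length
    that merges it into another. Returns the n-1 finite death times."""
    parent = list(range(len(points)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    edges = sorted((math.dist(points[a], points[b]), a, b)
                   for a, b in combinations(range(len(points)), 2))
    deaths = []
    for w, a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:          # edge joins two components: one of them dies here
            parent[ra] = rb
            deaths.append(w)
    return deaths

def persistence_entropy(bars):
    """Shannon entropy (bits) of the normalised bar lengths."""
    total = sum(bars)
    return -sum(b / total * math.log2(b / total) for b in bars if b > 0)

def fingerprint(bars, decimals=3):
    """64-bit deterministic fingerprint: hash of the rounded, sorted barcode."""
    canon = ",".join(f"{b:.{decimals}f}" for b in sorted(bars))
    return int.from_bytes(hashlib.blake2b(canon.encode(), digest_size=8).digest(), "big")

def analyze(points, memory):
    """memory: dict fingerprint -> label (assumed ThreatMemory shape).
    The lookup is O(1); a miss is the 'novel pattern' signal."""
    bars = h0_persistence(points)
    fp = fingerprint(bars)
    return {"max_persistence": max(bars), "entropy": persistence_entropy(bars),
            "fingerprint": fp, "recall": memory.get(fp)}
```

Because the fingerprint is built from the sorted bar multiset, reordering the input flows yields the same hash, which is what makes the recall lookup meaningful.
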

BENCHMARK

Proven Numbers

Same math as robotics, healthcare, and defense. Same topology engine. Different domain. Same determinism.

2.5ms · End-to-End Latency · Packet → Threat Signal
9 · Data Sources · NetFlow, DNS, Endpoint, TLS…
O(1) · Threat Recall · Fingerprint hash lookup
100% · Deterministic · Same traffic → same verdict

DATA SOURCES

One Engine, Nine Telemetry Types

CyberPrior accepts any network telemetry source through a common CyberDataView interface. Validation is source-specific. Topology is agnostic.

  • NetFlow / sFlow: Traffic Metadata
  • PCAP / DPI: Deep Packet Inspect
  • DNS Query Logs: Resolution Graph
  • Endpoint EDR: Process Trees
  • TLS Certificates: Cert Fingerprint
  • SIEM Events: Aggregated Logs
  • Firewall Logs: ACL Verdicts
  • IDS / IPS: Signature Alerts
  • Threat Intel: STIX / TAXII

COMPONENTS

What We Built

Same architectural pattern as defense, clinical, and robotics engines. Data adapters + topology + council + classification.

PERCEPTION ENGINE

CyberPrior

Core engine scaffold with source-specific validation:

  • NetFlow validation — packet count × byte count × protocol bounds
  • DNS format check — query type, response code, NXDOMAIN detection
  • TLS inspection — certificate chain, cipher suite, JA3 hash
  • Anomaly gating — only when persistence entropy exceeds baseline
  • 5 threat levels — Benign → Suspicious → Malicious → C2 → APT

DATA ADAPTERS

Cyber Utils

Safe data conversion with ownership-aware lifetime contract:

  • ProcessNetFlow — flow records → traffic topology point cloud
  • ProcessDNSLog — queries → domain graph with entropy scoring
  • ProcessEndpointTelemetry — process trees → behavior fingerprint
  • Synthetic generators — normal + C2 + DGA + exfil for testing

DECISION LAYER

SOC Council

3-agent modality-gated consensus system:

  • NetFlowAgent — traffic patterns, volume anomalies, beaconing
  • EndpointAgent — process behavior, privilege escalation, persistence
  • DNSAgent — domain generation, tunneling, exfiltration patterns
  • Support-weighted — correlated evidence strengthens confidence
  • Advisory signal — never autonomous remediation

THREAT CLASSIFICATION

5-Level Threat Scoring

Composite scoring from topology metrics:

  • Level1-APT — coordinated, multi-stage, persistence established
  • Level2-C2 — active command-and-control beaconing detected
  • Level3-Suspicious — elevated anomaly, novel traffic pattern
  • Level4-Anomaly — statistical deviation, no known signature
  • Level5-Benign — known-good baseline, normal operations
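An added example (not Apex17's code) of the modality-gated, support-weighted council mapped onto the five levels above: an agent votes a level with a support weight only when its source is present, support is summed per level, and the winning level's share of all support is reported as confidence alongside the vote log that the forensic trail would carry. The agent heuristics, the feature keys and the weighting rule are assumptions.

```python
from dataclasses import dataclass

# Levels as on the page, most severe first; ties resolve toward severity.
LEVELS = ["Level1-APT", "Level2-C2", "Level3-Suspicious", "Level4-Anomaly", "Level5-Benign"]

@dataclass
class Vote:
    agent: str
    level: str
    support: float  # 0..1: how strongly this source's evidence backs the level
    reason: str

# Per-source feature dicts and thresholds are constructed for illustration.
def netflow_agent(f):
    if f["beacon_periodicity"] > 0.9:
        return Vote("NetFlowAgent", "Level2-C2", 0.85, "periodic beaconing")
    if f["anomaly_score"] > 0.9:
        return Vote("NetFlowAgent", "Level3-Suspicious", f["anomaly_score"], "elevated anomaly")
    return Vote("NetFlowAgent", "Level5-Benign", 1 - f["anomaly_score"], "baseline traffic")

def endpoint_agent(f):
    if f["privesc"] and f["persistence"]:
        return Vote("EndpointAgent", "Level1-APT", 0.9, "privesc + persistence established")
    if f["privesc"] or f["susp_ratio"] > 0.03:
        return Vote("EndpointAgent", "Level3-Suspicious", 0.7, "suspicious process behaviour")
    return Vote("EndpointAgent", "Level5-Benign", 0.8, "normal process tree")

def dns_agent(f):
    if f["dga_ratio"] > 0.02:
        return Vote("DNSAgent", "Level3-Suspicious", min(1.0, f["dga_ratio"] * 10), "DGA-like queries")
    return Vote("DNSAgent", "Level5-Benign", 0.9, "normal resolution graph")

AGENTS = {"netflow": netflow_agent, "endpoint": endpoint_agent, "dns": dns_agent}

def deliberate(sources):
    """Modality-gated: only agents whose source is present vote (unknown
    sources are ignored; no relevant source means no verdict). Support-weighted:
    each level sums its voters' support and the winner's share is the confidence."""
    votes = [AGENTS[name](feat) for name, feat in sources.items() if name in AGENTS]
    tally = {lvl: 0.0 for lvl in LEVELS}
    for v in votes:
        tally[v.level] += v.support
    total = sum(tally.values())
    winner = max(LEVELS, key=lambda lvl: tally[lvl]) if total else None
    return {
        "level": winner,
        "confidence": tally[winner] / total if winner else 0.0,
        "council": f"{sum(v.level == winner for v in votes)}/{len(votes)}",
        "vote_log": [(v.agent, v.level, round(v.support, 3), v.reason) for v in votes],
    }
```

The returned dict is the advisory signal: level, confidence and the per-agent vote log, with nothing that acts on the network.
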

LIVE OUTPUT

What the Engine Actually Prints

Raw output from a NetFlow + DNS + Endpoint multi-source pipeline run. Every number is deterministic — run it yourself and get the same result.

[0.0ms] CAPTURE CyberDataView received: source=NETFLOW (500 flow records)
[0.1ms] CAPTURE NetFlow validation: records=500 · protocols=[TCP, UDP] · ports=[80, 443, 53, 8080]
[0.3ms] EXTRACT ProcessNetFlow: 500 flows → 500 traffic topology pts in 0.2ms
[0.4ms] EXTRACT Concurrent: ProcessDNSLog 200 queries · 9 DGA candidates flagged
[0.5ms] EXTRACT Concurrent: ProcessEndpoint 100 processes · 4 suspicious · 1 privesc
[0.7ms] TOPO H₀ persistence (NetFlow): 12 components · max_persistence=1.90
[0.9ms] TOPO Stability=0.026 · entropy=3.53 · anomaly_score=0.974
[1.0ms] TOPO ThreatFingerprint: hash=0xBB7CB695A8FF32B5 · deterministic
[1.2ms] TOPO ThreatMemory O(1) lookup: 8/8 known threats recalled
[1.3ms] TOPO Novel pattern detected: DGA entropy=3.53 exceeds baseline
[1.5ms] COUNCIL SOCCouncil::Deliberate — sources=[NetFlow, Endpoint, DNS]
[1.7ms] COUNCIL NetFlowAgent: anomaly=0.974 → Level3-Suspicious
[1.8ms] COUNCIL EndpointAgent: susp_ratio=0.040 privesc=TRUE → Level3-Suspicious
[1.9ms] COUNCIL DNSAgent: dga_ratio=0.045 → Level3-Suspicious
[2.0ms] COUNCIL Consensus: 3/3 agents → Level3-Suspicious · confidence=83%
[2.2ms] CLASSIFY Threat: anomaly=0.974 dga_detected=TRUE
[2.3ms] CLASSIFY Classification: Level3-Suspicious — novel traffic pattern, elevated anomaly
[2.4ms] DECISION CyberDecision: SUSPICIOUS — advisory signal for SOC analyst review
[2.5ms] DECISION Audit: fingerprint=0xBB7CB695 · council=3/3 · NIST-AUDITABLE
[2.5ms] ✓ PIPELINE COMPLETE — total latency 2.5ms (edge, no cloud)

python proof-artifacts/benchmarks/run_cyber_proof.py — same output every run

THE CYBER ENGINE THESIS

"The cyber engine detects structural anomalies in network topology and converts them into forensic-grade classification signals for SOC analysts — advisory, not autonomous remediation."

DATA FLOW

A Different Kind of Threat Detection

Most cybersecurity tools are signature-based scanners or cloud-dependent ML classifiers. This engine is structural, deterministic, and edge-native.

SIGNATURE-BASED IDS

Pattern Match → Alert

Matches packets against a static rule database. Misses zero-day attacks entirely. Requires constant signature updates. No structural understanding of traffic.

CLOUD SIEM / XDR

Log → Cloud → Dashboard

High accuracy after hours of correlation, but cloud-dependent with minutes of latency. Attackers complete lateral movement before alert fires.

ML-BASED NDR

Train → Baseline → Anomaly

Better detection but high false-positive rates, retraining cycles, and black-box explanations. Analysts suffer alert fatigue.

APEX17 CYBER

Capture → Topology → Council → Classify

Real-time structural analysis with full forensic trail. Runs on local silicon — no cloud required. Fingerprint recall identifies known threats at O(1). Novel patterns flagged instantly by fingerprint miss. Every output is a forensic-grade signal, not a black-box prediction.

DIFFERENTIATORS

Five Architecture-Level Differences

Structural design choices that matter for enterprise and government cybersecurity.

01

Zero-Day Detection Without Signatures

The engine doesn't need a signature for every attack. H₀ topology detects structural anomalies that no rule database has seen. A fingerprint miss is the detection.

Standard IDS fails on zero-days because it only recognizes what it's been taught. This engine recognizes what it hasn't seen — and flags it automatically.

02

Traffic Fingerprint at O(1)

Every traffic pattern produces a 64-bit persistence fingerprint. Known attack patterns are recalled instantly via hash lookup — no database scan required.

"Have I seen this C2 beacon before?" is answered in constant time. Same hash = same campaign. Different hash = novel variant. Instant triage.

03

Multi-Source SOC Council

NetFlowAgent, EndpointAgent, and DNSAgent fuse at the edge. Modality-gated: only relevant sources vote. Correlated evidence from multiple sources eliminates false positives.

A DNS anomaly + unusual NetFlow pattern + endpoint process anomaly produces much higher confidence than any single source — and the forensic trail shows exactly why.

04

NIST-Auditable Forensic Chain

Every classification carries: traffic fingerprint → council votes → reasoning strings → threat level → confidence score. All timestamped, all deterministic.

Critical for SOC2, NIST 800-53, and CMMC compliance. The system proves exactly why it classified traffic at a specific threat level for a specific time window.

05

Air-Gapped / Edge-Native

Runs entirely on local silicon. No cloud dependency. Operates inside air-gapped networks, classified environments, and OT/SCADA segments where cloud is forbidden.

Air-gapped networks can't use cloud security. This engine processes network telemetry at the edge with zero connectivity — critical for DoD, nuclear, and critical infrastructure.

STATE OF THE ART

SOTA Comparison: Traditional vs. Topological

Benchmarked against current-generation cybersecurity tools across detection speed, zero-day capability, and forensic quality.

Capability | Standard NDR / XDR (2024) | Apex17 Cyber (2026)
Detection Latency | Minutes to hours (log correlation + batch ML) | 2.5ms (before first lateral move)
Zero-Day Detection | Signature update required (days to weeks for IOC) | Automatic (fingerprint miss): instant structural flagging
Processing | Cloud / hybrid (data leaves network boundary) | Full edge (data never leaves premises)
Method | ML / heuristic (black-box, retraining cycles) | Topological (H₀): deterministic, no training
False Positive Rate | High (alert fatigue; SOC burnout, ignored alerts) | Low (multi-source council; correlated evidence required)
Forensic Quality | Variable (partial logs, incomplete chain) | Full audit chain (hash → votes → reasoning)

COMPETITIVE LANDSCAPE

Who Else Is Playing Here

The cybersecurity market is massive but fragmented. No current player combines topological detection, edge-native processing, and deterministic forensic chains.

ENDPOINT LEADER

CrowdStrike — Falcon

Dominant EDR/XDR platform. Cloud-native with excellent detection, but requires cloud connectivity and uses ML models that can't explain their reasoning. $90B market cap built on endpoint telemetry.

Cloud-dependent · ML black box

NETWORK SECURITY

Palo Alto Networks — Cortex

Full SASE/XDR stack. Platform approach with massive enterprise footprint, but detection relies on signature + ML hybrid. Minutes-to-hours detection cycle for novel threats.

~Minutes for novel · signature-dependent

AI-NATIVE NDR

Darktrace — Antigena

Closest to "autonomous detection." Uses unsupervised ML for anomaly detection, but black-box explanations cause alert fatigue. Autonomous response is controversial in enterprise SOCs.

~Seconds for anomaly · no forensic chain

TOPOLOGICAL EDGE

Apex17 Cyber — This Pipeline

2.5ms deterministic detection with full forensic chain. Zero-day via fingerprint topology. No cloud. No training. Multi-source council eliminates false positives. NIST-auditable by design.

2.5ms edge · zero-day · forensic chain

MARKET VALUE

The Largest TAM of Any Domain

Cybersecurity is a $200B+ market growing 12% annually. Every enterprise, government, and critical infrastructure operator is a buyer. Dual-use: commercial + defense.

$200B+ · Global Cybersecurity · Total addressable market. Growing 12% YoY. Every enterprise is a buyer.
$8B · NDR Market (2028) · Network Detection & Response. Growing from $3.2B in 2024. Fastest growth segment.
$32B · Zero-Trust Architecture · Edge-native, air-gapped, and deterministic: three pillars of zero-trust.

HONEST ASSESSMENT

What This Proves. What Production Needs.

This scaffold demonstrates the architecture works on network telemetry. Production cybersecurity requires significantly more.

What This Scaffold Proves

  • Same topology math works on network traffic data
  • Five domains — one engine, one math, zero retraining
  • O(1) threat recall via fingerprint hash
  • SOC council fuses NetFlow + Endpoint + DNS at edge
  • Forensic trail — every classification traceable to packets
  • Air-gapped native — no cloud dependency

What Production Would Need

  • PCAP integration — wire-speed packet capture (10G/40G/100G)
  • FedRAMP authorization — for government customers
  • SOC2 Type II audit — for enterprise buyers
  • STIX/TAXII feeds — threat intel enrichment integration
  • SOAR integration — Splunk, Sentinel, QRadar connectors
  • Scale testing — 1M+ flows/sec sustained throughput

CROSS-DOMAIN

Same Math. Five Domains.

The topological identity engine is domain-agnostic. H₀ persistent homology works on any structured data — spatial, temporal, clinical, tactical, or network.

Robotics

LiDAR → persistence → Director Governor veto. O(1) SceneMemory.

35ms CUDA

Markets

Price → persistence → confidence cut. O(1) RegimeMemory.

0.16ms CPU

Healthcare

CT/ECG → clinical council → acuity signal. 10 modalities.

4.1ms CPU

Defense

SAR/SIGINT/IMINT → Multi-INT council → threat classification.

4.5ms edge

Cyber

NetFlow/DNS/Endpoint → SOC council → threat classification.

2.5ms edge

See the platform.

One topological identity engine. Five proven domains. Zero retraining.
