Built for engineers who need proof, not hope.

The problem with probabilistic security

Most AI security products work at the inference layer. They scan prompts, score outputs, and raise alerts when semantic patterns look suspicious. This is useful. It is also fundamentally probabilistic: a sufficiently clever adversary — or a sufficiently unusual legitimate workload — will produce false negatives and false positives with no way to tell them apart.

When a CISO asks "did this agent behave correctly during the incident window?", a probabilistic answer is not an answer. A DORA Art. 17 auditor does not accept "our model thought it was probably fine." Regulated environments require evidence — documented, timestamped, tamper-evident, reproducible.

Why the kernel layer

An agent process cannot lie about its syscalls. It can lie in its outputs. It can be instructed to lie via prompt injection. It cannot instruct the Linux kernel scheduler to lie. The kernel event stream is the only ground truth available at runtime — below the application, below the LLM, below the tool-call layer.

H7 attaches an eBPF probe at execve. From that moment, every scheduling event, every process relationship, every outbound connection attempt, every ptrace operation on the monitored namespace is observable. Not sampled. Not approximated. Observed.

This is the same principle behind flight data recorders: you instrument the physical layer, not the pilot's intentions. The kernel is the physical layer of software.

The .cal certificate: proof by construction

When H7 detects behavioral drift, it does not send a webhook to a cloud service. It signs a certificate — offline, with an Ed25519 key whose private half never leaves your host. The .cal artifact contains the agent identity, the nanosecond-precision timestamp, the full syscall sequence preceding the detection, and the alert action taken.

Any party with the published public key can verify this certificate without network access, without a CA, without calling home to Pulsaride. The certificate is either valid or it is not. There is no probabilistic interpretation. That is what "proof" means in this context.

What H7 refuses to be

• A content moderation layer. H7 does not read prompt content, model outputs, or tool call arguments. It observes what the agent does at the kernel layer — never what it says.
• An auto-isolation system. H7 detects, attests, and alerts. Containment is operator-initiated. Automated kill switches in production AI systems introduce their own risk surface, and DORA requires documented human decision-making in incident response.
• A SaaS dependency. Every component — the eBPF probe, the behavioral analysis, the certificate signing, the verification — runs on your host. H7 makes zero runtime network calls after license validation at startup. Air-gap deployments are fully supported.
• A magic classifier. H7 detects kernel-behavior drift and namespace-level injection. It does not identify malware families, classify attack intent, or predict future behavior. It reports what happened at the syscall layer, signs it, and lets you decide.

The design constraint that shaped everything

Every design decision in H7 was made against a single constraint: a DORA Art. 17 auditor must be able to verify the forensic artifact offline, using only the published public key, without any trust in Pulsaride's infrastructure.

This constraint rules out cloud telemetry, probabilistic scoring without deterministic re-derivation, and any signature scheme requiring a CA. It forces the product to be cryptographically honest by construction.

The result is a product that works the way cryptographic protocols work: you either verify the signature or you don't. There is no interpretation. There is no configuration that makes it "more accurate." It either observed the behavior and signed it, or it did not.