Observe · Attest · Enforce · Deceive · Comply

What TLS does for Network Identity,
Pulsaride-H7 does for Software Behavior.

Prompt-injection filters and EDR tools cannot observe what an agent does at the kernel layer — only what it says. Pulsaride-H7 is a six-layer defense platform: it observes via eBPF, attests every event in a tamper-evident ledger, enforces at the kernel veto layer, deceives attackers with cryptographic canaries, and proves compliance to DORA, NIS2 and the EU AI Act — all offline-verifiable, no SaaS dependency.

Kernel capture: eBPF
Ledger: hash_v2
Signature: Ed25519
CPU overhead: < 0.4%
Canary FP rate: 0%
Verification: Fully offline
Defense in depth · six layers
01 Observe: eBPF · syscall capture
02 Understand: QII + SII dual-channel
03 Attest: hash_v2 · Ed25519 .cal
04 Respond: Muraille LSM · kernel veto
05 Deceive: canary · DECEPTION_TRIGGERED · conf=1.0 · TRAPPED
06 Comply: DORA · NIS2 · EU AI Act

A threat enters at the kernel and is scanned through every layer. What EDR misses, the canary layer catches — first use is proof, zero false positives.

Platform overview

Six layers. No blind spots.

Most tools cover one layer. H7 closes the entire loop — from kernel observation to court-admissible attestation, including what it couldn't see.

01
Observe

eBPF syscall probe captures every behavioral event at the kernel layer — no agent can hide from its own syscalls.

eBPF / QII · Rust no_std · < 0.4% CPU
02
Understand

Dual-channel ingestion (kernel QII + semantic SII) builds a unified intent model: what the agent did AND what it meant to do.

Dual-channel SII · LangGraph / vLLM · MCP gateway
03
Attest

Every event is sealed into a SHA-256 hash chain and signed Ed25519. The ledger attests even its own blind spots — no interval is silently lost.

hash_v2 ledger · Ed25519 .cal · Blindness attestation
04
Respond

The Muraille LSM layer issues a kernel-level veto before a malicious syscall completes. No alert latency — the action never happens.

LSM / Muraille · Kernel veto · Circuit breaker
05
Deceive

Cryptographic canaries in fake .env files trap attackers — including AI agents. The first credential-use seals DECEPTION_TRIGGERED conf=1.0. Zero false positives by construction.

Canary .env · conf=1.0 · 0% FP
06
Comply

One .cal bundle satisfies DORA Art. 17, NIS2 Art. 21, and EU AI Act Art. 9 — offline-verifiable, no SaaS, no third-party CA required.

DORA Art. 17 · NIS2 · EU AI Act · Air-gap verify
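
The Attest layer above describes a SHA-256 hash chain signed with Ed25519 that records its own blind spots and can be verified offline. The Go example below is added here to illustrate that general construction and is not Pulsaride-H7 code: the `Record` layout, the `"gap"` record kind and the sample events are assumptions, and the actual hash_v2 and .cal formats are not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Record is a hypothetical ledger entry, not H7's format; Kind "gap" marks an unobserved interval.
type Record struct {
	Kind, Payload string
	Prev, Hash    [32]byte
}

// digest binds a record's content to the hash of its predecessor.
func digest(r Record) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%q|%s", r.Prev, r.Kind, r.Payload)))
}

// Append links a new record to the end of the chain.
func Append(chain []Record, kind, payload string) []Record {
	r := Record{Kind: kind, Payload: payload}
	if len(chain) > 0 {
		r.Prev = chain[len(chain)-1].Hash
	}
	r.Hash = digest(r)
	return append(chain, r)
}

// Verify rechecks every link and the Ed25519 signature over the head hash, fully offline.
func Verify(chain []Record, sig []byte, pub ed25519.PublicKey) bool {
	var prev [32]byte
	for _, r := range chain {
		if r.Prev != prev || digest(r) != r.Hash {
			return false
		}
		prev = r.Hash
	}
	return ed25519.Verify(pub, prev[:], sig)
}

// Demo signs a constructed ledger, then checks intact, edited and truncated copies.
func Demo() (intact, edited, truncated bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := Append(Append(Append(nil, "event", "execve make"), "gap", "12 events dropped"), "event", "openat /etc/hosts")
	sig := ed25519.Sign(priv, c[2].Hash[:])
	bad := append([]Record(nil), c...)
	bad[1].Payload = "0 events dropped"
	return Verify(c, sig, pub), Verify(bad, sig, pub), Verify(c[:2], sig, pub)
}

func main() { fmt.Println(Demo()) }
```

Rewriting the gap record fails the link check, and dropping the last record fails the signature check because the signed head hash no longer matches the end of the chain.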
CI/CD Agent Compromise — April 2026
Realistic scenario — reproducible in 10 min with the demo kit

CI/CD pipeline compromise — detected and certified in 4.8 seconds

A third-party CI runner integrated into a cloud deployment pipeline was compromised via supply-chain injection. The attacker used only legitimate syscalls — invisible to EDR and prompt-injection filters alike.

H7 detected the behavioral drift within 4.8 seconds and emitted a .cal certificate — a non-repudiable forensic artifact satisfying DORA Art. 17 incident reporting requirements.

h7.kernel.log — 2026-04-21 (demo scenario)
03:14:22.001 [h7] agent:ci-runner-49 BASELINE_ESTABLISHED
03:14:27.318 [h7] syscall_seq: execve→openat→mmap (expected)
03:14:29.441 [h7] DRIFT_DETECTED: behavioral_entropy_threshold_crossed
03:14:29.441      unexpected: ptrace→process_vm_readv
03:14:29.443 [h7] ALERT: LIVING_OFF_THE_LAND — agent:ci-runner-49
03:14:29.443      action: emit .cal certificate + notify operator
03:14:29.451 [h7] .cal signed sha256:a7f3...d9c1 (Ed25519)
03:14:29.451      DORA artifact: incident-2026-04-21.cal ✓
Demo Kit · 10-min replay

See an agent compromise detected and certified — in 10 minutes

01
Clone
git clone the demo kit — no signup, no cloud account required. Linux + Docker + sudo.
02
Run the attack scenario
Execute a shell-spawn, silent exfiltration, or ptrace scenario. Watch H7 detect at the kernel layer in real time.
03
Verify .cal offline
Verify the emitted .cal certificate with the bundled Ed25519 public key — no network, no CA, no SaaS.
Pulsaride H7 — demo kit (make attack-vercel)
H7 end-to-end demo: living-off-the-land detection, agent isolation, and .cal certificate verification
Design Principles

Technical transparency, by design

Every H7 design decision is auditable. No hidden network calls, no opaque SaaS dependency, no trust requirement beyond a cryptographic key you control.

Zero allocator

Rust no_std

The H7 probe runs as a Rust no_std eBPF program — no heap, no kernel module, no OS dependency beyond the Linux kernel itself.

< 0.4%

CPU overhead

Measured under sustained production load. The kernel seismograph adds no perceptible latency to the agent workload under observation.

Air-gap ready

Fully offline

Verification of any .cal certificate requires no network access, no external CA, no SaaS. The Ed25519 public key is the only dependency.

Any Linux ≥ 5.15

No dedicated hardware

H7 runs entirely in software via eBPF — no DPU, no SmartNIC, no proprietary chip required. Runs on-premise, on sovereign cloud, or on standard VMs. No US hardware supply-chain dependency.

Design Partner Program — Cohort 1 open

Shape the DORA-ready AI agent attestation standard.

We're onboarding regulated EU finance teams as founding partners — H7 in your environment at cost, direct engineering access, and a signed DORA audit package.

6-Week DORA Pilot

From proof-of-concept to DORA-ready in 6 weeks

A fixed-scope engagement: H7 deployed on your agents, .cal certificates in production, and your team fully autonomous on attestation workflows.

6 weeks · Production or staging environment
H7 deployed on target agents
.cal certificate workflow
DORA incident report template
Team knowledge transfer session

Custom pricing available for enterprise contracts. Contact for MSSP and reseller terms.

Active obligation
DORA Art. 17 — in force since January 2025
The EU AI Act Annex III deadline moved to December 2027 — but DORA incident reporting is non-negotiable today. A 6-week pilot anchors your compliance now, while your 2027 teams still have capacity.
Regulatory Compliance

One .cal bundle. Three regulatory frameworks.

The same attestation certificate satisfies DORA, NIS2, and the EU AI Act — without requiring separate tooling, separate processes, or separate evidence trails.

In force — Jan 2025

DORA · Art. 17

Digital Operational Resilience Act

DORA mandates documented, reproducible evidence of ICT incident timelines. H7 .cal bundles provide timestamped, cryptographically-signed kernel traces that satisfy Art. 17 incident reporting with a single artifact.

Timestamped incident timeline
Cryptographic non-repudiation
Third-party agent attribution
In force — Oct 2024

NIS2 · Art. 21

Network & Information Security Directive 2

NIS2 requires organizations to implement supply-chain security measures and demonstrate continuous monitoring. H7 provides behavioral attestation of third-party agents across the full software supply chain.

Supply-chain agent monitoring
Continuous behavioral baseline
Exportable compliance reports
High-risk provisions — Aug 2026

EU AI Act · Art. 9

EU Artificial Intelligence Act

The EU AI Act imposes strict logging and audit-trail requirements on high-risk AI systems. H7 .cal certificates serve as the opposable forensic record for autonomous agent runtime behavior demanded by Art. 9.

Agent runtime audit trail
Offline-verifiable proof chain
High-risk AI system runtime audit trail