This scenario ships in the demo kit. Clone the kit and reproduce this exact detection in 10 minutes, with no cloud account and no signup required. github.com/pulsaride/h7-demo-kit
What happened
On April 21, 2026, at 03:14 UTC, a third-party CI agent integrated into a cloud deployment pipeline was compromised via a supply-chain injection. The attacker used living-off-the-land (LOTL) techniques, relying only on legitimate system calls that EDR tooling already allow-lists, to move laterally across the pipeline.
Traditional security tooling saw nothing anomalous: each syscall was benign on its own. Prompt-injection filters had no signal. Network traffic was within expected bounds. To every existing monitor, the agent looked exactly like a healthy CI runner.
H7, running in the kernel as an eBPF probe, was not scoring individual syscalls. It compared the agent's runtime behavior against the structural fingerprint recorded at baseline: the ordered syscall sequences the agent emits under normal operation. The pair ptrace→process_vm_readv, which a process uses to read another process's memory, had never appeared in the agent's baseline. The behavioral divergence measure crossed the detection threshold, triggering an alert and emission of the signed certificate.
Detection timeline
Kernel-level event log — agent: agent-ci-runner-49 — 2026-04-21 03:14 UTC
Baseline established
H7 records the behavioral fingerprint of agent-ci-runner-49 at startup: the expected syscall sequence execve→openat→mmap.
Normal execution window
Agent operates within baseline. 21 batches processed without deviation.
Structural drift detected
Behavioral divergence measure crosses the detection threshold. Unexpected ptrace→process_vm_readv sequence not present in baseline. H7 flags as living-off-the-land candidate.
ALERT emitted
H7 raises a LIVING_OFF_THE_LAND event and begins emitting the signed .cal certificate. Containment action is operator-initiated.
.cal certificate signed
The Ed25519-signed attestation certificate incident-2026-04-21.cal is generated with the full kernel trace. Detection-to-certificate: 10ms. The artifact is offline-verifiable and DORA-ready.
Technical breakdown
Behavioral fingerprinting
H7 builds a syscall-sequence model at agent startup. The baseline captures expected call-graph patterns under normal operation, not individual call types.
Drift detection
H7 computes a behavioral divergence measure between the live syscall sequence and the baseline profile. When the divergence crosses the detection threshold, H7 emits a signed .cal certificate and raises an alert. Containment is operator-initiated.
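The fingerprinting and drift steps above, as an added example that is not H7's code: a bigram (ordered syscall pair) baseline is learned from healthy batches, and a live batch is scored by the fraction of its transitions that never appeared in training. The bigram model, the unseen-fraction measure, the 0.3 threshold and the sample traces are all assumptions for illustration; the page does not say how H7 models sequences or computes its divergence measure.

```go
package main

import "fmt"

// Added example, not H7's implementation. The bigram model and the
// unseen-fraction divergence are assumptions chosen for illustration.

// Bigram is an ordered pair of consecutive syscalls (execve->openat, ...).
type Bigram struct{ Prev, Next string }

// Baseline counts every consecutive syscall pair seen while learning.
type Baseline map[Bigram]int

// BuildBaseline learns the call-sequence fingerprint from one or more
// healthy batches. Only ordered pairs are stored, not individual call types.
func BuildBaseline(batches ...[]string) Baseline {
	b := Baseline{}
	for _, batch := range batches {
		for i := 0; i+1 < len(batch); i++ {
			b[Bigram{batch[i], batch[i+1]}]++
		}
	}
	return b
}

// Verdict is the outcome of scoring one batch against the baseline.
type Verdict struct {
	Divergence float64  // fraction of bigrams in the batch absent from baseline
	Unseen     []Bigram // the novel chains, in order of appearance
	Alert      bool     // Divergence >= threshold
}

// Score compares a live batch with the baseline. Every syscall in the batch may
// be individually benign; what is scored is whether each transition between
// two calls was ever seen during the learning window.
func Score(b Baseline, batch []string, threshold float64) Verdict {
	v := Verdict{}
	if len(batch) < 2 {
		return v // a single call has no transition to compare
	}
	total := 0
	for i := 0; i+1 < len(batch); i++ {
		total++
		bg := Bigram{batch[i], batch[i+1]}
		if _, seen := b[bg]; !seen {
			v.Unseen = append(v.Unseen, bg)
		}
	}
	v.Divergence = float64(len(v.Unseen)) / float64(total)
	v.Alert = v.Divergence >= threshold
	return v
}

// Constructed sample traces (not captured from a real runner).
var (
	HealthyBatch = []string{"execve", "openat", "mmap", "openat", "read", "close", "write", "exit_group"}
	AttackBatch  = []string{"execve", "openat", "mmap", "ptrace", "process_vm_readv", "write", "exit_group"}
)

func main() {
	base := BuildBaseline(HealthyBatch)
	for _, batch := range [][]string{HealthyBatch, AttackBatch} {
		v := Score(base, batch, 0.3)
		fmt.Printf("divergence=%.2f alert=%v unseen=%v\n", v.Divergence, v.Alert, v.Unseen)
	}
}
```

The point the code makes is the one the narrative makes: every call in AttackBatch also occurs in benign software and passes a per-call allow-list; only the transitions into and out of ptrace→process_vm_readv are novel. A per-batch score this simple is noisy on real runners, since any new code path raises it, so a production detector would smooth over several batches and learn a threshold per agent.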
Ed25519 .cal certificate
Upon alert, H7 signs the full kernel trace with an Ed25519 key. The certificate is verifiable offline using only the published public key, with no CA required. Because nothing else binds that key to H7, verifiers must obtain and pin it out of band.
DORA forensic readiness
The .cal bundle includes: agent identity, breach timestamp (ns precision), full syscall sequence, divergence measure reading, and alert action, covering the incident documentation that DORA (Regulation (EU) 2022/2554) Art. 17 calls for.
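The signing and offline verification described under "Ed25519 .cal certificate" and the bundle fields listed under "DORA forensic readiness", as an added example that is not H7's code. The Certificate field layout is an assumption modelled on the fields the page lists; the real .cal format is not shown on the page, and the sample incident record is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Added example, not H7's implementation. The Certificate layout is an
// assumption modelled on the fields the page lists for a .cal bundle.

// Certificate carries the forensic fields the page lists for a .cal bundle.
type Certificate struct {
	AgentID      string   `json:"agent_id"`
	BreachTimeNS int64    `json:"breach_timestamp_ns"`
	Syscalls     []string `json:"syscall_sequence"`
	Divergence   float64  `json:"divergence"`
	Action       string   `json:"alert_action"`
}

// Signed is what gets written to disk: the exact payload bytes that were
// signed, plus the detached signature. Verifiers check those bytes, never a
// re-serialisation, so no canonical JSON encoding is needed.
type Signed struct {
	Payload   []byte `json:"payload"`   // base64 when marshalled
	Signature []byte `json:"signature"` // 64-byte Ed25519 signature
}

// GenerateKeypair creates the signing key the detector would hold and the
// public key that is published for verifiers.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign serialises the certificate and signs the resulting bytes.
func Sign(priv ed25519.PrivateKey, c Certificate) (Signed, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify needs only the public key: no CA chain, no network, no detector.
// It returns the decoded certificate only if the signature is valid.
func Verify(pub ed25519.PublicKey, s Signed) (Certificate, bool) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, s.Payload, s.Signature) {
		return Certificate{}, false
	}
	var c Certificate
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Certificate{}, false
	}
	return c, true
}

// Tamper rewrites the alert action inside the stored payload, as someone
// editing the on-disk bundle would; the old signature no longer matches.
func Tamper(s Signed, newAction string) Signed {
	var c Certificate
	_ = json.Unmarshal(s.Payload, &c)
	c.Action = newAction
	payload, _ := json.Marshal(c)
	return Signed{Payload: payload, Signature: s.Signature}
}

// SampleCertificate is a constructed incident record matching the scenario;
// the divergence value is made up.
func SampleCertificate() Certificate {
	return Certificate{
		AgentID:      "agent-ci-runner-49",
		BreachTimeNS: time.Date(2026, 4, 21, 3, 14, 0, 0, time.UTC).UnixNano(),
		Syscalls:     []string{"execve", "openat", "mmap", "ptrace", "process_vm_readv"},
		Divergence:   0.5,
		Action:       "LIVING_OFF_THE_LAND",
	}
}

func main() {
	pub, priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	signed, err := Sign(priv, SampleCertificate())
	if err != nil {
		panic(err)
	}
	if c, ok := Verify(pub, signed); ok {
		fmt.Printf("verified: %s %s at %d ns\n", c.AgentID, c.Action, c.BreachTimeNS)
	}
	_, ok := Verify(pub, Tamper(signed, "NONE"))
	fmt.Println("tampered bundle verifies:", ok)
}
```

Two design choices matter for an artifact meant to be checked years later by an auditor: the signature covers the stored bytes rather than a re-encoding, so verification cannot drift with library versions, and the public key is the only trust anchor, so whoever verifies must have received it through a channel they trust.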
See H7 detect this attack in your environment
The demo kit ships with the attack scripts for this scenario. Run it locally and watch H7 detect and certify the compromise in real time.
Run make attack-exfil and watch H7 emit the .cal certificate. Contact contact@pulsaride.com to request a live walkthrough on your infrastructure.