The behavioral baseline
When H7 attaches to an agent process, it begins a 30-second baseline window. During this window, H7 records the agent's expected behavioral fingerprint across all five detection channels.
The baseline is nota list of allowed syscalls. It is a structural model of the agent's behavior — the distribution of scheduling events, the causal graph of process relationships, the set of network destinations it contacts, and the sequences of kernel operations it performs.
After the baseline window, H7 enters continuous monitoring mode. Every new batch of kernel events is compared against the baseline model. A deviation that crosses the detection threshold produces an alert and a signed .cal certificate — regardless of whether the individual syscalls are "allowed."
Five detection channels
Each channel operates independently. A single deviation on any channel produces an alert.
Scheduling-entropy drift detection
H7 watches the kernel scheduler event stream for each monitored process namespace. It models the agent's expected scheduling behavior during a 30-second baseline window, then continuously compares the live event distribution against that baseline. A divergence measure is computed per batch; when it crosses the detection threshold, H7 emits an alert and a signed .cal certificate.
Scheduling event distribution across monitored agent namespaces.
Individual syscall content or argument values.
DRIFT_DETECTEDLIVING_OFF_THE_LANDProcess-execution classification
When an AI agent spawns a shell interpreter (bash, sh, python, etc.) as a child process, H7 classifies the resulting process-execution event. Shell spawns are a canonical signal of prompt-injection and living-off-the-land attacks: the agent was instructed to run an OS command it was not designed to run.
Child process execve events from agent namespaces — specifically interpreter spawns.
The content of shell commands or arguments passed to the interpreter.
LLM_AGENT_HIJACKStructural process-causality analysis
H7 builds a causal graph of process relationships from the kernel event stream — which process opened which file, which process forked which child, which sequences of calls follow each other. Structural deviations from the baseline causal graph (unexpected directed cycles, unfamiliar call-graph patterns) are flagged independent of any single syscall.
Process-relationship graph derived from the kernel event stream.
File contents, network payloads, or memory contents of monitored processes.
STRUCTURAL_DRIFTCAUSAL_CYCLE_DETECTEDNetwork egress detection
H7 hooks the kernel's outbound connect and sendmsg paths for AI-runtime namespaces. It monitors destination addresses against a configurable allowlist and detects egress call-rate bursts. An agent connecting to an unknown destination or sending at anomalous rates raises a network alert — without inspecting any packet content.
Destination address and egress call rate from monitored namespaces (ADR-019).
Payload content, TLS handshakes, DNS queries, or packet bodies.
UNKNOWN_DESTINATIONNET_EGRESS_BURSTProcess-attach detection
H7 monitors for ptrace ATTACH and SEIZE operations targeting agent processes. Process-attach is used by debuggers, memory scrapers, and lateral-movement tools to read or modify a running process's memory — a technique invisible to application-level security layers. Any unexpected ptrace operation on a monitored agent triggers an immediate alert.
ptrace ATTACH/SEIZE syscalls targeting monitored agent processes.
Legitimate debugger use outside monitored namespaces.
PTRACE_ATTACH_DETECTEDThe .cal certificate
Every detection event produces one signed artifact. It is the only output H7 generates.
agent_idUnique identifier of the monitored processts_nsNanosecond-precision timestamp of the detection eventhostHostname of the machine running the H7 sensorchannelDetection channel (L1–L5) that triggered the alertdivergenceBehavioral divergence measure at time of alertsyscall_traceKernel event sequence preceding the detectionactionAlert action taken (ALERT_EMITTED; containment is operator-initiated)signatureEd25519 signature over all fields — verifiable with the published public keyThat a specific agent process exhibited a specific behavioral sequence at a specific nanosecond-precision timestamp on a specific host — and that this record has not been modified since H7 signed it.
Any party with the published Ed25519 public key — your auditor, your CISO, your legal team, or a regulatory body. No network access, no external CA, no SaaS dependency required.
H7 detects, attests, and alerts. It does not automatically terminate or isolate agents. Containment requires an explicit operator action — preserving human control and audit trail continuity.
Architecture: zero external dependencies
All telemetry stays on the host. The Ed25519 public key is the only external dependency.
eBPF probe — on host
The H7 sensor runs as a Rust no_std eBPF program attached to the Linux kernel. Zero heap allocation. No kernel module. No root filesystem writes.
Behavioral analysis — on host
All detection computation happens locally. No telemetry is sent to a cloud service. No API call is required for detection to function.
.cal emission — on host
The signed certificate is written to the local filesystem. The Ed25519 signing key never leaves the host. Verification uses only the published public key.
Alert delivery — your infrastructure
H7 pushes alerts to a local sinkhole process. You integrate that with your SIEM, Slack, PagerDuty, or incident management system — H7 makes no external calls.
See all five channels detect in 10 minutes
The demo kit ships with attack scripts for L1, L2, L4, and L5. Clone it and run the detection cycle on your machine — no cloud account required.