What the agent does — not what it says
Prompt-injection filters and EDR tools operate on observable text or process names. H7 operates at the syscall layer via eBPF, where there is no abstraction to manipulate. Every execve, mmap, ptrace, and connect is captured with nanosecond timestamps and process-causal attribution — regardless of what the agent reported to the orchestrator.
The probe is a Rust no_std eBPF program. It cannot be observed by the monitored process, cannot be injected from userspace, and adds less than 0.4% CPU overhead under sustained production load.
Intent meets behavior — one unified model
Kernel events (QII) tell you what happened. The semantic channel (SII) tells you what was supposed to happen. H7 correlates both: a legitimate tool call that spawns an unexpected child process is detected even if each half looks normal in isolation.
The SII gateway integrates with LangGraph, vLLM, and any MCP-compatible runtime. No model fine-tuning, no prompt modification, no content inspection. The agent's declared intent is signed and compared against its observed kernel behavior at every decision boundary.
Every event sealed — including the ones we missed
Every kernel event is committed into a SHA-256 hash chain (hash_v2). The chain is sealed periodically with an Ed25519 signature. Any gap — whether from a sensor restart, a ring-buffer drop, or a deliberate blind-spot attack — is itself attested as a SENSOR_GAP event and sealed into the chain. You don't lose the proof of what you couldn't observe.
A BREACH episode produces a .cal certificate: a JSON+Ed25519 artifact that bundles the full incident timeline, the chain tip hash, and the behavioral evidence. Verifiable offline with a single public key. No CA, no SaaS, no network.
Stop the action before the syscall completes
Detection without enforcement is telemetry. The Muraille LSM layer (Linux Security Module) inserts a veto hook before a flagged syscall is allowed to proceed. The malicious action never completes — the agent is contained at the kernel boundary, not after the fact.
Enforcement operates on a signed contract profile: a calibrated behavioral envelope derived from observed nominal sequences. Any attempt to execute outside the envelope in production triggers a cryptographically-attested ATTEMPT_BLOCKED event and, optionally, a circuit-breaker freeze token.
Trap attackers — including AI agents — at the credential layer
A fake .env file placed alongside real configuration contains synthetic credentials wired to a honey-sink. The moment an attacker (human or AI agent delegated to a compromised workspace) uses a canary credential outbound, the honey-sink records a hit — and the brain seals DECEPTION_TRIGGERED with confidence=1.0.
There are zero false positives by construction: a credential that was never issued to any real service cannot produce a legitimate hit. The first use is proof of compromise. The event is sealed into the ledger and certified with the same Ed25519 .cal format as any other breach.
One artifact. Three regulatory frameworks. Zero SaaS dependency.
The .cal certificate produced at every BREACH event is a self-contained compliance artifact: timestamped kernel timeline, behavioral evidence, Ed25519 signature, and chain integrity proof. It satisfies DORA Art. 17 incident reporting, NIS2 Art. 21 supply-chain monitoring, and EU AI Act Art. 9 runtime audit-trail requirements in a single file.
Verification requires no network access, no external CA, no subscription. The Ed25519 public key is the only dependency. Auditors can replay every .cal bundle years after an incident without calling home.
Ready to close the loop?
Deploy all six layers in a 6-week pilot — production or staging, H7 in your environment.