Attack vectors H7 detects
Primary attack vectors detected at the kernel behavioral layer.
Living-off-the-Land (LOTL)
Critical: Attacker uses only legitimate OS syscalls, already whitelisted by EDR, to pivot laterally. Invisible to signature-based detection and prompt-injection filters.
H7 detects LOTL via behavioral sequence analysis, not individual syscall inspection. The structural fingerprint of legitimate-but-unexpected call sequences is flagged within seconds.
Runtime Structural Drift
High: An agent's runtime behavior deviates from its declared specification after deployment, whether from prompt injection, model update, or environment compromise.
H7 continuously compares live syscall sequences against the agent's baseline. Any structural deviation — including subtle ones — raises a scored drift event before damage occurs.
Supply-Chain Agent Injection
High: A third-party agent embedded in a CI/CD pipeline or orchestration layer is compromised upstream, prior to deployment. The agent itself passes static analysis.
H7 establishes a behavioral baseline at first execution. Compromised supply-chain agents will exhibit behavioral patterns inconsistent with the baseline — caught on first run post-injection.
Prompt Injection
Medium: Malicious instructions embedded in data processed by an LLM-based agent alter its behavior at inference time, bypassing intent-level guardrails.
H7 does not operate at the inference layer. It operates at the kernel layer. If prompt injection causes an agent to execute unexpected syscalls, H7 detects the structural consequence regardless of the injection vector.
.cal attestation chain of trust
From agent startup to offline-verifiable forensic certificate.
Agent starts
H7 eBPF probe attaches to the process at execve. No code changes to the agent required.
Baseline window
H7 records the agent's expected syscall-sequence model during a configurable baseline window (default: 30s).
Continuous monitoring
Rolling behavioral comparison against baseline. Drift score computed per batch of syscall events.
Detection threshold crossed
When the behavioral divergence measure crosses the detection threshold, H7 emits a signed .cal certificate and raises an alert. Containment action is operator-initiated.
.cal certificate emitted
Ed25519-signed attestation bundle generated: agent identity, timestamps, full trace, divergence measure reading, and alert action.
Offline verification
Any party with the published Ed25519 public key can verify the .cal certificate — no network, no CA, no SaaS.
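The baseline window, continuous monitoring and threshold steps above can be sketched as follows. This is an added example, not H7's code: the 3-gram model, the Jensen-Shannon divergence, the 0.5 threshold and the DriftMonitor name are all assumptions, since the page does not specify H7's divergence measure.

```python
import math
from collections import Counter

def ngrams(trace, n=3):
    """Count sliding n-grams of syscall names in one trace."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))

def js_divergence(p_counts, q_counts):
    """Jensen-Shannon divergence (log base 2, range 0..1) of two count tables."""
    p_total, q_total = sum(p_counts.values()), sum(q_counts.values())
    if p_total == 0 or q_total == 0:
        return 0.0  # batch too short to form a single n-gram: nothing to score
    score = 0.0
    for gram in set(p_counts) | set(q_counts):
        p, q = p_counts[gram] / p_total, q_counts[gram] / q_total
        m = (p + q) / 2
        if p:
            score += 0.5 * p * math.log2(p / m)
        if q:
            score += 0.5 * q * math.log2(q / m)
    return score

class DriftMonitor:
    """Hypothetical monitor: baseline n-gram model plus per-batch drift score."""
    def __init__(self, baseline_trace, n=3, threshold=0.5):  # assumed defaults
        self.n, self.threshold = n, threshold
        self.baseline = ngrams(baseline_trace, n)
        self.known_syscalls = set(baseline_trace)

    def score_batch(self, batch):
        score = js_divergence(self.baseline, ngrams(batch, self.n))
        return {
            "score": round(score, 3),
            "alert": score >= self.threshold,
            # what a per-syscall allowlist would see: calls absent from baseline
            "unseen_syscalls": sorted(set(batch) - self.known_syscalls),
        }

# Constructed sample traces (not captured from a real agent).
BASELINE = ["openat", "read", "close", "sendto", "recvfrom"] * 40
NORMAL_BATCH = ["openat", "read", "close", "sendto", "recvfrom"] * 8
# Same five syscalls as the baseline, but in an order the baseline never shows.
REORDERED_BATCH = ["openat", "read", "sendto", "read", "sendto",
                   "close", "recvfrom", "openat"] * 5

if __name__ == "__main__":
    monitor = DriftMonitor(BASELINE)
    for name, batch in (("normal", NORMAL_BATCH), ("reordered", REORDERED_BATCH)):
        print(name, monitor.score_batch(batch))
```

The reordered batch crosses the threshold although its unseen_syscalls list is empty, which is the LOTL case described earlier: each call is individually familiar and only the sequence structure differs.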
What H7 does not cover
Inference-time content safety
H7 does not inspect LLM outputs, prompt content, or semantic intent. It is not a content moderation layer.
Network-layer threats
H7 monitors outbound connection destinations and egress call rates from AI-runtime namespaces (ADR-019). It does not inspect payload content, TLS handshakes, or DNS queries.
Windows environments
H7 relies on Linux eBPF. Windows Subsystem for Linux (WSL) has partial support — see the demo kit for compatibility notes.
Hardware-level attacks
H7 does not detect firmware implants, Spectre/Meltdown-class CPU attacks, or physical hardware compromise.
Test the threat model in your environment
The demo kit ships with replay scripts for each attack vector listed above. Run H7 locally and validate detection before committing to a production deployment.