IVD / PORTAL / HOME
Evaluation Preview

The Deterministic Edge

Invariant Vector Defense is a control-plane security architecture that enforces stability before systems converge and before execution occurs.

Conventional systems detect and react after damage has begun. IVD operates upstream, where control decisions are made. It identifies invariant structure in distributed activity, constructs bounded representations of that activity, and applies deterministic enforcement before the network or system state becomes unstable.

Two coordinated enforcement planes exist:

IVD CORE

Operates in the network control plane. It detects distributed attack behavior as invariant macro-objects and enforces bounded upstream mitigation using BGP Flow Specification.

IVD-ACP

Operates in the execution control plane. It evaluates commands, artifacts, and system states before execution and assigns authority states that determine whether execution is allowed, sandboxed, or denied.

/// This is not monitoring. This is not reactive filtering. This is deterministic control of admissibility and propagation.

GET IN TOUCH

Upstream Control-Plane Enforcement

IVD Core is a distributed control-plane defense system for detecting and suppressing large-scale coordinated traffic before it destabilizes the network.

EDGE TELEMETRY SENSORS

Extract fixed-length invariant vectors from packet headers and timing at the edge. Correlation and macro-object synthesis occur at regional and global layers.

POLICY ENGINE

Converts each macro-object into a bounded set of mitigation rules. These rules are propagated upstream through authenticated BGP sessions using Flow Specification. Rule deployment is constrained by stability policies including minimum lifetimes, safe update rates, and bounded rule counts.

This architecture prevents:

  • control-plane exhaustion from per-flow defenses
  • route flapping caused by reactive mitigation
  • collateral suppression of unrelated traffic

The system does not track sessions or sources. It does not perform deep packet inspection. It enforces stability by acting on invariant structure.

Execution Boundary and Admissibility Control

Deterministic admissibility enforcement with current TRL-6 validation in a controlled environment. Production persistence hardening is part of TRL-7 field transition.

It evaluates command-bearing artifacts, administrative actions, and ingestion events and determines whether they are admissible within the system’s current authority state. Each request is assigned one of three authority outcomes:

READ_ONLY The request is admissible and may proceed without modification.
SANDBOXED The request is conditionally admissible and is executed in an isolated environment with constrained side effects.
QUARANTINED The request is not admissible and is blocked prior to execution. The artifact or command is retained for audit.

Decisioning is deterministic and policy-driven. It is not probabilistic scoring and does not depend on behavioral prediction. Identity and authentication are externalized; ACP enforces admissibility at the control-plane boundary.

This boundary prevents:

  • [X] destructive administrative commands
  • [X] poisoned artifact ingestion into retrieval or training systems
  • [X] invalid system states entering execution paths

ACP IS NOT AN OBSERVABILITY LAYER. IT IS AN EXECUTION GATE.

Pre-execution admissibility enforcement and authority-state routing are covered under pending U.S. patent applications.

Invariant Representation of Distributed Activity

IVD represents distributed attacks as macro-objects rather than collections of flows.

Each macro-object is constructed from invariant vectors derived from packet headers and timing. Correlation occurs across sensors and regions using distance and temporal overlap in invariant space.

A macro-object contains:

01
Invariant structure of the activity
02
Affected prefixes and temporal boundaries
03
Classification of attack behavior
04
Policy constraints for mitigation
This allows millions of flows to collapse into a single bounded representation. Mitigation operates on the macro-object, not on individual sources.
Constant-time invariant extraction at the edge.
Bounded macro-object synthesis and bounded mitigation rule emission.
Invariant-based detection and macro-object synthesis are covered under pending U.S. patent applications.

TRL-6 Validation and Reproducibility

Both IVD Core and IVD-ACP are validated at Technology Readiness Level 6.

THE VALIDATION POSTURE INCLUDES:

  • controlled lab environment using a 60-node routing topology
  • reproducible test harnesses with fixed attack profiles
  • structured logs, metrics, and router state capture
  • bounded mitigation behavior with no route flapping
  • convergence and withdrawal stability under load
  • Frozen evidence bundles with independent local verification
ACP validation includes deterministic authority-state assignment across administrative and ingestion scenarios, with full audit logs and frozen evidence artifacts.
root@ivd-validate:~#sha256sum -c TRL6_EVIDENCE_MANIFEST.sha256
IVD_ACP_TRL6_Validation_Bundle.tar.gz: OK
All results are anchored to reproducible runs and verifiable artifacts. Claims are limited to demonstrated behavior within the validated environment.
[SYS_WARNING]: Cryptographic verification rendered via web UI provides no forensic value. Verification must occur locally against the anchor hash.

Transition to TRL-7

IVD is designed for controlled transition into operational environments.

INITIAL DEPLOYMENT TARGETS

  • upstream network providers and enterprise edge environments
  • administrative control planes with high-impact privileges
  • retrieval and indexing systems vulnerable to poisoned inputs
  • orchestration and automation systems with execution authority

TRL-7 PROGRESSION FOCUS

  • deployment in live network and execution environments
  • validation of stability under real-world conditions
  • integration with existing routing policy and identity systems
  • operator workflow and audit integration

Early deployments are structured as controlled pilot environments with bounded scope and measurable outcomes.

Pilot Deployment Expectations

Controlled Introduction of Deterministic Control-Plane Enforcement.

A pilot deployment introduces IVD Core and IVD-ACP into a bounded operational environment to validate stability, enforcement behavior, and integration with existing infrastructure.

The objective is not full production replacement. The objective is controlled exposure to real traffic and real control-plane conditions with measurable outcomes.

DEPLOYMENT SCOPE

Pilot environments are intentionally constrained.

  • One network domain or edge segment for IVD Core
  • One administrative or ingestion surface for IVD-ACP
  • Defined prefix ranges, services, or system boundaries
  • Pre-agreed enforcement policies and thresholds

Propagation scope is explicitly bounded during pilot deployment through operator routing policy, including FlowSpec session controls, route filtering, and export restrictions where required. All mitigation and enforcement actions are intended to remain observable, reviewable, and constrained to the defined pilot environment.

[OP_DEPENDENCY]: FlowSpec containment relies entirely on operator execution. IVD architecture emits the rule; the operator's inbound BGP policy dictates containment boundaries.

WHAT IS NOT CHANGED

Pilot deployment does not replace existing systems.

  • Existing firewalls, DDoS protections, and WAF layers remain in place
  • Routing policy remains under operator control
  • Administrative and application logic is not modified
  • No dependency is introduced on ACP for identity or authentication

ENFORCEMENT MODEL

IVD Core:

  • Detects invariant attack structure and generates macro-objects
  • Emits bounded mitigation rules through FlowSpec
  • Rule deployment is constrained by stability policies
  • Withdrawal behavior is controlled and non-oscillatory

IVD-ACP:

  • Evaluates requests prior to execution & assigns authority states
  • Routes admissible requests normally
  • Redirects conditional requests to sandbox
  • Blocks and retains non-admissible requests

KNOWN BOUNDARIES (TRL-6)

The pilot reflects a validated TRL-6 system. Current boundaries include:

  • [!] ACP state persistence is not yet production-hardened
  • [!] Restart and recovery behavior are managed but not fully externalized
  • [!] Large-scale multi-domain coordination is not yet field-validated
  • [!] Vendor-specific FlowSpec behavior may vary and is validated per environment

SUCCESS CRITERIA

  • Detection and suppression of coordinated traffic without control-plane instability
  • Bounded rule generation and predictable withdrawal behavior
  • No collateral suppression of legitimate traffic within defined scope
  • Deterministic ACP enforcement of admissibility decisions
  • Complete and verifiable audit trail for all enforcement actions

OPERATOR RESPONSIBILITIES

  • Providing defined network scope and test conditions
  • Maintaining FlowSpec import and export controls for the pilot BGP session, including route-maps, community handling, and peer-boundary restrictions where required.
  • Maintaining routing policy and BGP session governance
  • Reviewing audit logs and enforcement outcomes
  • Validating that no unintended collateral impact occurs

The goal is not to prove possibility. That has already been established.
The goal is to prove stability, bounded behavior, and operational fit under real conditions.

Patents and Intellectual Property

Invariant Vector Defense (IVD) and IVD-ACP are covered by a foundational provisional patent and subsequent non-provisional U.S. patent applications defining invariant-based detection, macro-object synthesis, and control-plane enforcement mechanisms.

PATENT STRUCTURE

The intellectual property portfolio is structured across two coordinated but distinct domains:

IVD CORE (NETWORK CONTROL-PLANE)

  • Invariant vector extraction from packet headers and timing
  • Macro-object synthesis across distributed observation points
  • Bounded mitigation via control-plane rule emission (e.g., FlowSpec)

IVD-ACP (EXECUTION CONTROL-PLANE)

  • Pre-execution admissibility evaluation of commands, artifacts, and system states
  • Authority-state assignment and enforcement (READ_ONLY, SANDBOXED, QUARANTINED)
  • Control-plane gating prior to execution, indexing, or system state transition

The provisional filing establishes the architectural foundation of the IVD system.

The two non-provisional filings extend and separate the network and execution control planes.

STATUS

The IVD intellectual property portfolio consists of a foundational provisional filing and two non-provisional U.S. patent applications covering distinct control-plane domains:

  • 01
    Provisional Patent Application 63/919,908 Filed November 18, 2025 | Status: Filed, complete Covers the IVD system: upstream pattern-based mitigation architecture for distributed network attacks
  • 02
    U.S. Patent Application No. 19/458,205 Filed January 23, 2026 | Status: Under USPTO examination Covers the IVD Core network control-plane architecture
  • 03
    U.S. Patent Application No. 19/456,364 Filed January 21, 2026 | Status: Under USPTO examination Covers the IVD-ACP execution control-plane and admissibility enforcement architecture

OWNERSHIP CLARITY

Intellectual property is currently held by the inventor and is structured for assignment or licensing to a dedicated operating entity.

The network control-plane and execution control-plane inventions are designed to operate independently or in coordinated deployment.

The patent descriptions above are illustrative of technical scope and do not define or limit the full set of claims under examination.

Contact

For quotes, technical evaluation, pilot deployment, federal engagement, or investor inquiries:

This address is used for initial intake and routing based on inquiry type.

COMMON INQUIRY CATEGORIES

  • Request a Quote
  • Technical Evaluation
  • Pilot Deployment
  • Federal / Lab Evaluation
  • Investor Information
Structured submission workflow coming in production deployment.