Invariant Vector Defense
IVD is a control-plane security platform built to detect and enforce before large-scale network attacks converge and before unauthorized execution is allowed to run.
Most security systems detect problems after they start. IVD operates at the control plane — the layer where routing decisions and execution decisions are made — and intervenes before those decisions cause harm.
It is built for environments where the cost of failure is high: carriers, utilities, federal infrastructure, enterprise edge networks, and AI pipeline operators. IVD is supported by a TRL-6 validation posture, a foundational provisional filing, and two non-provisional U.S. patent applications.
Two enforcement planes:
IVD Core
Network control-plane defense. Detects large-scale distributed attacks by extracting invariant traffic signatures (Ψ-vectors), builds a compact representation of the attack, and pushes suppression rules upstream via Border Gateway Protocol (BGP) FlowSpec before the target is overwhelmed.
IVD-ACP
Execution control-plane defense. Evaluates commands, inputs, and artifacts before they run. Assigns one of three authority outcomes — permitted, sandboxed, or blocked — based on policy. Designed for AI pipelines, agentic systems, and administrative surfaces where a single malicious instruction can have cascading consequences.
IVD does not monitor and alert. It enforces. The difference is whether the attack runs or not.
IVD Endpoint Posture Scanner (IVD-EPS)
A free Windows security and inventory scanner from the IVD team. No data leaves your machine.
IVD-EPS is a free readiness tool we make available to smaller organizations and general users. It is not the core IVD platform. It is a locally-executed Windows scanner that checks basic security posture, produces a hardware and software inventory, and generates a structured report you can use for insurance documentation, audit preparation, or general awareness. Nothing is transmitted. All processing happens in your browser.
No Telemetry
Scan results never leave your machine. The JSON file is processed entirely in your browser.
No Installation
Single executable. Run it, get the JSON output, drop it into the portal. Done.
Free to Use
No license, no account, no subscription. Download, run, and keep the output.
How It Works
1. Download the scanner. Download IVD_EPS_Scanner.exe from the button above. No installer required.
2. Run on Windows. Double-click or run from PowerShell. The scan completes in under 60 seconds and writes results to your Documents folder.
3. Drop into the portal. Navigate to the EPS Results Portal and drop your JSON file. Your posture report renders instantly, client-side only.
What It Checks
IVD-EPS is provided free of charge as a public readiness tool. It does not install any persistent components, does not connect to the internet, and does not transmit scan results. The JSON output is processed entirely in your local browser session when dropped into this portal.
EPS Readiness Portal
Drop your ivd_eps_local_scan.json file to evaluate endpoint posture.
v1.3.4 Scan Logic Active
Insurance Inventory: A separate ivd_eps_insurance_inventory.json file was generated alongside this scan in your Documents\IVD_Reports folder. It contains a formatted asset and peripheral inventory for cyber insurance, property and casualty, and audit use.
Group 1: Identity & Access Control
01 Administrative MFA — Is Multi-Factor Authentication (MFA) enforced for all system and network administrative accounts?
02 SaaS / Email MFA — Is MFA enforced for all end-user email platforms (e.g., M365, Google Workspace) and critical SaaS applications?
03 Endpoint Protection — Do all business-critical endpoints utilize a managed Endpoint Detection and Response (EDR) solution?
04 BYOD Policy — Are personal mobile devices permitted to access company data? (Yes = risk exposure)
05 Device-Email Linking — Is business email currently accessed on personal, unmanaged mobile devices? (Yes = risk exposure)
Group 2: Data Integrity & Recovery
06 Off-site Backups — Is critical business data backed up to a physically off-site, immutable location (e.g., air-gapped or write-once-read-many)?
07 Recovery Testing — Are backup recovery procedures tested for viability at least quarterly?
08 Data Loss Prevention (DLP) — Does the organization utilize tools to prevent the unauthorized transfer of sensitive data?
Group 3: Governance & Policy
09 Incident Response Plan — Does the organization maintain a documented, technical Incident Response (IR) plan?
10 Security Training — Do all employees undergo annual security awareness and social engineering training?
11 Cyber Liability Insurance — Does the organization carry an active Cyber Liability Insurance policy?
Compliance Integrity Failure
Your technical scan indicates disk encryption (BitLocker) is OFF on this endpoint. Cyber Liability Insurance policies typically require attestation of disk encryption as a baseline control. Attesting to active coverage while this control is absent may constitute a policy compliance gap or contribute to a coverage void in the event of a claim.
12 Asset Inventory — Does the organization maintain a formal, updated inventory of all critical hardware and software assets?
13 Vulnerability Management — Are system patches and vulnerability scans performed on a documented monthly cycle?
Invariant Vector Defense (IVD) / Endpoint Posture Scanner
Readiness Certificate
Technical Posture: —
Governance Score: —
Overall Verdict: —
Governance Control Summary
Compliance Integrity Flag
Insurance attested while disk encryption is absent. Recommend remediation before policy renewal.
This certificate is generated client-side from scan data and self-reported governance inputs. It does not constitute an audit, insurance attestation, or regulatory certification.
IVD Core: Network Control-Plane Defense
IVD Core detects and suppresses large-scale distributed attacks before they reach the target — by operating at the routing layer, not the edge.
When an attack is distributed across thousands or millions of sources, per-flow blocking doesn't scale. IVD Core takes a different approach: it extracts invariant signatures (Ψ-vectors) from traffic patterns, constructs a compact representation of the attack (a macro-object), and pushes suppression rules upstream via BGP FlowSpec. The rules propagate to upstream providers before the attack converges on the target.
Edge Telemetry Sensors (ETS)
Deployed at network edge points. Extract fixed-length invariant Ψ-vectors from packet headers and timing. Feed telemetry to regional and global synthesis layers for macro-object construction.
Policy Engine and FlowSpec Controller
Converts each macro-object into a bounded set of suppression rules and propagates them via authenticated BGP FlowSpec sessions. Rule deployment is governed by stability constraints: minimum lifetimes, safe update rates, and bounded rule counts per session.
What this prevents:
- Control-plane exhaustion from per-flow defenses
- Route flapping caused by reactive mitigation
- Collateral suppression of legitimate traffic
IVD-ACP: Execution Control-Plane Defense
IVD-ACP intercepts commands, inputs, and artifacts at the execution boundary and decides whether they are permitted to run — before any execution path is entered.
In AI pipelines, agentic systems, and administrative surfaces, a single malicious or manipulated instruction can cascade into broad system compromise. IVD-ACP enforces an admissibility policy at the ingestion point: every command, artifact, or external input is evaluated and assigned one of three outcomes before it runs. The decision is deterministic and policy-driven — not probabilistic, not behavioral, not learned.
Decisioning is deterministic and policy-driven. It does not depend on probabilistic scoring or behavioral prediction.
ACP is not an observability layer. It is an execution gate.
The Macro-Object Model
How IVD represents a distributed attack as a single bounded object rather than millions of individual flows.
A large-scale distributed attack may arrive from hundreds of thousands of source addresses across many networks. Trying to block each source individually doesn't scale and creates control-plane instability. IVD solves this differently.
From packet headers and timing data, IVD extracts a Ψ-vector: a fixed-length statistical signature that captures the invariant structure of the attack traffic. This signature remains stable even when attackers rotate source IPs, vary ports, or distribute sources globally. Multiple Ψ-vectors and their associated prefixes and timing boundaries are combined into a single macro-object. Mitigation operates on the macro-object — one bounded representation — rather than on millions of individual flows.
Control-Plane Evidence
IVD Core and IVD-ACP are both validated at Technology Readiness Level 6 (TRL-6): demonstrated in a relevant environment with reproducible, verifiable results.
Validation Posture
- ✓ 60-node routing topology lab validated
- ✓ Reproducible attack profile test harnesses
- ✓ Structured logs and router state capture
- ✓ Bounded mitigation with no route flapping
- ✓ Convergence and withdrawal stability under load
- ✓ Frozen evidence bundles with local verification
Field Deployment Path
IVD is structured for controlled transition from lab-validated to live operational environments.
Target Environments
- Upstream network providers and enterprise edge environments
- Administrative control planes with high-impact privileges
- RAG and retrieval systems vulnerable to poisoned inputs
- Orchestration and automation systems with execution authority
TRL-7 Progression
- Deployment in live network and execution environments
- Stability validation under real-world traffic and load conditions
- Integration with existing routing policy and identity infrastructure
- Operator workflow and audit trail integration
Early deployments are structured as controlled pilots with defined scope, pre-agreed thresholds, and measurable outcomes.
Pilot Deployment Expectations
What a first IVD deployment looks like and what it is designed to prove.
A pilot deployment introduces IVD Core and IVD-ACP into a bounded operational environment to validate stability, enforcement behavior, and fit with existing infrastructure. The scope is deliberately narrow. The goal is not to replace production systems — it is to demonstrate that IVD behaves as specified under real conditions.
Deployment Scope
- One network domain or edge segment for IVD Core
- One administrative or ingestion surface for IVD-ACP
- Defined prefix ranges, services, or system boundaries
- Pre-agreed enforcement policies and thresholds
Known Boundaries (TRL-6)
- [!] ACP state persistence is not yet production-hardened
- [!] Restart and recovery behavior are managed but not fully externalized
- [!] Large-scale multi-domain coordination is not yet field-validated
- [!] Vendor-specific FlowSpec behavior may vary and is validated per environment
Success Criteria
- ✓ Detection and suppression of coordinated traffic without control-plane instability
- ✓ Bounded rule generation and predictable withdrawal behavior
- ✓ No collateral suppression of legitimate traffic within defined scope
- ✓ Deterministic ACP enforcement of admissibility decisions
- ✓ Complete and verifiable audit trail for all enforcement actions
TRL-6 demonstrates that the system works.
A pilot demonstrates that it works in your environment, under your conditions, with your traffic.
Patents & IP
IVD Core and IVD-ACP are protected by a foundational provisional patent and two non-provisional U.S. patent applications covering invariant-based detection, macro-object synthesis, and control-plane enforcement.
| Application No. | Status | Scope |
|---|---|---|
| 63/919,908 | Filed | Foundational Architecture |
| 19/458,205 | USPTO Examining | Network Control Plane |
| 19/456,364 | USPTO Examining | Execution Control Plane |
Technical Resources
White papers documenting the IVD architecture, methodology, and validation evidence. Available for direct download.
White Papers
From Implicit Execution to Deterministic Control: A Unified Control-Plane Architecture for Network and Execution Security
The primary IVD architecture paper. It frames the shared control-plane doctrine across both IVD Core and IVD-ACP, defines implicit execution as the core structural failure, and explains how deterministic admissibility is enforced in both network and execution environments. This is the main reference paper for evaluators and technical reviewers.
Pre-Execution Control Planes for AI and Software Supply Chains: A Deterministic Approach to Admissibility Enforcement
The IVD-ACP technical paper. It explains pre-execution admissibility control for AI systems and software supply chains, including deterministic authority assignment, audit logging, live validation in an agent environment, and the application of the model to incidents such as the Axios npm compromise. Intended for AI platform operators, security architects, and technical evaluators.
Additional technical documentation is available to qualified evaluators under NDA.
Contact to request the full evaluation package including TRL-6 evidence bundle and testbed specifications.
Contact
For technical evaluation, pilot deployment, federal engagement, or partnership inquiries.
Company
Sinteag Ventures, Inc.
Clyde, NC 28721
How to Engage
Send inquiry by email. Include your organization, area of interest, and relevant context. Technical documentation is available before any call or meeting is scheduled.