Invariant Vector Defense logo Control-plane security infrastructure
Technology

How IVD works in practice.

IVD is easier to evaluate when the machinery is stated plainly. The network prong turns related hostile traffic into a limited router decision. The ACP prong checks whether an artifact, command, or tool action should be trusted before execution.

This page is the technical hub for the public site. It explains the workflow, deployment patterns, validation scope, and operational constraints without implying production deployment, accreditation, or prevention of named public incidents.

Observation Layer

Traffic, artifacts, commands, and tool actions are observed before damage spreads.

Correlation Layer

A compact traffic fingerprint or trust signal is reduced into a limited decision unit.

Policy Layer

The policy engine decides whether to monitor, rate-limit, drop, withdraw, allow, sandbox, require review, or quarantine.

Enforcement Layer

Router filters or execution gates apply the defined result with explicit scope and logging.

Audit Layer

Decisions are time-limited, logged, reviewable, and intended to be reversible.

Reference Architecture

IVD reference architecture

IVD has two prongs that share one operating pattern. IVD-N observes and acts on coordinated traffic behavior before it reaches the protected edge. IVD-ACP evaluates inputs before they inherit trusted authority. The two prongs can be evaluated independently, but both use the same pattern: observe, decide, enforce, and log.

IVD-N

Network-control path

Telemetry source or edge observerControlled test traffic, PCAP or test harnesses, or operational telemetry.
Edge sensorObservable packet, header, and timing behavior is collected.
Regional or coordination serviceRelated behavior is grouped for policy evaluation.
Policy EngineLimited monitor, rate-limit, drop, or withdraw decision.
FlowSpec ControllerRule translation happens where supported.
Router enforcement pointScoped router action is installed where policy allows it.
Audit or evidence logLifecycle records are retained for review.
IVD-ACP

Admission-control path

Package, prompt, command, document, or tool callArtifact reaches a trusted workflow boundary.
ACP admission gateEvaluation occurs before trust or execution.
Policy Engine and authority-state decisionConfigured policy determines the permitted state.
ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECTUnsafe actions are narrowed, isolated, reviewed, or denied.
Protected workflow or quarantine and review pathOnly the permitted form reaches the protected system.
Audit or evidence logDecision records are retained for review.
Inside Customer or Operator Evaluation Boundary
  • Telemetry observation
  • Policy decisioning
  • Controlled enforcement
  • Logs and evidence capture
Outside or Dependent on Operator Participation
  • Cross-provider suppression earlier in the path
  • Third-party carrier FlowSpec acceptance
  • Federal lab validation

This reference view is a public evaluation diagram. It shows where IVD decisions and enforcement points sit; it is not a production deployment claim.

IVD-N Walkthrough

How IVD-N works in practice

Traffic is observed at a network edge or test edge. From packet, header, and timing behavior, IVD-N creates a compact traffic fingerprint. On this site, that fingerprint is called a Psi-vector.

Related abnormal traffic patterns are then grouped into one grouped attack object. On this site, that limited internal representation is called a macro-object.

The Policy Engine decides whether the pattern should be monitored, rate-limited, dropped, or withdrawn. If enforcement is required, a router filtering rule is emitted through FlowSpec, a BGP mechanism for distributing router filtering rules. The rule is time-limited, logged, and withdrawn when conditions normalize.

Walkthrough Summary
  • Observe traffic at the edge or test edge.
  • Create a Psi-vector, meaning a compact traffic fingerprint.
  • Group related abnormal traffic into one attack object, called a macro-object.
  • Decide whether to monitor, rate-limit, drop, or withdraw.
  • Emit a FlowSpec-compatible router rule if needed.
  • Log, expire, and withdraw the rule when conditions normalize.
Review IVD-N trace
Where IVD-N Sits

Where IVD-N sits

IVD-N does not replace a firewall, scrubbing service, WAF, SIEM, or SOC. It sits where traffic behavior can be observed, grouped, converted into limited policy decisions, and translated into router-enforceable rules where supported.

Telemetry source or edge observerControlled test traffic, PCAP or test harnesses, or operational telemetry.
Edge sensorObservable packet, header, and timing behavior is collected.
Regional or coordination serviceRelated behavior is grouped for policy evaluation.
Policy EngineMonitor, rate-limit, drop, or withdraw is chosen.
FlowSpec ControllerRule translation happens where supported.
Router enforcement pointRule is installed with explicit scope.
Audit or evidence logLifecycle records are retained for review.

Telemetry may come from controlled test traffic, PCAP or test harnesses, or operational telemetry sources such as NetFlow, IPFIX, sFlow, or packet and header metadata, depending on deployment.

Broader suppression across providers depends on operator participation, routing policy, and FlowSpec acceptance. IVD does not assume third-party carriers will automatically accept externally originated filtering rules.

Representative Trace

Example: from traffic pattern to router rule

  1. A distributed traffic pattern appears in a controlled test or monitored edge environment.
  2. The edge sensor creates a compact traffic fingerprint from observable packet, header, and timing behavior.
  3. Related abnormal behavior is grouped into one limited attack object.
  4. The Policy Engine chooses monitor, rate-limit, drop, or withdraw.
  5. The FlowSpec Controller emits a FlowSpec-compatible router filtering rule where supported.
  6. The rule is logged, time-limited, and withdrawn when conditions normalize.
  7. Evidence records are retained for review.

This is a representative controlled-environment trace, not a claim of carrier-scale production validation.

Workflow Diagram

How IVD-N works

Traffic at network edgeObserved at edge or test edge.
Edge sensor observes behaviorPacket, header, and timing signals are collected.
Compact traffic fingerprintPsi-vector summary is created.
Related patterns groupedAbnormal traffic becomes one grouped attack object.
Policy Engine chooses actionMonitor, rate-limit, drop, or withdraw.
FlowSpec-compatible rule sentRouter filter is emitted with explicit scope.
Router enforces and logsRule lifecycle is time-limited and recorded.

IVD-N is designed to move from many attack flows to one limited policy decision before traffic concentrates at the protected edge.

Representative Controlled Trace

Representative IVD-N trace: DNS-reflection-style controlled scenario

This is a representative controlled-environment trace. It illustrates how an IVD-N test scenario can move from traffic observation to limited router action and withdrawal. It is not a production carrier claim, not a broad router-vendor compatibility claim, and not a claim of live cross-AS propagation.

  1. T+0s - Baseline observation: Edge or test observer receives normal background traffic. No mitigation rule is active.
  2. T+1s - Abnormal UDP-heavy pattern appears: A distributed DNS-reflection-style traffic pattern appears in the controlled environment. Observable packet, header, and timing behavior begins to deviate from baseline.
  3. T+2s - Compact traffic fingerprint created: The edge sensor creates a Psi-vector, meaning a compact traffic fingerprint derived from observable packet, header, and timing behavior.
  4. T+3s - Attack object formed: Related abnormal traffic is grouped into one macro-object, meaning one limited internal representation of the coordinated traffic pattern.
  5. T+4s - Policy decision made: The Policy Engine chooses a limited action such as monitor, rate-limit, drop, or withdraw, depending on test policy.
  6. T+5s - FlowSpec-compatible rule emitted: The FlowSpec Controller emits a FlowSpec-compatible router filtering rule where supported by the test environment and operator policy.
  7. T+6s - Enforcement and evidence logging: The router enforcement point applies the rule within the controlled test scope. Rule lifecycle, policy decision, and evidence records are logged.
  8. T+60s or condition-normalized - Withdrawal: When test conditions normalize or the rule expires, the rule is withdrawn and cleanup behavior is logged.

This trace is intentionally simplified for public review. Full evidence materials, including structured logs and lifecycle records, are reserved for qualified technical review.

IVD-ACP Walkthrough

How IVD-ACP works in practice

A package update, install script, prompt, command, dependency action, or artifact enters a trusted workflow. ACP evaluates it before execution, before indexing, before retrieval eligibility, or before a privileged action is allowed to proceed.

ACP then assigns an explicit outcome: ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECT. In practice, a quarantined or sandboxed item may then be routed to human review. The protected system receives only the permitted form of the artifact or action, and the decision is logged for later review.

ACP does not claim to replace software composition analysis, endpoint detection, web application firewalls, identity controls, SBOM work, or human security review. It sits earlier in the trust path and decides whether something should inherit trusted authority at all.

npm / CI/CD Example
  • A dependency update, package, or install script enters the pipeline.
  • ACP evaluates the package, script, prompt, command, or artifact before execution.
  • The result is ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECT.
  • The build or workflow receives only the permitted form of the action.
  • The decision is logged for review and audit.
Review ACP trace
Where IVD-ACP Sits

Where IVD-ACP sits

IVD-ACP is not one universal hook into every execution path. It is deployed at specific admission surfaces where an input or action can be evaluated before trust or execution.

ACP is not a magic external monitor. It must be placed at an admission surface: CI/CD gate, package proxy, API gateway, RAG pre-index gate, agent/tool-call gateway, or administrative workflow gate. If a workflow bypasses that admission surface, ACP does not govern that path.

  • CI/CD gate
  • Package or artifact intake proxy
  • API gateway or pre-processor
  • RAG pre-index gate
  • AI agent or tool-call gateway
  • Administrative workflow gate

Different environments require different integration points. ACP does not claim to intercept every execution path in every enterprise environment.

Representative Trace

Example: package entering a CI/CD workflow

  1. A package, dependency update, script, or artifact enters a build workflow.
  2. ACP evaluates it before execution, indexing, retrieval eligibility, or privileged action.
  3. ACP considers policy context, package metadata, script behavior, provenance signals, or other configured checks.
  4. ACP assigns one outcome: ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECT.
  5. The protected workflow receives only the permitted form of the package or action.
  6. Non-admissible material is routed to quarantine or review.
  7. The decision is logged.

This is a representative admission-flow example, not a claim that ACP detects every malicious package or replaces SCA, SBOM, EDR, IAM, WAF, sandboxing, CI/CD security, or human review.

Workflow Diagram

How IVD-ACP works

Package, prompt, command, document, or tool call entersArtifact arrives at a trusted workflow boundary.
ACP gate evaluatesReview occurs before trust, execution, indexing, or retrieval.
Outcome is assignedPolicy selects the permitted operating state.
ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECTUnsafe actions can be narrowed, isolated, reviewed, or denied.
Protected system receives only the permitted formExecution path gets the reduced or approved result.
Decision is loggedReview trail remains available for audit.

IVD-ACP is designed to decide whether an input or action should be trusted before it reaches execution, indexing, retrieval, or privileged workflow authority.

Representative Controlled Trace

Representative IVD-ACP trace: typosquatted npm package in CI/CD

This is a representative controlled-environment trace. It illustrates how ACP can evaluate a suspicious package before trusted execution or build authority is granted. It is not a claim that ACP detects every malicious package, replaces software-composition analysis, or eliminates human security review.

  1. T+0s - Package enters workflow: A package or dependency update enters a CI/CD workflow.
  2. T+1s - ACP gate receives admission request: The package, metadata, install script behavior, provenance signal, or configured policy context is sent to the ACP admission surface before execution.
  3. T+2s - Policy evaluation: ACP evaluates the request against configured policy and available signals. The evaluation occurs before trusted execution, indexing, retrieval eligibility, or privileged workflow authority is granted.
  4. T+3s - Outcome assigned: ACP assigns one outcome: ALLOW, READ_ONLY, SANDBOX, QUARANTINE, or REJECT.
  5. T+4s - Protected workflow receives permitted form: If allowed, the workflow proceeds within policy. If sandboxed, the package is routed to isolated evaluation. If quarantined or rejected, it is blocked from trusted execution and sent to review or retained as evidence.
  6. T+5s - Audit record created: The decision, policy context, selected outcome, and routing result are logged for review.

ACP is deployed at specific admission surfaces such as CI/CD gates, package or artifact intake proxies, API preprocessors, RAG pre-index gates, agent or tool-call gateways, or administrative workflow gates. It does not claim to intercept every execution path in every enterprise environment.

Deployment Models

Deployment models

IVD-N deployment model

  • Edge telemetry sensor or test observer
  • Regional or coordination service
  • Policy Engine
  • FlowSpec Controller
  • Router enforcement point
  • Audit logs

These are deployment patterns for evaluation and pilot design. They should not be read as claims of production deployment or accreditation.

IVD-ACP deployment model

  • API gateway or pre-processor
  • CI/CD gate
  • Package proxy or artifact intake gate
  • RAG pre-index gate
  • Agent or tool boundary
  • Audit logs

These are deployment patterns for evaluation and pilot design. They should not be read as claims of production deployment or accreditation.

Operational Constraints

Operational constraints

IVD is designed to move decisions earlier, but placement still matters. IVD-N can provide single-domain value where observation, policy, and enforcement are controlled by the operator. Broader suppression across providers depends on operator participation, routing policy, and FlowSpec acceptance. IVD-ACP must be placed at an admission surface. If a workflow bypasses that surface, ACP does not govern that path.

  • FlowSpec enforcement depends on router support, operator policy, rule limits, and lifecycle governance.
  • ACP admission control depends on placement at CI/CD gates, package proxies, API gateways, RAG pre-index gates, agent/tool-call gateways, or administrative workflow gates.
  • ACP does not make LLM behavior predictable. It makes the trust decision explicit and repeatable after policy evaluation.
  • Current validation does not claim production carrier deployment, broad router-vendor certification, completed federal-lab validation, or prevention of named public incidents.
Threat Model

Threat model and boundaries

Failure Class 1

Network convergence failure

IVD-N is designed for cases where distributed traffic becomes harmful because many sources converge on protected infrastructure faster than downstream systems can absorb, classify, or filter it.

In plain terms, the risk is not just that bad packets exist. The risk is that coordinated traffic becomes expensive and destabilizing once it collapses onto the victim edge.

Failure Class 2

Trusted execution failure

IVD-ACP is designed for cases where packages, prompts, commands, documents, tool calls, or other artifacts become harmful because they are trusted or executed before a policy decision is made.

In plain terms, the risk is not just that unsafe content exists. The risk is that it is admitted into trusted execution, indexing, retrieval, or privileged workflow authority too early.

Boundary Condition

IVD is not a universal security tool

IVD is designed around these two failure classes. It does not replace existing security layers, operational policy, or human review. IVD-N complements DDoS mitigation, routing controls, downstream filtering, and SOC workflows. IVD-ACP complements IAM, EDR, WAF, SCA, SBOM, sandboxing, CI/CD security, and human review.

Use the practical walkthroughs on this page to understand where each prong sits, what decision it makes, and what it does not claim to solve.

Validation Scope

Validation scope

IVD has controlled-environment validation evidence. Public site statements should not imply production deployment, production accreditation, or prevention of named public incidents.

Current maturity posture: IVD has controlled-environment validation evidence supporting a TRL-6-style posture within its tested scope. TRL-7-oriented independent testing is underway with Gear Six Labs, a European third-party software testing lab, with completion targeted for June 25, 2026. Federal lab evaluation remains a separate pending pathway and has not yet been completed. IVD is not presented as production-accredited or as having completed federal-lab validation at this stage.

References to Gear Six Labs describe the current independent testing pathway and do not indicate completed TRL-7 validation until the final testing report is complete.

Review Path

Use this page together with the Federal Evaluation page and the Evaluation FAQ when reviewing validation boundaries. The public claims are intentionally narrower than a production launch narrative.

  • Current: Controlled-environment validation evidence, TRL-6-style tested-scope posture, and frozen evidence bundles.
  • Underway: TRL-7-oriented independent third-party testing with Gear Six Labs, targeted for June 25, 2026.
  • Pending: Federal lab evaluation pathway and broader operationally representative testing.
  • Not claimed: Production accreditation, federal validation, national-lab certification, or production deployment.
Review what was tested Request qualified-review evidence materials
Safety and Failure Model

Safety and failure model

Failure Behavior

Failure behavior

For IVD-N, if coordination authority is unavailable, new mitigation decisions are not emitted. Existing rules remain subject to configured lifecycle controls such as expiry, withdrawal, operator review, or rollback.

For IVD-ACP, failure behavior is deployment-policy dependent. High-risk privileged actions may fail closed; lower-risk availability-sensitive workflows may fail open, READ_ONLY, or last-known-good depending on operator configuration. ACP is designed to make that choice explicit rather than implicit.

These are architecture and deployment-policy behaviors. Production high-availability, split-brain, and multi-tenant hardening remain validation and deployment-scope topics.

Operational Error Modes

False positives and false negatives must both be expected in operational environments. Tested-scope results should be described only as tested-scope results. Any serious pilot needs explicit review, override, relief, quarantine, and tuning workflows so that mistakes can be seen and corrected.

  • False positives must be reviewed and governed.
  • False negatives remain possible and must be measured during operational validation.
  • Rule counts must be limited and governed.
  • Rule churn must be governed.
Control and Enforcement Limits

Network enforcement depends on router support, TCAM capacity, operator policy, and clean rule withdrawal. ACP deployment depends on explicit fail-open or fail-closed behavior for each protected workflow. Pilot designs should never leave failure behavior implicit.

  • Rules must expire and be withdrawn cleanly.
  • FlowSpec and router enforcement depend on platform support and operator policy.
  • Router TCAM and rule limits are real operational constraints and should be governed.
  • Unreachable coordination behavior must be explicit for pilots.
Service Relief

Service Identity Layer relief is intended to soften, narrow, or adjust mitigation for authenticated legitimate services. It does not mean all legitimate traffic will always be unaffected.

  • Service Identity Layer relief requests are intended to narrow mitigation for authenticated legitimate services.
  • ACP should define fail-open or fail-closed behavior per protected surface.
  • Protected workflows should define rollback and recovery procedures before pilot use.
  • Operational validation must confirm how relief, override, and quarantine behave under stress.
Example: False-Positive Relief Through SIL

Example: false-positive relief through SIL

SIL does not put identity into BGP. SIL informs the Policy Engine, which may then adjust router-enforceable rules within operator policy.

SIL relief governance was exercised in staged IVD-N validation. A valid signed relief request was accepted within policy, an invalid signature was rejected, and cleanup confirmed no router state was changed.

During active mitigation, a legitimate registered service may be affected by a broad rule. SIL is intended to let that service submit an authenticated relief request. If the request is valid and policy allows it, the Policy Engine can narrow the rule, soften a drop action to rate-limit, or create a scoped exception while leaving the broader mitigation active. The relief action is logged, time-limited, and subject to operator policy.

These results support controlled-scope SIL governance claims. They do not claim universal preservation of all legitimate production traffic or live production router mutation.

SIL is not a guarantee that every legitimate flow will be preserved. It is a governance mechanism for authenticated, registered services. It does not remove the need for operator review, rule limits, expiry, rollback, and false-positive monitoring.

  1. A mitigation rule is active.
  2. A registered legitimate service detects impact.
  3. The service submits a signed relief request.
  4. The Policy Engine validates identity, prefix or scope, and safety limits.
  5. The rule is narrowed, softened from drop to rate-limit, or left unchanged.
  6. The decision is logged and time-limited.
Glossary

Plain-English glossary

Psi-vector

A compact traffic fingerprint derived from observable packet, header, and timing behavior, such as protocol mix, packet-size distribution, timing behavior, and other metadata features available in the tested environment.

macro-object

A macro-object is not a new packet type or router object. It is IVD's bounded internal representation of one coordinated traffic pattern. For example, many related UDP flows in a controlled DNS-reflection-style scenario may be represented as one bounded attack object for policy decisioning.

admissibility

The decision about whether something is allowed to become trusted or executable.

ALLOW

Permitted to proceed through the trusted path under policy.

READ_ONLY

Viewed or summarized only; no state change, tool call, memory write, or execution.

SANDBOX

Routed to isolated evaluation before any production effect is allowed.

QUARANTINE

Blocked from trusted execution, indexing, or retrieval paths and retained for review.

REJECT

Denied before admission to the protected workflow.

deterministic

The enforcement result is explicit and repeatable once policy evaluation is complete; it does not mean perfect certainty about every attack.

upstream

Earlier in the path, before traffic convergence or trusted execution.

SIL

Service Identity Layer; a way for registered services to request authenticated mitigation relief.

FlowSpec

A BGP mechanism used to distribute traffic-filtering rules.