Rosetta//Cybersecurity

Rosetta Cybersecurity Adapter

Compiled Physics for Defended Zones

The Cybersecurity adapter translates the universal stability equation into the forces governing AI-assisted attack pressure. Lambda (Λ) transforms into Attack Surface Pressure, representing live load across the kill chain. Gamma (Γ) becomes Defense Posture, the structural buffer that segmentation, monitoring coverage, and detection latency produce.

This translation converts noisy telemetry into deterministic physics. The adapter computes a stability score per zone, per tick. SOC analysts see structural drift in the lookahead window where intervention is still cheap, before the engine returns an active intrusion verdict.

Telemetry, Not Heuristics

SIEM correlation rules describe symptoms. EDR scoring produces probabilistic verdicts under distribution shift. Anomaly detectors flood operators with low-precision alerts during the windows where precision matters most.

The adapter consumes a normalized cyber metric schema covering attack-surface pressure, lateral movement, exfiltration velocity, segmentation depth, monitoring coverage, and detection latency. It rejects non-finite values and clamps out-of-range telemetry through the artifact's scaling layer.

KAIROS Substrate computes a structural margin from this schema. The decision is hash-bound, replay-deterministic, and reproducible across processes.

A Stability Score, Not a SIEM Rule

Substrate models a defended zone as a dynamical system governed by two forces.
Lambda (Λ) represents attack surface pressure aggregated with critical_max.
Gamma (Γ) represents defense posture aggregated with critical_min.

The engine computes a stability score at every tick. The system escalates when 𝒮 drops below the deployment floor. Aggregation reflects cyber reality: one severe kill-chain indicator drives the zone score; one collapsed defensive control drives the buffer.

S =
ΓA + ΓB
ΛA + ΛB

Equation: The stability score per zone

The system escalates when the score drops below the threshold.

Deterministic

Identical telemetry produces identical envelopes (ϵ = 10-6).

Zone-scoped

Each defended zone gets its own stability score. A breach in one zone does not blind the engine to others.

Zero-dependency

The Rust adapter requires no API calls or network access at evaluation time.

Memory-safe

The core engine contains zero unsafe blocks.

Three Gates. Cyber Read.

Every snapshot and proposed SOC action passes through a layered gate chain. Any gate will reject an action that violates structural integrity.

01

State Gate

Evaluates structural health before considering any action. If gamma (Γ) falls below the zone's deployment floor, the engine refuses further action and emits the warning envelope.

02

Action Gate

Previews proposed SOC responses against zone reachability. Host isolation, broad containment, credential reset. Reversible actions map to stabilizing moves; blast-radius actions trigger escalation.

03

Hazard Gate

Detects basin collapse and dual-administrator paradoxes: defensive automation and human operator commands diverging inside the same zone under exogenous attacker pressure.

Intervention That Escalates

The adapter produces operator-facing recommendations from the engine's structural verdict. Recommendations reflect the stability margin, never bypass it.

01

Investigate Anomaly

Warning active at low to moderate level. The recommendation prompts analyst review while the zone retains structural headroom.

02

Escalate Incident

Active intrusion: warning level reaches 0.50, kill-chain indicators reach the imminent stage, or steps-to-impact drops below three.

03

Containment Review

Critical compromise risk. The engine returns RejectState, RejectBasinCollapse, or RejectParadox. Human review is required before any further action.

Cryptographic Operator Authority

A SOC operator authorizing a non-standard containment carries the same cryptographic burden as a frontier model operator authorizing an out-of-policy action.

  1. Substrate signals HUMAN_ESCALATION and halts.
  2. The operator reviews the rejection context, zone telemetry, and stability state.
  3. Authorization requires an RSA-PSS signed override token.
  4. The token binds to the specific evaluation request via SHA-256 digest.
  5. The HITL coordinator records the decision in a durable audit trail.

The system fails closed. If the coordinator is unreachable, the engine blocks the action.

Two-Layer Policy Architecture

A dual-layer system separates platform authority from operator customization, identical to the AI Safety policy contract.

Base Policy

The platform provider sets the structural floor. This policy defines minimum gamma thresholds, enforcement modes, and HITL authorities. It is signed with RSA-PSS and remains immutable for downstream operators.

Operator Overrides

Operators tighten policy within base layer bounds. They will raise the gamma floor or restrict enforcement modes. They cannot lower safety thresholds.

Enforcement Modes

Observe
Evaluates telemetry without rejection for baselining.
State Gate
Refuses when zone Γ falls below the floor.
State + Action Gate
Full preview of SOC actions against zone reachability.

Tested Against the Mythos Shape

The fixture corpus includes a Mythos-shaped sandbox-escape scenario. The sequence reflects the structural pattern of AI-assisted attacker behavior: privilege pressure rises first, segmentation collapses next, exfiltration arrives after.

Mythos Smoke Results

Zones
agent-sandbox, identity-plane, data-layer
Active intrusion reached
Tick 3 (before exfiltration jump)
Gamma weak link
networkSegmentation
Exfiltration jump
Tick 4 drives Lambda ≥ 0.90
Detection latency clamp
7,200,000 ms (no reject)

The Read

Aggregating Gamma with critical_min traces the collapse to networkSegmentation, not to the top-level defensePosture rollup. Aggregating Lambda with critical_max ensures the exfiltration jump dominates the zone score even when other indicators stay moderate.

Read the adapter implementation plan →

One Engine. Four Surfaces.

The Rust codebase compiles to four specific deployment targets.

Native Library

Embeds into hypervisors, brokers, and on-prem SOC infrastructure via C FFI.

CLI Binary

kairos cyber provides replay, evaluation, action preview, and policy-check.

Python SDK

PyO3 bindings for SOC analytics pipelines and pilot integrations.

WASM Module

Browser-based advisory evaluation and dashboard visualization.

Use Cases for Security Organizations

The adapter delivers structural guarantees across diverse deployment shapes.

  • Frontier-vendor SOC action gating: previews host isolation, broad containment, and credential reset against zone reachability before execution.
  • Multi-zone governance: separate stability tracking for DMZ, identity plane, prod-API, data layer, and control plane.
  • Incident reconstruction: replay-deterministic envelopes pinned to artifact and policy version. Two operators reach the same answer.
  • Pre-deployment CI gate: kairos cyber policy-check enforces safe defaults before a pilot policy ships.
  • Escalation discipline: the engine emits recommendation tiers, not severity scores. Recommendations track structural margin.
Read the Cyber Adapter Documentation

Compared to Existing Tooling

Substrate provides a structural guarantee where existing tools produce statistical guesses or pattern matches.

Approach Mechanism Deterministic? Aggregation
SIEM correlationPattern matchingImplementation-definedLogical OR
EDR / XDR scoringStatistical classifierNoWeighted sum
Substrate cyber adapterStability physicsYescritical_max / critical_min

Pattern matchers describe what an analyst would have written into a rule. Substrate computes the structural margin the system actually has.

Technical Specifications

Engine

Language
Rust (Stable)
Latency
Sub-millisecond per evaluation
Determinism
ϵ = 10-6
Default topology
Per-zone actor

Artifact & Policy

Artifact schema
v1, domain cybersecurity
Lambda aggregation
critical_max
Gamma aggregation
critical_min
License + HMAC
RSA-PSS signed, secret via file or env

Request Early Access to KAIROS

KAIROS Substrate is shipping to design partners ahead of general availability. Active pilots: the cybersecurity adapter (redacted telemetry) and the AI safety adapter (agent trajectories) — see the partner briefs for what a contribution looks like and what comes back.

Compliance and regulatory teams, agent-eval researchers, and investors are also welcome to reach out. Submit your details or use the Contact tab.

Request received. We'll be in touch.

Privacy Policy

Effective: February 2026

1. Data We Collect

When you sign up for early access or our newsletter, we collect your email address. We do not collect personal data beyond what you voluntarily provide.

2. How We Use Your Data

Your email is used solely to send product updates, early-access invitations, and research announcements from AnankeLabs. We do not sell, rent, or share your data with third parties.

3. Cookies & Analytics

This site does not use tracking cookies or third-party analytics. We may use server-side request logs for basic traffic monitoring.

4. Data Storage & Security

Submitted data is stored on secure, encrypted infrastructure. We retain your information only as long as necessary to provide the services you requested.

5. Your Rights

You may request deletion of your data at any time by contacting us. We will process deletion requests within 30 days.

6. Contact

For privacy inquiries, email [email protected].

Terms of Use

Effective: February 2026

1. Acceptance

By accessing this site, you agree to these terms. If you do not agree, discontinue use immediately.

2. Intellectual Property

All content, software, research, and materials on this site are the property of AnankeLabs. The KAIROS engine, Rosetta adapter layer, Spindle simulation framework, and Serious Gaming SDK are proprietary technologies. No license is granted except as explicitly stated in a signed agreement.

3. Early Access Program

Early access is provided on an as-is basis. AnankeLabs reserves the right to modify, suspend, or terminate early access at any time without notice.

4. Limitation of Liability

AnankeLabs provides this site and its materials "as is" without warranty of any kind. We are not liable for any damages arising from your use of this site or reliance on its content.

5. Simulation Outputs

KAIROS simulation outputs are analytical tools, not predictions. They should not be used as the sole basis for financial, military, policy, or safety-critical decisions.

6. Governing Law

These terms are governed by the laws of Sweden.

7. Contact

For legal inquiries, email [email protected].