Ward³

Three judges. One verdict. Zero blind spots.

Ward³ puts Adversarial Neural Mediation into practice: deliberately different AI judges review every flow, a calibrated consensus decides, and their disagreement becomes a security signal of its own — with a false-positive rate bounded per tenant, not merely tuned.

ward3 · mediator/flow:0xa7f2…91c4
live
Judge L
Sequence · neural
93%
Judge G
Relational · neural
97%
Judge R
Rule engine · deterministic
88%
verdict BLOCKd_max = 0.04 · consensus = 0.97
kubernetes.NetworkPolicy applied (ns: payments) nftables.set: Quarantine ← 10.41.7.22 ledger.append (post-quantum) block #482917
94.1%
detection under PGD
vs 23.7% single-model
Bounded
false-positive rate
conformal · per tenant
<10ms
p99 mediation latency
commodity hardware
Post-quantum
audit ledger
NIST-aligned signatures
Built on standards your SOC already runs
Kubernetes
native enforcement
eBPF / XDP
line-rate capture
OpenTelemetry
instrumented
Sigstore
attested
MITRE ATT&CK
mapped
NIST PQC
ML-KEM · ML-DSA
The problem

Single-model NDR is too much of a bet.

Vectra, Darktrace, ExtraHop: most NDR products were built around a simple idea, that one well-trained ML model can catch advanced attacks. In 2017, that was a reasonable bet. In 2026, it is brittle.

Open-source adversarial tools such as ART, CleverHans, and Foolbox have made gradient-based evasion far more accessible. A single deployed model can be fooled, so the real question is what catches the attack next.

FGSMPGDTransfer attacksModel extractionLabel poisoning
Empirical
Detection rate drop under PGD perturbation (ε=0.02)
Reproduced in-lab
DoS Hulk
98.7%41.3%
Slowloris
86.4%11.9%
Botnet C2 beacon
91.2%23.7%
−45 to −70 pts
less detection on a typical single-model NDR. In a SOC, that can be the gap between an actionable alert and an attack that stays quiet.
The landscape

The attacks that get through are already inside the network.

By the time an alert fires, the intruder has usually already moved. Endpoint-only tooling watches the host; the lateral path across the network is where modern intrusions actually live — and where a single ML model is easiest to slip past.

204days
median time to identify a breach
~70%
of intrusions rely on lateral movement
hours
from initial access to real impact
1model
is all it takes to evade a single-model NDR

Figures reflect widely reported industry medians, not Ward³ measurements — they are why detection has to be network-aware, layered, and hard to evade. Those are the design goals behind ANM.

The solution

Three judges. Architecturally orthogonal.

Adversarial perturbations transfer most easily between models that read traffic the same way. Ward³ makes three genuinely different viewpoints work together.

Judge LTemporal patterns within a flow
Sequence judge
Temporal analysis over packet windows
  • Bidirectional neural encoder
  • Attention pooling
  • Per-flow windowed inference
  • Adversarial-robust training
Judge GTopological & relational patterns
Relational judge
Topology analysis across flows
  • Multi-layer graph encoder
  • Sliding src→dst windows
  • Cross-flow context
  • Adversarial-robust training
Judge RDeterministic, non-differentiable
Rule judge
Deterministic engine of expert invariants
  • Hand-curated invariants
  • Max packets · entropy · rate
  • Immune to gradient attacks
  • Inspectable, by construction
The mediator

Disagreement matters as much as the score .

A stealthy attacker who fools one judge usually leaves the others inconsistent. A calibrated meta-consensus weighs the judges together, and the mediator fails closed under disagreement and emits XAI_DIVERGENCE_HIGH — a signal a single-model NDR cannot produce. A separate unsupervised judge flags flows unlike anything the deployment has seen before, so zero-days the trained judges never met still surface.

d_LG = |p_L − p_G|d_max = max(d_LG, d_LR, d_GR)verdict = consensus(p_L, p_G, p_R) if d_max < θ else fail-closed
LGRmediator
How Ward³ runs

Three judges. Three response times. Three surfaces.

Some decisions happen in microseconds, right next to the traffic. Others need a few milliseconds at the tenant layer, or broader platform-wide correlation. Network and endpoint still report into the same mediator.

Tiered execution
Tier 1Edge
μs
target latency
Act quickly when the signal is clear
  • Rule judge (pure Rust)
  • Threat-intel cache hits
  • TLS fingerprint match
  • eBPF preprocessing & tagging
  • Local endpoint enforce
60–80 % of traffic can be handled here
Tier 2Tenant
ms
target latency
Primary ML mediation
  • Sequence judge
  • Relational judge
  • Endpoint process & file judges
  • Mediator + divergence
  • Adversarial-robust scoring
Verdict + enforcement signal
Tier 3Platform
10s ms
target latency
Cross-host and cross-tenant correlation
  • Async enrichment (no hot-path block)
  • Endpoint correlation
  • Long-horizon baselines
  • Kill-chain reconstruction
  • Federated threat intel
XDR view, multi-tenant
Per-decision pipeline
μs → ms → audit
01eBPF / XDP
Capture
  • IPv4 + IPv6
  • Retransmits, TTL var.
  • Per-flow runtime vector
  • Line-rate
02L · G · R
Three judges
  • Sequence judge
  • Relational judge
  • Rule judge
  • Cryptographic signatures
03Divergence
Mediation
  • Pairwise gap
  • Fail-closed on disagreement
  • Consensus on alignment
  • XAI_DIVERGENCE_HIGH
04K8s / nft
Enforce
  • NetworkPolicy injection
  • nftables Block/Quarantine
  • War mode 4-eyes
  • Rate-limit / principal
05PQ ledger
Audit
  • Hash-chained log
  • Post-quantum signed
  • Tamper-evident
  • Replayable
Adversarial training
Criterion 3

Both ML judges are trained against gradient-based attacks. The threat model, hyperparameters, and reproducible runs are documented.

Model integrity
Criterion 4

Inference artifacts are signed at build time and verified at load. The registry stays append-only, with full provenance.

Auditable trail
Criterion 5

Every decision — per-judge scores, divergence, applied rules — can be replayed to understand the reasoning end to end.

Performance · Run #9 final

+30 to +60 pts of detection under adversarial pressure.

Measured on held-out traffic and out-of-distribution networks: log formats, attack families, and IoT botnets never seen during training. Adversarial robustness is measured under gradient-based evasion.

0.998
AUC-ROC (clean)
94.1%
under PGD ε=0.02
89.6%
under transfer attack
0.87
AUC-ROC out-of-distribution

Inference latency is roughly 2× a single model, while staying under 10ms p99 per flow on commodity hardware.

Adversarial robustness
held out from training
MetricSingle-judgeWard³ 3-judgeΔ
F1 (clean)0.660.97+0.31
AUC-ROC (clean)0.890.998+0.108
Detection · PGD ε=0.0223.7%94.1%+70.4 pts
Detection · transfer31.4%89.6%+58.2 pts
Out-of-distribution generalization
never seen in training
MetricSingle-judgeWard³ 3-judgeΔ
AUC-ROC0.710.87+0.16
Bounded false positives

A false-positive rate you can put a number on.

Most tools cut false positives empirically — a better model, more tuning, a smaller number on a slide. Ward³ turns every judge's raw score into a conformal p-value against a per-tenant baseline of benign traffic. Alert at p ≤ α and the false-positive rate is bounded by α, by construction, with a finite-sample guarantee — not an average measured once on someone else's network.

p = (1 + #{ benign ≥ score }) / (n + 1)
split-conformal upper-tail p-value · distribution-free · finite-sample
Per-tenant, per-judge

Calibration is stratified by (tenant, judge, model version). Each deployment gets a bound tuned to its own normal, so a noisy tenant never inflates a quiet one.

No retrain to re-tune

Tightening or loosening the budget changes α, not a training run. War mode simply lowers α to make the whole platform stricter in a single move.

Fail-closed by design

A brand-new model or an empty calibration window yields p = 1 — the judge abstains instead of guessing. Robustness has to hold on day one, not only at steady state.

vs. empirical claims

“xx% fewer false positives” is an average measured on one benchmark. A conformal bound is a property of the method that holds on your traffic — the difference between a marketing number and a guarantee.

The ANM definition

Five criteria for real ANM.

To deserve the ANM name, a product has to meet all five criteria. Ward³ is the reference implementation that shows the approach works in engineering terms, not just on a slide.

Read the full whitepaper
  1. 01
    At least three judges, architecturally distinct

    Not three random seeds. Not three window sizes. Three different ways to read traffic: sequence, graph, and rules.

  2. 02
    Explicit divergence detection

    Disagreement between judges is measured in real time and treated as a security signal, not as ordinary uncertainty.

  3. 03
    Adversarial training of ML judges

    ML judges are trained against gradient-based attacks, with a documented threat model. Otherwise, each one remains too easy to fool alone.

  4. 04
    Model integrity & watermarking

    Each model is signed, verified at load, and tied to append-only provenance. Without that chain, mediation loses its value.

  5. 05
    Auditable decision trail

    Per-judge scores, divergence, and actions taken are all kept in a tamper-evident log. Robustness has to be provable.

Category map

One platform for EDR, NDR & XDR.

Ward³ brings together what these categories usually handle separately: endpoint, network, and multi-tenant correlation. One mediator, one audit ledger, one governance layer.

Endpoint visibility
EDR
yes
NDR
no
XDR
yes
MDR
depends
ANM (Ward³)
yes
Network visibility
EDR
no
NDR
yes
XDR
yes
MDR
depends
ANM (Ward³)
yes
ML-based detection
EDR
yes
NDR
yes
XDR
yes
MDR
varies
ANM (Ward³)
yes
Architecturally orthogonal judges
EDR
no
NDR
no
XDR
no
MDR
no
ANM (Ward³)
yes
Divergence as a security signal
EDR
no
NDR
no
XDR
no
MDR
no
ANM (Ward³)
yes
Calibrated false-positive bound
EDR
no
NDR
no
XDR
no
MDR
no
ANM (Ward³)
yes
Unsupervised novelty (zero-day)
EDR
varies
NDR
varies
XDR
varies
MDR
no
ANM (Ward³)
yes
Multi-MSSP tenant isolation
EDR
depends
NDR
depends
XDR
depends
MDR
yes
ANM (Ward³)
yes
Adversarial training documented
EDR
rare
NDR
rare
XDR
rare
MDR
no
ANM (Ward³)
yes
Model integrity verification
EDR
partial
NDR
partial
XDR
partial
MDR
no
ANM (Ward³)
yes
Tamper-evident audit ledger
EDR
no
NDR
no
XDR
no
MDR
no
ANM (Ward³)
yes
Platform

Built for SOCs that are already tooled and opinionated.

Ward³ speaks the language your team already uses: eBPF on the wire, Kubernetes for enforcement, Prometheus and OpenTelemetry for observability, Sigstore for the build chain.

kernel-level
eBPF/XDP capture

Line-rate flow capture on Linux: IPv4 and IPv6, retransmits, TTL variance, and a per-flow runtime vector. A mock probe keeps non-Linux development simple.

3 backends
Kubernetes-native enforcement

Verdicts become K8s NetworkPolicies, Linux nftables sets (Block / Quarantine), or dry-run results depending on the mode.

FIPS-track
Post-quantum crypto

NIST-aligned post-quantum primitives for quorum and ledger. Shamir secret sharing, Argon2id, JWT RS256, and mTLS stay built in.

Append-only
Tamper-evident ledger

Hash-chained audit log with post-quantum signatures. It can be sealed, replayed, and used for forensics, retraining, or regulator review.

Quorum
War Mode · 4-eyes governance

High-impact blocks require approval from two human admins. Useful when ops teams need to show they remain in control.

Runtime
Honey Traps runtime

Active deception: the attacker spends time on instrumented decoys while the mediator collects higher-confidence labels.

Continuous
Shadow Mode

Offline auto-labeling and retraining triggers. Continuous improvement moves forward without blindly trusting production verdicts.

OTel · Sigstore
Native observability

Prometheus metrics, reference Grafana dashboards, OpenTelemetry tracing, and Sigstore attestation for artifacts.

Bounded FPR
Conformal calibration

Each judge score becomes a p-value against a per-tenant benign baseline, so the false-positive rate is bounded by construction — not chased with thresholds.

Zero-day
Unsupervised novelty judge

A per-tenant reconstruction judge scores how unlike the deployment's normal traffic a flow is, surfacing zero-days the supervised judges were never trained on.

Gray-zone
Digital twin arbiter

Gray-zone verdicts are re-scored off the hot path inside a sealed twin — with case files and 4-eyes — before anything high-impact is enforced.

RLS-isolated
Multi-MSSP, multi-tenant

Row-level isolation per (MSSP, tenant), per-tenant judge config and thresholds, and a war-mode kill-switch that always resolves to the strictest policy.

Reference implementation available

Defend with three judges.
Do not bet everything on one.

Ward³ is available as the reference ANM implementation. If you defend a bank, telco, critical infrastructure, or another regulated environment, we can look at where it fits.