NewIntroducing ANM — a new category of network defense→

Three judges.
One verdict. Zero blind spots.

Ward³ is the first reference implementation of Adversarial Neural Mediation — three architecturally orthogonal AI judges that mediate every flow, with divergence treated as a first-class security signal. Built for the era of adversarial AI.

Request access Read the ANM whitepaper

ward3 · mediator/flow:0xa7f2…91c4

live

Judge L

Sequence · neural

93%

Judge G

Relational · neural

97%

Judge R

Rule engine · deterministic

88%

verdict BLOCKd_max = 0.04 · consensus = 0.97

→ kubernetes.NetworkPolicy applied (ns: payments)→ nftables.set: Quarantine ← 10.41.7.22 → ledger.append (post-quantum) block #482917

94.1%

detection under PGD

vs 23.7% single-model

3×

orthogonal judges

Sequence · Relational · Rules

<10ms

p99 mediation latency

commodity hardware

Post-quantum

audit ledger

NIST-aligned signatures

Built on the standards your SOC already runs

Kubernetes

native enforce

eBPF / XDP

line-rate capture

OpenTelemetry

instrumented

Sigstore

attested

MITRE ATT&CK

mapped

NIST PQC

ML-KEM · ML-DSA

The problem

Single-model NDR is no longer enough.

Vectra. Darktrace. ExtraHop. They all assumed one ML model could catch sophisticated attacks. That assumption was reasonable in 2017. It is not reasonable in 2026.

Open-source adversarial frameworks — ART, CleverHans, Foolbox — now put gradient-based evasion in commodity attackers' hands. Any single deployed model can be fooled.

FGSMPGDTransfer attacksModel extractionLabel poisoning

Empirical

Detection rate drop under PGD perturbation (ε=0.02)

Reproduced in-lab

DoS Hulk

98.7%→41.3%

Slowloris

86.4%→11.9%

Botnet C2 beacon

91.2%→23.7%

−45 to −70 pts

detection collapse on a typical single-model NDR. In a SOC, that's the difference between seeing the breach and missing it entirely.

The solution

Three judges. Architecturally orthogonal.

Adversarial perturbations transfer across models that share inductive bias. They do not transfer across models that encode the world in fundamentally different ways. Ward³ runs three.

Judge LTemporal patterns within a flow

Sequence judge

Neural learner over packet windows

Bidirectional neural encoder
Attention pooling
Per-flow windowed inference
Adversarial-robust training

Judge GTopological & relational patterns

Relational judge

Neural learner over flow topology

Multi-layer graph encoder
Sliding src→dst windows
Cross-flow context
Adversarial-robust training

Judge RDeterministic, non-differentiable

Rule judge

Boolean engine of expert invariants

Hand-curated invariants
Max packets · entropy · rate
Immune to gradient attacks
Inspectable, by construction

The mediator

Divergence is a first-class security signal.

A stealth attacker who fools one judge produces high divergence with the others. The mediator fails closed under disagreement and emits XAI_DIVERGENCE_HIGH — a signal no single-model NDR can produce, by definition.

d_LG = |p_L − p_G|d_max = max(d_LG, d_LR, d_GR)verdict = consensus(p_L, p_G, p_R) if d_max < θ else fail-closed

How Ward³ runs

Three judges. Three latencies. Three surfaces.

Edge in microseconds. Tenant in milliseconds. Platform-wide correlation in tens of milliseconds. Network and endpoint, unified under one mediator — the Ward³ trinity, executed end to end.

Tiered execution

Tier 1Edge

μs

target latency

Decisive on the obvious

Rule judge (pure Rust)
Threat-intel cache hits
TLS fingerprint match
eBPF preprocessing & tagging
Local endpoint enforce

60–80 % of traffic resolved here

Tier 2Tenant

target latency

Primary ML mediation

Sequence judge
Relational judge
Endpoint process & file judges
Mediator + divergence
Adversarial-robust scoring

Verdict + enforcement signal

Tier 3Platform

10s ms

target latency

Cross-host, cross-tenant

Async enrichment (no hot-path block)
Endpoint correlation
Long-horizon baselines
Kill-chain reconstruction
Federated threat intel

XDR posture, multi-tenant

Per-decision pipeline

μs → ms → audit

01eBPF / XDP

Capture

IPv4 + IPv6
Retransmits, TTL var.
Per-flow runtime vector
Line-rate

02L · G · R

Three judges

Sequence judge
Relational judge
Rule judge
Cryptographically signed

03Divergence

Mediation

Pairwise spread
Fail-closed on disagree
Consensus on align
XAI_DIVERGENCE_HIGH

04K8s / nft

Enforce

NetworkPolicy injection
nftables Block/Quarantine
War mode 4-eyes
Rate-limit / principal

05PQ ledger

Audit

Hash-chained log
Post-quantum signed
Tamper-evident
Replayable

Adversarial training

Criterion 3

Both ML judges trained against gradient-based attacks. Documented threat model, hyperparameters, and reproducible runs.

Model integrity

Criterion 4

Inference artifacts cryptographically signed at build, verified at load. Append-only registry with full provenance.

Auditable trail

Criterion 5

Every decision — per-judge scores, divergence, applied rules — replayable to validate reasoning end to end.

Performance · Run #9 final

+30 to +60 pts of detection under adversarial pressure.

Evaluated on held-out traffic and on out-of-distribution networks (log formats, attack families, and IoT botnets never seen during training). Adversarial robustness measured under gradient-based evasion.

0.998

AUC-ROC (clean)

94.1%

under PGD ε=0.02

89.6%

under transfer attack

0.87

AUC-ROC out-of-distribution

~2× inference latency vs single-model — still <10ms p99 per flow on commodity hardware.

Adversarial robustness

held out from training

Metric	Single-judge	Ward³ 3-judge	Δ
F1 (clean)	0.66	0.97	+0.31
AUC-ROC (clean)	0.89	0.998	+0.108
Detection · PGD ε=0.02	23.7%	94.1%	+70.4 pts
Detection · transfer	31.4%	89.6%	+58.2 pts

Out-of-distribution generalization

never seen in training

Metric	Single-judge	Ward³ 3-judge	Δ
AUC-ROC	0.71	0.87	+0.16

The ANM definition

Five criteria for category membership.

A product belongs to the ANM category if and only if it implements all five. Ward³ is the first reference implementation — proof the category is achievable, not a marketing slogan.

Read the full whitepaper

01
At least three judges, architecturally distinct
Not three random seeds. Not three window sizes. Three different inductive biases — sequence, graph, rule.
02
Explicit divergence detection
Real-time disagreement measure between judges, treated as a security signal — not just a confidence score.
03
Adversarial training of ML judges
Gradient-based attack training. Documented threat model. Untrained judges are easy to fool individually.
04
Model integrity & watermarking
Cryptographic signing, verified at load. Append-only registry with provenance. Without it, mediation is meaningless.
05
Auditable decision trail
Per-judge scores, divergence, applied consequences — persisted in a tamper-evident log. Robustness has to be provable.

Category map

ANM coexists with EDR, NDR & XDR — it doesn't replace them.

ANM owns the network layer when adversarial-grade attackers come for your ML. The rest of your stack stays where it is.

Capability	EDR	NDR	XDR	MDR	ANM (Ward³)
Endpoint visibility	yes	no	yes	depends	yes
Network visibility	no	yes	yes	depends	yes
ML-based detection	yes	yes	yes	varies	yes
Architecturally orthogonal judges	no	no	no	no	yes
Divergence as a security signal	no	no	no	no	yes
Adversarial training documented	rare	rare	rare	no	yes
Model integrity verification	partial	partial	partial	no	yes
Tamper-evident audit ledger	no	no	no	no	yes

Platform

Built for SOCs that already have an opinion.

Ward³ exposes the surfaces your team already speaks. eBPF on the wire, Kubernetes at the edge, Prometheus on the wall, Sigstore on the build.

kernel-level

eBPF/XDP capture

Line-rate flow capture on Linux. IPv4 + IPv6, retransmits, TTL variance, per-flow runtime vector. Mock probe for non-Linux dev.

3 backends

Kubernetes-native enforce

Verdicts translated into K8s NetworkPolicies — or Linux nftables sets (Block / Quarantine), or dry-run.

FIPS-track

Post-quantum crypto

NIST-aligned post-quantum primitives for quorum and ledger. Shamir secret sharing. Argon2id + JWT RS256 + mTLS.

Append-only

Tamper-evident ledger

Hash-chained, post-quantum signed audit log. Tip-hash sealable. Replayable for forensics, retraining, regulator review.

Quorum

War Mode · 4-eyes governance

High-impact line-rate blocks require two human admins to approve. Designed for ops teams that need to prove restraint.

Runtime

Honey Traps runtime

Active deception — attacker burns time on instrumented decoys while the mediator collects high-confidence labels.

Continuous

Shadow Mode

Offline auto-labeling pipeline + retrain trigger. Continuous improvement without trusting production verdicts blindly.

OTel · Sigstore

Observability native

Prometheus metrics + reference Grafana dashboards + OpenTelemetry tracing. Plus Sigstore attestation for artifacts.

Reference implementation available

Defend with three judges.
Or be fooled by one.

Ward³ ships today as the reference ANM implementation. Banks, telcos, defense contractors, critical infrastructure: that's who this is for. If that's you, let's talk.

Request access Read the whitepaper

Star us on GitHubBook a demo

Three judges.One verdict. Zero blind spots.

Single-model NDR is no longer enough.

Three judges. Architecturally orthogonal.

Divergence is a first-class security signal.

Three judges. Three latencies. Three surfaces.

+30 to +60 pts of detection under adversarial pressure.

Five criteria for category membership.

ANM coexists with EDR, NDR & XDR — it doesn't replace them.

Built for SOCs that already have an opinion.

Defend with three judges.Or be fooled by one.

Three judges.
One verdict. Zero blind spots.

Defend with three judges.
Or be fooled by one.