Three judges.
One verdict. Zero blind spots.
Ward³ puts Adversarial Neural Mediation into practice: deliberately different AI judges review every flow, a calibrated consensus decides, and their disagreement becomes a security signal of its own — with a false-positive rate bounded per tenant, not merely tuned.
Single-model NDR is too much of a bet.
Vectra, Darktrace, ExtraHop: most NDR products were built around a simple idea, that one well-trained ML model can catch advanced attacks. In 2017, that was a reasonable bet. In 2026, it is brittle.
Open-source adversarial tools such as ART, CleverHans, and Foolbox have made gradient-based evasion far more accessible. A single deployed model can be fooled, so the real question is what catches the attack next.
The attacks that get through are already inside the network.
By the time an alert fires, the intruder has usually already moved. Endpoint-only tooling watches the host; the lateral path across the network is where modern intrusions actually live — and where a single ML model is easiest to slip past.
Figures reflect widely reported industry medians, not Ward³ measurements — they are why detection has to be network-aware, layered, and hard to evade. Those are the design goals behind ANM.
Three judges. Architecturally orthogonal.
Adversarial perturbations transfer most easily between models that read traffic the same way. Ward³ makes three genuinely different viewpoints work together.
- Bidirectional neural encoder
- Attention pooling
- Per-flow windowed inference
- Adversarial-robust training
- Multi-layer graph encoder
- Sliding src→dst windows
- Cross-flow context
- Adversarial-robust training
- Hand-curated invariants
- Max packets · entropy · rate
- Immune to gradient attacks
- Inspectable, by construction
Disagreement matters as much as the score .
A stealthy attacker who fools one judge usually leaves the others inconsistent. A calibrated meta-consensus weighs the judges together, and the mediator fails closed under disagreement and emits XAI_DIVERGENCE_HIGH — a signal a single-model NDR cannot produce. A separate unsupervised judge flags flows unlike anything the deployment has seen before, so zero-days the trained judges never met still surface.
Three judges. Three response times. Three surfaces.
Some decisions happen in microseconds, right next to the traffic. Others need a few milliseconds at the tenant layer, or broader platform-wide correlation. Network and endpoint still report into the same mediator.
- Rule judge (pure Rust)
- Threat-intel cache hits
- TLS fingerprint match
- eBPF preprocessing & tagging
- Local endpoint enforce
- Sequence judge
- Relational judge
- Endpoint process & file judges
- Mediator + divergence
- Adversarial-robust scoring
- Async enrichment (no hot-path block)
- Endpoint correlation
- Long-horizon baselines
- Kill-chain reconstruction
- Federated threat intel
- IPv4 + IPv6
- Retransmits, TTL var.
- Per-flow runtime vector
- Line-rate
- Sequence judge
- Relational judge
- Rule judge
- Cryptographic signatures
- Pairwise gap
- Fail-closed on disagreement
- Consensus on alignment
- XAI_DIVERGENCE_HIGH
- NetworkPolicy injection
- nftables Block/Quarantine
- War mode 4-eyes
- Rate-limit / principal
- Hash-chained log
- Post-quantum signed
- Tamper-evident
- Replayable
Both ML judges are trained against gradient-based attacks. The threat model, hyperparameters, and reproducible runs are documented.
Inference artifacts are signed at build time and verified at load. The registry stays append-only, with full provenance.
Every decision — per-judge scores, divergence, applied rules — can be replayed to understand the reasoning end to end.
+30 to +60 pts of detection under adversarial pressure.
Measured on held-out traffic and out-of-distribution networks: log formats, attack families, and IoT botnets never seen during training. Adversarial robustness is measured under gradient-based evasion.
Inference latency is roughly 2× a single model, while staying under 10ms p99 per flow on commodity hardware.
| Metric | Single-judge | Ward³ 3-judge | Δ |
|---|---|---|---|
| F1 (clean) | 0.66 | 0.97 | +0.31 |
| AUC-ROC (clean) | 0.89 | 0.998 | +0.108 |
| Detection · PGD ε=0.02 | 23.7% | 94.1% | +70.4 pts |
| Detection · transfer | 31.4% | 89.6% | +58.2 pts |
| Metric | Single-judge | Ward³ 3-judge | Δ |
|---|---|---|---|
| AUC-ROC | 0.71 | 0.87 | +0.16 |
A false-positive rate you can put a number on.
Most tools cut false positives empirically — a better model, more tuning, a smaller number on a slide. Ward³ turns every judge's raw score into a conformal p-value against a per-tenant baseline of benign traffic. Alert at p ≤ α and the false-positive rate is bounded by α, by construction, with a finite-sample guarantee — not an average measured once on someone else's network.
Calibration is stratified by (tenant, judge, model version). Each deployment gets a bound tuned to its own normal, so a noisy tenant never inflates a quiet one.
Tightening or loosening the budget changes α, not a training run. War mode simply lowers α to make the whole platform stricter in a single move.
A brand-new model or an empty calibration window yields p = 1 — the judge abstains instead of guessing. Robustness has to hold on day one, not only at steady state.
“xx% fewer false positives” is an average measured on one benchmark. A conformal bound is a property of the method that holds on your traffic — the difference between a marketing number and a guarantee.
Five criteria for real ANM.
To deserve the ANM name, a product has to meet all five criteria. Ward³ is the reference implementation that shows the approach works in engineering terms, not just on a slide.
Read the full whitepaper- 01At least three judges, architecturally distinct
Not three random seeds. Not three window sizes. Three different ways to read traffic: sequence, graph, and rules.
- 02Explicit divergence detection
Disagreement between judges is measured in real time and treated as a security signal, not as ordinary uncertainty.
- 03Adversarial training of ML judges
ML judges are trained against gradient-based attacks, with a documented threat model. Otherwise, each one remains too easy to fool alone.
- 04Model integrity & watermarking
Each model is signed, verified at load, and tied to append-only provenance. Without that chain, mediation loses its value.
- 05Auditable decision trail
Per-judge scores, divergence, and actions taken are all kept in a tamper-evident log. Robustness has to be provable.
One platform for EDR, NDR & XDR.
Ward³ brings together what these categories usually handle separately: endpoint, network, and multi-tenant correlation. One mediator, one audit ledger, one governance layer.
Built for SOCs that are already tooled and opinionated.
Ward³ speaks the language your team already uses: eBPF on the wire, Kubernetes for enforcement, Prometheus and OpenTelemetry for observability, Sigstore for the build chain.
Line-rate flow capture on Linux: IPv4 and IPv6, retransmits, TTL variance, and a per-flow runtime vector. A mock probe keeps non-Linux development simple.
Verdicts become K8s NetworkPolicies, Linux nftables sets (Block / Quarantine), or dry-run results depending on the mode.
NIST-aligned post-quantum primitives for quorum and ledger. Shamir secret sharing, Argon2id, JWT RS256, and mTLS stay built in.
Hash-chained audit log with post-quantum signatures. It can be sealed, replayed, and used for forensics, retraining, or regulator review.
High-impact blocks require approval from two human admins. Useful when ops teams need to show they remain in control.
Active deception: the attacker spends time on instrumented decoys while the mediator collects higher-confidence labels.
Offline auto-labeling and retraining triggers. Continuous improvement moves forward without blindly trusting production verdicts.
Prometheus metrics, reference Grafana dashboards, OpenTelemetry tracing, and Sigstore attestation for artifacts.
Each judge score becomes a p-value against a per-tenant benign baseline, so the false-positive rate is bounded by construction — not chased with thresholds.
A per-tenant reconstruction judge scores how unlike the deployment's normal traffic a flow is, surfacing zero-days the supervised judges were never trained on.
Gray-zone verdicts are re-scored off the hot path inside a sealed twin — with case files and 4-eyes — before anything high-impact is enforced.
Row-level isolation per (MSSP, tenant), per-tenant judge config and thresholds, and a war-mode kill-switch that always resolves to the strictest policy.
Defend with three judges.
Do not bet everything on one.
Ward³ is available as the reference ANM implementation. If you defend a bank, telco, critical infrastructure, or another regulated environment, we can look at where it fits.