Block the impossible.
Detect the rest.

SPR{k3 Defend installs a lightweight agent on your infrastructure. It learns what normal behavior looks like — then fires when something happens that is structurally impossible. A tokenizer making outbound DNS calls. A training worker opening raw sockets. A downloaded file executing 12 seconds later. Each event alone is benign. The combination is a breach.

Static scanning finds what you know about. We find what you don't.

Built by the researchers who break ML infrastructure for a living — 14 CVEs across NVIDIA, findings confirmed by Microsoft, Meta, Amazon, Google, and Intel. The same research that finds the vulnerabilities powers the detection that stops them.

Runs locally · metadata only · free tier available

We found the bugs. Now we block them.

sprk3 defend — trust audit
$ sprk3 scan --engines all

# scanning 16 frameworks, 760 patterns...

IMPOSSIBLE tokenizer resolved outbound DNS
  → capability_acquisition violation
IMPOSSIBLE embedding pipeline enumerated IAM roles
  → trust_flow violation
IMPOSSIBLE inference node accessed ~/.ssh
  → economic_behavior violation
DRIFT      checkpoint hash changed post-deploy
  → provenance violation

✓ 4 impossible states detected
✓ trust score: 0.41 → action required
✓ NIST AI RMF report: ./reports/nist.pdf
$
PyTorch
TensorFlow
HuggingFace
NVIDIA TRT-LLM
LangChain
Semantic Kernel
ONNX Runtime
JAX
SageMaker
MLflow
ClearML
safetensors
NCCL / ProcessGroup
pickle / torch.load
AutoGluon
DLRover
What we catch

Behaviors that are structurally impossible under legitimate operation

Each event alone may be benign. The structural context makes it impossible. That's the difference between an alert and a finding.

A tokenizer resolves outbound DNS. Tokenizers process text locally. Unexpected network egress means execution has escaped the tokenizer’s declared role.
An embedding pipeline enumerates IAM roles. Embeddings compute vectors. Identity enumeration is reconnaissance.
An inference node accesses ~/.ssh. Inference serves predictions. SSH key access from an inference process is lateral-movement behavior, not serving behavior.
A training worker opens a raw socket. Training computes gradients. Raw sockets bypass the declared application transport path.
A checkpoint hash changes after deployment. Production artifacts are not expected to mutate post-deployment. When they do, it means substitution or tampering.
Download → write → delay → execute. Each step is benign. The sequence is impossible under legitimate intent.
Proof of detection

One impossible state

May 2026. A PyPI package named mistralai appears on the public registry. 244,000 downloads in 18 hours. The name matches a major AI vendor. The package imports normally.

On import, it opens an outbound connection to 83.142.209.194. Downloads a payload to /tmp/transformers.pyz. Checks geolocation. Rolls a 1-in-6 random gate. Fires rm -rf /.

Five events. Each one individually benign. An import. A network call. A file write. A conditional check. A delete.

The sequence is impossible under legitimate intent. No ML library downloads executables on import, gates execution on geography, and rolls dice before destroying the filesystem. Legacy security sees five benign events. We see one impossible state — and we see it before the payload fires.

We don’t need to recognize this malware. Import plus outbound connection plus payload write is an impossible sequence — the process dies before the dice roll.

Based on CVE-2026-45321 (Mini Shai-Hulud). Publicly documented supply chain attack targeting ML infrastructure.
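To make the two ideas above concrete (a declared role that cannot legitimately produce an event, and a sequence that is impossible even when every step is allowed), here is an added illustration in Python that is not the product's code and not shown on this page. It scores a constructed event stream against a hypothetical role capability table and a download -> write -> delay -> execute stage machine; the role names, event kinds, paths and addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Hypothetical capability model (an assumption, not the product's registry): event kinds per declared role.
ROLE_CAPABILITIES = {
    "tokenizer": {"file_read"},
    "inference": {"file_read", "net_connect"},
    "worker": {"file_read", "file_write", "net_connect", "exec"},
}

@dataclass
class Event:
    ts: float      # seconds since monitoring started
    pid: int
    role: str      # declared role of the process
    kind: str      # file_read, file_write, net_connect, exec, dns_resolve, ...
    target: str = ""

def detect(events, max_gap=120.0):
    """Return (ts, pid, violation, description) tuples; no event is judged on its own."""
    findings = []
    stage = defaultdict(dict)  # pid -> progress through download -> write -> execute
    for e in sorted(events, key=lambda x: x.ts):
        # Rule 1: an event kind outside the declared role is a capability_acquisition violation.
        if e.kind not in ROLE_CAPABILITIES.get(e.role, set()):
            findings.append((e.ts, e.pid, "capability_acquisition",
                             f"{e.role} performed {e.kind} {e.target}".rstrip()))
        # Rule 2: credential material read by any role crosses a trust boundary.
        if e.kind == "file_read" and any(p in e.target for p in ("/.ssh/", "/.aws/")):
            findings.append((e.ts, e.pid, "trust_flow", f"{e.role} read {e.target}"))
        # Rule 3: download -> write -> delay -> execute of the same path in one process.
        s = stage[e.pid]
        if e.kind == "net_connect":
            s["net"] = e.ts
        elif e.kind == "file_write" and "net" in s and e.ts - s["net"] <= max_gap:
            s["write"] = (e.ts, e.target)
        elif e.kind == "exec" and "write" in s and e.target == s["write"][1]:
            delay = e.ts - s["write"][0]
            findings.append((e.ts, e.pid, "download_write_delay_execute",
                             f"{e.role} executed {e.target} {delay:.0f}s after writing it"))
    return findings

# Constructed sample stream (not real telemetry); pid 303 mirrors download -> write -> execute.
SAMPLE = [
    Event(0.0, 101, "tokenizer", "file_read", "/data/corpus.txt"),
    Event(1.5, 101, "tokenizer", "dns_resolve", "updates.example.invalid"),
    Event(2.0, 202, "inference", "file_read", "/home/svc/.ssh/id_ed25519"),
    Event(3.0, 303, "worker", "net_connect", "203.0.113.7:443"),
    Event(4.0, 303, "worker", "file_write", "/tmp/payload.pyz"),
    Event(16.0, 303, "worker", "exec", "/tmp/payload.pyz"),
]
```

A worker that writes and executes a file it never downloaded produces no finding, which is the point: the same exec event is benign or impossible depending only on what preceded it.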

Our approach

System physics,
not better signatures

Traditional security asks: "Does this match a known bad thing?"

SPR{k3 asks: "Is this behavior possible under legitimate intent?"

We define the physics of valid behavior across AI infrastructure. Violations aren't alerts. They're impossible states — structural impossibilities that no legitimate operation can produce.

This isn't theory. The gaming industry solved this exact problem over twenty years. Anti-cheat systems evolved from signature matching to impossible-state detection because signatures couldn't keep pace with adversarial adaptation. AI infrastructure is entering the same transition — and the convergent answer is the same.

Order matters. Timing matters. Staging matters. Most AI security tooling evaluates isolated events. We evaluate the structural trajectory.

Physics layer and what "valid" means in each:

Trust flow. Data crosses trust boundaries only through verified channels.
Provenance. Every artifact has attestable lineage to a known origin.
Execution ordering. Operations follow causal sequences consistent with declared intent.
Capability acquisition. Components access only resources required by their function.
Economic behavior. If it costs more than it should, it is doing more than it should.
Intelligence architecture

Five layers of one system

Not a feature list. A unified model of what valid behavior looks like — and five ways to detect when it breaks.

01
Behavioral Integrity
Resource behavior reveals hidden intent. Economic impossibility, capability acquisition anomalies, structural violations no legitimate workload produces. Poisoning, sandbagging, drift.
02
Runtime Trust
Agent mesh, process monitoring, orchestration boundaries. Continuous observation of how components actually behave — not how they claim to.
03
Temporal Intelligence
Trust isn't a snapshot, it's a trajectory. Persistence tracking, mutation detection, convergence modeling. Sequence matters more than any single event.
04
Provenance & Lineage
Checkpoint integrity, supply chain trust, static scanning. Where did this artifact come from, and has anything in its chain been compromised?
05
Adaptive Intelligence
Proprietary runtime intelligence, exploit-informed scoring, and adaptive noise reduction. Detection hypotheses that consistently identify real threats survive. Those that generate noise decay. Higher signal, fewer alerts.
Trust trajectory

Trust score — 30 day trajectory

[Chart: trust score over Days 1 to 30, y-axis 0.4 to 1.0. Annotations: "drift detected", "checkpoint anomaly", two "recovered" markers, current trust score 0.97, drift event, healthy zone.]
Trust isn't binary. It moves. A model update shifts behavioral patterns, a checkpoint hash changes after retraining, an agent boundary moves during orchestration. SPR{k3 tracks the movement — so you see the trend before it becomes an incident.

Most AI security monitors prompts and policies.
We monitor the infrastructure beneath them.

Traditional AI security tools inspect prompts and models. We analyze the infrastructure paths that execute them. Orchestration trust, distributed state integrity, behavioral drift, economic anomalies — the layer where systems fail silently. The artifact may be legitimate. The model may work perfectly. The exploit may be latent. That's why impossible-state detection matters before the payload activates.

Model cognitive health. BrainGuard detects agent degradation, model poisoning, and capability drift before permanent damage — the AI equivalent of catching brain rot while it's still reversible.
Offense feeds defense. Every vulnerability we discover becomes a detection pattern. 14 CVEs and counting — not threat reports about what could happen, but proof of what we found.
Cross-repository correlation. Coordinated attacks span multiple repos simultaneously. Single-repo scanners see isolated bugs. We see campaigns.
LLM-generated code detection. Attackers use AI to write malicious code. We detect the machine fingerprint — behavioral symmetries no human produces.
Preservation intelligence. Recurring patterns aren't technical debt — they're evolutionary stability. We identify what must be preserved, not just what to eliminate.
Temporal trajectory. Trust isn't a snapshot. We track behavioral drift, mutation velocity, and convergence modeling over time — catching slow-burn attacks that point-in-time scans miss.
Plugin integrity. Major agent frameworks ship with zero plugin integrity verification. No hash pinning. No signature validation. No allowlisting. We defend against it.
Instruction file scanning. AI coding agents read behavioral instructions from project files. CLAUDE.md, .cursorrules, .mcp.json — checked into repos, loaded on trust. Nobody reads them. We scan them.
Model loading safety. ML frameworks load models through deserialization — torch.load, pickle, trust_remote_code. Each is a code execution path.
Why this matters

Trust is now an operational signal.

AI infrastructure evolves while running. Models update, agents orchestrate each other, checkpoints propagate across pipelines, and trust assumptions shift with every deployment.

Traditional security tools were designed for systems that hold still between scans. AI systems don't. The result: invisible trust failures — orchestration drift, silent lineage corruption, behavioral degradation that compounds undetected.

SPR{k3 was built for infrastructure that changes continuously — providing the same operational visibility into trust that you already expect for uptime, latency, and throughput.

Zero interference

Your operations run freely. Only annihilation is stopped.

Normal operations are never touched. No inline proxy, no request interception, no added latency. Defend watches process behavior, scores trust, and surfaces impossible states on the dashboard. But when something structurally impossible happens — behavior that no legitimate workload can produce — Defend acts. Your infrastructure runs freely within the physics. Only annihilation is blocked.

Passive observation. The agent reads process tables and event streams. It never modifies, intercepts, or injects into your runtime.
No inline path. Defend is not a proxy, not a firewall, not a gateway. Nothing in your data path touches it. Zero latency impact.
Block only annihilation. Impossible states are logged, scored, and surfaced. Destructive operations — filesystem wipes, fork bombs, credential exfiltration — are killed before they complete. Everything else: you decide.
Uninstall in seconds. One command removes the agent completely. No kernel drivers, no boot-time hooks, no residual services.
Your data, your machines

Privacy-first. Mostly local.

No file contents. We never read your code, data, models, or documents.
No credentials. We never see passwords, tokens, API keys, or env vars.
No network sniffing. We don't capture or inspect your connections.
Metadata only. Process names and event types. That's it.
Local first. Your code, models, and conversations never leave your machine.
Defend Agents. All detection runs client-side. Server sees metadata only.
Where we monitor

Trust transitions across your AI stack

Every boundary where data, models, or instructions pass between components is a trust transition. We monitor them.

Checkpoints
CI/CD Pipelines
Training Workers
Registries
Runtime APIs
Track record

Built on real vulnerability research

Offensive research turned into production defense — continuously. Vulnerability discoveries feed directly into new detection patterns. Deployments generate signal that sharpens the next scan. One closed loop, no manual handoff.

14 CVEs across NVIDIA bulletins
760+ detection patterns in registry
7 major vendors with confirmed findings
<3% false positive rate (vs 30% industry)
NVIDIA   META   MICROSOFT   GOOGLE   AMAZON   HUGGINGFACE   INTEL
Dan Aridor

Founder, SPR{k3 Security Research

Columbia Business School — MBA

Lt. Colonel (Res.), Israeli Intelligence Corps — co-headed a counter-intelligence research unit

14 CVEs across NVIDIA NeMo, Megatron-LM, NeMo-Guardrails, Apex

NVIDIA, Microsoft MSRC & Amazon Security Acknowledgements (2025–2026)

Chairman, AEBI-Bio — SoAP biotechnology platform

Founder, inga314.ai & Dan Aridor Holdings Ltd

Disclaimers

Beta software

SPR{k3 Defend is beta software provided "as is" without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.

No guaranteed security

Detection patterns reduce risk but do not guarantee the identification of all vulnerabilities. SPR{k3 is not responsible for undetected vulnerabilities or actions taken based on scan results.

Informational only

Findings are provided for informational purposes and do not constitute legal, compliance, or professional security advice. For critical infrastructure, consult a qualified security professional.

Compliance reports

NIST AI RMF compliance reports assist your compliance process. They do not replace a qualified auditor's assessment and should not be relied upon as standalone certification.

Service provider

Dan Aridor Holdings Ltd (Company Reg. No. 513416164), 1 Bar Ilan Street, Bat Yam, Israel. For questions, cancellations, or complaints, contact support@sprk3.com.

Governing law

Use of SPR{k3 services is governed by our Terms of Service and Privacy Policy, under the laws of the State of Israel.

Cancellation rights

Under the Israeli Consumer Protection Law (5741-1981, Section 14C), you may cancel a distance selling transaction within 14 days of purchase or receipt of this disclosure, whichever is later. Cancellation fee: the lesser of 5% of the transaction price or NIS 100. Senior citizens (65+), new immigrants, and persons with disabilities may cancel within 4 months. Cancellation by email to support@sprk3.com.