AS Convergence Systems LLC


EPG

Execution Provenance Gate - Kernel-Level Execution Tracking

What It Is:

EPG is the execution-level observation and enforcement layer of the LAIRS platform. Every shell invocation, binary execution, and process spawn within a governed zone is recorded with cryptographically anchored provenance metadata before the execution is allowed to proceed. EPG turns "what ran on this machine" from an inferred answer into a verifiable record.


How It Works:


EPG operates at the kernel boundary, intercepting execution events at the lowest practical layer of the operating system. For each event, EPG records:


- The invoking process and its full ancestry chain

- The binary path, arguments, and cryptographic hash of the executable

- The user, group, and capability context

- The execution timestamp and originating namespace

- The signature of the policy version in force at execution time


Each record is hash-chained to the previous record in the same execution stream, producing an append-only ledger. Because every link can be recomputed from the records themselves, an auditor verifies the chain end-to-end without trusting the EPG process that wrote it; the residual trust sits in the key that signs the segment seals, which is why signing is kept out of EPG and placed in a separate component.


Operational Modes:


EPG runs in two configurable modes:


- OBSERVE_ONLY — records every execution event without blocking. Used during baseline establishment and for forensic-only deployments.

- ENFORCE_GOVERNED_ZONES — records all events; for declared governed zones, executions outside the signed policy envelope are denied at the kernel boundary.


The default deployment posture is OBSERVE_ONLY for unprotected scopes, ENFORCE_GOVERNED_ZONES for scopes the operator has explicitly declared.
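As an added example (not EPG's own code), the decision logic the two modes imply, in Python. The mode names, the rule that both modes record every event, and the governed-zone semantics come from this page; the envelope layout, the `zone` field on the event, the HMAC stand-in for the policy signature, and the fail-closed choice when the envelope fails verification are assumptions made here.

```python
"""Execution-gate decision for OBSERVE_ONLY vs ENFORCE_GOVERNED_ZONES.

Added illustration, not EPG's own code. Envelope format, the `zone` event
field and the HMAC signature stand-in are assumptions for this example.
"""
import hashlib
import hmac
import json

OBSERVE_ONLY = "OBSERVE_ONLY"
ENFORCE_GOVERNED_ZONES = "ENFORCE_GOVERNED_ZONES"

# Constructed key standing in for the policy authority's signing key.
POLICY_KEY = b"demo-policy-authority-key"


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _envelope_mac(body: dict) -> str:
    return hmac.new(POLICY_KEY, canonical(body), hashlib.sha256).hexdigest()


def sign_envelope(envelope: dict) -> dict:
    """Attach a signature over the envelope body (HMAC stand-in, assumed)."""
    body = {k: v for k, v in envelope.items() if k != "sig"}
    return dict(body, sig=_envelope_mac(body))


def envelope_valid(envelope: dict) -> bool:
    body = {k: v for k, v in envelope.items() if k != "sig"}
    return hmac.compare_digest(_envelope_mac(body), envelope.get("sig", ""))


def decide(mode: str, envelope: dict, event: dict) -> dict:
    """Return the record EPG would write plus the verdict for this event.

    A record is produced in both modes; only ENFORCE_GOVERNED_ZONES can deny,
    and only for zones the envelope declares as governed.
    """
    record = {"event": event, "mode": mode,
              "policy_version": envelope.get("version"),
              "policy_sig": envelope.get("sig")}
    if mode == OBSERVE_ONLY:
        return dict(record, verdict="allow", reason="observe_only")
    if not envelope_valid(envelope):
        # Assumption: an envelope that fails verification cannot be trusted
        # to say which zones are governed, so the gate fails closed.
        return dict(record, verdict="deny", reason="bad_policy_signature")
    zone = envelope["governed_zones"].get(event["zone"])
    if zone is None:
        return dict(record, verdict="allow", reason="zone_not_governed")
    if event["sha256"] in zone["allowed_sha256"]:
        return dict(record, verdict="allow", reason="in_envelope")
    return dict(record, verdict="deny", reason="outside_envelope")


def demo_envelope() -> dict:
    """Constructed envelope: one governed zone with two allowed binaries."""
    return sign_envelope({
        "version": "2026-01-v3",
        "governed_zones": {"payments-prod": {"allowed_sha256": ["a" * 64, "b" * 64]}},
    })


def demo_event(zone: str, sha256: str) -> dict:
    """Constructed exec event in the shape this page lists (abridged)."""
    return {"path": "/usr/bin/curl", "argv": ["curl", "http://example.invalid"],
            "sha256": sha256, "uid": 1000, "gid": 1000, "zone": zone}


if __name__ == "__main__":
    env = demo_envelope()
    for mode in (OBSERVE_ONLY, ENFORCE_GOVERNED_ZONES):
        for zone in ("payments-prod", "dev-sandbox"):
            r = decide(mode, env, demo_event(zone, "f" * 64))
            print(mode, zone, r["verdict"], r["reason"])
```

The same unknown binary is allowed and merely recorded under OBSERVE_ONLY, denied in the governed zone under ENFORCE_GOVERNED_ZONES, and allowed in the undeclared zone under either mode, which is the mixed posture the paragraph above describes.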


Implementation:

EPG is implemented as a native Rust binary for performance and memory-safety guarantees. The kernel-side hooks integrate via supported eBPF and audit-subsystem interfaces, with no kernel modules required. Note that the audit subsystem and tracepoint-style eBPF attachments can only observe an exec; denying one at the kernel boundary requires a hook that can veto the call, which on Linux means a BPF LSM program (available since kernel 5.7 with CONFIG_BPF_LSM).


Audit Sidecar:


EPG is paired with the EPG Audit Sidecar, a separate service that:


- Tails the EPG event spool

- Builds Merkle-rooted segment seals over collected events

- Cryptographically signs each sealed segment

- Tiers archival across hot (recent), warm (sealed and signed), and cold (long-term retention) storage


The sidecar's signing role is interim and migrates to SPECTER as deployment matures, in line with the platform's minimal-crypto-authority principle.
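As an added example (not EPG's or the Audit Sidecar's code), the hash chain described under How It Works and the Merkle-rooted segment seal described above, in Python. The record fields follow the list on this page; the canonical JSON encoding, the all-zero genesis anchor, the odd-leaf duplication rule, and the seal layout are assumptions, and the signature over the seal is left to the signing component, so the seal hash is what that step would sign.

```python
"""Hash-chained execution records with Merkle-rooted segment seals.

Added illustration, not EPG's own code. Encoding, genesis anchor, odd-leaf
rule and seal layout are assumptions made for this example.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record in a stream


def canonical(obj) -> bytes:
    """Deterministic JSON so every verifier hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_record(chain: list, event: dict) -> dict:
    """Bind a new execution event to the hash of the previous record."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev, "event": event}
    record = dict(body, record_hash=sha256_hex(canonical(body)))
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Recompute every link; return (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if (rec["seq"] != i or rec["prev_hash"] != prev
                or sha256_hex(canonical(body)) != rec["record_hash"]):
            return False, i
        prev = rec["record_hash"]
    return True, -1


def _next_level(level: list) -> list:
    if len(level) % 2:  # odd count: duplicate the last node (assumed rule)
        level = level + [level[-1]]
    return [hashlib.sha256(level[i] + level[i + 1]).digest()
            for i in range(0, len(level), 2)]


def merkle_root(leaf_hashes: list) -> str:
    """Root over the record hashes of one segment."""
    if not leaf_hashes:
        raise ValueError("empty segment")
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        level = _next_level(level)
    return level[0].hex()


def merkle_proof(leaf_hashes: list, index: int) -> list:
    """Sibling path for one record: [(side, sibling_hex), ...] leaf to root."""
    level = [bytes.fromhex(h) for h in leaf_hashes]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = index ^ 1
        proof.append(("L" if sib < index else "R", level[sib].hex()))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(leaf_hash: str, proof: list, root: str) -> bool:
    """Check that one record hash is covered by a sealed segment root."""
    node = bytes.fromhex(leaf_hash)
    for side, sib_hex in proof:
        sib = bytes.fromhex(sib_hex)
        node = hashlib.sha256(sib + node if side == "L" else node + sib).digest()
    return node.hex() == root


def seal_segment(chain: list, first: int, last: int, prev_seal_hash: str) -> dict:
    """Sidecar-style seal over records first..last; seal_hash is what gets signed."""
    leaves = [r["record_hash"] for r in chain[first:last + 1]]
    seal = {"first_seq": first, "last_seq": last,
            "merkle_root": merkle_root(leaves), "prev_seal_hash": prev_seal_hash}
    return dict(seal, seal_hash=sha256_hex(canonical(seal)))


# Constructed sample events (not real telemetry) in the shape this page lists.
SAMPLE_EVENTS = [
    {"pid": 4120, "ancestry": [1, 812, 4120], "path": "/usr/bin/bash", "argv": ["bash", "-c", "id"],
     "sha256": "a" * 64, "uid": 1000, "gid": 1000, "caps": [], "ts": 1700000000, "ns": "host", "policy_sig": "p1"},
    {"pid": 4121, "ancestry": [1, 812, 4120, 4121], "path": "/usr/bin/id", "argv": ["id"],
     "sha256": "b" * 64, "uid": 1000, "gid": 1000, "caps": [], "ts": 1700000001, "ns": "host", "policy_sig": "p1"},
    {"pid": 4122, "ancestry": [1, 812, 4120, 4122], "path": "/usr/bin/curl", "argv": ["curl", "http://example.invalid"],
     "sha256": "c" * 64, "uid": 1000, "gid": 1000, "caps": [], "ts": 1700000002, "ns": "host", "policy_sig": "p1"},
]


def build_chain(events=SAMPLE_EVENTS) -> list:
    chain = []
    for ev in events:
        append_record(chain, copy.deepcopy(ev))
    return chain


def tamper_check() -> tuple:
    """Attacker rewrites record 1 after sealing and recomputes its own hash;
    the link from record 2 and the sealed root both expose the edit."""
    chain = build_chain()
    seal = seal_segment(chain, 0, 2, GENESIS)
    chain[1]["event"]["argv"] = ["id", "-u"]
    body = {k: v for k, v in chain[1].items() if k != "record_hash"}
    chain[1]["record_hash"] = sha256_hex(canonical(body))
    ok, bad = verify_chain(chain)
    root_now = merkle_root([r["record_hash"] for r in chain])
    return ok, bad, root_now == seal["merkle_root"]
```

The chain check catches the rewrite at record 2 (its `prev_hash` no longer matches), and the recomputed root no longer equals the sealed one; an inclusion proof against the seal lets an auditor confirm a single record without the whole segment, which is the verification-without-trusting-EPG property the text claims.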


Integration:


EPG events feed:


- Sentinel Agent for per-host policy reasoning

- SentiNet Collector for cross-host correlation

- GAE (Governed Adversarial Evolution) for adversarial scenario evidence collection

- LAIRS Brain for operator-facing telemetry summaries


Status:


Deployed within the Aegis internal validation environment. ENFORCE_GOVERNED_ZONES active for protected scopes; OBSERVE_ONLY active platform-wide. Audit Sidecar deployed with hot/warm/cold tiering and Merkle-rooted ledger.


Copyright © 2026 Aegis Secure Convergence Systems LLC - All Rights Reserved.
