NullRabbit

EARNED AUTONOMY FOR INFRASTRUCTURE

Earn autonomy before you exercise it.

Machines already act at machine speed. The failure is not capability - it's legitimacy when threats are novel and time-critical.

IBSR - Judgment. Observes, learns, records.
Guard - Execution. Acts only on granted authority.

Shadow-mode access is provisioned on an operator-reviewed basis.

The Asymmetry

Autonomous defence already exists. The unsolved problem is legitimacy under adversarial latency.

  • Attacks (ms → min): Reconnaissance, exploitation, and lateral movement operate at millisecond-to-minute timescales.
  • Human approval (min → hrs): Review chains, escalation paths, and approval workflows operate at minute-to-hour timescales.
  • Existing automation (known only): Pre-authorised playbooks work only for threats that have already been classified.

This is a governance gap, not a tooling gap. The question is not whether machines can act fast enough - it's whether they have the legitimacy to act at all.

Earned Autonomy

The solution is not faster automation. It's a framework where autonomy is earned through evidence, granted by humans, and continuously validated.

  1. Bounded authority: Autonomy is granted per abuse class, not as a blanket permission.
  2. Rehearsal on live traffic: Shadow mode runs on real traffic without enforcement. No risk.
  3. Counterfactual record: Every judgment is logged: what would have been blocked, and why.
  4. Explicit human review: Operators review the evidence. This is the legitimising act.
  5. Threshold-based grant: Authority is granted only when evidence meets operator-defined thresholds.
  6. Continuous validation: Granted authority is continuously verified against live outcomes.
  7. Reversibility: All enforcement is auditable and revocable. Nothing is permanent.

Human review is the legitimising act - not a checkbox. The system does not assume trust. It earns it.

IBSR & Guard - The Paired System

Two distinct roles. IBSR produces judgment. Guard executes enforcement. Neither operates alone.

IBSR - Judgment

  • Observes live traffic patterns and learns behavioural baselines.
  • Produces counterfactual records: what would have been blocked, and why.
  • Runs in shadow mode on real traffic without any enforcement risk.
  • Provides evidence for operator review and threshold definition.

IBSR never enforces.

Guard - Execution

  • Kernel-level enforcement via XDP/eBPF at wire speed.
  • Acts only on judgments that have been explicitly authorised by operators.
  • Enforcement is scoped, reversible, and continuously monitored.
  • Fail-open architecture ensures uptime is never compromised.

Guard never decides.

IBSR does not act. Guard does not decide.

IBSR without Guard is incomplete. Guard without IBSR is reckless.

The Operator Path

A serious operational process. Not a sales funnel.

  1. Discuss shadow-mode deployment: Scope and constraints are reviewed together. No enforcement, no risk. Deployment follows operator sign-off.
  2. IBSR produces a counterfactual record: Evidence for a specific, bounded abuse class. You see exactly what would have been blocked, and why.
  3. Operator reviews, defines thresholds, grants authority: This is the legitimising step. Authority is explicitly granted - not assumed. You define the boundaries.
  4. Enable Guard: Enforcement is scoped, reversible, and continuously validated. Guard acts only on what you have authorised.

Authority is granted, not assumed. If the evidence doesn't support action, Guard stays dormant. The system waits for legitimacy.

The Uncomfortable Inversion

At some point, the evidence will show that not acting causes more harm than acting.

The counterfactual record makes this trade-off explicit. It allows operators to justify enforcement before the system is granted authority to act. You see the cost of inaction in hard numbers.

This is uncomfortable - and necessary.

This differentiates earned autonomy from “trust us” vendors. We don't ask for faith. We provide evidence, and you decide when the evidence is sufficient.

Start with evidence

Deploy IBSR in shadow mode. No enforcement, no risk. Review the counterfactual record. When the evidence supports action, grant authority to Guard.

What you get:

  • IBSR running on live traffic in observation mode
  • Counterfactual records showing what would have been blocked
  • Guard ready to activate when you grant authority
  • Direct access to engineering during deployment

Frequently Asked Questions