Research
Defensible artefacts. Reproducible methods.
What we publish, what we ship as code, and what we'll publish next. Findings are reproducible; data and scripts live on GitHub.
On Earned Autonomy.
On Earned Autonomy: Delegating Network-Lethal Authority to Machines
Simon Morley · January 2026
The paper argues that the central barrier to autonomous defence is a governance gap, not a capability gap. It introduces earned autonomy as a framework for closing it - machines prove judgment in observation before they are granted authority to act.
Read the paper · DOI 10.5281/zenodo.18406828 →Substrate.
The data-layer companion to earned autonomy.
Substrate is the data layer underneath earned autonomy: an open bundle format for adversarial behaviour, a taxonomy spanning 9/10 vulnerability families, and a 1,092-bundle proprietary corpus covering 19 attack primitives. The format is open. The corpus is proprietary.
Coordinated disclosure.
Disclosures will be published here as they're cleared for release. We coordinate with affected parties first; nothing is published before it's patched. Until that point, the page stays empty by design.
The code we publish.
Tooling we open-source under the NullRabbit Labs organisation.
Trusted Reasoning Substrate - bundle format and verifier.
Adversarial corpus generator and red-team scaffolding.
Validator infrastructure scanner used in our defence research.
Longform research.
Introducing Substrate: An Open Format for Validator Threat Intelligence
Validator threat intelligence has no shared format. We're publishing a bundle spec, a ten-family taxonomy, and seeding a 1,092-bundle corpus to fix that.
Read →We Scanned 5,700 [Solana, Eth, Sui, Atom] Validators. Here's What We Found.
NullRabbit scanned 5,715 validator hosts across Solana and Sui, running 10,139 scans and identifying 1,340 CVE findings across 155 hosts. Here's what the validator attack surface actually looks like.
Read →Slashr: Real-Time Validator Incident Tracking Across Four Networks
Slashr tracks validator delinquency, jailing, slashing, and missed votes across Solana, Ethereum, Sui, and Cosmos in real time. Wallet checks, rankings, automated scanning, and reliability reports -- all from on-chain data.
Read →Connecting Slashr to Your AI Workflow via MCP
Slashr now has a Model Context Protocol server. Any MCP-compatible AI tool -- Claude Code, Claude Desktop, or custom agents -- can query live validator incident data, scan results, and network summaries directly.
Read →Introducing Slashr: A Live Feed of Every Validator Incident
Validators go down constantly. Almost nobody is watching it happen in real time, across chains, in one place. So we built slashr.dev, a live incident feed tracking Solana, Ethereum, Sui, and Cosmos.
Read →DeFi Under the Microscope: 1,075 Hosts, 3,001 Ports, One Timing Scan
A first look at what DeFi validator infrastructure looks like at the kernel level. We crack open the consolidated dataset -- embedding galaxies, jitter fingerprints, RTT ridgelines, and 10,000 anomaly events across 642 silent hosts.
Read →What Does a DeFi Network Actually Look Like?
Every blockchain network has a physical fingerprint. We pointed our eBPF/XDP scanner at 1,075 hosts across multiple DeFi validator networks and mapped 3,001 timing fingerprints to reveal the structure underneath the consensus layer.
Read →The Kernel Doesn't Care About Your Restart Script
Building a production BPF/XDP scanner is an exercise in humility. Orphaned XDP programs, async Rust deadlocks, stale binaries, silent TC failures -- here is everything that broke and what we did about it.
Read →What We Found Scanning the Sui Validator Network
We scanned 138 Sui validators across 20 countries using kernel-level temporal fingerprinting. 41% have SSH exposed, 57 run unexpected internet-facing services, and 9 confirmed CVEs sit on 4 hosts -- including 2 critical at CVSS 9.8. Here is what we found and why it matters for DeFi.
Read →Open-Sourcing Our Autonomous Defence Arsenal: Here's What's Inside
We're open-sourcing the tooling behind NullRabbit's autonomous kernel-level network defence: the scanning, intelligence, observation, and adversarial validation layers that feed our enforcement pipeline. Six tools, MIT licensed, with more coming.
Read →