
Building the Jig (Again): Claiming the Time Dimension

NullRabbit Research · 4 min read

We're about to open-source a large part of our scanning system and infrastructure. To most people, this might seem borderline weird, especially for a company building inline defence. Alas, it makes sense! Right now, the most important thing we can build isn't another feature - it's a jig. If you're not into tooling, jog on.

Why We're Open-Sourcing the Scanner

The scanning system we're releasing isn't a toy. It's an offensive suite of tools designed to test our infrastructure, services, and systems.

It's a full orchestration stack:

  • A fast, ergonomic CLI
  • Distributed workers
  • Vector databases
  • LLM-driven analysis
  • Stateful scan planning
  • Results that compound over time

We use it internally to scan real infrastructure, uncover real exposure, and test real assumptions. And we've reached a simple conclusion:

The system only gets better if more people use it.

Open-sourcing it is about increasing the temporal surface area for learning - more environments, more behaviour, more time-based signal. That's how you build something you can trust.

It is not just a bunch of wrappers on top of existing open-source tools, although it started that way and we continue to use tools like nmap, masscan, etc.

The Difference Between Code and a Jig

We've written plenty of code. Too much code. All the code? Most of the code. Thousands of lines of code, daily. But we've spent even more time building jigs - controlled ways to test, measure, and reason about systems before you let them act. Jigs are good.

A jig is:

  • A way to learn safely
  • A way to measure uncertainty
  • A way to explore limits without breaking things

If you skip the jig and jump straight to enforcement, you're not building defence - you're rolling the dice. Now calm down, ain't no dice to be seen here. So yes, we're deliberately spending more time on the jig than the final mechanism.

What's Actually New Here

The scanner we're open-sourcing isn't interesting because it "finds ports". Everyone can find ports; port scanning is not cool (or legal in some, if not all, places). The scanner is interesting because of how it understands behaviour over time. This is what we started calling Temporal Resonance Scanning (TRS). That's a lot, I get it.

What does this actually mean? Instead of asking what a service claims to be, TRS observes how it behaves when touched as lightly as possible - and how that behaviour changes over time.

This lets the system:

  • Compare services by behaviour, not banners
  • Detect synthetic or deceptive infrastructure
  • Learn which interactions are noisy, safe, or suspicious
  • Build confidence before taking action

We'll go deep on TRS in follow-up posts. For now, the claim is simple:

Time is a stronger signal than content.

Why This Matters for Inline Defence

Inline defence is powerful. It's also dangerous. Not dangerous in the sense that someone will get injured; dangerous in the sense that good packets will be blocked and bad packets will be allowed. Dangerous sounds good though.

We're not rushing here; this is not a drill.

The scanner is the jig that lets us answer questions like:

  • Do we actually know what this service is?
  • Is this behaviour real or deceptive?
  • How confident are we in that assessment?
  • What happens just before enforcement would trigger?

Without those answers, inline defence is guesswork. With them, it becomes earned.

Claiming the Time Dimension

Open-sourcing the scanner is the start, not the end.

Next, we'll be writing about:

  • Why temporal signals are harder to fake than content
  • Behavioural fingerprints vs signatures
  • What it means to earn autonomy in security systems
  • Why inline defence fails without a jig
  • How this feeds directly into Guard

We're not hiding the jig, we're publishing it and claiming the "time dimension" while we're at it.

The scanner will be released shortly - we'll update this post with links when it's live.
