Most cybersecurity stacks are a drawer full of unrelated tools. The firewall speaks in IPs and ports. The antivirus speaks in signatures. The EDR speaks in behavioral scores. The SIEM tries to correlate all of it after the fact, in a language none of the underlying tools actually use. The Hyperbolic Security Suite, which now lives at ~/cyber-suite/, was built from scratch to fix exactly that problem: every module emits the same currency — hyperbolic cost.
Every detection in the suite — packet, file, syscall, kernel hook, DNA strand, synesthesia frame — is converted into a single scalar through H(d, R) = R^(d²), where d is hyperbolic distance from a trusted manifold and R is a realm-dependent radius. Risk becomes arithmetic.
Off-the-shelf security tools are excellent at what they do, but they were never designed to share a cost space. If the firewall says "score 78" and the malware scanner says "confidence 0.9," there is no principled way to compare them. You end up weighting by hand, tuning thresholds for months, and calling the result "intuition." The SCBE-AETHERMOORE thesis is that security should be a single convex optimization in hyperbolic space. To get there, every sensor had to be rewritten to emit a geometric distance, not a vendor-specific score.
Packets are embedded as points in a 6D Poincaré ball based on source, destination, protocol, payload entropy, temporal cadence, and peer-reputation. A TCP handshake from a familiar peer sits near the center. A burst of UDP to a never-seen ASN sits near the boundary, where hyperbolic volume explodes and H(d, R) returns an enormous cost. The "rule" is geometry, not an ACL.
Instead of signature hashing, the scanner unpacks binaries, extracts an import graph, and embeds it via the PHDM-21D model. Known-good software clusters tightly; polymorphic and packed malware lands near the boundary because its import graph is geometrically abnormal. False positives drop because the scanner does not match strings — it measures distance.
The detector compares two views of the kernel: the syscall table as reported by the running kernel, and the syscall table as reconstructed from /proc/kallsyms plus a direct memory scan through /dev/mem on supported hosts. The two views are embedded independently. Anything beyond an infinitesimal hyperbolic delta between them is a kernel-level hook.
Borrowed from biology and described in detail in the DNA audit article, two analysis strands run in opposite directions through a codebase. Strand A goes architecture → code → tests → deployment. Strand B goes dependencies → files → integration → system. Findings only count where the two strands form a base pair. False positives die at the seam.
The most unusual module. It treats program behavior as three simultaneous signals — data flow as light, event cadence as sound, AST structure as code waveform — and looks for cross-domain anomalies. Full writeup in Tri-Synesthesia: Detecting Threats with Light, Sound, and Code.
Each module is a sensor. Each sensor emits a (d, R, tongue) triple — hyperbolic distance, realm radius, and which of the Six Sacred Tongues flagged it. A central aggregator sums the costs with golden-ratio weights and decides whether to allow, quarantine, or escalate. Because the cost function is R^(d²), doubling the distance does not double the cost — it squares the exponent. Attackers do not get a linear bill, they get a geometric one.
The full suite source is part of the SCBE-AETHERMOORE monorepo at github.com/issdandavis/SCBE-AETHERMOORE. Benchmark results, attack pricing tables, and a module-by-module breakdown live on the security systems research page. If you want to see the pricing engine run live against an adversarial input, open the governance gate demo.