Security Systems Catalog

Every detection, response, and counter-attack module in the SCBE security stack. All priced by one law.

H(d, R) = R^(d²)

Patent Pending — USPTO #63/961,403

Core Engine

Hyperbolic Cost Engine

The single decision point. Every system feeds through this. One formula, one verdict.

Cost Engine LIVE

Central pricing function for all attack vectors

Formula	`H(d,R) = R^(d²)`
Inputs	depth (d), radius (R), Sacred Tongue domain
Outputs	cost, cost_class, blocked (bool), verdict dict
Tongue Weights	KO=1.0, AV=1.618, RU=2.618, CA=4.236, UM=6.854, DR=11.09
Cost Classes	TRIVIAL <10 \| LOW <1K \| MODERATE <1M \| HIGH <1T \| PRICED_OUT
RAM	<5MB
Dependencies	None (pure Python)
Domain	ALL TONGUES

Event Correlator SPEC

Cross-component event correlation via sliding windows

Method	SQLite event bus, sliding window queries
Integration	All monitors + tripwires write events; correlator reads
Key Feature	Same IP across 2+ systems = summed depth. Exponential cost compound.
Example	Port scan (d=2) + canary touch (d=5) = d=7 → cost explodes
RAM	~5MB (SQLite in-process)
Disk	~1MB/day at 1 event/sec
Latency	<10ms per correlation
Domain	KO Control & Orchestration

SOAR Playbook Engine SPEC

Automated response orchestration via directed action graphs

Method	DAG of conditional actions: trigger → decision → action
Escalation	OBSERVE → ALERT → COUNTER → LOCKDOWN
Actions	Log, alert, evidence collect, block, tarpit redirect, forensic dump
Approval Gates	Destructive actions require human confirmation
Concept From	Enterprise SOAR (Splunk SOAR, Cortex XSOAR)
RAM	<10MB
Domain	KO Control & Orchestration

Detection

Detection Systems

Eyes on the network, filesystem, and processes. Each feeds the cost engine.

Port Watcher LIVE

Monitors listening ports, flags unknown services

Method	`ss -tlnp` polling
Depth Model	Fixed d=2.0 (port exposure layer)
Radius Model	port_number / 1000 (higher port = wider scope)
Interval	30s default (configurable)
False Positives	~30% (dev servers flag as unknown)
RAM	<5MB
Domain	AV I/O & Messaging

Connection Tracker LIVE

Monitors active TCP connections, detects repeat offenders

Method	`ss -tnp` polling + IP counting
Depth Model	1.0 + (0.5 × repeat_count), caps at d=6
Radius Model	1.5 for standard ports, 3.0+ for unusual ports
Interval	60s default
False Positives	~40% (flags legitimate API connections)
RAM	<5MB
Domain	UM Security & Privacy

Scapy Packet IDS SPEC

Real-time packet inspection with custom detection rules

Method	`scapy.sniff()` with BPF filters, per-packet callback
Detects	SYN floods, port scans, payload anomalies, protocol violations
Depth Model	Rule-dependent: scan=2, exploit=3, payload_anomaly=4
Latency	<1ms per packet
Throughput	~10K packets/sec on Celeron N4020
Requires	CAP_NET_RAW or root
RAM	40-80MB
Domain	AV I/O & Messaging

Behavioral Baseline Engine SPEC

Learns "normal" from /proc, alerts on statistical anomalies

Method	/proc sampling + EWMA (alpha=0.1) + 3-sigma alerting
Baselines	Process count, FD count, connection count, outbound bytes, DNS entropy
Warm-up	1-2 hours before baselines are meaningful
Depth Model	sigma_deviation / 2 (3-sigma = d=1.5, 6-sigma = d=3)
Radius Model	Learned from baseline — replaces static values
False Positives	~10% after warm-up, ~80% during warm-up
RAM	~20MB for 1000 entities
Concept From	Darktrace NDR, Zeek behavioral analysis
Domain	CA Logic & Computation

Entropy Analyzer SPEC

Shannon entropy of payloads and DNS queries. Spikes = exfil or encoding.

Method	Shannon entropy: H = -Σ p(x) log2 p(x)
Detects	Encrypted exfiltration, base64 C2 comms, DNS tunneling
Threshold	Normal text ~4.5 bits, encrypted >7.5 bits
Depth Model	entropy / 2 (7.5 bits = d=3.75)
RAM	<5MB
Implementation	~30 lines Python
Domain	CA Logic & Computation

Rootkit Scanner SPEC

Wraps rkhunter + chkrootkit with cost engine integration

Tools	`rkhunter` + `chkrootkit` (run both, different coverage)
Depth Model	Rootkit finding = d=5 (kernel-level compromise)
Radius Model	R=10 (full system access implied)
Schedule	Daily cron scan
Limitation	Cannot detect kernel-level rootkits reliably
RAM	<30MB during scan
Domain	UM Security & Privacy

Traffic Analyzer (tshark) SPEC

Deep packet inspection and protocol dissection

Method	`tshark` capture + custom filter scripts
Protocols	HTTP, DNS, TLS (JA3 fingerprint), SMB, SSH
Depth Model	Protocol anomaly severity mapping
Output	PCAP files + structured JSON for correlator
RAM	30-80MB per capture session
Disk	PCAP rotation: 24h retention
Domain	AV I/O & Messaging

File Integrity Monitor (AIDE) SPEC

Full-system file integrity verification via AIDE

Method	AIDE database comparison: baseline vs current
Scope	All binaries, configs, system files
Schedule	Daily cron, results fed to cost engine
Depth Model	Binary change = d=4, config change = d=2.5
RAM	<50MB during scan
Disk	~5MB for database
Domain	DR Types & Structures

Process Genealogy Tracker SPEC

Builds process parent-child DAGs, scores suspicious lineage

Method	/proc traversal, build process trees, score chains
Detects	Shell spawned by web server, unexpected privilege chains
Depth Model	Process tree depth = attack depth d
Concept From	CrowdStrike Storylines, SentinelOne DAGs
RAM	~15MB
Domain	RU Policy & Constraints

Integrity & Tripwires

Integrity Systems

Canaries, Merkle trees, and cryptographic proof. Any tampering hits the cost engine.

Canary Tripwires LIVE

Decoy files that should never be touched. Any access = alarm.

Method	SHA-256 baseline + periodic check
Canaries	Fake .env, credentials, SSH keys
Depth Model	Canary touch = d=5 (deep intrusion confirmed)
False Positives	~0% (no legitimate access to canary files)
RAM	<5MB
Domain	UM Security & Privacy

HMAC Merkle Tripwires SPEC

Cryptographically signed integrity tree. Attacker can't forge after compromise.

Method	HMAC-SHA256 per file, Merkle tree to root hash
Upgrade Over	Plain SHA-256 (current) — adds secret key requirement
Verification	O(log N) per file, verify single file without full scan
Key Storage	Off-device (USB or env var at boot). Never on disk.
RAM	<1MB
Implementation	~50 lines Python
Domain	UM Security & Privacy

Real-time Filesystem Watcher SPEC

Instant detection via kernel inotify. Replaces polling.

Method	`watchdog` library + inotify kernel events
Latency	<100ms from file touch to alert
Replaces	Cron-based tripwire checks
Limitation	~8192 inotify watches (Linux default), can't cross mount boundaries
RAM	~15MB resident
Domain	DR Types & Structures

Counter-Attack

Counter-Attack Systems

Active defense. Waste attacker time, collect evidence, escalate response.

Response Engine LIVE

Escalating countermeasures triggered by cost verdicts

Levels	OBSERVE → ALERT → COUNTER → LOCKDOWN
OBSERVE	cost <1K: log to disk
ALERT	cost ≥1K: alert file + log
COUNTER	cost ≥1M: evidence snapshot (processes, connections, logins, env)
LOCKDOWN	cost ≥1T: full forensic dump + lockdown report
RAM	<10MB
Domain	KO Control & Orchestration

TCP Tarpit SPEC

Accepts connections, drips data at 1 byte/sec. Wastes attacker sockets.

Method	`asyncio` server, deliberate sleep per byte
Capacity	Thousands of trapped connections simultaneously
Integration	Every trapped connection → event bus → correlator
Trade-off	Exposes ports (increases surface by design)
RAM	~5MB base + 100 bytes per connection
Domain	AV I/O & Messaging

Labyrinth Filesystem SPEC

FUSE-based infinite fake directory tree. Logs every access.

Method	`fusepy` generates dirs on-the-fly with plausible names
Purpose	Burns attacker time traversing nonexistent data
Detection	Any access = malicious (no legitimate users in the labyrinth)
RAM	~10MB
Implementation	~100 lines Python
Domain	DR Types & Structures

Adaptive Rate Limiter SPEC

Token bucket + exponential backoff. Each failure makes the next harder.

Method	Token bucket per source IP, SQLite-backed state
Penalty	delay = min(base × 2^N, cap) per failed attempt
Integration	Failed attempts increase depth in cost engine
Concept From	Enterprise WAF rate limiting, API gateway patterns
RAM	<5MB + SQLite
Domain	RU Policy & Constraints

Honeytoken Network SPEC

Fake credentials scattered across the system. Any use = confirmed compromise.

Types	Fake AWS keys, API tokens, SSH keys, DB credentials, DNS canaries
Monitoring	`watchdog` inotify on token files + DNS listener for canary domains
Detection	100% true positive rate, 0% false positive
Depth Model	d=5 (confirmed compromise)
Concept From	Attivo Networks, Thinkst Canary
Domain	UM Security & Privacy

Forensic Collector SPEC

On-detection evidence snapshot with chain-of-custody hashing

Captures	/proc trees, network state, file timelines, env vars, login history
Integrity	SHA-256 hash of every collected artifact, append-only log (chattr +a)
Memory	Optional /proc/kcore dump, analyzed via Volatility 3
Trigger	Automatic at COUNTER and LOCKDOWN response levels
Domain	CA Logic & Computation

Enterprise Architecture

Enterprise-Grade Concepts

Core logic extracted from enterprise systems. Lightweight Python implementations of billion-dollar ideas.

SIEM Correlator SPEC

Temporal event correlation with sliding-window state machines

Method	Sigma-style rules: "5 failed logins in 60s from same IP → success"
Scoring	credibility × relevance × severity → maps to H(d,R)
Correlation depth	Chain length = depth d in cost function
Concept From	Splunk, Wazuh, IBM QRadar
Domain	KO Control & Orchestration

XDR / EDR Engine SPEC

Process genealogy DAGs with per-node threat scoring

Method	Directed acyclic graph of process events, causality-linked
Detection	Parent-child anomalies, API call sequences, memory allocation patterns
Scoring	Per-node score + graph aggregate. DAG depth = attack depth.
Concept From	CrowdStrike Storylines, SentinelOne ActiveEDR
Domain	RU Policy & Constraints

Zero Trust Scoring SPEC

Per-request trust evaluation with time-decay

Formula	access = trust_score ≥ resource_sensitivity
Inputs	Identity confidence, device posture, network context, behavioral consistency
Decay	Trust scores decay over time, forcing re-verification
Maps to H(d,R)	Trust decay fits hyperbolic distance metrics naturally
Concept From	Google BeyondCorp, Zscaler ZPA
Domain	RU Policy & Constraints

NDR Baseline SPEC

Per-device behavioral clustering, distance-from-centroid anomaly detection

Method	Feature vectors per entity, unsupervised clustering, deviation scoring
Features	Peers, protocols, data volumes, timing patterns, TLS fingerprints
Detection	Device changes cluster → flag. Distance-from-normal = radius R.
Concept From	Darktrace, Zeek/Bro network analysis
Domain	CA Logic & Computation

MITRE ATT&CK Mapper SPEC

Tags every detection with ATT&CK technique IDs, scores kill-chain completeness

Method	STIX/TAXII JSON graph: indicators, malware, threat-actors, relationships
Tactics	14 tactics, ~200 techniques mapped to detection rules
Scoring	Kill-chain completeness metric: more phases covered = higher depth
Concept From	MITRE ATT&CK Framework
Domain	CA Logic & Computation

Deception Mesh SPEC

Breadcrumb trails + decoy services + honeynet for lateral movement detection

Method	Fake assets planted on real endpoints pointing to decoy systems
Breadcrumbs	Fake SSH keys, RDP shortcuts, credential cache entries
Detection	Any interaction = confidence 1.0 (zero false positives)
Concept From	Attivo Networks, Illusive Networks
Domain	UM Security & Privacy

Infrastructure Tools

Infrastructure Layer

Installable tools that feed the detection and response stack.

nmap SPEC

Port/service scanning for defensive auditing

Install	`apt install nmap`
Usage	`nmap -sV -O localhost`
Disk	~25MB
RAM	50-100MB per scan
Integration	python-nmap wrapper feeds cost engine

tcpdump SPEC

Raw packet capture for offline analysis

Install	`apt install tcpdump`
Usage	Capture to PCAP, analyze with tshark
Disk	~2MB + PCAP storage
RAM	~10MB
Integration	On-demand capture during COUNTER/LOCKDOWN

Log Analyzer (logcheck) SPEC

Filters syslog for anomalous entries

Install	`apt install logcheck`
Method	Cron-based, regex filters, flags unusual log lines
Disk	~2MB
RAM	Negligible
Integration	Anomalous log lines fed to correlator as events

Bandwidth Monitor (iftop/nethogs) SPEC

Real-time per-connection and per-process bandwidth

Install	`apt install iftop nethogs`
iftop	Per-connection bandwidth
nethogs	Per-process bandwidth
Disk	~1MB each
Integration	Bandwidth spikes feed baseline engine

SSH Honeypot (Cowrie) SPEC

Emulates SSH, logs brute-force attempts and attacker sessions

Install	`pip install cowrie`
Captures	Credentials tried, commands run, files uploaded
RAM	~50MB
Integration	Every login attempt → AttackVector → cost engine
Domain	UM Security & Privacy

Resource Budget

Total system: 2.7GB RAM, 10GB disk. All systems must coexist.

System	RAM	Disk	CPU	Status
Cost Engine	<5MB	<1MB	Negligible	LIVE
Port Watcher	<5MB	Log only	Burst every 30s	LIVE
Connection Tracker	<5MB	Log only	Burst every 60s	LIVE
Canary Tripwires	<5MB	~1MB	Burst on check	LIVE
Response Engine	<10MB	~5MB/mo	Burst on trigger	LIVE
Event Bus (SQLite)	~5MB	~30MB/mo	Negligible	SPEC
Filesystem Watcher	~15MB	0	Idle (kernel events)	SPEC
HMAC Merkle	<1MB	<1MB	Burst on verify	SPEC
Behavioral Baseline	~20MB	~10MB/mo	Sampling every 10s	SPEC
Entropy Analyzer	<5MB	Log only	Per-packet	SPEC
TCP Tarpit	~5MB	Log only	Async idle	SPEC
Scapy IDS	40-80MB	~100MB/mo (PCAP)	~10K pps max	SPEC
Cowrie Honeypot	~50MB	~20MB	Per-session	SPEC
TOTAL (all running)	~155MB	~170MB/mo	Fits N4020

Attack Phase Coverage

Which systems detect which attack phases. Combined coverage approaches full spectrum.

System	Recon	Exploit	Persist	Exfil	Lateral
Port Watcher	++	-	-	-	-
Connection Tracker	++	+	-	++	+
Scapy IDS	+++++	+++	-	+++	++
Behavioral Baseline	++	++	+++	++++	+++
Canary Tripwires	-	-	++++	-	++
HMAC Merkle	-	-	+++++	-	+++
Honeytoken Network	-	-	+++++	-	++++
TCP Tarpit	+++	-	-	-	-
Entropy Analyzer	-	+	-	+++++	+
Process Genealogy	-	++++	++	+	++
Cowrie Honeypot	++++	++	+	-	++
COMBINED	+++++	++++	+++++	+++++	+++++

The Law

H(d, R) = R^(d²)

Every system on this page feeds through one formula. Depth compounds. Radius scales. The geometry prices attackers out.