News Part of the AUTHREX Application Set: one Kernel architecture, six application profiles
VIEWING 01 / 06MISSIONAUTHREX-AGENT-CYBER
● AUTONOMOUS CYBER-DEFENSE AUTHORITY · REFERENCE ARCHITECTURE

AUTHREX-AGENT-CYBER
Who Authorizes the Autonomous Defender?

DARPA’s AI Cyber Challenge proved autonomous cyber-reasoning systems can find and fix flaws with no human in the loop. The unanswered question is authority, not capability: a system that can rewrite the code running a power grid can also break it. AGENT-CYBER governs the patch: provenance, finding/action consistency, multi-system quorum, and authority scaled to target criticality.

4 AUTHORITY GATES0 OFFENSIVE FUNCTION23,748 TLA+ STATESAIxCC FOLLOW-ONTRL 3-4 SELF-ASSESSED REFERENCE
[ The Concept ]

Govern the Action, Not the Reasoner.

  • Blanket human review: slow, defeating the speed advantage of autonomous defense
  • Or ungated autonomy: dangerous on critical systems
  • No screen for a patch inconsistent with its stated finding, the signature of a poisoned system
  • Single-system verdicts applied unchecked to live infrastructure
  • The cyber-reasoning system stays a black box; only its proposed action is governed
  • ADARA screens finding/action consistency before anything executes
  • MAIVA requires multi-system agreement before a patch is trusted
  • HMAA keeps full speed on test targets and forces human handoff plus pre-armed rollback on live OT
VIEWING 02 / 06WHO IT SERVESAUTHREX-AGENT-CYBER
[ Who It Serves ]

Speed Where Safe. A Human Where Not.

Defensive Cyber Teams

A blue team can deploy autonomous patching against fast-moving threats without granting the autonomous system unmediated authority to rewrite production systems. High-criticality patches slow down for human confirmation; everything is logged.

Infrastructure Defenders

Defenders of power, water, and pipeline systems get the speed of autonomous patching with a structural control, asserted across the packaged simulation scenarios: a patch to a live controller cannot execute without a human in the loop and a pre-armed rollback.

IC & Defense

Intelligence and defense organizations get an authority layer that is compatible with the Five Eyes guidance on agentic AI, expressed as an enforceable decision (execute / handoff / abort) rather than a policy aspiration.

VIEWING 03 / 06NATIONAL CASEAUTHREX-AGENT-CYBER
[ The National Case ]

The Authority Layer Above a Demonstrated Capability.

Autonomous cyber-defense is a stated U.S. priority, and the AIxCC result made the authority question urgent and concrete:

It answers a question AIxCC opened

DARPA proved autonomous cyber-reasoning works. The immediate follow-on question, who authorizes an autonomous patch to a live system, is exactly what AGENT-CYBER governs. It is a proposed authority-governance layer addressing a gap identified in the reviewed public record, above a capability the government recently demonstrated.

It aligns with Five Eyes guidance

The Five Eyes "Careful Adoption of Agentic AI Services" (1 May 2026) calls for careful, bounded adoption of autonomous agents. AGENT-CYBER is a concrete bounding mechanism: tiered authority, human handoff, pre-armed rollback, signed audit.

It is defensive by construction

The application has zero offensive function. It governs whether a defensive patch may execute. That makes it adoptable under defensive-cyber authorities without raising offensive-capability concerns.

It maps to supply-chain law

NDAA §1513 addresses AI-specific threats and supply-chain risk. An autonomous patching agent is itself a supply-chain actor; AGENT-CYBER provides the provenance attestation and audit trail that §1513 concerns call for.

VIEWING 04 / 06HEILMEIER CATECHISMAUTHREX-AGENT-CYBER
[ The DARPA Questions ]

The Heilmeier Catechism, Answered Plainly.

Govern whether an autonomous cyber-reasoning system is allowed to apply a patch to a given target, scaled by how critical that target is. No jargon: decide if the robot defender is allowed to touch the real thing, or only the test copy.

Today, autonomous patching is either gated by blanket human review (slow, defeating the speed advantage) or ungated (dangerous on critical systems). In the public sources reviewed for this project, no directly comparable criticality-aware authority layer was identified that preserves automated speed on lower-criticality targets while introducing accountable human review for higher-criticality actions. Proprietary, classified, unreleased, or poorly documented capabilities cannot be excluded.

Treating the cyber-reasoning system as a black box and governing only its action, plus screening for finding/action inconsistency (the signature of a poisoned system) and setting authority by target criticality. The defender's speed is preserved on low-criticality targets and bounded on high-criticality ones.

Defensive cyber teams, infrastructure defenders, and the IC care. If it works, autonomous defenders can operate at machine speed where it is safe, while a live grid controller is never patched without a human and a rollback.

The main risks are mis-classifying target criticality and an adversary crafting a finding/action pair that passes the consistency screen. The simulation exposes the decision logic for exactly these challenges; the consistency screen is a research surface, not a solved problem.

The governance logic is software; the signing root is the commodity BLADE-AGENT-HSM (about $199 in parts). The cyber-reasoning system is whatever the operator already runs, AGENT-CYBER does not build or replace it.

The reference architecture, four traced scenarios, and simulation exist now (self-assessed TRL 3 to 4) and are live on the AUTHREX-AGENT page. Independent validation against a real cyber-reasoning system is the next milestone.

Midterm: the gate correctly aborts a poisoned finding and hands off a live-OT patch in simulation. Final: the gate runs in-line with a real autonomous cyber-reasoning system, correctly tiering patches by target criticality.

VIEWING 05 / 06AUTHORIZE THE DEFENDERAUTHREX-AGENT-CYBER
[ Try It ]

Authorize the Defender.

An autonomous cyber-reasoning system proposes a patch. Pick the scenario and run it: the same proposed action gets a different outcome depending on the target and the integrity of the finding. Governance only, no offensive function, not operational validation.

◇ AUTHORIZE THE DEFENDERSELECT · RUN · DECISION
01SATAPatch provenance attestedSTANDBY
02ADARAFinding / action consistency screenedSTANDBY
03MAIVAMulti-system integrity confirmedSTANDBY
04HMAAAuthority tier set by target criticalitySTANDBY
[ READY ] AWAITING PROPOSAL

All scenarios are synthetic; no real system is patched.

VIEWING 06 / 06FOUNDATION & SCOPEAUTHREX-AGENT-CYBER
[ Formal-Methods Foundation ]

Model-Checked, Not Just Described.

Every AUTHREX application shares one model-checked authority core: the HMAA authority state machine, specified in TLA+ and model-checked across the stated finite model. The checker also caught a real S5 view-change regression during development, evidence the method finds defects rather than rubber-stamping them.

The profiles share a model-checked authority-state specification. Results apply to the finite model, properties, and assumptions analyzed and do not validate a spacecraft, vehicle, controller, or operational integration.

23,748 REACHABLE STATES6 PROPERTIES VERIFIED2 VACUOUS AT BOUNDTLA+ FORMAL SPEC
[ Anchors & Honest Limitations ]

What This Rests On, and What It Is Not.

FEDERAL ANCHORS

Five Eyes Careful Adoption of Agentic AI Services (1 May 2026) · DARPA AI Cyber Challenge (DEF CON 33, 2025) · NDAA §1513 · NIST AI 600-1 Generative AI Profile · folds in AUTHREX-ZTAGENT and AUTHREX-MCPGOV as cited variants · hardware anchor: BLADE-AGENT-HSM →

HONEST LIMITATIONS

Reference architecture, self-assessed at approximately TRL 3 to 4: specified and simulated, not fielded with a real cyber-reasoning system. The finding/action consistency screen is an open research surface; a sufficiently crafted adversarial pair is a real risk, stated openly. The criticality-to-tier mapping is one researcher’s analytical judgment, released for independent review. Governance only. No offensive function. No agency adoption or endorsement implied.