For OT and SOC leadership
Signal at the edge. Sovereignty preserved.
OT telemetry cannot leave the site. IT alerts speak a different dialect. Peer threat intel arrives late or not at all. Arkivist runs agents at the edge with calibrated triage, correlates anomalies across sites without moving raw telemetry, and exchanges verified threats with peer utilities through cryptographic federation.
Hedera Anchor · Testnet
Threat-intel corpus
Testnet today. Mainnet this cycle.
What breaks resilience today.
- OT events and IT alerts use different vocabularies. Correlation between them lives in an analyst's head, not the substrate.
- Edge devices generate noise at scale. Signal needs symbolic context, not another model that hallucinates priorities.
- Threat intel from peer utilities arrives by email, late, or never. There is no infrastructure for verifiable exchange.
- False-positive fatigue is operational risk. Suppressions are silent — no one can audit why an alert was discarded six months ago.
- Raw OT telemetry cannot ship off-site. Cloud-only models are a non-starter for a regulator-facing utility.
Substrate. Reasoning. Federation. Applied to your work.
Edge-resident agents
Bastion VMs run the substrate at the site. Calibrated agents triage events locally; only verified, sovereign-safe facts flow upstream. The plant keeps its data.
Cross-site contradiction & anomaly correlation
Claim networks span sites without raw telemetry crossing site boundaries. Patterns of attack visible across the fleet — invisible to any single SOC console — surface to the operations leader.
Verified peer-utility threat sharing
Share L5-anchored indicators with peer utilities. Each side verifies the anchor against a public ledger. No need to expose your topology or trust the sending utility's database.
Provenance on every alert
Every alert carries its sources, the agent that promoted it, and the supporting evidence. The SOC director knows why something fired before deciding what to do.
Justified suppressions
Alerts suppressed by an agent carry the reasoning. No silent silencing. The audit trail captures both what fired and what did not — and why.
Operator action audit
Every human action against the substrate is recorded as a claim, with the operator's identity and the state they observed. A complete forensic record from edge capture to operator response.
Every alert has a provenance trail. Every threat-share has a hash.
- L1Raw
- L2Corroborated
- L3Verified
- L4Expert
- L5Anchored
Indicators rise from raw extraction through corroboration and calibrated-agent triage to L5 — anchored to the Hedera Consensus Service. Peer utilities verify against a public ledger Arkivist does not control. Sovereignty preserved at every layer.
Hedera Anchor · Testnet
Threat-intel corpus
Testnet today. Mainnet this cycle.
Two live surfaces. Both real.
Peer utilities share threats. Topology stays at home.
Verified facts, not raw data
Peer-utility ISACs run on goodwill, mailing lists, and PDFs. Arkivist replaces that with cryptographic exchange — L5-anchored indicators flow between utilities; the receiving SOC verifies the anchor against a public ledger; no raw telemetry, no topology, no sensitive configuration moves between organisations. Verifiable trust without shared infrastructure.
Run the edge substrate on one site.
A bounded pilot on a single facility. Edge bastion, calibrated triage, peer-share validated against another utility you choose. We will show the math; you will own the data.