The evidence layer is open. Verify without trusting us.
The core of Sectum AI is Apache-2.0: the marker substrate, the attack catalog, the backend adapters, the evidence chain, and an independent verifier. Anyone can reproduce a run and check a Sectum AI evidence pack end-to-end, with no Sectum AI installation and no trust in us required.
See it run
The four-command flagship workflow on a fresh checkout: seed synthetic tenants, run the probe suite, build the signed evidence pack, then verify it independently. Reproduce it from the runnable OSS example.
$ sectum-ai seed --workdir .sectum-ai
seeded 4 synthetic tenants and 96 documents → .sectum-ai/substrate.json
$ sectum-ai probe --workdir .sectum-ai --output json
{
"retrieval_pivot_rate": 0.954,
"confirmed_findings": 264,
"false_positives": 0
}
$ sectum-ai report --workdir .sectum-ai --tsa --rekor
wrote .sectum-ai/evidence.json + audit-pack.pdf
anchored: RFC 3161 timestamp + Sigstore Rekor inclusion proof
$ sectum-ai verify .sectum-ai/evidence.json
VERIFIED run digest ok · manifest hash ok · TSA token ok · Rekor inclusion ok
What's open What's in the Apache-2.0 core
Marker substrate
Synthetic tenants seeded with three classes of cryptographic canary markers and a hashed ground-truth manifest, deterministic, reproducible, and manifest-grounded for zero false positives.
Attack catalog
11 cross-tenant attack classes across 13 AI surfaces: the organic entity-bleed RAG pivot, semantic-cache contamination, the MCP confused-deputy, memory contamination, embedding inversion, and more.
Backend adapters
Live adapters for the common vector DBs, caches, agent frameworks, and MCP servers, so the probe suite runs against a real deployment rather than a mock.
Evidence chain + verify
Canonicalize, hash, RFC-3161 timestamp, Sigstore-Rekor log, wrap in an
in-toto envelope, render to a PDF, and sectum-ai verify
checks the whole chain with no Sectum AI install required.
An attestation you can't check is just a claim
If the only way to trust an isolation report is to trust the tool that produced it, it isn't an attestation. That's why the evidence layer is open: an auditor, a customer's security team, or a regulator can take a Sectum AI evidence pack and verify the run digest, the manifest hash, the RFC-3161 timestamp, and the Rekor inclusion proof themselves, including the negative result that nothing leaked. The boundary between the open evidence layer and the commercial tooling is documented in ADR-0002.
Get startedClone it, run it, verify it
Apache-2.0. Star the repo, open an issue, or reproduce a run from the examples. When you need an attestation for a buyer or an auditor, the engagements build on this same open core.