Open source

The evidence layer is open. Verify without trusting us.

The core of Sectum AI is Apache-2.0: the marker substrate, the attack catalog, the backend adapters, the evidence chain, and an independent verifier. Anyone can reproduce a run and check a Sectum AI evidence pack end-to-end, with no Sectum AI installation and no trust in us required.

View on GitHub → Read the docs

Live demo

See it run

The four-command flagship workflow on a fresh checkout: seed synthetic tenants, run the probe suite, build the signed evidence pack, then verify it independently. Reproduce it from the runnable OSS example.

$ sectum-ai seed --workdir .sectum-ai
seeded 4 synthetic tenants and 96 documents → .sectum-ai/substrate.json

$ sectum-ai probe --workdir .sectum-ai --output json
{
  "retrieval_pivot_rate": 0.954,
  "confirmed_findings": 264,
  "false_positives": 0
}

$ sectum-ai report --workdir .sectum-ai --tsa --rekor
wrote .sectum-ai/evidence.json + audit-pack.pdf
anchored: RFC 3161 timestamp + Sigstore Rekor inclusion proof

$ sectum-ai verify .sectum-ai/evidence.json
VERIFIED  run digest ok · manifest hash ok · TSA token ok · Rekor inclusion ok
What's open

What's in the Apache-2.0 core

Marker substrate

Synthetic tenants seeded with three classes of cryptographic canary markers and a hashed ground-truth manifest, deterministic, reproducible, and manifest-grounded for zero false positives.

Attack catalog

11 cross-tenant attack classes across 13 AI surfaces: the organic entity-bleed RAG pivot, semantic-cache contamination, the MCP confused-deputy, memory contamination, embedding inversion, and more.

Backend adapters

Live adapters for the common vector DBs, caches, agent frameworks, and MCP servers, so the probe suite runs against a real deployment rather than a mock.

Evidence chain + verify

Canonicalize, hash, RFC-3161 timestamp, Sigstore-Rekor log, wrap in an in-toto envelope, render to a PDF, and sectum-ai verify checks the whole chain with no Sectum AI install required.

Why open

An attestation you can't check is just a claim

If the only way to trust an isolation report is to trust the tool that produced it, it isn't an attestation. That's why the evidence layer is open: an auditor, a customer's security team, or a regulator can take a Sectum AI evidence pack and verify the run digest, the manifest hash, the RFC-3161 timestamp, and the Rekor inclusion proof themselves, including the negative result that nothing leaked. The boundary between the open evidence layer and the commercial tooling is documented in ADR-0002.

Get started

Clone it, run it, verify it

Apache-2.0. Star the repo, open an issue, or reproduce a run from the examples. When you need an attestation for a buyer or an auditor, the engagements build on this same open core.

sectum-ai on GitHub → Security research