How SPNT Works
SPNT has three structural pieces: a shared data layer (the substrate), seven intelligence layers that feed signals into it, and ten modules that read from and write to it — including an agentic action layer that acts on the graph and a sovereign inference layer the modules reason on.
This page is the bird's-eye view. Each piece has its own deeper page in this documentation.
The substrate
A shared data layer that every part of the platform reads from and writes to. Everything lives here: discovered assets, confirmed findings, the evidence that proves each finding exists, normalised telemetry events, external intelligence signals, the health status of every security control, and the written analysis the platform produces.
Because every module shares the substrate, the platform never reconciles data between modules. There is no integration layer between detection and governance — they read the same records.
Read more → The Substrate Model
The seven intelligence layers
Seven layers continuously bring different categories of security signal into the substrate.
OSINT Intelligence Layer. Watches the outside world. Pulls signals from certificate transparency logs, vulnerability disclosure feeds, code-leakage monitors, threat intelligence feeds, supply-chain integrity sources, credential-exposure monitors, passive DNS, and more. Every signal is normalised and correlated to the assets it affects.
Operational Telemetry Layer. Watches the inside. Ingests cloud-audit and identity-platform events from your environment — AWS CloudTrail, Kubernetes audit, Entra ID, GitHub, Okta, Azure Activity, GCP Cloud Audit — and validates whether your security controls are actually being enforced.
Decision Intelligence Layer. Reads the substrate and produces written analysis. Five structured reasoning outputs (Operational Digest, Prioritization Output, Consequence Analysis, Remediation Sequence, Confidence Assessment) plus an autonomous research engine that investigates concerning patterns on its own. Every claim cites the substrate records it's based on.
Threat Intelligence Layer. Aggregates and correlates threat actor TTPs, malware indicators, campaign tracking, and emerging attack patterns. Maps the external threat landscape to your specific asset inventory and exposure profile.
Exposure Intelligence Layer. Continuously monitors your external attack surface — exposed services, leaked credentials, dark web mentions, brand impersonation, and supply chain dependencies. Correlates exposure signals with internal vulnerability state.
Behavioral Intelligence Layer. Analyzes patterns of activity across identity, network, and application layers. Detects anomalous behavior, policy violations, and indicators of compromise that signature-based detection misses.
Agent Intelligence Layer. Watches AI agents and MCP tools acting in your environment. Captures agent invocations, tool calls, and machine-identity activity — feeding tool-poisoning detection, agent-as-identity governance, and reachability analysis across the graph.
The ten modules
Ten product capabilities. They are not separate products that happen to share a UI. They are ten ways of reading from and writing to the same substrate.
Detection (Odbrana). Continuous scanning of web applications, APIs, infrastructure, and cloud assets. Every finding carries an evidence chain — an immutable record of exactly what was observed to prove the issue exists.
Hardening (Postava). Automated hardening for Linux hosts: firewall, SSH, kernel parameters, and intrusion detection. Applied once, then a drift agent monitors every parameter forever. Any deviation becomes a signal across the platform.
Offense Verification (Napad). Controlled exploit verification. Proves which vulnerabilities in your environment are actually exploitable today, in your network topology, with your service configuration. Bounded by explicit caps and fully auditable.
Governance (Regulativa). Continuous compliance monitoring across 35+ frameworks and 3,000+ obligations. Every substrate finding, every control health record, every telemetry event is mapped to the obligations it affects, in real time. Evidence packets are generated from the substrate on demand.
Investigation (Istraga). Adversarial reasoning engine. Synthesizes signals across all modules, predicts emerging risk, and produces written analysis grounded in substrate evidence. The intelligence layer that turns data into actionable insight.
Oversight (Nadzor). Identity security and access governance. Monitors privilege escalation, dormant accounts, excessive permissions, and identity-based attack paths. Continuous validation that access policies match actual enforcement.
Classification (Podatoci). Data discovery and classification across cloud storage, databases, and repositories. Identifies sensitive data, tracks data flows, and maps data assets to compliance obligations and access controls.
AI-Security (ProtivAI). Secures AI/ML infrastructure — model registries, training pipelines, inference endpoints. Detects prompt injection attempts, model poisoning, and AI-specific attack vectors. Ensures AI systems don't become security blind spots.
Agent Control (Zastapnik). The agentic action layer. Governs the AI agents and MCP tools that act inside your environment — tool-poisoning detection, agent-as-identity enforcement, and reachability analysis over the graph. Agents act on the substrate; Zastapnik makes sure they only do what they are authorized to.
Sovereign Inference (Jadro). The sovereign brain the agentic modules reason on. Runs the platform's reasoning either on managed cloud models or on a local, air-gapped model with zero egress. Investigation, offense, and agent control reason on Jadro so your security graph and prompts never leave your environment.
Deployment
SPNT is delivered as a managed service hosted on European Union infrastructure. Data does not leave the EU by default. A sovereign deployment mode for regulated public-sector buyers — with EU inference enforcement and a self-hosted large-language-model option — is available on the Sovereign tier.