How SPNT Works

SPNT has three structural pieces: a shared data layer (the substrate), three intelligence layers that feed signals into it, and four modules that read from and write to it.

This page is the bird's-eye view. Each piece has its own deeper page in this documentation.

The substrate

A shared data layer that every part of the platform reads from and writes to. Everything lives here: discovered assets, confirmed findings, the evidence that proves each finding exists, normalised telemetry events, external intelligence signals, the health status of every security control, and the written analysis the platform produces.

Because every module shares the substrate, the platform never reconciles data between modules. There is no integration layer between detection and governance — they read the same records.

Read more → The Substrate Model

The three intelligence layers

Three layers continuously bring different categories of security signal into the substrate.

OSINT Intelligence Layer. Watches the outside world. Pulls signals from certificate transparency logs, vulnerability disclosure feeds, code-leakage monitors, threat intelligence feeds, supply-chain integrity sources, credential-exposure monitors, passive DNS, and more. Every signal is normalised and correlated to the assets it affects.

Operational Telemetry Layer. Watches the inside. Ingests cloud-audit and identity-platform events from your environment — AWS CloudTrail, Kubernetes audit, Entra ID, GitHub, Okta, Azure Activity, GCP Cloud Audit — and validates whether your security controls are actually being enforced.

Decision Intelligence Layer.Reads the substrate and produces written analysis. Five structured reasoning outputs (Operational Digest, Prioritization Output, Consequence Analysis, Remediation Sequence, Confidence Assessment) plus an autonomous research engine that investigates concerning patterns on its own. Every claim cites the substrate records it's based on.

The four modules

Four product capabilities. They are not separate products that happen to share a UI. They are four ways of reading from and writing to the same substrate.

Detection (ODBRANA). Continuous scanning of web applications, APIs, infrastructure, and cloud assets. Every finding carries an evidence chain — an immutable record of exactly what was observed to prove the issue exists.

Hardening (POSTAVA). Automated hardening for Linux hosts: firewall, SSH, kernel parameters, and intrusion detection. Applied once, then a drift agent monitors every parameter forever. Any deviation becomes a signal across the platform.

Offense Verification (NAPAD). Controlled exploit verification. Proves which vulnerabilities in your environment are actually exploitable today, in your network topology, with your service configuration. Bounded by explicit caps and fully auditable.

Governance (REGULATIVA). Continuous compliance monitoring across 35 frameworks and 3,144 obligations. Every substrate finding, every control health record, every telemetry event is mapped to the obligations it affects, in real time. Evidence packets are generated from the substrate on demand.

Deployment

SPNT is delivered as a managed service hosted on European Union infrastructure. Data does not leave the EU by default. A sovereign deployment mode for regulated public-sector buyers — with EU inference enforcement and a self-hosted large-language-model option — is available on the Sovereign tier.

Read more → EU Sovereignty