Platform Architecture
Ten modules. One graph. One substrate.
Detection, hardening, offense, governance, investigation, identity oversight, data classification, AI-security, agentic/MCP control, and sovereign inference share one canonical data model. Agents act over the graph; the brain (Claude in the cloud, Jadro on-prem) reasons on it. This is not integration theater. This is architecture.
The Problem
Why dashboards are not platforms
Most security platforms are just aggregation layers with API connectors. That is integration theater.
Connector fatigue
Every tool needs configuration. Every connector breaks. Every upgrade requires re-mapping. You spend more time maintaining integrations than using them.
Context collapse
The same vulnerability appears differently in three tools. Your team triages it three times. Remediation happens without knowing validation status.
Data silos persist
Aggregating data in a dashboard does not make it unified. Context is still lost. Evidence is still duplicated. Compliance still requires manual assembly.
The result: manual correlation, delayed validation, duplicated evidence, and security teams who spend more time managing tools than managing risk.
The Solution
A canonical data model
Serpentine does not aggregate external data. It generates its own findings from its own scanners, all normalized into one schema.
Assets
Single inventory across all security operations
Findings
Normalized vulnerabilities regardless of source
Validations
Exploit confirmation drives real prioritization
Remediations
Hardening actions become compliance evidence
Evidence
Every action produces audit-ready proof
Controls
Framework requirements flow to operations
Identity
Human and non-human identities surface privilege and access risks
Classification
Data sensitivity drives finding prioritization
AI-Incidents
AI/LLM risks on the same register as infrastructure
Agents
AI agents and MCP tools governed as first-class identities
Research
Autonomous reasoning grounds prioritization in real threat context
Inference
Sovereign brain the agentic modules reason on — cloud or air-gapped
Every entity is first-class. Every relationship is explicit. Every module reads and writes the same state.
The Loop
How data flows through ten modules
Security becomes continuous when data flows naturally between disciplines — agents act on the graph, the sovereign brain reasons on it.
Odbrana detects
Postava hardens
Napad validates
Istraga investigates
Regulativa governs
Nadzor oversees
Podatoci classifies
ProtivAI AI-secures
Zastapnik controls agents
Jadro reasons
Intelligence feeds
OSINT
Feeds from public breach, leak, and threat intelligence sources
Threat Intel
IOC and TTP feeds mapped to your asset inventory
Exploit DB
Known exploit availability integrated into validation
Compliance KB
35 frameworks, 3,144 obligations, continuous mapping
Adversary Models
Threat actor profiles for attack path simulation
Agent & MCP Telemetry
Live signals from AI agents and MCP tools acting in your environment
Research Corpus
Academic and industry security research for reasoning
This is not a one-time assessment. The loop runs continuously, with every action updating the shared security graph.
What This Enables
What unified architecture unlocks
Capabilities that fragmented tools cannot provide.
Evidence reuse
A vulnerability scan satisfies SOC 2 CC7.1, ISO A.12.6.1, and GDPR Art. 32 simultaneously. Upload or generate evidence once, map it everywhere.
Example: One Odbrana finding maps to 4 frameworks without manual re-entry
Validated prioritization
Do not prioritize by CVSS alone. Prioritize by actual exploitability. Napad validation feeds directly into remediation queues.
Example: Critical finding downgraded after Napad confirms no exploit path
Continuous operating state
Security is not point-in-time. The platform maintains live state across assets, findings, validation, remediation, and evidence.
Example: Auditor queries current posture, not a 90-day-old report
Example
One vulnerability, the full platform
See how a single finding moves through the entire platform.
Example Finding
Exposed Administrative Endpoint
Web scanner detects /admin/api endpoint responding without authentication
Offensive agent confirms endpoint returns user PII without credentials
Hardening policy applied: endpoint moved behind auth, rate limiting added
Finding and remediation linked to ISO A.9.4.1, SOC 2 CC6.1, GDPR Art. 32
Total time from discovery to audit-ready evidence: automated, continuous, traceable.
Products
Ten modules, one graph
Each module provides a specialized interface. All share the same data layer.
Detection (ODBRANA)
Finds vulnerabilities across web, API, cloud, code, container, and mobile.
Hardening (POSTAVA)
Applies hardening fixes and monitors continuously for drift.
Offense (NAPAD)
Verifies findings via isolated-sandbox exploitation.
Investigation (ISTRAGA)
LLM-guided investigations and corpus-backed reasoning.
Governance (REGULATIVA)
Maps findings to 35 frameworks, builds evidence packets.
Oversight (NADZOR)
Identity intelligence from Entra ID, Okta, and GitHub.
Classification (PODATOCI)
Data asset catalogue with PII/PCI/PHI classification.
AI-Security (PROTIVAI)
Protects AI/LLM workloads from prompt injection to supply chain.
Agent Control (ZASTAPNIK)
Governs AI agents and MCP tools — tool-poisoning detection, agent-as-identity.
Sovereign Inference (JADRO)
The sovereign brain the agentic modules reason on — local or air-gapped, zero egress.
All modules are GA. Tier indicates the minimum plan on which a module is available.