A ZEOS Product — Patent Pending
Cryptographic Threat Capture & Response
Behavioral threat detection built on the Physics of Data — measuring what attacks change, not what attacks look like.
Data has physical properties the same way matter has physical properties. These properties are measurable, invariant, and governed by mathematical laws — not learned heuristics.
"You don't need to identify the fuel to measure the heat."
— The Physics of Data, Zantoras 2026

| Physics of Matter | Measures | CTCR Category | Measures | Detectors |
|---|---|---|---|---|
| Mass | Quantity | VOL | Event magnitude | zscore, cusum, mahalanobis |
| Velocity | Rate of change | TMP | Timing patterns | cadence, spectral, hurst, time_of_day |
| Density | Distribution | DST | Data distributions | benford, zipf, jsd |
| Crystal structure | Internal order | STR | Information content | kolmogorov, entropy_rate, wavelet |
| Phase change | State transition | BHV | Role reversals | reader_writer, talker_quiet, unused_acct |
| Geometry | Form & symmetry | SHP | Traffic shape | symmetric, fixed_payload, dest_freq, composite |
| Bond energy | Persistence | SES | Session lifecycle | idle_session, ghost_session, dns_no_conn |
| Conservation | Energy balance | INT | Data integrity | diff_rate, source_dropout, chain_integrity |
Each category measures an orthogonal dimension of data behavior. Together, they impose mathematically contradictory evasion requirements on any adversary.
Abnormal event magnitude. Z-score spikes, multivariate deviation, cumulative drift.
zscore cusum mahalanobis

Abnormal timing. Cadence regularity, spectral periodicity, long-range dependence.
cadence spectral hurst time_of_day

Abnormal data distributions. Benford's Law digit analysis, Zipf rank-frequency, Jensen-Shannon divergence.
benford zipf jsd

Abnormal information content. Kolmogorov complexity, entropy rate, wavelet decomposition.
kolmogorov entropy_rate wavelet

Behavioral role reversals. Read/write inversion, talker-goes-quiet, dormant account activation.
reader_writer talker_quiet unused_account

Abnormal traffic geometry. Symmetric ratios, fixed payload rigidity, destination frequency.
symmetric fixed_payload dest_freq composite

Abnormal session lifecycle. Idle abandonment, ghost sessions, DNS without connections.
idle_session ghost_session dns_no_conn

Abnormal data integrity. Diff rate spikes, source dropout, cryptographic chain verification.
diff_rate source_dropout chain_integrity

The 8 categories impose mathematically contradictory evasion constraints. An attacker who satisfies all 8 simultaneously is operating at the profile of legitimate traffic. That is not evasion — that is surrender.
| To Evade... | Attacker Must... | Which Exposes... |
|---|---|---|
| VOL (Volume) | Reduce data transfer rate | Rate-limits attack to speed of normal operations |
| TMP (Timing) | Mimic human timing patterns | Constrains throughput, cannot automate at scale |
| DST (Distribution) | Match natural power-law distributions | Concentrates activity, limiting coverage |
| STR (Structure) | Avoid encryption/encoding | Payload visible in plaintext |
| BHV (Behavior) | Maintain historical role patterns | Cannot pivot, escalate, or move laterally |
| SHP (Shape) | Vary packet sizes and destinations | Inefficient C2, unreliable channel |
| SES (Session) | Limit session duration | Cannot maintain persistent access |
| INT (Integrity) | Avoid modifying configurations | Cannot disable defenses or install persistence |
Every claim is tested. Every detector is measured. Every threat is validated. Not inferred — directly verified by the CTCR Attack Engine against a production system.
The CTCR Attack Engine doesn't replay known attack signatures. It generates detector-specific mathematical anomalies — telemetry designed to violate the exact mathematical property each detector measures. This tests whether the instruments work, not whether they recognize a specific threat.
Each of 712 threats is tested individually: the engine generates anomaly flows for that threat's assigned detectors and verifies every detector fired. If any detector fails to fire, the threat fails. This is direct, per-threat-ID validation.
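The per-threat check described above, sketched as an added example (not CTCR's code). The two detector formulas, their thresholds, the sample telemetry and the benign-control step are assumptions made here, since the page names the detectors but does not define them.

```python
import statistics

# Constructed baseline telemetry (not from the page).
BASELINE_BYTES = [980, 1010, 1005, 995, 1020, 990, 1000, 1015]
HUMAN_TIMES = [0, 41, 45, 190, 204, 390, 395, 610]  # irregular gaps, seconds

def zscore_fired(value, baseline=BASELINE_BYTES, threshold=3.0):
    """Fire when value is more than `threshold` std devs from the baseline mean."""
    mu, sigma = statistics.mean(baseline), statistics.pstdev(baseline)
    return sigma > 0 and abs(value - mu) / sigma > threshold

def cadence_fired(times, max_cv=0.1):
    """Fire when inter-arrival gaps are near-constant (low coefficient of variation)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or statistics.mean(gaps) <= 0:
        return False
    return statistics.pstdev(gaps) / statistics.mean(gaps) < max_cv

def zscore_anomaly():
    """Synthetic value six standard deviations above the baseline mean."""
    return statistics.mean(BASELINE_BYTES) + 6 * statistics.pstdev(BASELINE_BYTES)

def cadence_anomaly():
    """Synthetic event times with a perfectly fixed 60-second interval."""
    return [60 * i for i in range(10)]

# detector name -> (detector, anomaly generator, benign control input)
HARNESS = {
    "zscore": (zscore_fired, zscore_anomaly, 1005),
    "cadence": (cadence_fired, cadence_anomaly, HUMAN_TIMES),
}

def validate_threat(assigned):
    """Pass only if every assigned detector fires on its anomaly
    and stays quiet on its benign control."""
    results = {}
    for name in assigned:
        detect, make_anomaly, benign = HARNESS[name]
        results[name] = {"fired": detect(make_anomaly()),
                         "false_positive": detect(benign)}
    passed = all(r["fired"] and not r["false_positive"] for r in results.values())
    return passed, results

if __name__ == "__main__":
    # "T-EXAMPLE" is a placeholder threat ID, not one of the product's.
    print("T-EXAMPLE", validate_threat(["zscore", "cadence"]))
```

The benign control matters because a detector that fires on everything would otherwise pass a fire-on-anomaly test.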
CTCR doesn't learn what attacks look like. It measures what attacks change.
| | Signature-Based | AI/ML-Based | CTCR (Mathematical) |
|---|---|---|---|
| Zero-day detection | None | Partial (depends on training) | Complete |
| Evasion resistance | Low (known bypass) | Medium (adversarial ML) | Mathematical guarantee |
| Training data needed | Attack samples | Large labeled datasets | None (mathematical laws) |
| Model drift | N/A | Requires retraining | None (invariant) |
| Explainability | Rule matched | Black box | Mathematical proof |
| Evidence integrity | No guarantee | No guarantee | SHA-256 hash chain |
| Threat coverage | Known only | Training-dependent | 712/712 (100%) |
Put your security platform to the 712-threat test. The CTCR Attack Engine generates mathematically rigorous anomalies that any detection system should catch. If it doesn't, you have a gap. If it does, you have proof.