Cyber Insurance — HATS Conformance

Cyber claims should not depend on screenshots and exported logs.

HATS lets insurers replay the policyholder's operational state at the moment of loss and verify whether controls actually existed.

The Problem

The Black-Box Replay Problem

Today, cyber claims are adjudicated from screenshots, exported SIEM logs, and vendor attestation letters. The insurer cannot independently verify whether controls existed at the moment of loss. The policyholder controls the evidence.

HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls.

Fraud Scenarios

What Governance Replay Catches

Three real-world fraud patterns that governance replay detects from cryptographic evidence alone.

Scenario 1: Retroactive Policy Insertion

Claimed loss: $2.4M

Policyholder claims encryption-at-rest was enforced when the breach occurred. Governance replay reveals: the encryption policy was created 72 hours after the incident. The hash chain shows no attestation for the policy at the claimed enforcement time. The timestamp on the policy creation attestation post-dates the breach notification.

Detection: Hash chain gap at claimed enforcement timestamp. No attestation exists for the policy before the breach.

Scenario 2: MFA Enforcement Gap

Claimed loss: $1.8M

Policyholder claims MFA was enforced on all privileged accounts. Governance replay reveals: MFA policy attestations show a 14-day enforcement gap on the admin account that was compromised. The gap aligns exactly with the lateral movement window in the forensic timeline.

Detection: Attestation chain shows MFA policy was disabled on the compromised account for 14 days surrounding the breach window.

Scenario 3: AI Agent Scope Violation

Claimed loss: $4.2M

Policyholder claims an AI trading agent acted within its authorized scope when it executed unauthorized trades. Governance replay reveals: the agent's delegation chain expired 6 hours before the trades. The agent continued operating without valid authorization attestations.

Detection: Delegation chain expiration predates the unauthorized trades by 6 hours. No renewal attestation exists.

Insurer Capabilities

What Insurers Can Verify Independently

With governance replay, insurers do not rely on policyholder-provided evidence. They reconstruct the operational state from cryptographic receipts using their own verifier.

Independence

Offline Verification. No Vendor Trust Required.

The insurer downloads the attestation evidence, runs the verifier offline, and gets a deterministic governance reconstruction. No H33 account needed. No API calls. No vendor dependency.

Pilot Program

90-Day Pilot Structure

A structured pilot program for insurers to evaluate governance replay on real or simulated claim evidence.

Week 1-2

Integration

Deploy HATS attestation on a policyholder test environment. Begin producing governance attestations for MFA, encryption, access control, and key management policies.

Week 3-6

Evidence Accumulation

Continuous attestation produces a governance evidence chain. Simulated incidents trigger replay exercises. The insurer's claims team runs the verifier independently.

Week 7-10

Fraud Simulation

Inject known fraud scenarios (retroactive policy insertion, MFA gap, scope violation). Measure detection accuracy and time-to-detection against current claims process.

Week 11-13

ROI Analysis

Compare fraud detection rates, claims adjudication time, and reserve accuracy between governance replay and traditional evidence review.

See Cyber Claim Verification in Action

Watch a simulated claim replayed from cryptographic evidence. See exactly what the insurer sees.

Investigation Method Comparison

Cryptographic Replay vs Traditional Claim Investigation

Traditional cyber claim investigation relies on forensic consultants reviewing logs, interviewing stakeholders, and assembling narrative timelines. Cryptographic replay replaces narrative with mathematical proof. The table below compares these approaches across the dimensions that determine whether a claim investigation reaches defensible conclusions.

Dimension: Evidence source
  Traditional Claim Investigation: Logs, screenshots, vendor reports, stakeholder interviews. Evidence quality depends on the policyholder's cooperation and infrastructure.
  H33 Cryptographic Replay Verification: Cryptographic attestations. Hash-chained, triple PQ-signed. Evidence integrity is mathematically verifiable independent of the policyholder.

Dimension: Investigation timeline
  Traditional Claim Investigation: Weeks to months. Forensic consultants must collect evidence, correlate across systems, and produce reports.
  H33 Cryptographic Replay Verification: Minutes to hours. The replay engine reconstructs governance state deterministically from the attestation bundle.

Dimension: Tamper detection
  Traditional Claim Investigation: Difficult. Sophisticated policyholders can modify logs, backdate configurations, and fabricate compliance evidence.
  H33 Cryptographic Replay Verification: Automatic. Any modification breaks signatures or hash chains. The replay engine reports the exact location and type of tampering.

Dimension: Fraud detection
  Traditional Claim Investigation: Relies on investigator expertise and intuition. Different investigators may reach different conclusions from the same evidence.
  H33 Cryptographic Replay Verification: Deterministic. Retroactive MFA enablement, backdated policies, stale keys, and scope violations are mathematically detectable. Two investigators always reach the same conclusion.

Dimension: Cost per claim
  Traditional Claim Investigation: $50,000-$500,000+ for forensic investigation of complex claims. Costs scale with claim complexity and dispute duration.
  H33 Cryptographic Replay Verification: Fraction of traditional costs. Automated replay eliminates most manual forensic work. Complex disputes are resolved with mathematical evidence, not expert testimony.

Dimension: Dispute resolution
  Traditional Claim Investigation: Adversarial. Policyholder and insurer each hire experts who produce conflicting interpretations of the same evidence.
  H33 Cryptographic Replay Verification: Deterministic. Both parties run the same replay engine on the same evidence bundle and get identical results. Disputes become questions of fact, not interpretation.

Dimension: Legal defensibility
  Traditional Claim Investigation: Challenged by opposing counsel on log integrity, completeness, and chain of custody. Expert witnesses required.
  H33 Cryptographic Replay Verification: Mathematical evidence. The attestation either verifies or it does not. No interpretation, no chain-of-custody challenges, no conflicting expert opinions.

Traditional forensic investigation remains necessary for understanding attacker tactics and techniques. Cryptographic replay does not replace forensic analysis -- it provides an independently verifiable evidence foundation that makes forensic conclusions defensible.

Architecture Deep-Dive

How Cryptographic Claim Verification Works

H33 cyber claim verification uses governance replay to transform claim investigation from interpretive forensics into mathematical proof. The system produces independently verifiable evidence of what controls were in place, when they were active, and whether they were operating as claimed.

Continuous Governance Attestation

During normal operation, every security-relevant event -- MFA status changes, key rotations, policy modifications, access control changes, agent scope adjustments -- is recorded as a cryptographic attestation. Each attestation is signed with three independent post-quantum families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f) and hash-chained to its predecessor using SHA3-256. This creates a tamper-evident directed acyclic graph of governance evidence that accumulates over the life of the policy.

Claim-Time Replay

When a claim is filed, the insurer receives the attestation evidence bundle and runs the replay engine targeted at the incident timestamp. The engine reconstructs the exact governance state at that moment: which users had MFA active, when keys were last rotated, what policies were in effect, which agents were operating and within what scope. The reconstruction is deterministic -- the insurer's replay produces identical results to the policyholder's, eliminating the adversarial dynamic that plagues traditional investigations.

Automated Fraud Detection Patterns

The replay engine automatically detects common fraud patterns. Retroactive MFA enablement is detected when the attestation chain shows MFA was disabled at incident time but enabled afterward -- the timestamps and hash-chain positions are immutable. Backdated policy changes are detected when new attestations claim to represent historical state but their hash-chain positions are inconsistent with the claimed timestamps. Stale keys are detected by comparing the attested key rotation schedule against the policy's rotation requirements. Each detection is reported with the specific attestations that constitute the evidence.
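As an added illustration, not H33 code, of the chaining, replay and detection logic described in this section and in the three fraud scenarios above: a minimal SHA3-256 hash chain, a replay of governance state at an incident timestamp, and the checks behind retroactive policy insertion, the MFA gap and delegation expiry. The three post-quantum signature checks are left out; record field names (ts, effective, kind, id) are assumptions for this example.

```python
import hashlib
import json
GENESIS = "0" * 64

def digest(record):
    return hashlib.sha3_256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def link(records):
    """Append records to a hash chain: each carries the SHA3-256 of its predecessor."""
    chain, prev = [], GENESIS
    for rec in records:
        rec = dict(rec, prev=prev)
        chain.append(rec)
        prev = digest(rec)
    return chain

def verify_chain(chain):
    """Index of the first record whose prev hash does not match, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return i
        prev = digest(rec)
    return None

def replay(chain, at):
    """Fold only attestations appended at or before `at` into the governance state."""
    state = {"policy": {}, "mfa": {}, "delegation": {}}
    for rec in chain:
        if rec["ts"] <= at:  # later attestations cannot influence historical state
            state[rec["kind"]][rec["id"]] = rec
    return state

def find_anomalies(chain):
    """Backdating and ordering inconsistencies visible from chain positions alone."""
    issues, last_ts = [], 0
    for i, rec in enumerate(chain):
        if rec["ts"] < last_ts:
            issues.append((i, "timestamp earlier than chain predecessor"))
        if rec.get("effective", rec["ts"]) < rec["ts"]:
            issues.append((i, "claims effect before it was appended"))
        last_ts = max(last_ts, rec["ts"])
    return issues

# Constructed sample evidence (not real data); the simulated incident is at t=600.
CHAIN = link([
    {"ts": 100, "kind": "mfa", "id": "admin", "enabled": True},
    {"ts": 200, "kind": "mfa", "id": "admin", "enabled": False},
    {"ts": 300, "kind": "delegation", "id": "trader", "expires": 500},
    {"ts": 700, "kind": "policy", "id": "encryption-at-rest", "effective": 50},
    {"ts": 800, "kind": "mfa", "id": "admin", "enabled": True},
])
```

Replaying CHAIN at t=600 shows no encryption policy, MFA disabled on admin and an expired trader delegation, while find_anomalies flags the policy record that claims to have been effective long before it was appended.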

The HATS Conformance Standard

For cyber insurance, HATS certification means the policyholder has a continuous, cryptographically verifiable record of their security posture. Insurers can offer premium reductions for HATS-certified organizations because claim verification is faster, cheaper, and more reliable.

Expanded Use Cases

Where Cryptographic Claim Verification Creates Value

Cryptographic claim verification addresses the information asymmetry between insurers and policyholders that drives up costs across the cyber insurance market.

Frequently Asked Questions

Cyber Claim Verification FAQ

How does HATS detect fraud in cyber insurance claims?

HATS detects fraud by replaying governance state from cryptographic evidence. Every control -- MFA status, key rotation schedule, policy configuration, agent scope -- is recorded as a post-quantum signed attestation hash-chained to its predecessor. When a claim is filed, the replay engine reconstructs the exact state at the time of the incident. Retroactively enabled controls, backdated policy changes, and fabricated compliance evidence are mathematically detectable because they break the hash chain or fail signature verification.

Can policyholders tamper with governance evidence?

No. Every attestation is signed with three independent post-quantum signature families (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f) and hash-chained to its predecessor using SHA3-256. Modifying any attestation invalidates its signatures. Removing one breaks the hash chain. Inserting a fake attestation fails verification. The replay engine reports the exact location and nature of any tampering attempt.

What types of fraud does cryptographic replay catch?

Cryptographic replay detects retroactive MFA enablement (MFA was off during the breach but enabled afterward), backdated policy changes, stale or unrotated cryptographic keys, AI agent scope violations, fabricated compliance documentation, and gaps in continuous monitoring. Each detection is based on mathematical evidence from the attestation chain, not log interpretation or investigator judgment.

How fast is claim verification with governance replay?

Initial automated verification typically completes in minutes, not months. The replay engine processes attestation chains at hundreds of thousands of verifications per second on production hardware. Complex claims spanning months of operational history can be fully replayed in minutes. The detailed fraud detection report is generated automatically as part of the replay output.

Do insurers need H33 software to verify claims?

No. The replay verifier is an open-source CLI that runs offline. Insurers download the verifier, receive the attestation evidence bundle from the policyholder, and run replay on their own infrastructure -- including air-gapped machines. No H33 API key, account, or connectivity is required. Third-party implementations of the verifier produce identical results.

What is the 90-day HATS pilot?

The 90-day pilot is a structured onboarding program where an organization deploys HATS governance attestation across its critical controls. During the pilot, the organization builds 90 days of continuous cryptographic governance evidence. At the end, the organization has independently verifiable proof of its security posture that can be used for insurance underwriting, premium negotiation, and claims defense. The pilot requires minimal infrastructure change -- governance attestation integrates at the API boundary.