"My audit evidence depends on the SIEM staying up. My logs depend on me not being compromised."
Cryptographic integrity at creation. Tampering requires breaking three independent crypto stacks.
Related · tier-1 reading. For what a portable artifact actually is, see Portable Artifact.
SIEM-independent audit trail by construction
Every privileged action, configuration change, and security event emits a PQ-signed proof. The audit trail survives the SIEM vendor, the retention contract, and the system.
Tamper-evident by signature, not by storage controls
Integrity rests on three post-quantum signature families. An attacker who owns the SIEM still cannot forge proofs. Integrity is structural, not contractual.
Incident response evidence chain-portable
Detection, classification, containment decisions, and notifications all emit proofs the regulator can verify directly. 72-hour reporting becomes cryptographically anchored.
Post-quantum durability through Q-Day
Three independent PQ families (ML-DSA-65, FALCON-512, SLH-DSA-128f). When the host chain's signatures break, the receipt's integrity does not.