Every binary that runs on your infrastructure gets a substrate attestation at deploy time — SHA3-256 hash, three post-quantum signature families, 74-byte permanent proof. A runtime watchdog scans every process every 60 seconds. Anything unattested is killed.
```bash
curl -sSL https://h33.ai/install/sentinel | sudo bash
h33-sentinel attest /opt/myapp/server --label my-app
```
Hashes the binary (SHA3-256), creates a substrate attestation with three PQ signature families, stores a sealed receipt. Each attestation = 1 API credit.
Use `ExecStartPre=h33-sentinel verify /path/to/binary` in systemd. If the hash doesn't match the attestation, the process never starts.
Every 60 seconds, Sentinel re-hashes every running process and checks against its attestation. Tampered binary? Killed. Unattested binary? Killed. Zero-day malware that was never attested? Killed.
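
The attest-then-verify model described above, as an added example in Python. It is not H33's code: the receipt layout, the HMAC-SHA-256 seal and the function names are assumptions, and the post-quantum signatures are left out.

```python
import hashlib, hmac, json, os, tempfile

def sha3_file(path, chunk=1 << 20):
    """Stream a file through SHA3-256 so large binaries are not read into memory."""
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _seal(body, key):
    # Assumed seal: HMAC-SHA-256 over a canonical JSON encoding of the receipt body.
    canon = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def attest(path, label, key):
    """Build a receipt (hypothetical layout) for a binary and seal it."""
    body = {"label": label, "path": os.path.realpath(path), "sha3_256": sha3_file(path)}
    return {**body, "seal": _seal(body, key)}

def verify(path, receipt, key):
    """Return 'unattested', 'receipt-tampered', 'binary-tampered' or 'ok'."""
    if receipt is None:
        return "unattested"
    body = {k: v for k, v in receipt.items() if k != "seal"}
    # Check the seal first: the stored hash is only trusted once the receipt is intact.
    if not hmac.compare_digest(_seal(body, key), str(receipt.get("seal", ""))):
        return "receipt-tampered"
    if not hmac.compare_digest(body["sha3_256"], sha3_file(path)):
        return "binary-tampered"
    return "ok"

def demo():
    """Constructed sample: a temp file stands in for the deployed binary."""
    key = b"constructed-demo-key"  # constructed value, not a real secret
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "server")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF constructed sample")
        receipt = attest(binary, "my-app", key)
        results = [verify(binary, receipt, key), verify(binary, None, key)]
        forged = dict(receipt, sha3_256="0" * 64)  # receipt edited, seal not recomputed
        results.append(verify(binary, forged, key))
        with open(binary, "ab") as f:              # binary modified after attestation
            f.write(b"patched")
        results.append(verify(binary, receipt, key))
        return results
```

A symmetric seal like this one is only as strong as the protection of its key: any account that can read the key can reseal an edited receipt.
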
| | Traditional AV | H33 Sentinel |
|---|---|---|
| Detection model | Pattern-match known bad (signatures) | Mathematically prove known good (attestation) |
| Zero-day protection | None until signature update | Immediate — unattested = blocked |
| False positives | Common (heuristic guessing) | Zero (binary either matches its attestation or doesn't) |
| Performance impact | Continuous scanning, high CPU | 60-second hash check, negligible |
| Cryptographic proof | None | SHA3-256 + 3 PQ signature families per binary |
| Tamper detection | AV itself can be disabled | Receipt sealed with HMAC — tampering detected |
| Supply chain | Trusts the AV vendor's signatures | Trusts your own attestation at build time |
Sentinel uses your existing H33 API credits. Each binary attestation = 1 API credit. The watchdog itself is free — it runs locally and never calls the API. You only pay when you attest a new or updated binary.