// USE CASES — VERTICAL WEDGEWhere kernel-level
Where kernel-level
actually matters.
We don't sell to everyone. We deploy where userspace observability is a liability — regulated healthcare, proprietary weights, safety-critical robotics.
+
// {c.ind}High-Compliance Healthcare
Kernel-level audit logs as evidence for HIPAA, NOM-024, and FDA SaMD reviews.
HIPAANOM-024FDA · SaMDGDPR · Art. 9
Imagine a hospital network running GPU-backed diagnostic imaging models. Auditors want evidence that PHI never left the host. The Auditor daemon attaches at libcuda.so and the ioctl tracepoint, records every GPU launch and ioctl as a structured event, exposes counts via Prometheus, and forwards alerts to whatever log pipeline you already trust. The audit artifact is the kernel-side event stream, captured below the application.
Audit posture
kernel-side · below the app
Evidence
Prometheus + log stream
Numbers above
design target · not measured
$
// {c.ind}Protecting Proprietary Weights
Flag agentic leaks of trading models, customer PII, and proprietary weights at the ioctl boundary.
SOC 2 · TYPE IIPCI-DSSFFIECNYDFS · Part 500
Imagine a quant desk training proprietary alpha models on H100s. The risk: a contractor's notebook fires a large ioctl that pulls weights off the device. The hot-path heuristic flags transfers above the configured byte threshold; a sample is forwarded to the on-host SLM, which scores risk 0–100 and returns a reason. Above threshold, the daemon writes a structured alert and (if mode = kill) SIGKILLs the offending PID before the next ioctl batch lands. No data leaves the host at any point.
Action
alert · or SIGKILL (opt-in)
Privacy
no host egress
Numbers above
design target · not measured
⊙
// {c.ind}Autonomous Robotics Observability
Kernel-side observability of GPU launches and ioctls in safety-relevant pipelines.
ISO 26262IEC 61508DO-178CUN R155
Imagine an industrial robotics OEM running on-vehicle perception + planning models on Nvidia accelerators. Safety review wants a record of every GPU kernel launch and every driver-bound ioctl, captured from the host kernel rather than from a userspace shim. The Auditor daemon provides that observability surface today: kernel-side recording and metric streams. Inline blocking of actuator-bound ioctl(2) (returning EFAULT from a kprobe with override) is a design we are evaluating; it is not part of the Auditor build today.
Today
observability · alerts · metrics
Inline gating
design study · not shipping
Numbers above
design target · not measured