Run Silent.
Run Deep.
Track Everything.

CMMC-Ready NDR for Industrial Infrastructure

ML detection on OT and IoT protocols. Built for compliance.

Built on the SIGMA Algorithm (patent pending) — predictive behavioral detection that catches what signatures miss. Air-gap native. No cloud. No telemetry. The plant's data stays at the plant. $999 perpetual per site. Buy once. Own forever.

Four detection engines. One layered prediction.

Each card is an algorithm or engine. Arrows show how output feeds the next layer — no detector stands alone. Together they turn a stream of mystery scores into a single predictive alert.

[Pipeline diagram, recovered from the figure] Suricata + plugins emit raw EVE events; windowed feature vectors (flow / dns / tls / tcp_perf / udp_perf / payload_entropy) are built over 15-min asset windows and feed the four engines in order:

  • iFOREST: Isolation Forest (offline). "Is THIS flow anomalous?" → per-flow anomaly_score 0–1; catches encrypted / novel tooling. Surfaces on the Anomalies page.
  • HBOS: Histogram outlier (online, Welford streaming). "Did THIS HOST drift from itself?" → per-host context: drift events, SLA breaches. Surfaces on the Reliability page.
  • SIGMA: Behavioral tokenizer (15-min windows, uses HBOS). "Is the drift security-meaningful?" → ATT&CK narrative: tactic + surprisal, token vocabulary. Surfaces on the SIGMA page.
  • OCCAM: HMM Viterbi predictor (consumes SIGMA tokens). "Does the SEQUENCE match an attack?" → predictive alert and disposition, pre-intrusion alerts. Surfaces on the Occam page.
Layer 1 · iForest

Per-flow anomaly scoring

An Isolation Forest — an unsupervised ML algorithm trained offline on representative traffic and applied to every flow. Catches what signatures don't: encrypted threats, novel malware, custom tooling.

  • Builds many random decision trees; anomalies isolate quickly — short paths = high score
  • No distribution assumptions — works on encrypted payloads where deep inspection fails
  • Pre-trained baseline ships with Rockfish; supports retraining against your own corpus
  • Output: anomaly_score in [0 .. 1] per flow
  • Surfaces in the report's Anomalies page
Isolation Forest scoring
    # How a flow gets scored
    flow ──► [tree₁ tree₂ ... tree₁₀₀]
                      │
                      ▼
              avg_path_length
                      │
                      ▼
      anomaly_score = 2^(−avg / c(n))

    # Practical outputs
    0.05   normal traffic
    0.50   borderline / unusual
    0.85   strong anomaly
    0.95+  near-certain anomaly
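To make the scoring formula above concrete, here is an added Python example (not Rockfish code) that implements a small Isolation Forest from scratch: random axis-aligned splits, the c(n) path-length normalisation from Liu, Ting & Zhou (2008), and anomaly_score = 2^(−avg / c(n)). The flow feature vectors (bytes, packets, payload entropy, duration), the baseline corpus and the two scored flows are constructed for the demo; the tree count, subsample size and depth cap are assumptions, not Rockfish's settings.

```python
"""Added example, not Rockfish code: a minimal Isolation Forest scoring
per-flow feature vectors with anomaly_score = 2^(-avg_path / c(n)).
Flows are constructed tuples of (bytes, packets, payload entropy, seconds)."""
import math
import random

EULER_GAMMA = 0.5772156649


def c(n: int) -> float:
    """Expected path length of an unsuccessful BST search over n points; it
    normalises raw tree depth so scores are comparable across sample sizes."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + EULER_GAMMA
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Isolate points with random axis-aligned splits until each is alone or the
    depth cap is hit; capped leaves are later scored with c(leaf_size)."""
    n = len(points)
    if n <= 1 or depth >= max_depth:
        return {"leaf": True, "size": n}
    dim = rng.randrange(len(points[0]))
    lo, hi = min(p[dim] for p in points), max(p[dim] for p in points)
    if lo == hi:
        return {"leaf": True, "size": n}
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[dim] < split]
    right = [p for p in points if p[dim] >= split]
    return {"leaf": False, "dim": dim, "split": split,
            "left": build_tree(left, depth + 1, max_depth, rng),
            "right": build_tree(right, depth + 1, max_depth, rng)}


def path_length(tree, x):
    """Depth at which x lands, plus the c() estimate for an unsplit leaf."""
    depth = 0
    while not tree["leaf"]:
        tree = tree["left"] if x[tree["dim"]] < tree["split"] else tree["right"]
        depth += 1
    return depth + c(tree["size"])


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=128, seed=7):   # assumed settings
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)
        self.trees, self.n = [], 0

    def fit(self, flows):
        """Offline training on representative traffic, one subsample per tree."""
        self.n = min(self.sample_size, len(flows))
        max_depth = math.ceil(math.log2(self.n))
        self.trees = [build_tree(self.rng.sample(flows, self.n), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, flow):
        """anomaly_score in (0, 1): a short average path means the flow isolates
        quickly, i.e. it looks unlike the training traffic."""
        avg = sum(path_length(t, flow) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / c(self.n))


def make_flows(n, seed=1):
    """Constructed baseline: small, short, low-entropy flows."""
    rng = random.Random(seed)
    return [(rng.gauss(2000, 300), rng.gauss(20, 4), rng.gauss(4.5, 0.4), rng.gauss(1.0, 0.2))
            for _ in range(n)]


def demo():
    forest = IsolationForest().fit(make_flows(256))
    typical = (2000.0, 20.0, 4.5, 1.0)               # sits in the middle of the baseline
    bulk_transfer = (5_000_000.0, 4000.0, 7.9, 120.0)  # large, high-entropy, long-lived
    return forest.score(typical), forest.score(bulk_transfer)


if __name__ == "__main__":
    normal, anomalous = demo()
    print(f"typical flow    anomaly_score={normal:.2f}")
    print(f"bulk transfer   anomaly_score={anomalous:.2f}")
```

The large high-entropy flow lands far outside every training range, so it is pushed to the edge of each tree within a few splits and scores well above the typical flow, which keeps landing in the crowded side of each split and hits the depth cap. Retraining on your own corpus, as the page describes, amounts to calling fit() on flows captured from the plant.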
Layer 2 · HBOS

Per-host drift & reliability

Histogram-Based Outlier Score (Goldstein & Dengel, 2012) running online with Welford streaming per asset. Maintains a per-host baseline of expected feature ranges and flags windows that deviate — the same machinery catches network reliability issues and the early signal of host compromise.

  • One baseline per asset, updated incrementally — no training data needed
  • Per-feature histograms make drift interpretable: "TCP retransmits 4.2σ above this host's norm"
  • Catches dual-use signal: degraded servers and stealthy compromise
  • Output: drift events, SLA-breach windows, per-feature surprisal in bits
  • Surfaces in the report's Reliability page; also feeds SIGMA
HBOS per-asset baseline
    # Per-feature histogram → outlier score
    asset_10.0.12.45 (15-min window)
    ├── tcp_handshake_rtt    surprisal 4.2σ
    ├── dns_failure_ratio    surprisal 3.1σ
    ├── retransmit_ratio     surprisal 1.4σ
    └── ...
    HBOS_score = Σ −log P(feature_i)

    # Verdict
    state = drift       (4.2σ > threshold)
    state = sla_breach  (DNS fail > 0.30)
Layer 3 · SIGMA

Behavioral tokenization & ATT&CK mapping

Every 15 minutes, for every asset, SIGMA aggregates window stats and emits tokens — short labels representing observed behavior categories — each with a surprisal score in bits and an ATT&CK tactic. Translates raw drift into a security narrative an analyst can actually read.

Note: Rockfish's SIGMA is a behavioral tokenizer, not the public SIGMA-rules YAML grammar at sigmahq.io. Same name, different thing.

  • Token vocabulary: encrypted-ratio-high, unusual-port-mix, slow-handshake, …
  • Each token mapped to one of MITRE ATT&CK's 14 tactics
  • Surprisal score computed from HBOS — "rare for this asset" is the standard, not "rare for the network"
  • Patent-pending behavioral signal compression
  • Surfaces in the report's SIGMA page; consumed by OCCAM
SIGMA tokenizer output
    # Token emitted per asset / 15-min window
    {
      "asset": "10.0.12.45",
      "window": "2026-04-29T14:00Z",
      "token": "encrypted-ratio-high",
      "tactic": "exfiltration",
      "surprisal": 8.7,
      "features": [
        "entropy_toserver=7.94",
        "pcr=0.92",
        "bytes_sampled=8192"
      ]
    }
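Layers 2 and 3 share one baseline, so the following added Python example (not Rockfish code) covers both: a per-asset Welford streaming baseline with a histogram per feature in the style of HBOS (Goldstein & Dengel, 2012), giving the per-feature σ deviation, the Laplace-smoothed −log₂ P surprisal in bits and the drift / sla_breach verdict, and on top of it a tokenizer that emits page-style tokens with a tactic and the HBOS surprisal of the feature that fired. Feature names and the 0.30 DNS-failure SLA line come from the page; the 4σ drift threshold, the warm-up length, the token rules, the tactic labels for tokens other than encrypted-ratio-high, and the sample windows are constructed assumptions.

```python
"""Added example, not Rockfish code: a streaming per-asset baseline in the
style of HBOS (Goldstein & Dengel, 2012) using Welford running statistics,
with a small behavioural tokenizer on top.  Feature names follow the page;
token rules, tactic labels other than encrypted-ratio-high, thresholds and
sample windows are constructed assumptions for this demo."""
import math
import random

FEATURES = ("tcp_handshake_rtt", "dns_failure_ratio", "retransmit_ratio",
            "entropy_toserver", "distinct_dst_ports")
DRIFT_SIGMA = 4.0       # assumed per-feature drift threshold (in sigma)
SLA_DNS_FAIL = 0.30     # DNS failure ratio that counts as an SLA breach (from the page)
WARMUP_WINDOWS = 10     # assumed: no verdict until the asset has this much history
Z_EDGES = [-4 + 0.5 * i for i in range(17)]   # histogram edges in sigma units
N_BINS = len(Z_EDGES) + 1                      # plus one overflow bin at each end
# feature -> (token, ATT&CK tactic); a rule fires when the feature sits DRIFT_SIGMA above its norm
TOKEN_RULES = {
    "entropy_toserver":   ("encrypted-ratio-high", "exfiltration"),  # tactic as shown on the page
    "distinct_dst_ports": ("unusual-port-mix", "discovery"),         # assumed mapping
    "tcp_handshake_rtt":  ("slow-handshake", "impact"),              # assumed mapping
}


class Welford:
    """Streaming mean/variance in one pass, no stored history."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def z(self, x):
        std = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        return (x - self.mean) / max(std, 1e-9)


def z_bin(z):
    """Histogram bin index for a sigma value; tails beyond ±4σ land in the overflow bins."""
    return next((i for i, edge in enumerate(Z_EDGES) if z < edge), len(Z_EDGES))


class AssetBaseline:
    """One baseline per asset: Welford stats plus a z-space histogram per feature."""
    def __init__(self):
        self.stats = {f: Welford() for f in FEATURES}
        self.hist = {f: [0] * N_BINS for f in FEATURES}
        self.windows = 0

    def surprisal_bits(self, feature, z):
        """-log2 P(bin); Laplace smoothing keeps never-seen bins finite but expensive."""
        counts = self.hist[feature]
        return -math.log2((counts[z_bin(z)] + 1) / (sum(counts) + N_BINS))

    def learn(self, window):
        for f in FEATURES:
            if self.windows >= WARMUP_WINDOWS:           # bin against the pre-update baseline
                self.hist[f][z_bin(self.stats[f].z(window[f]))] += 1
            self.stats[f].update(window[f])
        self.windows += 1


def observe(baselines, asset, window):
    """Score one 15-minute window against the asset's own history, then learn from it
    unless it was flagged, so a slow compromise cannot teach itself into the baseline."""
    base = baselines.setdefault(asset, AssetBaseline())
    if base.windows < WARMUP_WINDOWS:
        base.learn(window)
        return None
    per_feature = {}
    for f in FEATURES:
        z = base.stats[f].z(window[f])
        per_feature[f] = {"sigma": z, "bits": base.surprisal_bits(f, z)}
    drift = any(abs(v["sigma"]) > DRIFT_SIGMA for v in per_feature.values())
    sla_breach = window["dns_failure_ratio"] > SLA_DNS_FAIL
    tokens = [{"asset": asset, "token": tok, "tactic": tac,
               "surprisal": round(per_feature[f]["bits"], 2),
               "features": [f"{f}={window[f]:.2f}"]}
              for f, (tok, tac) in TOKEN_RULES.items() if per_feature[f]["sigma"] > DRIFT_SIGMA]
    if not (drift or sla_breach):
        base.learn(window)
    return {"state": "sla_breach" if sla_breach else "drift" if drift else "normal",
            "hbos_score": sum(v["bits"] for v in per_feature.values()),
            "per_feature": per_feature, "tokens": tokens}


def quiet_window(rng):
    """Constructed 15-minute window for a healthy host."""
    return {"tcp_handshake_rtt": rng.gauss(20, 3), "dns_failure_ratio": rng.uniform(0, 0.05),
            "retransmit_ratio": rng.gauss(0.01, 0.003), "entropy_toserver": rng.gauss(4.5, 0.3),
            "distinct_dst_ports": rng.gauss(3, 0.8)}


def demo():
    rng, baselines, asset = random.Random(3), {}, "10.0.12.45"
    for _ in range(40):                          # ten hours of unremarkable history
        observe(baselines, asset, quiet_window(rng))
    exfil = dict(quiet_window(rng), tcp_handshake_rtt=20.0, entropy_toserver=7.94, distinct_dst_ports=30.0)
    dns_outage = dict(quiet_window(rng), dns_failure_ratio=0.45)
    return observe(baselines, asset, exfil), observe(baselines, asset, dns_outage)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict["state"], [t["token"] for t in verdict["tokens"]])
```

Two design points worth noting. The histogram is kept in σ units of the asset's own running statistics, which is what makes "rare for this asset" the standard rather than "rare for the network". And a flagged window is scored but not learned, so an attacker who drifts a host slowly cannot drag the baseline along; the cost is that a permanent legitimate change needs an operator reset of that asset's baseline.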
Layer 4 · OCCAM

Sequence prediction & pre-intrusion alerts

A Hidden Markov Model over the SIGMA token sequence per asset. Named for Occam's razor: when several attack paths could explain the observed sequence, pick the simplest. The Viterbi algorithm scores how strongly the recent sequence resembles a known attack path.

  • Forecasts attacks while they're still in progress — before exfil completes
  • Disposition per token: suppressed / investigate / present / elevated
  • Suppresses isolated anomalies that don't match any known sequence — major false-positive cut
  • Explainable via Viterbi paths: "this token completed the recon → lateral → exfil path"
  • Surfaces in the report's Occam page; pre-intrusion alerts route to MQTT/Kafka
OCCAM Viterbi prediction
    # Recent SIGMA tokens for asset 10.0.12.45
    t-45m  recon-scan-light        surprisal 5.1
    t-30m  unusual-port-mix        surprisal 6.0
    t-15m  encrypted-ratio-high    surprisal 8.7
    t- 0m  outbound-volume-spike   surprisal 7.8

    # Viterbi match (best HMM path)
    recon → discovery → exfiltration
            ↑ likelihood: 0.91
    ➜ disposition: elevated    PRE-INTRUSION ALERT
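The following added Python example (not Rockfish code) shows the mechanics behind the match above: a Hidden Markov Model whose hidden states are tactics and whose observations are SIGMA-style tokens, decoded with the Viterbi algorithm, plus a forward pass so the best path can be reported as a share of all the probability mass (the "likelihood"). The four-token sequence is the one on the page; the transition and emission tables, the "quiet" filler token, the 0.75 posterior threshold and the disposition rules are constructed assumptions, and the resulting likelihood is therefore not the page's 0.91.

```python
"""Added example, not Rockfish code: Viterbi decoding of a SIGMA-style token
sequence with a small HMM whose hidden states are ATT&CK tactics.  Transition
and emission tables, the "quiet" token, the posterior threshold and the
disposition rules are constructed assumptions for this demo."""

STATES = ("benign", "reconnaissance", "discovery", "exfiltration")
TOKENS = ("quiet", "recon-scan-light", "unusual-port-mix",
          "encrypted-ratio-high", "outbound-volume-spike")
START = {"benign": 0.7, "reconnaissance": 0.2, "discovery": 0.05, "exfiltration": 0.05}
# Transition probabilities encode the expected kill-chain order (constructed).
TRANS = {
    "benign":         {"benign": 0.9, "reconnaissance": 0.1, "discovery": 0.0, "exfiltration": 0.0},
    "reconnaissance": {"benign": 0.1, "reconnaissance": 0.5, "discovery": 0.4, "exfiltration": 0.0},
    "discovery":      {"benign": 0.1, "reconnaissance": 0.0, "discovery": 0.4, "exfiltration": 0.5},
    "exfiltration":   {"benign": 0.2, "reconnaissance": 0.0, "discovery": 0.0, "exfiltration": 0.8},
}
# Emission probabilities: which tokens each tactic tends to produce (constructed).
EMIT = {
    "benign":         dict(zip(TOKENS, (0.85, 0.0375, 0.0375, 0.0375, 0.0375))),
    "reconnaissance": dict(zip(TOKENS, (0.10, 0.60, 0.20, 0.05, 0.05))),
    "discovery":      dict(zip(TOKENS, (0.10, 0.20, 0.60, 0.05, 0.05))),
    "exfiltration":   dict(zip(TOKENS, (0.05, 0.025, 0.025, 0.45, 0.45))),
}
ELEVATED_MIN = 0.75  # assumed: posterior needed before a pre-intrusion alert is raised


def viterbi(tokens):
    """Most likely tactic path for the token sequence, with its joint probability."""
    delta = [{s: START[s] * EMIT[s][tokens[0]] for s in STATES}]
    back = []
    for obs in tokens[1:]:
        row, ptr = {}, {}
        for s in STATES:
            prev, best = max(((p, delta[-1][p] * TRANS[p][s]) for p in STATES),
                             key=lambda kv: kv[1])
            row[s], ptr[s] = best * EMIT[s][obs], prev
        delta.append(row)
        back.append(ptr)
    last = max(STATES, key=lambda s: delta[-1][s])
    path = [last]
    for ptr in reversed(back):          # follow the back-pointers to the start
        path.append(ptr[path[-1]])
    return list(reversed(path)), delta[-1][last]


def forward(tokens):
    """Total probability of the observations, summed over every tactic path."""
    alpha = {s: START[s] * EMIT[s][tokens[0]] for s in STATES}
    for obs in tokens[1:]:
        alpha = {s: sum(alpha[p] * TRANS[p][s] for p in STATES) * EMIT[s][obs] for s in STATES}
    return sum(alpha.values())


def predict(tokens):
    """Best path, the share of probability mass it explains, and a disposition."""
    path, joint = viterbi(tokens)
    posterior = joint / forward(tokens)   # P(best path | tokens)
    if all(s == "benign" for s in path):
        disposition = "suppressed"        # an isolated oddity with no attack-shaped sequence
    elif path[-1] != "benign" and posterior >= ELEVATED_MIN:
        disposition = "elevated"          # pre-intrusion alert
    elif posterior >= 0.5:
        disposition = "present"
    else:
        disposition = "investigate"
    return {"path": path, "likelihood": round(posterior, 2), "disposition": disposition}


def demo():
    page_sequence = ["recon-scan-light", "unusual-port-mix",
                     "encrypted-ratio-high", "outbound-volume-spike"]
    lone_anomaly = ["quiet", "encrypted-ratio-high", "quiet", "quiet"]
    return predict(page_sequence), predict(lone_anomaly)


if __name__ == "__main__":
    for verdict in demo():
        print(" → ".join(verdict["path"]), verdict["likelihood"], verdict["disposition"])
```

The second sequence is the false-positive case the page describes: one encrypted-ratio-high token surrounded by quiet windows decodes to an all-benign path and is suppressed, whereas the same token inside a recon → discovery → exfiltration sequence is elevated. For long token histories the products underflow, so a production decoder works in log space; plain probabilities are used here only to keep the arithmetic readable.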

All four engines, on one screen.

The Radial Sonar is the operator-facing view of the analytics stack. Every flow plotted by protocol (spoke) and by risk (radius). The radius is the compounded output of the four engines — a single visual where the layered prediction becomes obvious at a glance.

How the layers map to the sonar

  • Normal — iForest score low & HBOS within baseline. Inner rings.
  • Internal — benign asset-to-asset traffic, similar inner-ring placement.
  • Suspect — iForest elevated or HBOS drift fired. Mid-ring placement; SIGMA token attached.
  • Alert (pulsing) — OCCAM disposition elevated. Outer-ring perimeter, where your eye lands first.

The dashed threshold ring is the operator's risk-cutoff knob — everything outside it deserves attention. Time-window control replays the last 1–60 minutes so you can scrub through an unfolding incident frame by frame.


Ready for CMMC compliance?

Deploy Rockfish NDR in minutes. Single binary. No dependencies. Full pipeline.

We built this for Defense Industrial Base contractors.

Now we want to prove it.

We are looking for defense contractors and C3PAOs to deploy Rockfish NDR in a production environment at no cost. Slots are limited.

Requirements are simple: you run it, we support it, you tell us what you think. If that sounds like a fair trade, let's talk.