The operator CLI.
For the security engineering team on your payroll.
One of three CyberSecurityOS product surfaces, licensed per authorized operator. Fingerprint any binary. Diff two versions. Find timing leaks in constant-time claims. Stream drift verdicts during a live pentest. Across x86_64, AArch64, RISC-V, WebAssembly, ELF, Mach-O, PE — and across CPU, GPU, ANE, NPU, FPGA. Every primitive reports joules, not opinions.
Brave new world
The CPU is not the whole picture.
A 2026 adversary does not hide in the CPU, where every defender is looking. They hide in the GPU pipeline that loads ONNX weights. In the ANE matmul that the OS reports as opaque. In the NPU kernel that the vendor will not let you disassemble. In the FPGA LUT that no telemetry tool watches. Energy spent on those surfaces is energy that did not show up in your SIEM.
Joule traces carry a pj_by_device field. Drift reports flag any compute surface the ledger did not declare. A utility that suddenly spends 30% of its energy on the ANE — when its static ledger declared only CPU work — is an alert the measurement cannot miss.
Primitives
The red-hat toolkit.
Every primitive is a single shell command. Every output is machine-readable JSON. Every verdict is signed as a JWP ReceiptPayload.
joule-sec ledger
Static joule fingerprint of any ELF / Mach-O / PE.
$ joule-sec ledger /usr/bin/curl
arch : aarch64
instructions : 52783
total energy : 202184 pJ
signature : 4f3b1e7c8a2f9b6d...
per-class: alu 38% call 22% load 18% store 11% branch 8% crypto 2% ...Parses the executable, disassembles every instruction, classifies by energy bucket, emits a BLAKE3 fingerprint of the per-instruction picojoule sequence. Two builds with the same source produce the same fingerprint; one injected byte changes it.
joule-sec fingerprint · diff
Batch-ledger an entire corpus. Diff two binaries or two revisions.
$ joule-sec fingerprint /usr/local/bin > corpus.ndjson
scanned=142 ok=139 failed=3
$ joule-sec diff --a /opt/auth-v1.0 --b /opt/auth-v1.1
≠ DIVERGENT L1=0.087 total Δ=+8.3%
syscall 320 → 680 (+112.5%)
crypto 12 → 420 (NEW ← never before)What it catches: implanted backdoors in patched binaries (new classes appearing where none declared), silently-introduced cryptographic operations, supply-chain swap-outs where the hash passes but the energy signature diverges.
joule-sec leak-scan · leak-scan-bits
Dynamic side-channel scan. Find timing leaks by measurement.
$ joule-sec leak-scan ./auth-check --input-a 00 --input-b ff --iterations 40
✗ LEAKY
A (00): μ = 2.5 ms σ = 0.19 ms
B (ff): μ = 170.3 ms σ = 0.77 ms
Cohen's d = +296.9 (very large effect)
$ joule-sec leak-scan-bits ./auth-check --bits 64 --iterations 80
bits leaked: 7 / 64
∎ bit 0 bit 8 bit 16 bit 24 bit 32 bit 40 bit 48
(leak profile across every bit of the secret)What it catches: authentication oracles that branch on secret bits, not-actually-constant-time crypto, input-dependent cache patterns. Reports Cohen's d between two sample groups; a leak is a statistically separable distribution, not a pattern someone thinks looks suspicious.
joule-sec-tap · watch · tui
Live heterogeneous telemetry → drift stream → terminal dashboard.
$ joule-sec-tap --pid $PID --backend hardware --interval-ms 500 \
| joule-sec watch ./target/release/bin \
| joule-sec-tui
[dashboard: L1 sparkline · verdict tape · CPU/GPU/ANE share · alert log]Three tap backends: sysinfo (portable), perf (Linux PMC), hardware (macOS powermetrics / Linux RAPL). Each emits NDJSON with per-device picojoule breakdown. Pipe into watch for drift verdicts, then -tui for a live dashboard. Any non-CPU compute surface activity fires as an unexpected device alert against a CPU-only ledger — ANE / GPU hiding catches itself.
API
Every primitive has a REST endpoint.
POST /api/v1/joule-sec/ledger { kind, data_b64 } → JouleLedger + JWP receipt
POST /api/v1/joule-sec/verify { kind, data_b64,
observed: JouleTrace } → DriftReport + receipt
GET /api/v1/joule-sec/health → { ok, x86_64_ok, aarch64_ok }CI pipelines integrate via curl. SOC pipelines stream via the Joule Wire Protocol. Every response includes a signable ReceiptPayload — the verdict carries its own proof, so downstream systems can trust without rerunning.
Measurement is not a side. Physics is symmetric.
A multimeter does not ask who is reading it. The energy a program spends is the energy a program spends — whether the observer is a defender watching a fleet or a red team characterising a target. What changes is what you do with the reading.
The consumer side of CyberSecurityOS presents the same instrument as a plain-language alert: "Your browser ran instructions it never declared." The red-hat side presents it as raw truth: "input bit 3 correlates with a 34 µJ spend on the ANE; that's a leak." Both views, same silicon, same joules, same BLAKE3 signature.
Per-seat licensing for your internal security engineering team, tied to a named authorization under your master services agreement. We do not publish zero-day signatures. Leak profiles you discover stay with your engagement — unless you contribute them back to the corpus, in which case every other customer in your tier is protected the moment a red hat finishes a scan.
Pair this surface with the cyber range to validate that your defensive deployment actually catches what your operators can find, and with the defensive substrate to stream the same drift telemetry into your SOC.