SENTISEC
A CATEGORY-DEFINING DEFENSE SUBSTRATE FOR THE AGENT ERA

The control plane for agent cognition.

Autonomous agents are the next compute substrate. Every previous compute wave spawned a defense layer worth tens of billions. This one has not. We are building it — from Lausanne, Switzerland.

PRE-SEED · OPEN · DEEP-TECH · SECURITY CATEGORY CREATION · SWISS-BASED
FIG. A · CONTROL PLANE (OPAQUE, INVESTOR VIEW)
AGENT INPUT (intent · tools · content) → COGNITIVE INTEGRITY CONTROL PLANE → VERDICT (halt · proceed) · TRACE (signed · replayable)
Internal topology intentionally abstracted. Technical detail shared under NDA only.
∀ action a : a ∈ scope(intent) ∧ cog(a) ∈ clean
FIG. 01 · CATEGORY ENVELOPE
PRE-SEED · CATEGORY CREATION · DEEP TECH · CONTROL PLANE FOR AGENTS · OPEN PROTOCOL · COMMERCIAL IMPLEMENTATION · FORENSIC STANDARD · THREAT-INTEL FLYWHEEL · BASED IN LAUSANNE
§A THESIS

Every compute wave produces a defense substrate. This wave has not — yet.

FIG. C · COMPUTE WAVES × DEFENSE SUBSTRATES
  1. WEB · encrypted transport · TLS + CA · $10B+
  2. ENDPOINT · process integrity · AV → EDR · $50B+
  3. CLOUD · brokered access · CASB + IAM · $30B+
  4. SaaS · identity-bound policy · SSO + zero-trust · $40B+
  5. AGENT · cognitive integrity · SENTISEC · open

The agent wave breaks all prior substrates. The attack surface is the computation itself. Text firewalls, framework permissions, endpoint tools — all structurally blind to it. A new substrate is necessary. The only question is who defines it.

§B THE CATEGORY

Cognitive Integrity Monitoring.

A defense class that watches the computation a model performs under autonomous execution — not the text it reads or writes — and gates consequential actions on that reading. Analogous in role to control-flow integrity for compiled binaries.

What we actually do (black-box view)
IN  →  user intent, proposed actions, retrieved content
└── [ COGNITIVE INTEGRITY CONTROL PLANE ] ──┐
                                              ▼
OUT →  verdict · intervention · signed trace
Mechanism intentionally omitted here. Technical detail is shared with signed design partners and investors under NDA.
§C MARKET & TIMING

The window opens once. It is opening now.

01
TAM
$10–40B steady-state, modeled on prior defense substrates. Wedge: $300M–$1B near-term in regulated enterprise agent deployments (finance, health, government, critical infra).
02
Wedge
Fortune 500 AI platform leads and CISOs deploying agents in production. Incident-driven — the first public catastrophic breach turns this from pilot to procurement line item.
03
Catalysts
Agent adoption curve → incident frequency curve → regulatory curve. All three compound. First substrate-category vendor to reach 8–12 enterprise lighthouse logos wins the category.
04
Timing
Adjacent vendors exist but are text-layer or framework-bound. The computation-layer is open. Frontier labs will not occupy it themselves — neutrality is structurally required.
§D MOAT

Composition + operation + standard + evidence.

01
Composition
We compose ~20 peer-reviewed primitives across four fields into a single defense pipeline. Each primitive is proven in isolation — the composition and its operationalization is the work.
02
Threat-intel flywheel
Every customer session feeds our adversarial corpus; the computation and policies retrain weekly. CrowdStrike's moat at the cognition layer. Network effects tilt toward the first-at-scale player.
03
Open protocol
The interchange schema is open. The implementation is commercial. Standards-first positioning earns ecosystem allies; operation is where the business is captured.
04
Forensic standard
First vendor to ship a regulator-replayable cognitive trace becomes the default reference for EU AI Act Article 12 and the sector regulators downstream of it.
§E ROADMAP

Falsification-first. Every phase is a go / no-go.

  1. PHASE 00 · Concept demo (done) · Now
    A visual compression of the thesis. Used to book briefings with CISOs and platform leads.
  2. PHASE 01 · Production MVP — closed-model subset · 4 weeks
    A deployable SDK + proxy running on Claude / GPT / Gemini. Five ship-ready components. First design partner in production. Catches a meaningful attack class without requiring activation access.
  3. PHASE 02 · Deep stack — open-weight full pipeline · Month 2–4
    Add the computation-layer signals against open-weight models. Published benchmarks vs AgentDojo / InjecAgent. Competitive separation from text-layer vendors becomes indisputably clear.
  4. PHASE 03 · Enterprise scale · Month 5–9
    2–3 design partners in production. SOC 2 Type I. First paid contracts. Red team operational. First public case study.
  5. PHASE 04 · Category leadership · Month 10–18
    Open protocol v1.0. TEE-attested deployment. Multi-agent session graphs. Series A on category dominance.
§07 RESEARCH LINEAGE

Every primitive we use is published. No one has composed them for this problem.

Sentisec stands on roughly two decades of research across four fields. Our edge is the composition, the engineering, and the threat-intel operation around it — not a single unproven idea.

01
Mechanistic interpretability
Anthropic, Goodfire, Transluce, academic labs (2020–2026)
02
Information flow control
Myers, Asbestos, HiStar, CaMeL (1999–2024)
03
Capability security
Dennis & Van Horn, Miller, Macaroons (1966–2014)
04
Control-flow integrity
Abadi et al. 2005 and the shadow-stack lineage
05
Side-channel analysis
Kocher, Bernstein, and the hardware-security lineage
06
Behavioral anomaly detection
Denning 1987 onward, modern EDR
07
Adversarial ML
Carlini & Wagner, Metzen, 2017–2026
~20 PEER-REVIEWED PRIMITIVES · ONE NEW PROBLEM
COMPOSITION · OPERATIONALIZATION · THREAT-INTEL
§F TEAM

Founder-led. Research-rooted. Swiss-based.

Founder: deep work in applied ML security and agent systems engineering. Headquartered in Lausanne, Switzerland — neutral ground at the intersection of EPFL research and EU enterprise access. Advisors: interpretability researchers, former CISOs of Fortune 500s, and ex-founders of prior security substrates (disclosed under NDA). Hiring: two research engineers and one red-team lead in the first six months.
§G THE ASK

Pre-seed.

  • 01 Round: pre-seed, target close Q2 2027
  • 02 Use of funds: founding research engineers + red team + two design-partner deployments + closed-model shadow-mode validation
  • 03 Lead and strategic angels welcome. Timing matters more than valuation.
  • 04 Meetings in person at our Lausanne office or remote — your call.