Proof-grade security for systems that cannot fail silently.
Wick is a formal verification platform covering the full kill chain — before deployment, during operation, after breach. Every finding is a mathematical proof. Not a heuristic. Not a confidence score. A theorem.
17 surfaces. 3 kill chain phases. One verdict per system.

| HARDEN | INTERCEPT | RECOVER |
|---|---|---|
| Prove before deploy | Detect during operation | Respond after breach |
| Cobalt SRF-01 | Cassandre SRF-03 | Trace SRF-07 |
| Forge SRF-02 | Verdict SRF-05 | Vantum SRF-11 |
| Augur SRF-04 | Sentinel SRF-06 | IRIS SRF-13 |
| The Answer SRF-12 | Phantom SRF-10 | |
| Wraith SRF-08 | | |
| Skyveil SRF-09 | | |
| Vein SRF-14 | | |
| Cobalt PQC SRF-15 | | |
| Bedrock SRF-16 | | |
| Lattice SRF-17 | | |

HARDEN: prove before deploy

| Surface | ID | Target | Key Stat |
|---|---|---|---|
| Cobalt | SRF-01 | C / C++ / firmware / crypto libraries | 25+ confirmed CVEs |
| Cobalt PQC | SRF-15 | Kyber / Dilithium / Falcon — NIST FIPS 203/204/205 | Mandatory migration by 2027 |
| Bedrock | SRF-16 | Firmware / bootloaders / UEFI / embedded MCU | Below OS visibility |
| Forge | SRF-02 | Solidity / EVM smart contracts | 8 SWC classes, <30s scan |
| Skyveil | SRF-09 | Multi-domain military OSINT — ADS-B aircraft, AIS maritime, GDELT, NOTAM, Claude Intel Briefs | NATO INTSUM format, live threat scoring |
| Vein | SRF-14 | SBOM supply chain — CycloneDX / SPDX | Every dep. Every CVE. Proved. |
| Wraith | SRF-08 | Adversarial reachability — red team proof | Know the path before the attacker |
| Augur | SRF-04 | Multi-agent swarm behavior | Byzantine fault formal bounds |
| The Answer | SRF-12 | AI model fairness — EU AI Act / AIDA | Causal bias proved or disproved |
| Lattice | SRF-17 | Proof chain composer — all surfaces | One SHA-256 verdict for CISO / regulator |

INTERCEPT: detect during operation

| Surface | ID | Target | Key Stat |
|---|---|---|---|
| Cassandre | SRF-03 | Live DeFi protocols — invariant monitoring | Would have fired 4 blocks before $197M Euler exploit |
| Phantom | SRF-10 | Honeypot probe intelligence | Attacker found Phantom first |
| Sentinel | SRF-06 | AI agent pre-execution constraint enforcement | <100ms, 100% audit trail |
| Verdict | SRF-05 | AI agent behavioral drift detection | Session-level envelope proofs |

RECOVER: respond after breach

| Surface | ID | Target | Key Stat |
|---|---|---|---|
| Trace | SRF-07 | Cross-chain fund tracing — 6+ chains | 13 CEX contacts, 24/7 |
| Vantum | SRF-11 | Maritime intelligence — AIS sovereign | 0 foreign hops, CLOUD Act isolated |
| IRIS | SRF-13 | On-device facial recognition — sovereign biometric watchlist | 99.7%+ confidence, 0 cloud, PIPEDA/Law 25 |

| Target | Surface | Finding | Status |
|---|---|---|---|
| wolfSSL | Cobalt | Integer overflow — DH key parsing | PR merged upstream |
| NASA cFS | Cobalt | Stack overflow — embedded filesystem | ACK Amazon |
| Mosquitto | Cobalt | Buffer overflow | 2× CVE filed |
| libupnp | Cobalt | Stack overflow | CVE-2026-41682 |
| lwIP | Cobalt | Integer overflow | CVE filed |
| Mongoose | Cobalt | Buffer overflow | CVE filed |
| llama.cpp | Cobalt | Heap overflow | CVE filed |
| Mozilla NSS | Cobalt | Timing side-channel | Fixed |
| Balancer V3 | Forge | Reentrancy | Fixed |
| Euler V2 | Forge | Flash loan oracle | ACK |
| Morpho Blue | Forge | Access control | Fixed |
| COMPAS (Northpointe) | The Answer | Causal racial bias — Z3 certified | Certified |
| Custom Kyber768 | Cobalt PQC | KYBER_Q off-by-one vs FIPS 203 | Z3 certified |
| Dilithium3 impl | Cobalt PQC | Timing side-channel | Detected |

"Broken by Default: Formal Verification of AI-Generated Code", arXiv 2604.05292 — May 2026
3,500 artifacts · 55.8% vulnerability rate · 7 LLMs evaluated

Every Wick surface outputs a `wick-artifact/v1` JSON proof artifact:

```json
{
  "schema": "wick-artifact/v1",
  "surface": "cobalt",
  "surface_id": "SRF-01",
  "target": "wolfSSL 5.6.x",
  "verdict": "SAT",
  "finding": {
    "class": "integer-overflow",
    "cwe": "CWE-190",
    "condition": "key_len = 0xFFFFFFF4 → alloc_size wraps to 4 bytes",
    "witness": { "key_len": "0xFFFFFFF4" },
    "summary": "Heap write-out-of-bounds. PR merged upstream."
  },
  "proof": "z3-smtlib2-artifact"
}
```

Lattice (SRF-17) composes all artifacts into a single tamper-evident proof chain with one SHA-256 verdict — the single document a CISO or regulator signs.

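
One way a verifier could recompute a chained SHA-256 verdict over `wick-artifact/v1` files, added here as an example and not Wick's own code. The chaining rule, the all-zero genesis value, the required-key list and the second artifact are assumptions, since the page does not specify Lattice's actual format.

```python
import hashlib
import hmac
import json

SCHEMA = "wick-artifact/v1"
# Top-level keys seen in the page's sample artifact (treated as required: assumption).
REQUIRED = ("schema", "surface", "surface_id", "target", "verdict", "proof")


def canonical_bytes(artifact: dict) -> bytes:
    """Serialize deterministically so key order and whitespace cannot change the hash."""
    missing = [k for k in REQUIRED if k not in artifact]
    if artifact.get("schema") != SCHEMA or missing:
        raise ValueError(f"not a {SCHEMA} artifact (missing: {missing})")
    return json.dumps(artifact, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def chain_digest(artifacts: list) -> str:
    """Assumed construction: link_i = SHA256(link_{i-1} || SHA256(artifact_i))."""
    link = b"\x00" * 32  # fixed genesis value (assumption)
    for artifact in artifacts:
        leaf = hashlib.sha256(canonical_bytes(artifact)).digest()
        link = hashlib.sha256(link + leaf).digest()
    return link.hex()


def verify_chain(artifacts: list, expected_hex: str) -> bool:
    """Recompute the chain and compare in constant time; malformed input fails."""
    try:
        return hmac.compare_digest(chain_digest(artifacts), expected_hex.lower())
    except ValueError:
        return False


# Constructed sample input: the page's wolfSSL artifact (finding shortened)
# plus a second, made-up artifact with a placeholder target.
COBALT = {"schema": SCHEMA, "surface": "cobalt", "surface_id": "SRF-01",
          "target": "wolfSSL 5.6.x", "verdict": "SAT",
          "finding": {"class": "integer-overflow", "cwe": "CWE-190",
                      "witness": {"key_len": "0xFFFFFFF4"}},
          "proof": "z3-smtlib2-artifact"}
VEIN = {"schema": SCHEMA, "surface": "vein", "surface_id": "SRF-14",
        "target": "example-sbom.cdx.json", "verdict": "SAT",
        "proof": "z3-smtlib2-artifact"}

if __name__ == "__main__":
    verdict = chain_digest([COBALT, VEIN])
    print("chain verdict:", verdict)
    tampered = dict(COBALT, verdict="UNSAT")  # constructed tampering
    print("tampered verifies:", verify_chain([tampered, VEIN], verdict))
```

Because each link hashes the previous one, editing, dropping or reordering any artifact changes the final digest, while re-serializing the same artifact with a different key order does not.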
All Wick infrastructure runs on Canadian nodes. No U.S. cloud dependency. No foreign API calls. Designed for organizations operating under CCCS/ITSG-33, handling PROTECTED B data, or subject to GC procurement sovereignty requirements.
- PBMM-aligned
- ITSG-33 mapped
- FSC in progress
- Zero CLOUD Act exposure

- Frontend: Next.js 16 / TypeScript strict / TailwindCSS
- Verification: Z3 SMT solver (Python bindings) — SRF-01, 03, 05, 06, 09, 12, 14, 15, 16, 17
- Pipelines: `pipelines/cobalt_pqc.py`, `bedrock.py`, `vein.py`, `lattice.py`
- Deploy: Vercel (frontend) — sovereign node target OVH Canada

Dominik Blain — Founder, Wick Security
dominik@qreativelab.io | wick-security.ca

For responsible disclosure, security research partnerships, or government pilot engagements.