Endpoint Cognitive Operating Shell — a CLI-powered, zero-install security fabric built on top of the first Large Telemetry Model (LTM).
ecOS (Endpoint Cognitive Operating Shell) is a modular, command-line framework that embeds security at the prompt layer. It unifies local sensing, explainable reasoning, and zero‑trust guardrails so endpoints can defend themselves, assist analysts, and continuously improve without heavy agents or complex deployments.
ecOS operates on top of the first Large Telemetry Model (LTM) — a telemetry intelligence layer that consolidates multi‑source security events, normalizes them into a common representation, and preserves full‑fidelity context for learning. LTM supplies structured knowledge, features, and historical feedback; ecOS provides the local control plane and operator experience.
ecOS and LTM implement Self-Reinforcing Generative Learning (SRGL), a neuroscience-inspired, GAN-like framework that ingests raw activity and curated intelligence to generate improved detections and policies, iteratively optimized via outcome feedback.
SRGL loop
- Observe — The endpoint senses high‑value behaviors (process, file, network, identity, OS artifacts) and emits compact, structured signals to LTM while preserving originals for audit.
- Propose — Generative models synthesize candidate behavior profiles, policies, and enrichment rationales from current signals and prior knowledge.
- Validate — Proposed outputs are tested against recent and historical telemetry, with evidence‑trail generation and confidence calibration.
- Reinforce — Human feedback, model outcomes, and operational impact strengthen or weaken proposed policies via weak supervision, pseudo‑labels, and active learning.
- Deploy & Govern — Validated policies are activated with guardrails; drift and calibration are continuously monitored to maintain trustworthy decisions.
The result is a system that learns faster with every interaction, turning expert judgment and real‑world outcomes into durable capability.
-
SEB — Synthetic Endpoint Brain
A lightweight execution layer that observes behaviors, triggers micro‑investigations, and emits structured telemetry aligned to LTM’s schema. SEB is designed for minimal overhead and precision collection synchronized with investigative needs. -
SynA — Synthetic Analyst
An explainable reasoning engine that consumes SEB signals and LTM knowledge to propose classifications, highlight evidence, and quantify uncertainty. SynA exposes the why behind a decision, the gaps in evidence, and the next best action. -
STRIDE — Local‑First Zero‑Trust AI for AI
A real‑time guardrail that inspects inputs and outputs to and from local language/ML models. STRIDE enforces content policy, detects sensitive data movement, and applies allow/deny decisions before data reaches a model or leaves the endpoint.
Together, SEB + SynA + STRIDE make ecOS an autonomous, inference‑driven shell: sensing, reasoning, and enforcing in a single, portable interface.
-
Sense & Normalize
SEB captures targeted signals and transmits them using an external, versioned mapping. LTM normalizes to a common schema, preserves raw context, and computes stateful identifiers needed for correlation and learning. -
Reason & Correlate
LTM builds unified representations across sources and time windows, providing ecOS with contextual insights, probabilistic associations, and confidence estimates that are explainable and auditable. -
Label & Learn
ecOS surfaces proposed labels and rationales from SynA and prior history. Human feedback, model inferences, and operational signals are fused into a final label with calibrated confidence. LTM stores these labels and updates models using weak supervision, pseudo‑labeling, active learning, and online calibration. -
Generate & Update
When the operator supplies relevant public intelligence or artifacts, ecOS can request generative extraction in LTM to produce structured behaviors and policies for review and activation, closing the loop.
- CLI‑native operations: Query local state, initiate micro‑investigations, stream decisions, and apply policies directly from the shell.
- Explainable autonomy: Every decision includes rationale, contributing evidence, uncertainty estimates, and recommended next steps.
- Evidence‑gap guidance: When confidence is limited, ecOS pinpoints missing signals to collect, accelerating targeted triage.
- Modes of operation:
- Observe — passive sensing and enrichment.
- Protect — STRIDE guardrails and local enforcement.
- Learn — prioritize ambiguous cases for human review and labeling.
- Research — transform curated intelligence into validated, deployable policies.
- Portable and resource‑efficient: Single‑binary, zero‑install delivery suitable for servers, endpoints, lab rigs, and edge devices.
- Speed with assurance — faster triage and response, backed by transparent evidence and calibrated confidence.
- Lower operational friction — an external mapping governs evolution without code changes, reducing coupling and maintenance.
- Continuous improvement — SRGL converts day‑to‑day outcomes into lasting capability, respecting and amplifying analyst judgment.
- Trust and accountability — deterministic policies, auditable learning steps, and precise provenance from collection to decision.
The Community Edition is focused on education, research, and collaborative innovation. It emphasizes open experimentation, clear and auditable behavior, safe defaults, minimal footprint, and portability. Binaries are provided as‑is for non‑commercial use and may include experimental features. Users are responsible for evaluating suitability and risk within their environments.
- Foundations: CLI, SEB sensing, STRIDE guardrails, SynA explanations, external mapping, end‑to‑end SRGL loop.
- Depth: Broader process/file/network coverage, richer identity and OS artifacts, label provenance, confidence calibration, drift detection.
- Generative: Intelligence‑to‑policy synthesis with validation and staged activation.
- Operations: Robust governance, continuous calibration, and telemetry‑driven optimization of collection and inference.
ecOS is the endpoint’s cognitive shell — a precise, CLI‑driven environment that makes security immediate, explainable, and adaptive. Running on top of LOGFORCE Large Telemetry Model (LTM), ecOS unifies sensing, reasoning, and enforcement under Auto Generative Reinforced Learning, so every system can defend itself, learn from experience, and transform expert judgment into enduring capability.