The Signature Approach Has Run Aground

Signature-based defence — the belief that capturing malware hashes, attacker behaviour patterns, and known exploit code in databases can meaningfully protect critical infrastructure — has become a historical artifact masquerading as contemporary security doctrine, and the cost of that delusion now flows directly to organisations holding the world's data and currency.

The architecture is ancient. When Symantec released its first anti-virus engine in 1989, signature matching was technologically sound: viruses were slow to evolve, analyst teams could study samples, and the lag between discovery and deployment of a detection rule was tactically acceptable. Three and a half decades later, security teams still build their operational posture on variants of that same principle—EDR platforms scanning process memory against YARA rules, SIEMs correlating event logs to Sigma patterns, threat intelligence databases distributing indicators of compromise (IOCs) to be matched against network flows. The industry calls this "detection-and-response" and treats it as a closed loop: detect anomaly, alert analyst, execute response.

It is not a closed loop. It is a recurring process of defeat.

The Recurring Cycle: Scale, Sophistication, Collapse

The industry narrative is consistent and well-documented. In May and June 2024, Snowflake, working with Mandiant and CrowdStrike, disclosed that a financially motivated actor (tracked by Mandiant as UNC5537) had logged in to customer accounts using credentials harvested by infostealer malware, some of them stolen years earlier. Every affected account lacked multifactor authentication; there was no vulnerability in Snowflake's platform and no pivot between tenants. The actor simply authenticated as the customer, ran queries, and extorted the victims with the results. Roughly 165 organisations were potentially exposed, and several confirmed victims lost very large customer datasets. Most learned of it not from their own detection stacks but from vendor notification, public reporting, or a ransom demand. EDR agents, intrusion detection rules and database activity logging were present in many of those environments. None flagged the exfiltration while it was happening, because a valid credential issuing ordinary SQL from an ordinary client looks exactly like an analyst at work.

In late May 2023, Progress Software disclosed CVE-2023-34362, an SQL injection in the MOVEit Transfer web front end reachable by unauthenticated attackers. By the time the advisory was published the Cl0p ransomware group had already exploited it at scale over the preceding holiday weekend, and public exploit code followed within about a week. Organisations relying on endpoint detection and response (EDR) platforms, next-generation firewalls, and Web Application Firewalls (WAFs) rushed out YARA signatures, Snort rules and WAF filter expressions for the "known" exploitation pattern. But most of the data theft predated the first signature; the vulnerability stayed unpatched in many installations for weeks after disclosure, with later tallies counting well over two thousand affected organisations; and an attacker who changes encoding, parameter ordering or timing while keeping the injection semantics intact has little trouble with pattern matches written against one public payload. The attackers needed no novelty: form changed while function stayed constant.

The Change Healthcare ransomware event in February 2024 exposed a different failure. The attack, attributed to the BlackCat (ALPHV) ransomware-as-a-service operation, began with a compromised credential on a Citrix remote-access portal that had no multifactor authentication; that detail comes from UnitedHealth Group's own testimony to Congress. Change Healthcare sits inside Optum, itself a UnitedHealth Group subsidiary. According to that testimony the attacker had access from 12 February, moved laterally, exfiltrated data, and deployed the ransomware payload on 21 February, halting claims processing across a large share of US healthcare. Nine days of credential-based access, lateral movement and enumeration inside an environment with a mature security budget went unstopped, not because sensors were absent but because credential theft followed by lateral movement is, event by event, indistinguishable from administrative work. When the encryptor ran, detection finally had something unambiguous to fire on; by then the adversary's objective had been achieved. The detection was not wrong; it was too late.

These are not anomalies. They are symptoms of architectural exhaustion. The signature-based model assumes that:

  1. An attacker's actions can be codified into patterns and distributed to defensive systems before that attacker strikes again.
  2. An organisation's operational security posture should be reactive—waiting for evidence of breach before executing response.
  3. The information advantage belongs to the defender, because defenders have access to global threat intelligence.

None of these assumptions holds. Modern threat actors, whether state-sponsored operators, organised criminal syndicates, or commoditised ransomware affiliates, reuse tooling freely but rarely run the same attack twice in a form a signature would recognise, because varying it costs almost nothing. They do not wait for signatures to be written. Their activity does not separate cleanly into "normal" and "malicious". And the defenders' information advantage has evaporated: attackers have access to the same tools, the same cloud platforms, the same third-party vendor ecosystems as defenders, and face no meaningful friction until they attempt to move data at scale.

The Remediation Trap: More Sensors, Deeper Blindness

The industry's response to recurring breaches has been to accumulate sensors. Organisations deploy EDR, SIEM, data loss prevention (DLP), IDS/IPS, behavioural analytics, cloud access security brokers (CASBs), network detection and response (NDR), security orchestration, automation and response (SOAR) platforms, and threat intelligence feeds. The total cost of ownership for these detection stacks now routinely exceeds millions of pounds annually for mid-to-large organisations.

The mathematical outcome is predictable. A modern SOC ingests anywhere between one million and a hundred million events per day, depending on infrastructure scale, and only a vanishingly small fraction of them relate to anything malicious. The rest are legitimate operational noise: routine application calls, infrastructure heartbeats, administrative actions, traffic anomalies driven by autoscaling, deployments, or scheduled maintenance. No rule set that keys on the shape of individual events can separate signal from noise at that scale. Organisations respond by loosening thresholds (more alerts, more false positives) or tightening them (fewer alerts, more false negatives). Many SOCs now operate in a state of perpetual "alert fatigue", where analysts suppress alerts proactively because the alternative is drowning in them.

The Snowflake campaign illustrates the point. The attacker's sessions were ordinary SQL issued through ordinary clients under valid customer credentials, and bulk reads of large tables are exactly what analytics users do all day. Database activity logs recorded the queries, but a rule that flags large exports would have paged the SOC on every legitimate batch job, and one that does not flag them records exfiltration as just another session.

The remediation trap deepens when vendors respond by adding more sophisticated detection engines: machine learning models trained on historical breach data, behaviourally-anchored scoring systems, user and entity behaviour analytics (UEBA). A supervised model trained on labelled attack data is a signature machine with a softer boundary: it generalises a little further than a YARA or Sigma rule, but it still recognises only what resembles attacks already seen. Unsupervised anomaly scoring avoids that dependence, at the price of flagging every deployment and autoscaling event as novel. Either way the system stays reactive: it scores what attackers did before, not what they are doing now.

Structural Failure: Detection Asks the Wrong Question

The foundational error in signature-based defence is epistemological, not technical. The question that detection systems ask is: Has this known malicious activity occurred? But that question is only meaningful if the attacker's current activity matches known patterns. Modern threat actors—particularly those with operational maturity and resources—deliberately do not match known patterns. They use legitimate tooling (LOLbins, legitimate cloud APIs, administrative utilities). They exploit trust relationships between vendors and customers. They abuse identity systems to authenticate as legitimate users. They move slowly, over weeks or months, through environments that cannot distinguish their behaviour from normal operations.

The architectural consequence is that detection systems have reached their theoretical ceiling. No amount of additional sensor deployment, no improvement in detection algorithms, no refinement of threat intelligence feeds will cross that ceiling, because the fundamental question is wrong.

Architectural Inversion: Zero-Knowledge Substrate and Continuous Adversarial Posture

PULSE's doctrine inverts the problem. Instead of asking Has malicious activity occurred?, the architecture asks What is the minimum privilege and data surface required for legitimate operations? This shift, from detection-centric to zero-knowledge substrate design, creates a fundamentally different security envelope. "Zero-knowledge" here is the operational sense: the substrate holds no plaintext and no key material it does not need for the operation in hand. It is not a claim about zero-knowledge proofs in the cryptographic sense.

A zero-knowledge substrate operates on the principle that you cannot steal what is not there. This means:

Data-plane segmentation and encryption: Data exists in encrypted form at rest and in transit. Decryption keys are never collocated with data-processing engines. Access to decrypted data requires cryptographic proof of authorisation, time-bound credentials, and continuous verification against adaptive access policies. Even a fully compromised end-user device cannot reach plaintext without that proof. If an attacker exfiltrates encrypted material, it is useless without the key material, which sits in a separate cryptographic boundary the attacker has not compromised. The caveat a practitioner will want stated: the guarantee is only as strong as that boundary and the service that issues access grants. An attacker who can obtain a valid grant gets whatever the grant permits, so grant issuance, scoping and lifetime are the controls that carry the weight.
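The separation described above, as an added example that is not part of PULSE's material and makes no claim about its implementation: a data host that holds only ciphertext, and a key service in its own boundary that never releases the data key and decrypts only against a signed, time-bound, purpose-bound grant. The cipher is a constructed HMAC-SHA256 counter-mode stand-in for AES-GCM so the file runs on the Python standard library alone; the class name, grant format and sample row are hypothetical.

```python
"""Added example, not PULSE's code: key material kept in a boundary separate from the data.

Constructed stand-in: a PRF-based stream cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC)
replaces AES-GCM so the file runs on the standard library alone. Use a real AEAD and a
KMS/HSM in production; class name, grant format and sample row are hypothetical."""
import hashlib
import hmac
import os
import time
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Separate trust boundary (think KMS/HSM): the data key never leaves this class.
    Callers submit ciphertext plus a signed, time-bound, purpose-bound grant."""

    def __init__(self) -> None:
        self._data_key = os.urandom(32)
        self._grant_key = os.urandom(32)  # signs grants; the data plane never sees it

    def issue_grant(self, subject: str, purpose: str, ttl_s: int) -> bytes:
        body = f"{subject}|{purpose}|{int(time.time()) + ttl_s}".encode()
        return body + b"|" + hmac.new(self._grant_key, body, hashlib.sha256).hexdigest().encode()

    def _check(self, grant: bytes, purpose: str, now: Optional[float]) -> None:
        body, _, sig = grant.rpartition(b"|")
        expected = hmac.new(self._grant_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("grant not signed by this key service")
        _subject, grant_purpose, expiry = body.decode().split("|")
        if grant_purpose != purpose:
            raise PermissionError(f"grant is for {grant_purpose!r}, not {purpose!r}")
        if int(expiry) < (now if now is not None else time.time()):
            raise PermissionError("grant expired")

    def encrypt(self, plaintext: bytes, grant: bytes) -> bytes:
        self._check(grant, "write", None)
        return seal(self._data_key, plaintext)

    def decrypt(self, blob: bytes, grant: bytes, now: Optional[float] = None) -> bytes:
        self._check(grant, "read", now)  # `now` is injectable so expiry can be exercised without sleeping
        return unseal(self._data_key, blob)


def demo() -> dict:
    ks = KeyService()
    data_host = {}  # the data plane: holds ciphertext only, never key material
    record = b"patient=4711;dx=E11.9"  # constructed sample row
    data_host["r1"] = ks.encrypt(record, ks.issue_grant("ingest-svc", "write", 60))
    result = {"round_trip": ks.decrypt(data_host["r1"], ks.issue_grant("clinician-a", "read", 60)) == record}
    stolen = data_host["r1"]  # attacker with full control of the data host walks off with this
    result["plaintext_in_blob"] = record in stolen
    attempts = [("forged", b"attacker|read|9999999999|" + b"0" * 64, None),
                ("expired", ks.issue_grant("clinician-a", "read", 60), time.time() + 3600),
                ("wrong_purpose", ks.issue_grant("ingest-svc", "write", 60), None)]
    for name, grant, now in attempts:
        try:
            ks.decrypt(stolen, grant, now)
            result[name] = "decrypted"
        except PermissionError as exc:
            result[name] = str(exc)
    return result
```

Running demo() shows the legitimate round trip succeeding, the stolen blob containing no plaintext, and three attempts on the stolen blob rejected: a forged grant, an expired grant, and a write grant presented for a read. The attacker's remaining path is the grant issuer, which is why grant issuance, not the data host, is the control to harden.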

Control-plane separation: The systems that define who can access what (identity, authorisation, policy) are architecturally separated from the systems that execute access (data engines, processing pipelines). A compromise in the data plane does not immediately provide access to the control plane. This is not network segmentation (which modern attackers routinely bypass)—it is cryptographic and architectural separation enforced at the substrate layer.

Adaptive posture, not static rules: Rather than deploying a fixed set of detection rules or access policies, the infrastructure continuously adjusts its operational posture in response to observed behaviour. A process that normally runs under a specific user identity, with specific network connections, under specific resource constraints, and with a specific pattern of file access can be checked for deviation from that norm without any external threat intelligence. When deviation is detected, the system does not merely log an event; it immediately constrains the process's operational capability (network access, file access, memory allocation). The attacker faces friction not because their activity matches a known malicious pattern, but because it deviates from the operational baseline of legitimate activity. The baseline itself has to be maintained: deployments, autoscaling and scheduled maintenance shift what "normal" looks like, so the profile must be versioned with the workload or it becomes a new source of the alert fatigue described above.
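A minimal version of that baseline-and-constrain loop, as an added example rather than PULSE's code: a process profile (identity, permitted egress, permitted paths, memory ceiling) and an enforcement loop that removes a capability on the first deviation, so that later events needing that capability are refused even when they are in-baseline. The event schema, process name and hosts are hypothetical and the event stream is constructed.

```python
"""Added example, not PULSE's code: constraining a process from its own baseline, with
no threat-intelligence feed. Baseline fields, event schema and host names are hypothetical;
the event stream is constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Baseline:
    user: str           # identity the process legitimately runs as
    egress: frozenset   # "host:port" pairs it legitimately talks to
    paths: tuple        # path prefixes it legitimately touches
    max_rss_mb: int     # resident memory it legitimately needs


@dataclass
class Posture:
    """Capabilities the process still has. Tightened on deviation, never loosened here."""
    network: bool = True
    files: bool = True
    spawn: bool = True
    reasons: List[str] = field(default_factory=list)

    def constrain(self, capability: str, why: str) -> None:
        setattr(self, capability, False)
        self.reasons.append(why)


NEEDS = {"connect": "network", "file": "files", "exec": "spawn"}  # capability each event kind consumes


def deviation(ev: dict, bl: Baseline) -> Optional[Tuple[str, str]]:
    """(capability to remove, reason) if the event departs from baseline, else None."""
    if ev["user"] != bl.user:
        return "spawn", f"runs as {ev['user']}, baseline is {bl.user}"
    kind = ev["kind"]
    if kind == "connect" and f"{ev['host']}:{ev['port']}" not in bl.egress:
        return "network", f"egress to {ev['host']}:{ev['port']} outside baseline"
    if kind == "file" and not ev["path"].startswith(bl.paths):
        return "files", f"access to {ev['path']} outside baseline"
    if kind == "rss" and ev["mb"] > bl.max_rss_mb:
        return "network", f"rss {ev['mb']} MB exceeds baseline {bl.max_rss_mb} MB"
    return None


def run(events: List[dict], baselines: Dict[str, Baseline]) -> dict:
    """Replay events; on deviation, constrain the process and refuse later events that
    need the removed capability, even when those later events are in-baseline."""
    postures = {name: Posture() for name in baselines}
    log = []
    for ev in events:
        posture, bl = postures[ev["proc"]], baselines[ev["proc"]]
        need = NEEDS.get(ev["kind"])
        if need and not getattr(posture, need):
            log.append(("blocked", ev["kind"], f"{need} already revoked"))
            continue
        dev = deviation(ev, bl)
        if dev:
            posture.constrain(*dev)
            log.append(("constrained", ev["kind"], dev[1]))
        else:
            log.append(("allowed", ev["kind"], ""))
    return {"log": log, "postures": postures}


BASELINES = {
    "report-gen": Baseline(user="svc-report",
                           egress=frozenset({"db.internal:5432", "smtp.internal:25"}),
                           paths=("/srv/reports/", "/tmp/report-"), max_rss_mb=512),
}

# Constructed event stream: two legitimate events, then behaviour a hijacked process might show.
EVENTS = [
    {"proc": "report-gen", "user": "svc-report", "kind": "connect", "host": "db.internal", "port": 5432},
    {"proc": "report-gen", "user": "svc-report", "kind": "file", "path": "/srv/reports/q3.csv"},
    {"proc": "report-gen", "user": "svc-report", "kind": "file", "path": "/etc/shadow"},
    {"proc": "report-gen", "user": "svc-report", "kind": "file", "path": "/srv/reports/q4.csv"},
    {"proc": "report-gen", "user": "svc-report", "kind": "connect", "host": "203.0.113.9", "port": 443},
    {"proc": "report-gen", "user": "svc-report", "kind": "connect", "host": "smtp.internal", "port": 25},
]


def demo() -> dict:
    return run(EVENTS, BASELINES)
```

In the constructed stream, the read of /etc/shadow costs the process its file access, and the connection to 203.0.113.9 costs it network access; the subsequent in-baseline connection to smtp.internal is then blocked, which is the friction the paragraph describes. No indicator list is consulted at any point.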

Domain-specific automation: Rather than bolting on a SIEM and expecting generic correlation rules to capture domain-specific attacks, the security architecture is built from domain-specific primitives. For a health-data system, the primitive is: No plaintext health record leaves this cryptographic boundary without audit-proof authorisation and encryption to a specific recipient. For a financial clearing house, the primitive is: No transaction instruction modifies state without cryptographic proof of source, and all state modifications are append-only and globally ordered. These are not rules that can be bypassed with slightly-modified malware variants—they are architecture.
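The financial primitive quoted above, as an added example and not PULSE's code: a hash-chained, append-only ledger that accepts an instruction only if its authentication tag, computed by the source over the instruction and the ledger head the source observed, verifies. Per-source HMAC keys are a constructed stand-in for digital signatures so the file runs on the standard library; in production the ledger would hold only public keys, so that compromising it yields nothing that can forge. Source names, payload shape and secrets are hypothetical.

```python
"""Added example, not PULSE's code: an append-only, globally ordered ledger in which no
instruction changes state without proof of source. Constructed stand-in: per-source HMAC
keys replace digital signatures so the file runs on the standard library alone; in
production hold only public keys here, so that compromising the ledger forges nothing."""
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = b"\x00" * 32


def _digest(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)  # length-prefixed: no field-boundary ambiguity
    return h.digest()


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(key: bytes, source: str, seq: int, payload: dict, prev: bytes) -> bytes:
    """Client side. The tag binds the instruction to the ledger head the client observed,
    so it can be neither replayed nor slipped in ahead of a concurrent write."""
    msg = _digest(source.encode(), str(seq).encode(), _canonical(payload), prev)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Ledger:
    def __init__(self, source_keys: Dict[str, bytes]) -> None:
        self._keys = dict(source_keys)
        self.entries: List[dict] = []  # append-only through the API; verify() catches edits

    @property
    def head(self) -> bytes:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, source: str, seq: int, payload: dict, tag: bytes) -> int:
        key = self._keys.get(source)
        if key is None:
            raise PermissionError(f"unknown source {source!r}")
        if seq != len(self.entries):
            raise ValueError(f"ordering conflict: head is at seq {len(self.entries)}, instruction says {seq}")
        prev = self.head
        if not hmac.compare_digest(tag, sign_instruction(key, source, seq, payload, prev)):
            raise PermissionError("instruction not authenticated by source key")
        entry_hash = _digest(prev, source.encode(), str(seq).encode(), _canonical(payload), tag)
        self.entries.append({"seq": seq, "source": source, "payload": payload,
                             "tag": tag, "prev": prev, "hash": entry_hash})
        return seq

    def verify(self) -> bool:
        """Recompute every tag and link; any in-place edit of stored history breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            key = self._keys.get(e["source"])
            expected_tag = sign_instruction(key or b"", e["source"], i, e["payload"], prev)
            expected_hash = _digest(prev, e["source"].encode(), str(i).encode(), _canonical(e["payload"]), e["tag"])
            if key is None or e["seq"] != i or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["tag"], expected_tag) or e["hash"] != expected_hash:
                return False
            prev = e["hash"]
        return True


def demo() -> dict:
    keys = {"clearing-a": b"k" * 32, "clearing-b": b"m" * 32}  # constructed per-source secrets
    ledger, result = Ledger(keys), {}
    credit = {"account": "ACC-1", "delta": 500}
    ledger.append("clearing-a", 0, credit, sign_instruction(keys["clearing-a"], "clearing-a", 0, credit, ledger.head))
    # Two participants sign seq 1 against the same head; only the first to land is accepted.
    head, debit, transfer = ledger.head, {"account": "ACC-1", "delta": -200}, {"account": "ACC-2", "delta": 75}
    a_tag = sign_instruction(keys["clearing-a"], "clearing-a", 1, debit, head)
    b_tag = sign_instruction(keys["clearing-b"], "clearing-b", 1, transfer, head)
    ledger.append("clearing-a", 1, debit, a_tag)
    try:
        ledger.append("clearing-b", 1, transfer, b_tag)
        result["stale"] = "accepted"
    except ValueError as exc:
        result["stale"] = str(exc)  # clearing-b must re-read the head and sign again
    # Without a source key, a forged debit is rejected even though the sequence number is right.
    try:
        ledger.append("clearing-a", 2, {"account": "ACC-1", "delta": -500}, b"\x00" * 32)
        result["forged"] = "accepted"
    except PermissionError as exc:
        result["forged"] = str(exc)
    result["entries"], result["intact"] = len(ledger.entries), ledger.verify()
    ledger.entries[0]["payload"]["delta"] = 500000  # direct edit of stored history
    result["tampered_detected"] = not ledger.verify()
    return result
```

demo() shows two participants signing seq 1 against the same head with only the first accepted (global ordering), a forged debit without the source key rejected, and an in-place edit of stored history caught by verify(). A replayed instruction fails the same ordering check as the stale one, because its tag was computed over a head that has since moved.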

From Detection Lag to Post-Breach Resistance

The result is a security model that no longer depends on detection speed. If an attacker compromises a workstation, database server, or cloud instance within your infrastructure, the attacker's objective is to exfiltrate data, modify critical data, or pivot to other systems. A properly architected zero-knowledge substrate sharply constrains all three whether or not the intrusion is detected, provided the attacker has not also obtained a valid authorisation. The attacker may remain undetected for months, but their capability to achieve their objective stays radically constrained.

This is post-breach resistance: the assumption that breach will occur, but the guarantee that breach does not lead to mission-critical harm.

APRA CPS 234 (for Australian financial institutions), DORA (the EU Digital Operational Resilience Act for financial entities, applying from January 2025), and NIS2 (for essential and important entities across EU member states) all push in this direction: not merely reactive detection, but demonstrable architectural resilience and continuity under compromise. Regulators have observed the same pattern the industry can no longer deny: detection-and-response on its own is not a sufficient control framework. The financial and legal liability for breaches has become large enough that organisations must architect systems that remain secure even after compromise.

The Operational Shift

Moving to a continuous adversarial posture requires a different kind of operational discipline than the signature-matching model. It requires clear modelling of legitimate operational behaviour: what a process should do, what data it should access, what network connections it should make, how often it should run. It requires cryptographic key material to be managed separately from operational infrastructure. It requires acceptance that some operational latency (the time taken to verify a cryptographic proof, for instance) is a necessary tradeoff for post-breach resistance.

The initial investment is higher than bolting on another vendor's EDR platform. But the operational cost is lower—fewer false positives, faster response times to actual deviations, and fundamentally reduced liability exposure when breach occurs.

The organisations that move first—those building new operational infrastructure around zero-knowledge substrate principles, continuous adversarial posture adjustment, and domain-specific security primitives—will define the competitive boundary for the next decade. Those that remain dependent on signature-matching detection will continue to incur the breach costs that their detection systems were nominally designed to prevent.

---


Engagement

Request a briefing under executed Mutual NDA.

PULSE engages only with verified counterparties. Strategic briefing material — reference architecture, regulatory mapping, deployment topology — is released after counter-execution of the NDA scoped to the recipient's evaluation purpose.

