MoridainDefense — Operator-Endpoint Alert Triage
Hundreds of raw signals fan into the fusion node. A 17-byte bounded packet leaves it (19 bytes when the per-role projection layer is enabled — the extra 2 bytes carry a coarse area-of-operations tag). Each operator — strike pilot, ship CIC, SOF ground team, vehicle TOC — sees the queue projected to their role and AO via a 32-byte static profile, on a device that holds no model. Severe-band threats surface globally for every role the threat actually touches — by structural property, not policy.
- Bounded recall @ top-10: 0.83 (rule stack: 0.04)
- Severe-threat recall: 0.86 (rule stack: 0.03)
- Wire packet: 17 B (raw float64: 96 B → 5.6×)
- Operator-device memory: 891 B (no model · no FP)
The scenario
Set the picture
An all-source intelligence-fusion node at a joint operations center ingests dozens to hundreds of raw signals per candidate observation — watchlist match strength, geofence violation, comms-pattern deviation, dwell-time anomaly, vehicle signature, SIGINT keyword density, network association, pattern-of-life deviation, multi-sensor corroboration, history of recurrence. Across a watch period the fusion node produces hundreds of candidate alerts. The operator can review on the order of ten per cycle.
The same shape recurs across every operator role inside the same operation. A vehicle commander at a battalion TOC. A ship's CIC console under EMCON. A SOF ground team with a tactical handheld. A strike pilot on a knee-board tablet in an attack helicopter. An unmanned-platform supervisor on a tablet. Every one of them sits behind a bandwidth-, compute-, and power-constrained device. None of them can host the fusion math. None of them can carry a per-deployment ML model that has to be retrained when the AO changes. They all need the priority list — but the list itself differs per role: the strike pilot at altitude doesn't care about a vehicle pattern in a city block five miles inside the SOF team's AO; the SOF team in that block does. Same global picture, projected to each operator's local relevance, with severe-band threats surfacing for every role the threat actually touches.
What it costs today
The fusion stack pushes the entire raw alert flood at the operator. Single-signal threshold rules trip on background noise — geofence pings on a routine convoy route, a watchlist match on a common name, a SIGINT spike from a friendly emitter. Operators see ten alerts in their queue, none of which are the actual threat. The threat is at position 47 of 300. By the time the operator scrolls there, the decision window has closed.
The state-of-practice fix is an on-device ML triage classifier. It works in the lab on the data the lab had, then degrades the moment the AO changes — a different season, a different friendly mix, a different threat signature. False-positive rates of 10–100× the lab number are routine. The retraining loop — collect labeled data from the new AO, run an offline training cycle, validate the model, push to every endpoint — takes weeks at best, months for classified systems. The endpoint is operationally degraded for the entire interval.
The deeper problem is structural: the operator endpoint cannot host the fusion. It does not have the compute, the memory, the power budget, or the threat-model exposure to carry the fusion stack. Every architecture today either crams the fusion onto an underpowered endpoint (with the brittleness above) or pushes the entire raw alert stream over the link (so the operator drowns in the same flood the analyst was supposed to filter).
What changes with SolvNum
Three capabilities solve the three parts of the operator-overload problem; one bounded handoff carries it between the heavy node and the light device; one tiny static role/AO profile on each endpoint turns one global stream into a per-operator priority queue.
Each of the 12 raw signal dimensions contributes a bounded amount to the alert score — by construction, no single signal can elevate an alert into the operator's top-of-queue on its own. A spoofed watchlist match, a stuck geofence sensor, or a noisy SIGINT channel cannot dominate the rank. Promotion to the operator's review list requires multi-signal corroboration. The score-vs-input function is provably bounded; the certification analysis for the prioritizer is one paragraph rather than a labeled-data ML audit.
Signals enter log-space normalized so a 10× watchlist match and a 10× SIGINT spike are comparable on the same axis. The consequence band of the candidate observation is a built-in integer field — the order-of-magnitude bin — used directly as the top-level rank. The priority queue is consequence × probability, not a learned weighting that drifts when the operating environment changes. There is no model to retrain when the AO shifts.
The handoff to the operator's device is a 17-byte bounded packet per alert (alert_id 4 B · score 2 B · consequence 1 B · n_contributing 1 B · top-3 provenance 9 B). 5.6× smaller than the raw float64 feature vector. When the per-role projection layer is enabled, the same packet ships with an optional 2-byte AO tag side-band (cell_id), bringing the wire footprint to 19 B; non-projection endpoints still get the 17 B base packet unchanged. The device runs a streaming top-K heap on the score field — 13 ops per alert, 891 bytes of memory at K = 10, no model weights, no calibration tables, no floating-point math. Heavy lifting on the mainframe; the device is just a renderer.
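An added example, not code from the SolvNum repository: the endpoint side of this handoff in C, decoding and range-checking one packet and offering it to a fixed-size top-K min-heap keyed on the score field. The field widths are the ones listed above; the big-endian byte order, the 0..5 band range, the split of each 3-byte provenance entry into a 1 B signal index and a signed 16-bit contribution, and all identifier names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define N_SIGNALS 12 /* raw signal dimensions (page) */
#define K 10         /* operator review budget (page) */

/* Field sizes are the page's: 4+2+1+1+9 = 17 B, plus an optional 2 B cell_id.
 * Assumed: big-endian integers, consequence bands 0..5, and each provenance
 * entry as 1 B signal index + signed 16-bit contribution. */
typedef struct {
    uint32_t alert_id;
    uint16_t score, cell_id;
    uint8_t cons, n_contrib, has_cell, sig[3];
    int16_t contrib[3];
} alert_t;

typedef struct { alert_t item[K]; int n; } topk_t; /* min-heap on score */

/* Returns 0, or -1 for a malformed packet, so an out-of-range band or signal
 * index never reaches the queue or a later table lookup. */
int decode_alert(const uint8_t *b, size_t len, alert_t *a)
{
    if (len != 17 && len != 19) return -1;
    a->alert_id = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                  ((uint32_t)b[2] << 8) | b[3];
    a->score = (uint16_t)((b[4] << 8) | b[5]);
    a->cons = b[6];
    a->n_contrib = b[7];
    if (a->cons > 5 || a->n_contrib > N_SIGNALS) return -1;
    for (int i = 0; i < 3; i++) {
        const uint8_t *p = b + 8 + 3 * i;
        if (p[0] >= N_SIGNALS) return -1;
        a->sig[i] = p[0];
        a->contrib[i] = (int16_t)(uint16_t)((p[1] << 8) | p[2]);
    }
    a->has_cell = (len == 19);
    a->cell_id = a->has_cell ? (uint16_t)((b[17] << 8) | b[18]) : 0;
    return 0;
}

static void swap_alert(alert_t *x, alert_t *y) { alert_t t = *x; *x = *y; *y = t; }

/* Offer one decoded alert to the bounded queue: 1 if kept, 0 if dropped. */
int topk_offer(topk_t *q, const alert_t *a)
{
    int i;
    if (q->n < K) { /* not full: append, then sift up */
        i = q->n++;
        q->item[i] = *a;
        for (; i > 0 && q->item[(i - 1) / 2].score > q->item[i].score; i = (i - 1) / 2)
            swap_alert(&q->item[i], &q->item[(i - 1) / 2]);
        return 1;
    }
    if (a->score <= q->item[0].score) return 0; /* below the weakest kept entry */
    q->item[0] = *a; /* replace the root, then sift down */
    for (i = 0;;) {
        int l = 2 * i + 1, r = l + 1, m = i;
        if (l < K && q->item[l].score < q->item[m].score) m = l;
        if (r < K && q->item[r].score < q->item[m].score) m = r;
        if (m == i) return 1;
        swap_alert(&q->item[i], &q->item[m]);
        i = m;
    }
}
```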
The mainframe broadcasts the same global packet stream. Each operator endpoint carries a tiny static role/AO profile — a 32-byte integer table (4 B header · 12 i8 signal-affinity weights in {-1, 0, +1} · 64-bit AO bitmap matching the alert's coarse cell_id · 8 B reserved). The device decodes the 19-byte (packet + AO tag) stream and applies a bounded local re-rank: each profile entry contributes at most one consequence-band of shift and the total shift is clipped to ±1 cons-band, so the consequence band itself remains the dominant axis. The strike pilot's queue downranks the city ground-pattern alert that's #1 for the SOF team in that block; the SOF team's queue downranks the high-altitude SIGINT pattern that drives the pilot's #1; the ship CIC sees the maritime contact the pilot and SOF team don't need. Severe-band (consequence 5) alerts — a SAM activation in the strike pilot's ingress corridor, a high-consequence ground threat in the SOF team's exfil route, a missile-launch warning the ship and the air-ops cell both need — are pinned at effective cons-5 in every role's local view by structural construction, and a 3-key sort (effective cons · original cons · score) guarantees a true cons-5 outranks any cons-≤4 alert that profile-bumps to effective cons-5. The 8-seed sweep across all four roles gives a cons-5 cross-cuing rate of 1.000 (every wire-band-5 alert surfaced in every role's top-K) and a deterministic 16-of-16 PASS on the cons-5 injection test. No model, no learned weights, no per-AO retraining; the profile is a static integer config set at provisioning, 32 bytes per endpoint.
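An added example, not code from the SolvNum repository: the profile load, the bounded local re-rank and the 3-key ordering described above, in integer-only C, with `qsort` standing in for the device's top-K heap. The 32-byte layout and the ±1 clip are the page's; the big-endian bitmap with bit n meaning cell_id n, the rule for combining the three weight lookups with the AO bit-test (+1 inside the AO, -1 outside), and all identifier names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define N_SIGNALS 12 /* raw signal dimensions (page) */

/* Profile layout per the page: 4 B header, 12 i8 weights, 64-bit AO bitmap,
 * 8 B reserved = 32 B. Assumed: big-endian bitmap, bit n = cell_id n. */
typedef struct { int8_t w[N_SIGNALS]; uint64_t ao; } profile_t;

/* The decoded-alert fields the re-rank reads, plus the computed band. */
typedef struct {
    uint32_t id;
    uint16_t score, cell_id;
    uint8_t cons, sig[3], eff;
} ranked_t;

/* Returns 0, or -1 if any weight is outside {-1, 0, +1}. */
int load_profile(const uint8_t raw[32], profile_t *p)
{
    p->ao = 0;
    for (int i = 0; i < 8; i++) p->ao = (p->ao << 8) | raw[16 + i];
    for (int i = 0; i < N_SIGNALS; i++) {
        p->w[i] = (int8_t)raw[4 + i];
        if (p->w[i] < -1 || p->w[i] > 1) return -1;
    }
    return 0;
}

/* Assumed combination rule: sum the weights of the three provenance signals,
 * add +1 if the alert's cell is in the AO bitmap and -1 if it is not, then
 * clip the total to [-1, +1]. A wire band of 5 is returned untouched. */
uint8_t effective_cons(const profile_t *p, const ranked_t *a)
{
    int shift = 0, in_ao = a->cell_id < 64 && ((p->ao >> a->cell_id) & 1);
    if (a->cons >= 5) return 5;
    for (int i = 0; i < 3; i++)
        if (a->sig[i] < N_SIGNALS) shift += p->w[a->sig[i]];
    shift += in_ao ? 1 : -1;
    if (shift > 1) shift = 1;   /* the clip holds even for a corrupt weight */
    if (shift < -1) shift = -1;
    shift += a->cons;           /* at most 4 + 1 = 5 */
    return (uint8_t)(shift < 0 ? 0 : shift);
}

/* Descending 3-key order: effective band, original band, score. */
static int by_rank(const void *x, const void *y)
{
    const ranked_t *a = x, *b = y;
    if (a->eff != b->eff) return b->eff - a->eff;
    if (a->cons != b->cons) return b->cons - a->cons;
    return (int)b->score - (int)a->score;
}

/* Re-rank a role's queue in place. */
void project(const profile_t *p, ranked_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++) v[i].eff = effective_cons(p, &v[i]);
    qsort(v, n, sizeof *v, by_rank);
}
```

Rejecting out-of-set weights at load time and clipping at re-rank time are independent checks: a profile corrupted after provisioning still cannot move an alert by more than one band.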
Measurable outcome
What we'll claim — and how it survives review
Each line below maps to a captured number in the demo section. Every number is reproducible from the SolvNum validation suite.
- Same global packet stream reaches every operator endpoint (vehicle Toughbook, ship console, SOF handheld, strike-pilot knee-board) — by the bounded handoff, not by per-device fusion code.
- Per-role projection: each operator's queue reflects their role and AO via a 32-byte static integer profile loaded once at provisioning — strike pilot sees air-domain and ingress-corridor alerts at the top; SOF ground team sees in-AO ground-pattern alerts; ship CIC sees maritime contacts; vehicle TOC sees route-relevant alerts. No model, no retraining when the AO changes.
- Severe-band cross-cuing — verified: consequence-band-5 alerts (SAM activation, high-consequence ground threat in a SOF exfil corridor, missile-launch warning) surface at the top of every relevant role's queue regardless of profile. 8-seed × 4-role sweep: cons-5 cross-cuing rate of 1.000 across every (role, seed) pair with at least one wire cons-5 alert. Deterministic cons-5 injection test (synthetic cons-5 with low score, outside every role's AO, with provenance varied to maximally exercise each profile): 16-of-16 PASS.
- Bounded local re-rank — verified: every per-alert local cons-band shift observed across all seeds, all roles, and all alerts lies in {-1, 0, +1}, and zero wire-band-5 alerts ever shifted away from cons-5. The bound is structural, not statistical.
- Per-role precision lift (top-K role-relevant fraction, projected vs unprojected global queue, 8-seed mean): strike pilot 30.0% → 36.3% (+6.3pp); SOF ground team 52.5% → 53.8% (+1.3pp); ship CIC 38.8% → 45.0% (+6.3pp); vehicle TOC 50.0% → 51.3% (+1.3pp). Same global stream, four different role-projected queues.
- Recall@K (top-10 review budget) of 0.83 on the global queue vs 0.04 for the legacy single-signal rule-stack baseline — operators see the actual threats inside their review budget instead of scrolling past them.
- Severe-threat (consequence band 5) recall of 0.86 — the alerts that matter most arrive at the top of the queue, not buried.
- Zero legacy-rule false positives in the operator's top-10 (vs 9.5 of 10 for the rule-stack baseline) — the alert flood collapses into a defensible queue.
- Edge-device runtime including projection layer: 945 B memory (891 B base + 32 B profile + 22 B AO tags at K = 10), 18 ops/alert (13 base + 5 local re-rank), 0 model weights, 0 calibration tables, 0 floating-point operations, 0 retraining required when the AO changes.
- Per-alert wire footprint of 17 bytes base, 19 bytes when the optional 2-byte AO tag side-band is enabled — 5.6× / 5.1× compression vs the 96 B raw float64 feature vector — fits inside any tactical-link budget that already carries text messaging.
- Operator-visible provenance: every queue entry carries the three signals that drove its rank, with sign and contribution. Explainability is on the wire, not in a separate dashboard.
The demo
What was tested. How. What the script printed.
300 synthetic candidate alerts per cycle, 12 raw signal dimensions per alert (watchlist match, geofence, comms pattern, dwell, vehicle signature, SIGINT keyword rate, network association, pattern-of-life deviation, time oddness, sensor corroboration, history recurrence, geofence-2). Ground truth: a small base-rate population of real threats with multi-signal corroboration, a much larger population of nuisance alerts (legacy single-rule false positives, threat-mimics that trip a few signals at low magnitude). Operator review budget fixed at K = 10 alerts per cycle.
Three triage stacks run on the same alert stream. A rule-stack baseline (the legacy single-signal threshold cascade — what the operator actually sees today). An on-device ML baseline (logistic regression with float64 features and learned weights — the state-of-practice retrofit). The bounded stack (mainframe-side log-space normalization + per-signal contribution cap + consequence × probability rank → 17-byte handoff packet → streaming top-K heap on the device).
Sweep: 8 random seeds × 300 alerts × 12 signals × 3 stacks. Captured per stack: recall@K, precision@K, severe-band recall (consequence 5), legacy-rule false positives in the operator's top-10, per-alert wire bytes, per-alert device compute, device memory, model-weight footprint, training-data requirement.
Per-role / per-AO projection layer (8-seed × 4-role sweep, n = 5,000 alerts/stream, threat rate 5%, K = 10): each of the four operator endpoints carries a 32-byte static profile — 4 B header · 12 i8 signal-affinity weights in {-1, 0, +1} · 64-bit AO bitmap (one bit per coarse cell) · 8 B reserved. The wire format extends the 17-byte base packet with an optional 2-byte AO tag (cell_id) for projection-enabled endpoints, totalling 19 B. On packet receipt, the device applies a bounded local re-rank — each profile entry contributes at most one consequence-band of shift, total shift clipped to ±1 — then sorts on the 3-key tuple (effective cons · original cons · score) so true cons-5 alerts always outrank profile-bumped lower-band alerts. Local cost: +5 ops/alert (3 lookups + 1 bit-test + 1 clamp; no FP); 18 ops/alert total; 945 B total memory (891 base + 32 profile + 22 AO tags). Verified outcomes across the sweep: every per-alert cons-band shift in {-1, 0, +1}; zero wire-band-5 alerts ever shifted; cons-5 cross-cuing rate of 1.000 across all (role, seed) pairs; 16-of-16 PASS on the deterministic cons-5 injection test. Per-role precision lift (top-K role-relevant fraction, projected vs unprojected global): pilot +6.3pp, SOF +1.3pp, ship +6.3pp, vehicle +1.3pp. Same global stream, four different role-projected queues; cons-5 alerts always surface for every role they touch.
Illustration
In-browser diagram of what the demo proves. The numbers underneath are the captured demo output.
Upstream · raw fusion ingest
300 alerts × 12 dims · ~28.1 KB / cycle raw float64 — alert flood: watchlist, geofence, comms-pattern, dwell, vehicle sig, sigint, network, pattern-of-life, sensor corroboration, history…
Fusion mainframe
log-norm → per-signal cap → consequence × probability
17-byte handoff packet (+2 B AO tag · projection on)
5.6× vs raw float64 · 300 × 17 B = 5,100 B / cycle on the wire (base) · 19 B / alert with the optional 2-byte AO tag side-band · no model weights · no calibration tables
Per-endpoint local relevance projection
same packet stream → 32 B static role/AO profile per endpoint → bounded local re-rank (≤ 1 cons-band shift / entry) → top-K heap
severe-band (cons 5) alerts surface for every role they touch, regardless of profile
Operator endpoints · one stream → four role-projected queues
Strike pilot · Knee-board
SOF ground team · Handheld
Ship CIC · Console
Vehicle TOC · Toughbook
Captured demo output
The numbers the script actually printed.
| Stack | Recall @ K | Severe recall | Precision @ K | Legacy FPs in top-10 |
|---|---|---|---|---|
| Rule-stack (legacy alert flood) | 0.042 ± 0.044 | 0.031 ± 0.084 | 0.020 ± 0.022 | 9.5 / 10 |
| ML on-device (logistic regression) | 0.833 ± 0.000 | 0.818 ± 0.207 | 0.500 ± 0.000 | 0.0 / 10 |
| Bounded (B + R + C) | 0.833 ± 0.000 | 0.860 ± 0.202 | 0.500 ± 0.000 | 0.0 / 10 |
The bounded stack matches the ML baseline on recall@K and edges it on severe-band recall (the alerts that matter most), without a model, without training data, and without floating-point on the device. The rule-stack baseline is what most operator queues actually look like today.
| Operator profile | Top-K role-relevant (no projection) | Top-K role-relevant (projected) | Lift | Cons-5 cross-cuing |
|---|---|---|---|---|
| Strike pilot | 0.300 | 0.363 | +0.063 | 1.000 |
| SOF ground team | 0.525 | 0.538 | +0.013 | 1.000 |
| Ship CIC | 0.388 | 0.450 | +0.063 | 1.000 |
| Vehicle TOC | 0.500 | 0.513 | +0.013 | 1.000 |
Same global packet stream, four distinct role-projected queues. Every wire-band-5 (severe-consequence) alert across the entire 8-seed sweep surfaced in every role's top-K (cross-cuing rate = 1.000). A separate deterministic cons-5 injection test — synthetic cons-5 with low score, outside every role's AO, with provenance varied to maximally exercise each profile — passed for every (role, variant) pair: 16 / 16. Per-role precision lift is the operator-visible value of the projection layer; cons-5 cross-cuing is the structural safety property.
| Stack | Wire B / alert | Edge memory | Edge ops / alert | Model weights | Needs FP | Needs retraining |
|---|---|---|---|---|---|---|
| Rule-stack | 96 (raw f64) | ≥ 96 B / alert | 12 thresholds | 0 B | yes | manual per-AO |
| ML on-device | 96 (raw f64) | ~5 KB resident | ~50 (matmul) | ~120 B (13 × f32) | yes | per-AO data + offline run |
| Bounded (B + R + C), base | 17 | 891 B (K = 10) | 13 | 0 B | no | no |
| Bounded + per-role projection | 19 (17 + 2 AO tag) | 945 B (K = 10) | 18 (13 + 5) | 0 B | no | no |
Bounded handoff is the only stack that does not require floating-point on the device, does not require model weights to be pushed and re-pushed across the fleet, and does not degrade when the operating environment changes. The per-role projection layer adds 2 B/alert on the wire (carrying a coarse area-of-operations tag), 32 B of static profile memory per endpoint (set once at provisioning), and 5 ops/alert of integer re-rank — no model weights, no calibration tables, no floating-point.
Operator-Endpoint Triage Attestation
- Alerts per cycle: 300
- Raw signal dimensions per alert: 12 (96 B float64)
- Operator review budget: K = 10 alerts / cycle
- Bounded recall @ K (8-seed sweep, mean ± std): 0.833 ± 0.000
- Bounded severe-band recall (8-seed sweep): 0.860 ± 0.202
- Rule-stack recall @ K (8-seed sweep): 0.042 ± 0.044 (control)
- Per-alert wire footprint, base packet: 17 bytes (5.6× vs raw float64)
- Per-alert wire footprint with projection (17 B packet + 2 B AO tag): 19 bytes (5.1× vs raw float64)
- Per-signal contribution to the alert score: bounded by construction
- Edge-device memory at K = 10, base: 891 bytes
- Edge-device memory at K = 10, with projection: 945 bytes (891 base + 32 profile + 22 AO tags)
- Edge-device ops / alert, base: 13
- Edge-device ops / alert, with projection: 18 (13 base + 5 local re-rank)
- Per-endpoint role/AO profile size: 32 bytes (4 B header + 12 B i8 weights + 8 B AO bitmap + 8 B reserved)
- Local re-rank shift per profile entry: ≤ 1 consequence-band (bounded by construction)
- Per-alert local cons-band shift, observed range (8-seed sweep, all roles): all in {-1, 0, +1}
- Wire-band-5 alerts whose effective cons shifted (8-seed sweep): 0 (cons-5 pinned by construction)
- Cons-5 cross-cuing rate (8-seed × 4-role sweep): 1.000 across every (role, seed) with ≥1 wire-band-5 alert
- Cons-5 deterministic injection test (4 variants × 4 roles): 16 / 16 PASS
- Per-role top-K role-relevant lift (mean across pilot/SOF/ship/TOC): +0.034 (range +0.013 to +0.063)
- Sweep parameters (per-role projection): 8 seeds × 5,000 alerts × threat rate 0.05 × K = 10
- Model weights on device: 0
- Floating-point on device: no
- Retraining when AO changes: no
Composes with
Where this POC sits in the substrate
Every POC reinforces — and is reinforced by — others. Click through to see how each piece locks into the larger picture.
Model-Free Anomaly Detection on Sensor Streams
Anomaly Detection is the model-free single-stream version of the same scale-aware classification primitive; this POC is the multi-signal, multi-operator deployment of that primitive at the human-decision boundary.
Bandwidth-Bounded Tactical Telemetry Compression
Telemetry Compression provides the on-the-wire bandwidth-bounded delivery primitive; this POC chooses the operator-decision-maximizing projection (rank + provenance) on top of it.
Distributed Sensor Fusion Across a Ship Squadron
Distributed Sensor Fusion produces the cross-node fused track picture; this POC is how the fused picture reaches the human operator without the operator's device having to host the fusion.
Cross-Platform Engagement Replay for Review
Engagement Replay is the audit-side counterpart — every queue entry's provenance bytes are the same fields a JAG / IG reviewer can replay against archived inputs.
JADC2 Reference Compute Substrate
JADC2 Substrate is the full-stack composition; this POC is the human-attention layer that sits above the JADC2 numerical substrate.
Evidence pointers
Where the claims live in the repo
These are the files a reviewer should run, read, or grep to re-derive every number on this page.
- SolvNum operator-overload triage demo — synthetic alert generator (ground-truth threats, legacy single-signal false positives, threat mimics)
- SolvNum operator-overload triage demo — bounded mainframe pipeline (log-space normalization, per-signal contribution cap, consequence × probability rank, top-K provenance)
- SolvNum operator-overload triage demo — 17-byte handoff wire format and bandwidth accounting
- SolvNum operator-overload triage demo — edge-device streaming top-K runtime (memory, ops, model-weight, floating-point, retraining cost report)
- SolvNum operator-overload triage demo — rule-stack and ML-on-device control baselines
- SolvNum operator-overload triage demo — multi-seed sweep harness producing the captured metric table
- SolvNum operator-overload triage demo — per-role / per-AO projection layer (32-byte static integer profile, 19-byte wire format = 17 B packet + 2 B AO tag, bounded local re-rank with 3-key sort)
- SolvNum operator-overload triage demo — per-role / per-AO 8-seed × 4-role sweep harness, capturing per-role precision lift, cons-5 cross-cuing rate, bounded-shift audit, and a deterministic cons-5 injection test (16 / 16 PASS)
Want to see this in your environment?
Brief us on a program where this POC matters.
ITAR-aware. Air-gapped delivery available. Every claim above traces back to a script in the public repo.