Adversary observation infrastructure · 2026
We deploy deception sensors in the wild and extract structured behavioral intelligence from live adversary interactions — before the intrusion happens.
Cognition engine
Every adversary interaction captured by our sensors passes through a two-layer processing pipeline. The first layer applies deterministic rules — port mapping, payload parsing, protocol classification — to produce reproducible base signals with no model dependency.
The second layer applies local AI correction to resolve ambiguity, infer MITRE ATT&CK technique attribution, and assign kill-chain stage. No synthetic data. No borrowed labels. Every output is grounded in observed adversary behavior and reviewable by a human analyst.
The data moat
HeXG data is not aggregated, purchased, or derived from third-party feeds. Every record originates from a live interaction observed by our own sensors — making the dataset a direct function of deployment time and sensor coverage.
Each hour the sensors run, the moat deepens. Past behavioral patterns accumulate retroactively — no commercial provider can replicate what was observed before they deployed. That temporal edge is permanent.
Primary collection
Every event observed directly by HeXG sensors — no intermediary, no normalization loss.
Accumulating daily
Dataset grows every hour sensors run — retroactively irreproducible by any new entrant.
No synthetic data
Every label grounded in real attacker behavior. No hallucinated TTPs, no fabricated campaigns.
3 sensor regions
FR · PL · SG — APAC + NA expansion planned. Cross-region behavioral correlation active.