Vol. I · Completed Build · Canonical Document
HOLLOW PURPLE
Adaptive Cloud Identity Architecture — Intelligence Dashboard
github.com/Tejaswanth2406/hollow-purple
STATUS  COMPLETE ✓
SYSTEM  HOLLOW PURPLE
MAHORAGHA DEPLOYED
KERNEL  ACTIVE
LANG    PYTHON 93.6%
BUILD   5 COMMITS · TESTED

Identities Tracked: 2,847 across 3 cloud providers (↓ 3.2%)
High-Priv Paths: 143 reachable admin-equiv paths (↑ 12)
Patterns Stored: 61 in copy layer memory (+7 this cycle)
Gini Coefficient: 0.74 privilege concentration (↑ high risk)
[Figure: LIVE · IAM GRAPH. Identity Interaction Graph — Temporal Model. Legend: High-privilege path · Lateral movement · Identity node · Resource node]
Detected High-Risk Identity Paths — Graph Traversal Output
Path Chain | Gradient | Spread | Confidence
svc-acct-04 → roles/editor → iam.admin | +6.2 | 0.91 | 0.88
ci-runner-12 → AssumeRole → AdministratorAccess | +5.8 | 0.74 | 0.84
dev-user-77 → storage.viewer → storage.admin | +3.1 | 0.63 | 0.71
batch-proc-02 → sts:AssumeRole → ec2:* | +2.9 | 0.41 | 0.66
webhook-svc → pubsub.publisher → logging.viewer | +0.8 | 0.22 | 0.52
System Architecture — Three-Phase Model
Hollow Purple · Phase 1 · Active
Tactical behavioral intelligence. Observes control-plane activity, models identity-resource interactions as temporal graphs. Detects gradual permission expansion, identity hopping, reach growth. Outputs behavioral patterns, not alerts.
Copy Layer · Bridge · Complete
Evolutionary memory. Stores reusable behavior and path patterns. Preserves system failures, near-misses, blind spots. Abstracts events into shapes and sequences.
MAHORAGHA · Phase 2 · Deployed
Strategic architectural adaptation with Merkle-based integrity verification. Consumes patterns from Hollow Purple, proposes architecture-level mutations. Requires architect approval. Moves the walls — doesn't chase the intruder.
"Attackers explore a maze. Hollow Purple watches the movement. MAHORAGHA moves the walls."
Copy Layer — Pattern Memory Accumulation
Priv. Escalation: 78% · Lateral Movement: 54% · Token Abuse: 61% · Dormant Identity: 33% · Rare Access: 21%
4-Criteria Gate: Structural Isomorphism · Directional Privilege Gradient · Temporal Persistence (N≥3) · Context Independence
Safety Governance — Hard Rules
Read-only observation only
Advisory output — no auto-apply
N≥3 observations required for pattern
Full auditability at every step
Explicit human authority gate
Zero production mutation risk
Merkle-chained tamper evidence
Active Pattern Feed — Behavioral Intelligence
PE · H2S_privilege_bridge_v2 · GCP · 7 observations · 5 identities · control-plane · confidence 0.84
LM · cross_project_role_hop_v1 · AWS · 4 observations · 3 identities · multi-region · confidence 0.71
TA · sts_credential_chain_v3 · AWS · 9 observations · 6 identities · assumed-roles · confidence 0.91
DI · dormant_reactivation_v1 · Azure · 3 observations · 3 identities · service principals · confidence 0.58
PE · viewer_to_owner_drift_v1 · GCP · 5 observations · 4 identities · storage buckets · confidence 0.76
Formal Metrics — Validated Measurement Layer
Temporal Spread Score
TS = (ΔPrivilege) / log(ΔTime)
// fast escalation = high score; slow creep = detectable but dampened
Privilege Gradient
PG = Σ[L(nᵢ₊₁) - L(nᵢ)]
// for path P = (n₁, n₂, …, nₖ) with privilege levels L
Reachability Reduction (RR): |reach_before| − |reach_after|
Mean Escalation Steps (MES): avg hops to admin-equiv
Path Multiplicity (PM): distinct paths to admin roles
Gini Coefficient: 0.74, privilege concentration ∈ [0,1]
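The Privilege Gradient and Temporal Spread formulas above, together with the Directional Privilege Gradient criterion of the 4-Criteria Gate, worked through on the dashboard's own path rows. This is an added example, not code from the hollow-purple repository; the privilege levels L(n), the seconds unit for ΔTime and the floor applied to log(ΔTime) are assumptions.

```python
import math
from typing import Sequence

# Constructed privilege levels L(n) for identities and roles named on the dashboard.
# The values are illustrative, chosen so the gradients reproduce the +6.2 and +3.1 rows.
PRIV_LEVEL = {
    "svc-acct-04": 1.0, "roles/editor": 4.5, "iam.admin": 7.2,
    "dev-user-77": 1.0, "storage.viewer": 1.6, "storage.admin": 4.1,
}

def privilege_gradient(path: Sequence[str], levels=PRIV_LEVEL) -> float:
    """PG = sum of L(n_{i+1}) - L(n_i) over consecutive nodes of P = (n_1, ..., n_k)."""
    return round(sum(levels[b] - levels[a] for a, b in zip(path, path[1:])), 2)

def is_directional(path: Sequence[str], levels=PRIV_LEVEL) -> bool:
    """Directional Privilege Gradient gate: every hop must strictly raise privilege,
    so a path that moves sideways or downward is not an escalation candidate."""
    return all(levels[b] > levels[a] for a, b in zip(path, path[1:]))

def temporal_spread(delta_priv: float, delta_time_s: float) -> float:
    """TS = dPrivilege / log(dTime), with dTime in seconds (assumption).
    log(dTime) is 0 at one second and negative below it, so the denominator is
    floored at 1.0: hops landing within a second score the raw privilege delta."""
    if delta_time_s <= 0:
        raise ValueError("a path must span positive time")
    return round(delta_priv / max(math.log(delta_time_s), 1.0), 2)

def score_path(path: Sequence[str], span_s: float) -> dict:
    """Combine the three measures for one graph-traversal result."""
    pg = privilege_gradient(path)
    return {"path": " -> ".join(path), "gradient": pg,
            "spread": temporal_spread(pg, span_s), "directional": is_directional(path)}

if __name__ == "__main__":
    # Same +6.2 gradient over three time spans: escalation within a second scores the
    # full delta, 15 minutes scores 0.91, and the same climb over a week is damped to 0.47.
    for span in (1, 900, 7 * 24 * 3600):
        print(score_path(("svc-acct-04", "roles/editor", "iam.admin"), span))
```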
Adaptation Log — Audit Trail
09:14:32 · OBS · Identity svc-acct-04 assumed roles/editor via workload identity federation. Privilege delta +3.
09:18:07 · PAT · Pattern H2S_privilege_bridge_v2 threshold reached (N=7). Forwarding to Copy Layer.
09:22:45 · OBS · ci-runner-12 triggered sts:AssumeRole on AdministratorAccess ARN. Temporal spread 0.91.
09:31:18 · PAT · sts_credential_chain_v3 confidence updated 0.87 → 0.91. 9th observation confirmed structural isomorphism.
09:44:02 · MUT · MAHORAGHA proposal MAH-003 generated. Awaiting architect approval. RR delta: −18 high-priv paths.
10:01:55 · OBS · Dormant identity az-sp-0091 reactivated after 47-day silence. Rare access pattern triggered.
10:14:39 · PAT · viewer_to_owner_drift_v1 context independence confirmed: observed across 3 GCP projects.
MAHORAGHA — Architectural Mutation Proposals (Human-Gated)
MAH-003 · GCP IAM MUTATION · HIGH IMPACT
Remove direct path: workload-identity → iam.admin via roles/editor
Pattern H2S_privilege_bridge_v2 has been observed 7 times across 5 distinct identities in 3 environments. The structural path through roles/editor acts as a privilege bridge to iam.admin. Recommended: insert intermediate binding with explicit iam.securityAdmin condition, removing the unbounded escalation hop.
RR: −18 paths
MES: +2 hops
PM: −11 routes
Confidence: 0.84
MAH-004 · AWS IAM MUTATION · MEDIUM IMPACT
Scope sts:AssumeRole trust policy on ci-runner role to tagged environments only
Pattern sts_credential_chain_v3 shows CI runners assuming AdministratorAccess without environment scoping. 9 observations across 6 identities confirm context independence. Recommended: apply aws:PrincipalTag condition on trust policy, restricting assumption to ci-environment:staging only.
RR: −9 paths
MES: +1 hop
PM: −6 routes
Confidence: 0.91
Industry Capability Comparison
Capability | GuardDuty / SCC | UEBA | SIEM / XDR | Hollow Purple ★
IAM anomaly detection
Graph-based modeling · PARTIAL · PARTIAL
Persistent pattern memory
Architecture mutation feedback
Human-gated evolution
Slow-path credential abuse detection · PARTIAL
Merkle tamper-evident log
Deterministic state replay
Zero production mutation risk
Full System Architecture — 9-Layer Intelligence Pipeline
Event Flow · From Ingestion to Adaptive Defense
01 · User / Analyst: SOC operator, security engineer, architect
02 · API Gateway: POST /ingest · GET /graph · GET /replay
03 · Event Ingestion: AWS · GCP · Azure collectors + rate limiter
04 · Normalizer: Schema unification across cloud providers
05 · Event Ledger: Immutable Merkle hash-chained append-only log
06 · Graph Engine: Dynamic IAM temporal graph · k-hop subgraph
07 · Baseline + Anomaly: Sliding windows · entropy · privilege scoring
08 · Replay Engine: Deterministic state reconstruction at any t
09 · MAHORAGHA ADE: Adaptive defense · human-gated mutations · Merkle verification
Core Phases — Technical Deep Dive
PHASE 1
Event Ledger Foundation
Immutable Tamper-Evident Log
Every event is hashed and chained to the previous entry using Merkle trees. No event can be altered without invalidating every hash that follows it — providing forensic traceability and deterministic replay capability.
// Event structure
id · timestamp · actor · action · target · metadata · prev_hash · merkle_hash
Tamper evidence
Forensic traceability
Deterministic replay
PHASE 2
Behavioral Baseline Engine
Normal Behavior Modeling
Sliding-window baseline modeling establishes what normal looks like per identity, resource, and time window. Deviations are scored and ranked by severity. Baseline drift detector tracks entropy shifts.
// Metrics collected
path_count
identity_entropy
exposed_identity_%
event_rate · privilege_Δ
Abnormal login detection
Lateral movement scoring
Baseline drift detection
PHASE 3
Graph Intelligence Engine
Dynamic System Graph
The entire infrastructure is modeled as a living graph. Nodes are entities; edges are relationships. Attack paths, blast radius, and privilege chains are computed via traversal. Risk projections generated in real time.
// Node types
Users · Processes · Files
Services · Machines · Secrets
// Edge types
access · execute · modify
spawn · read_secret · connect
Attack path detection
Blast radius analysis
Risk projection scoring
PHASE 4
Deterministic Replay Engine
Time-Travel Reconstruction
Reconstruct exact system state at any point in time by replaying the event ledger forward. Audit verifier confirms integrity at each step. Enables forensic analysis, timeline reconstruction, and attack simulation.
// Replay call
replay(timestamp=T)
// Output
full system graph at T
all identity states at T
Forensic timeline analysis
Audit verification
Incident reconstruction
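The event structure of Phase 1 and the replay(timestamp=T) call of Phase 4, as one added example that is not the project's own event_log.py or replay module: events carrying the eight fields above are hash-chained on append, the audit verifier reports the first broken entry, and replay folds the verified ledger, in append order, into identity → held-roles state at a cut-off time. The action vocabulary (assume/grant/revoke), SHA-256 over canonical JSON, same-day HH:MM:SS timestamps and the sample events are assumptions.

```python
import hashlib, json
GENESIS = "0" * 64

def _digest(event: dict) -> str:
    """SHA-256 over canonical JSON of every field but merkle_hash (assumption); prev_hash
    sits inside the hashed body, so each entry commits to the whole chain before it."""
    body = {k: v for k, v in event.items() if k != "merkle_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append(ledger: list, timestamp: str, actor: str, action: str, target: str, metadata=None):
    """Append-only write: link to the previous merkle_hash (or GENESIS) and seal the entry."""
    prev = ledger[-1]["merkle_hash"] if ledger else GENESIS
    event = {"id": len(ledger), "timestamp": timestamp, "actor": actor, "action": action,
             "target": target, "metadata": metadata or {}, "prev_hash": prev}
    event["merkle_hash"] = _digest(event)
    ledger.append(event)

def verify(ledger: list):
    """Audit verifier: index of the first entry whose hash or back-link is broken, else None."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev_hash"] != prev or e["merkle_hash"] != _digest(e):
            return i
        prev = e["merkle_hash"]
    return None

def replay(ledger: list, timestamp: str) -> dict:
    """replay(timestamp=T): fold events with timestamp <= T, in ledger order, into identity -> set of
    held roles; refuses a tampered ledger. Same-day HH:MM:SS strings (constructed) compare lexically."""
    broken = verify(ledger)
    if broken is not None:
        raise ValueError(f"ledger tampered at entry {broken}")
    state = {}
    for e in ledger:
        if e["timestamp"] > timestamp:
            break
        roles = state.setdefault(e["actor"], set())
        if e["action"] in ("assume", "grant"):
            roles.add(e["target"])
        elif e["action"] == "revoke":
            roles.discard(e["target"])
    return state

def build_sample_ledger() -> list:
    ledger = []  # constructed events mirroring two OBS lines of the dashboard's adaptation log
    append(ledger, "09:14:32", "svc-acct-04", "assume", "roles/editor", {"via": "workload identity federation"})
    append(ledger, "09:22:45", "ci-runner-12", "assume", "AdministratorAccess", {"api": "sts:AssumeRole"})
    append(ledger, "09:40:00", "svc-acct-04", "revoke", "roles/editor")
    return ledger
```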
Cloud Provider Telemetry · Multi-Cloud Coverage
AWS
Amazon Web Services
1,204 identities tracked
IAM Users 71% · Service Accts 55% · Lambda Roles 82%
Sources: CloudTrail · GuardDuty · Config · STS logs
GCP
Google Cloud Platform
987 identities tracked
Service Accts 88% · Workload ID 64% · IAM Bindings 91%
Sources: Audit Logs · Cloud SCC · Pub/Sub · Asset Inventory
AZURE
Microsoft Azure
656 identities tracked
Service Principals 59% · Managed Identities 43% · RBAC Assignments 77%
Sources: Activity Logs · Entra ID · Defender · Monitor
Threat Model Coverage · MAHORAGHA Adaptive Defense Capabilities
Explicit Threat Model — What This System Targets
Credential Abuse
Legitimate API calls using stolen or over-permissioned credentials. No malware required. System value persists even when attackers avoid overt anomalies.
Lateral Movement
Identity-hopping across trust boundaries, role assumptions, and service account chaining. Detected via graph traversal and path pattern memory.
Slow-Moving Attackers
Gradual privilege expansion over days or weeks. Traditional SIEM burst-detection misses this. Temporal spread scoring catches it.
Insider Threats
Malicious or compromised employees using legitimate access. Detected via behavioral baseline deviation and identity entropy monitoring.
Token Abuse
Stolen short-lived tokens (STS, OIDC, workload identity). Tracked via credential chain pattern memory in the copy layer.
Privilege Escalation
Role assumption chains and permission boundary bypasses. Detected via privilege gradient formula and structural isomorphism gate.
MAHORAGHA ADE — Adaptive Defense Engine Capabilities
"MAHORAGHA turns Hollow Purple into a self-improving security organism."
01
Adaptive Learning
Learns new attack patterns from observed behavior. Detection rules, anomaly thresholds, and graph heuristics update continuously.
02
Adversarial Simulation
Simulates attacker strategies against the current graph to pre-identify exploitable paths before real attackers find them.
03
Merkle Integrity Verification
Signed tree heads, shadow rebuild, and witness node gossip ensure the event log is cryptographically tamper-evident at all times.
04
Mitigation Actions (Gated)
Can propose: isolate machines · revoke credentials · block IPs · disable tokens. All require architect approval before execution.
API Surface · Production Database Stack · Deployment Architecture
API Layer — Microservice Endpoints
POST /ingest · Event ingestion
GET /events · Ledger query
GET /graph · Live IAM graph
GET /replay · State reconstruction
GET /baseline · Behavioral baseline
GET /anomalies · Anomaly scores
POST /simulate · Attack simulation
POST /mitigate · Gated mitigation
Production Database Stack
PostgreSQL
Event ledger storage. JSONB pattern objects. Full audit trail. Queryable aggregates. Immutable append-only writes.
→ Copy Layer storage backend
Redis
Caching layer and streaming event queues. Real-time ingestion pipeline backpressure. Session state management.
→ Ingestion pipeline buffer
Neo4j / DuckDB
Graph database for attack path analysis. DuckDB for OLAP analytics on immutable graph snapshots. k-hop subgraph extraction.
→ Graph Intelligence Engine
InfluxDB / Prometheus
Time-series metric evolution. Baseline drift tracking. RR, PM, MES, Gini coefficient history over time windows.
→ Baseline store + telemetry
GCP Deployment Architecture
Cloud Run / GKE: Microservice containers · auto-scaling
Cloud SQL: Managed PostgreSQL · event ledger
Memorystore: Managed Redis · streaming queues
Pub/Sub: Streaming ingestion pipeline
Compute Engine: Neo4j graph database nodes
Cloud Storage: Parquet snapshots · backups · archives
Cloud SCC: Security Command Center integration
Performance target: 100K–1M events/sec ingestion · millions of graph nodes · real-time anomaly detection
Module Directory — Complete Build Status (from Repository)
Hollow Purple Core Modules — Python 93.6% · JS 3.7% · HTML 2.7%
core/: models.py · event_log.py · config.py · identity.py · resource.py · constants.py (DONE)
ingestion/: pull.py · aws_collector.py · gcp_collector.py · azure_collector.py · normalizer.py · rate_limiter.py (DONE)
graph/: builder.py · temporal.py · closure.py · scoring.py · pathfinder.py · exposure.py · graph_state.py (DONE)
baseline/: Behavioral baseline engine · sliding-window modeling · identity entropy tracking (DONE)
patterns/: scorer.py · privilege_escalation.py · lateral_movement.py · token_abuse.py · dormant_identity.py · rare_access.py (DONE)
kernel/: Platform kernel · system orchestration · core runtime loop (DONE)
state/: state_machine.py · reducers.py · projections.py · snapshot_manager.py (DONE)
storage/: event_store.py · snapshot_store.py · graph_store.py · baseline_store.py · integrity_store.py (DONE)
engine/: baseline.py · pipeline.py · orchestrator.py · scheduler.py · execution_context.py (DONE)
projections/: risk_projection.py · exposure_projection.py · identity_projection.py · graph_projection.py (DONE)
bootstrap/: System startup controller · environment bootstrap · dependency init (DONE)
api/: server.py · routes.py · auth.py · schemas.py (DONE)
frontend/: index.html · dashboard.js · graph_view.js · alerts_view.js (DONE)
root/: main.py · requirements.txt · main.env.example · configs/ · scripts/ · tests/ (DONE)
MAHORAGHA ADE Modules — Integrity Verification System
MAHORAGHA/: adversarial_simulator.py · alert_router.py · audit_log.py · governance.py · health.py · invariants.py · retention.py · utils.py · telemetry.py (DONE)
merkle/: merkle_log.py · signed_tree_head.py · shadow_rebuild.py · snapshot.py · drift_envelope.py · backpressure.py · adversarial.py · formal_invariants.py (DONE)
replay/: deterministic_replay.py · replay_validator.py · state_reconstructor.py · pipeline.py · audit_verifier.py (DONE)
consensus/: consensus.py · witness_node.py · log_gossip.py · verification_cluster.py (DONE)
drift/: baseline_drift_detector.py · identity_entropy_monitor.py · risk_calibrator.py (DONE)
scripts/: bootstrap_env.py · run_pipeline.py · simulate_attack.py (DONE)
configs/: default.yaml · aws_weights.yaml · gcp_weights.yaml · azure_weights.yaml (DONE)
tests/: test_phase1.py · test_phase2.py · test_phase3.py · test_phase4.py · test_phase5.py (DONE)
System Security Properties
Integrity — Merkle-chained event ledger
Auditability — Full system replay
Explainability — Graph-based reasoning
Adaptability — MAHORAGHA learning engine
Consensus — Witness node verification
Resilience — Backpressure + drift envelopes
Real-World Use Cases · What Makes This Powerful
SOC Automation
Security operations centers get graph-based threat intelligence instead of raw log search. Analyst workload reduction via pre-ranked attack paths.
Cloud Attack Detection
Detect AWS/GCP/Azure attacks in real time across all three providers simultaneously with cross-cloud identity correlation built in.
Insider Threat
Detect malicious employees using legitimate access. Behavioral baseline deviation and identity entropy monitoring catch subtle abuse.
Digital Forensics
Post-incident reconstruction via deterministic replay. Reconstruct full system state at any point in time from the immutable Merkle event ledger.
Enterprise Monitoring
Full internal infrastructure visibility. Crown jewel reachability, blast radius estimation, and privilege chain modeling across the enterprise.
Most SIEM systems only do:
// Traditional approach
log search
Hollow Purple + MAHORAGHA does:
event ledger (Merkle-chained)
+ graph intelligence
+ deterministic replay
+ adaptive defense
+ consensus verification
// This combination is extremely rare.