The Difference
Every competitor responding to this RFP is offering a subscription. Flashpoint, Recorded Future, CyberInt, Cybersixgill, SOCRadar — all SaaS. Morgan State pays annually, rents the tool, sees what the vendor shows, has no audit trail into the model, and cannot leave without losing everything.
An AI tool you own, not a SaaS subscription you rent.
We deliver a Rust-compiled single-binary EASM+CTI platform, running on Morgan State infrastructure, with AI inference on Morgan State hardware, under the Unlicense. At contract completion, Morgan State owns every line of source code.
Architectural Principles
1. Compiled, not rented. ~15 MB Rust binary, reproducibly built, signed. Runs on Morgan hardware. No hosted dependency.
2. Memory-safe by design. Rust compile-time guarantees eliminate ~70% of critical CVE classes. The platform cannot have the vulnerabilities it is designed to detect.
3. AI-native, not AI-bolted-on. Local LLM inference. Morgan State credentials, asset metadata, threat indicators never traverse third-party inference endpoints.
4. Observable, auditable, exitable. Blake3-signed tamper-evident action log. Source code delivered under Unlicense — fork, extend, or disable any component without consultation.
5. Background/Foreground IP discipline. Background IP (existing crates, tools) remains ours — licensed to Morgan for the contract term. Foreground IP (Morgan-specific customizations) delivered under Unlicense to Morgan at contract completion. Clean separation, no hidden strings.
PWS Tasks — How We Deliver
Task 1
External Attack Surface Mapping
Six concurrent discovery techniques: DNS enumeration, ASN/netblock mapping, 65K-port service fingerprinting, AWS/Azure/GCP asset discovery, SSL/TLS observatory, OT/IoT identification. 6-hour discovery cycle, 60-second new-asset alerts. 98% mapping accuracy SLA.
Task 2
Deep & Dark Web Surveillance
Partner stealer-log feed (~40M infections/year normalized), HaveIBeenPwned Enterprise, SpyCloud, custom TOR collectors targeting ransomware leak sites, education-focused marketplaces, closed Telegram channels. Actionable IoCs delivered as STIX 2.1.
Task 3
Digital Risk & Fraud Protection
Real-time newly-registered-domain monitoring with homoglyph/typosquat/combosquat matching. Visual similarity via perceptual hashing. Social media + mobile app store impersonation sweeps. Three-tier takedown workflow: <2hr SLA for domain, <1 business day for content.
Task 4
AI-Driven Vulnerability Intelligence
Kova-analyst local LLM inference (RTX 4090 / A6000 class GPU server). TTP summarization, remediation prioritization, cross-event correlation, auto-close on verified remediation. Zero outbound AI traffic — inference air-gapped.
Self-Applied Pilot — What We Saw
Before proposing this methodology externally, we applied it to our own production site. Over 14 days, the platform attributed 1,032 distinct visitors to 36 named organizations and produced the same kind of executive report proposed for Morgan State.
Projected Coverage — Morgan State Scope
Applied to the asset footprint published in the RFP and Addendum No. 1, the platform provides continuous coverage of:
Additional coverage: AWS + Azure + GCP (per Addendum Q3), IPv4 + IPv6 (Q38), full 65,536-port sweep (Q37 preferred), OT/IoT where observable (Q39). Cloud-hosted storage buckets enumerated during first-cycle discovery.
Projected Output at Morgan Scale
| Metric | Pilot Observed | Projected at Morgan |
| Internet-facing assets under monitoring | ~40 | ~2,200 est. |
| Distinct visitor IPs / 14 days | 1,032 | 50K – 250K est. |
| Named organizations attributable / 14 days | 36 | 400 – 1,500 est. |
| Shadow IT assets surfaced (first 90 days) | — | 60 – 180 est. |
| Leaked credentials surfaced (first 90 days) | — | 1,200 – 8,500 est. |
| Look-alike / typosquat domains tracked | — | 40 – 200 est. |
| High-criticality alerts / month | 0 | 15 – 60 est. |
Projections based on peer-sector baselines from US higher-education enterprises with similar digital footprints. Actual values will vary.
Sample Findings (Redacted)
Six finding cards from the self-applied pilot, redacted for external release. Demonstrates deliverable format Morgan State would receive monthly.
Finding 1 — Hiring-Signal Pattern · High Confidence
A Fortune 50 technology company initiated an observable corporate-IP review across XX distinct IP addresses, X geographically separated datacenters, over a 5-day window. Peak activity: 3-hour coordinated burst with signature of a distributed committee review (multiple IPs, disjoint DCs, overlapping pages, 77-minute midpoint gap). Final verification visit from the company's corporate-HQ network range 36 hours later.
Finding 2 — Targeted Recurring Visit · Medium Confidence
Single corporate IP registered to Fortune 50 Tech Co. B visited exactly one page — an internal velocity/commit tracker — 10 separate times during the window, no other pages accessed. Behavioral signature consistent with a human monitoring publicly-posted engineering activity on a recurring basis.
Finding 3 — Coordinated B2B Interest · Medium Confidence
Professional social network corporate range produced two IP addresses on the same subnet opening the URL at the identical sub-second timestamp. 66 total visits from 7 corporate IPs over 14 days on capability/business-credentials pages. Inferred: vendor/partnership evaluation, not user traffic.
Finding 4 — International Crawl + Document Retrieval
Major international cloud provider datacenters produced 130 distinct IP addresses systematically crawling the site across 14 days, originating from multiple Asian-Pacific countries . Retrieved content included a public resume PDF. Classification: systematic OSINT collection likely feeding an AI training pipeline or competitive intelligence aggregation.
Finding 5 — Security Event (Blocked) · Low Severity
One attacker IP, Western Europe , registered to known bulletproof-hosting AS, probed 13 common Next.js framework paths in under one second. All blocked by WAF managed rules before origin. Not targeted — mass-sweep scanner.
Finding 6 — Credential-Hunt Probe (Blocked)
Subsequent scanner, separate IP, probed 47 common secret-file paths (.env, .aws/credentials, .cursor/mcp.json, .anthropic/config.json, .openai/config.json, serviceAccountKey.json). All 404. Structural note: the compiled single-binary architecture has no filesystem locations for those files to exist — "secure by construction."
Platform Architecture
Single Rust binary on one application server. AI inference on one GPU server. Zero external cloud. No data leaves Morgan State perimeter without explicit integration to Splunk, Google SOAR, or the ticketing system.
┌────────────────────────────────────────────────────────────────────┐
│ MORGAN STATE PERIMETER │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────┐ │
│ │ CochranBlock CTI Node │ │ Kova Inference (GPU) │ │
│ │ (Rust, ~15 MB) │───▶ │ Local LLM, TTP │ │
│ │ │ │ summarization │ │
│ │ • Discovery engine │ │ Air-gapped │ │
│ │ • Attribution │ └─────────────────────────┘ │
│ │ • Dark-web collector │ │
│ │ • Fraud protection │ │ │
│ │ • Action logger │ ▼ │
│ └───┬──────────────┬──────┘ ┌────────────────────┐ │
│ │ │ │ Signed action log │ │
│ │ │ │ (blake3 + nanosign)│ │
│ │ │ └────────────────────┘ │
│ ▼ ▼ │
│ ┌──────────┐ ┌──────────┐ ┌──────────────┐ ┌──────┐ │
│ │ Splunk │ │ Google │ │ Ticketing │ │ Dash │ │
│ │ SIEM │ │ SOAR │ │ (ServiceNow) │ │ board│ │
│ │ (HEC) │ │ │ │ │ │ │ │
│ └──────────┘ └──────────┘ └──────────────┘ └──────┘ │
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Identity: Microsoft Entra ID + Cisco Duo │ │
│ └─────────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────────────────┘
│
▼
┌──────────────────┐ ┌───────────────────────────────────┐
│ Public internet │ │ Subcontracted data feeds │
│ discovery │ │ (Hudson Rock / Constella) │
│ (outbound only) │ │ Flow-through, scoped, disclosed │
└──────────────────┘ └───────────────────────────────────┘
IP Posture — Background vs. Foreground
Background IP
Remains CochranBlock Property
Pre-existing crates and tools: kova-engine, exopack, any-gpu, header-writer, approuter, whobelooking, aptnomo, pixel-forge, tmuxisfree. Publicly auditable at github.com/cochranblock. Licensed to Morgan State for use during the contract term + exercised options. We retain ownership and commercialization rights.
Foreground IP
Delivered to Morgan State
Customer-specific work product created during the contract: Morgan State pattern-library entries, the MSU Splunk Technology Addon, institution-specific dashboards, Morgan-tuned AI fine-tunes, and Morgan-specific configurations. Delivered under the Unlicense at contract completion. Morgan State owns it outright — fork, extend, disable, redistribute, all permitted.
Why this matters: most vendors conflate the two, retaining everything. We deliberately separate them so Morgan State walks away from the contract with tangible ownership of customizations, while CochranBlock retains freedom to serve other customers without IP overhang.
Exceeds Minimum Requirements
1 Memory-safe compiled architecture. Rust compiler eliminates ~70% of critical CVE classes. CISA Secure-by-Design alignment built in at construction, not bolted on.
2 On-device AI inference. Morgan State data never traverses third-party AI endpoints. Deterministic compliance posture.
3 Source code delivered under Unlicense. Zero vendor lock-in, permanently. Morgan retains self-maintenance capability post-contract.
4 Live, independently-auditable reference. cochranblock.org operates today as the same architecture proposed. Evaluators inspect before award.
5 Full IPv4 + IPv6 + 65K-port coverage. IPv6 required (Q38), full-port preferred (Q37). Included as baseline, not upsell.