Technical Supplement — Access Check

Solicitation 26/PRO-0022-S · BPM 56147 · Morgan State University

This page is a publicly-accessible technical companion to the formal proposal submitted by The Cochran Block, LLC. All substantive proposal content is contained in the documents submitted via eMMA; this page is supplementary.

Technical Supplement · 26/PRO-0022-S · Round 3

AI-Powered External Attack Surface & Cyber Threat Intelligence

Interactive companion to the formal proposal submitted by The Cochran Block, LLC to Morgan State University.
Offeror: The Cochran Block, LLC
CAGE: 1CQ66
UEI: W7X3HAQL9CF9
eMMA: SUP1095449
MD CSB: Approved (SBR)
SDVOSB: Certified 2026-05-12 (SBA VetCert)

The Difference

Every competitor responding to this RFP is offering a subscription. Flashpoint, Recorded Future, CyberInt, Cybersixgill, SOCRadar — all SaaS. Morgan State pays annually, rents the tool, sees what the vendor shows, has no audit trail into the model, and cannot leave without losing everything.

An AI tool you own, not a SaaS subscription you rent.

We deliver a Rust-compiled single-binary EASM+CTI platform, running on Morgan State infrastructure, with AI inference on Morgan State hardware, under the Unlicense. At contract completion, Morgan State owns every line of source code.

Architectural Principles

1. Compiled, not rented. ~15 MB Rust binary, reproducibly built, signed. Runs on Morgan hardware. No hosted dependency.
2. Memory-safe by design. Rust compile-time guarantees eliminate ~70% of critical CVE classes. The platform cannot have the vulnerabilities it is designed to detect.
3. AI-native, not AI-bolted-on. Local LLM inference. Morgan State credentials, asset metadata, threat indicators never traverse third-party inference endpoints.
4. Observable, auditable, exitable. Blake3-signed tamper-evident action log. Source code delivered under Unlicense — fork, extend, or disable any component without consultation.
5. Background/Foreground IP discipline. Background IP (existing crates, tools) remains ours — licensed to Morgan for the contract term. Foreground IP (Morgan-specific customizations) delivered under Unlicense to Morgan at contract completion. Clean separation, no hidden strings.

PWS Tasks — How We Deliver

Task 1

External Attack Surface Mapping

Six concurrent discovery techniques: DNS enumeration, ASN/netblock mapping, 65K-port service fingerprinting, AWS/Azure/GCP asset discovery, SSL/TLS observatory, OT/IoT identification. 6-hour discovery cycle, 60-second new-asset alerts. 98% mapping accuracy SLA.

Task 2

Deep & Dark Web Surveillance

Partner stealer-log feed (~40M infections/year normalized), HaveIBeenPwned Enterprise, SpyCloud, custom TOR collectors targeting ransomware leak sites, education-focused marketplaces, closed Telegram channels. Actionable IoCs delivered as STIX 2.1.

Task 3

Digital Risk & Fraud Protection

Real-time newly-registered-domain monitoring with homoglyph/typosquat/combosquat matching. Visual similarity via perceptual hashing. Social media + mobile app store impersonation sweeps. Three-tier takedown workflow: <2hr SLA for domain, <1 business day for content.

Task 4

AI-Driven Vulnerability Intelligence

Kova-analyst local LLM inference (RTX 4090 / A6000 class GPU server). TTP summarization, remediation prioritization, cross-event correlation, auto-close on verified remediation. Zero outbound AI traffic — inference air-gapped.

Self-Applied Pilot — What We Saw

Before proposing this methodology externally, we applied it to our own production site. Over 14 days, the platform attributed 1,032 distinct visitors to 36 named organizations and produced the same kind of executive report proposed for Morgan State.

15,723
Requests
4,068
Page Views
2,955
Unique Visitors
1,032
Distinct IPs
36
Orgs Attributed
8
Big Tech Seen
48
Threats Blocked
1
Scanner Event

Projected Coverage — Morgan State Scope

Applied to the asset footprint published in the RFP and Addendum No. 1, the platform provides continuous coverage of:

1
Primary Domain
190
Subdomains
445
DNS Records
152
External IPs
299
Web Sites
953
Technologies
100
SSL Certs
1 × /16
Class B Internal
Additional coverage: AWS + Azure + GCP (per Addendum Q3), IPv4 + IPv6 (Q38), full 65,536-port sweep (Q37 preferred), OT/IoT where observable (Q39). Cloud-hosted storage buckets enumerated during first-cycle discovery.

Projected Output at Morgan Scale

MetricPilot ObservedProjected at Morgan
Internet-facing assets under monitoring~40~2,200 est.
Distinct visitor IPs / 14 days1,03250K – 250K est.
Named organizations attributable / 14 days36400 – 1,500 est.
Shadow IT assets surfaced (first 90 days)60 – 180 est.
Leaked credentials surfaced (first 90 days)1,200 – 8,500 est.
Look-alike / typosquat domains tracked40 – 200 est.
High-criticality alerts / month015 – 60 est.

Projections based on peer-sector baselines from US higher-education enterprises with similar digital footprints. Actual values will vary.

Sample Findings (Redacted)

Six finding cards from the self-applied pilot, redacted for external release. Demonstrates deliverable format Morgan State would receive monthly.

Finding 1 — Hiring-Signal Pattern · High Confidence
A Fortune 50 technology company initiated an observable corporate-IP review across  XX  distinct IP addresses,  X  geographically separated datacenters, over a 5-day window. Peak activity: 3-hour coordinated burst with signature of a distributed committee review (multiple IPs, disjoint DCs, overlapping pages, 77-minute midpoint gap). Final verification visit from the company's  corporate-HQ  network range 36 hours later.
Finding 2 — Targeted Recurring Visit · Medium Confidence
Single corporate IP registered to  Fortune 50 Tech Co. B  visited exactly one page — an internal velocity/commit tracker — 10 separate times during the window, no other pages accessed. Behavioral signature consistent with a human monitoring publicly-posted engineering activity on a recurring basis.
Finding 3 — Coordinated B2B Interest · Medium Confidence
Professional social network corporate range produced two IP addresses on the same subnet opening the URL at the identical sub-second timestamp. 66 total visits from 7 corporate IPs over 14 days on capability/business-credentials pages. Inferred: vendor/partnership evaluation, not user traffic.
Finding 4 — International Crawl + Document Retrieval
Major international cloud provider datacenters produced 130 distinct IP addresses systematically crawling the site across 14 days, originating from  multiple Asian-Pacific countries . Retrieved content included a public resume PDF. Classification: systematic OSINT collection likely feeding an AI training pipeline or competitive intelligence aggregation.
Finding 5 — Security Event (Blocked) · Low Severity
One attacker IP,  Western Europe , registered to known bulletproof-hosting AS, probed 13 common Next.js framework paths in under one second. All blocked by WAF managed rules before origin. Not targeted — mass-sweep scanner.
Finding 6 — Credential-Hunt Probe (Blocked)
Subsequent scanner, separate IP, probed 47 common secret-file paths (.env, .aws/credentials, .cursor/mcp.json, .anthropic/config.json, .openai/config.json, serviceAccountKey.json). All 404. Structural note: the compiled single-binary architecture has no filesystem locations for those files to exist — "secure by construction."

Platform Architecture

Single Rust binary on one application server. AI inference on one GPU server. Zero external cloud. No data leaves Morgan State perimeter without explicit integration to Splunk, Google SOAR, or the ticketing system.

┌────────────────────────────────────────────────────────────────────┐ │ MORGAN STATE PERIMETER │ │ │ │ ┌─────────────────────────┐ ┌─────────────────────────┐ │ │ │ CochranBlock CTI Node │ │ Kova Inference (GPU) │ │ │ │ (Rust, ~15 MB) │───▶ │ Local LLM, TTP │ │ │ │ │ │ summarization │ │ │ │ • Discovery engine │ │ Air-gapped │ │ │ │ • Attribution │ └─────────────────────────┘ │ │ │ • Dark-web collector │ │ │ │ • Fraud protection │ │ │ │ │ • Action logger │ ▼ │ │ └───┬──────────────┬──────┘ ┌────────────────────┐ │ │ │ │ │ Signed action log │ │ │ │ │ │ (blake3 + nanosign)│ │ │ │ │ └────────────────────┘ │ │ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────────┐ ┌──────┐ │ │ │ Splunk │ │ Google │ │ Ticketing │ │ Dash │ │ │ │ SIEM │ │ SOAR │ │ (ServiceNow) │ │ board│ │ │ │ (HEC) │ │ │ │ │ │ │ │ │ └──────────┘ └──────────┘ └──────────────┘ └──────┘ │ │ │ │ ┌─────────────────────────────────────────────────────┐ │ │ │ Identity: Microsoft Entra ID + Cisco Duo │ │ │ └─────────────────────────────────────────────────────┘ │ └────────────────────────────────────────────────────────────────────┘ │ ▼ ┌──────────────────┐ ┌───────────────────────────────────┐ │ Public internet │ │ Subcontracted data feeds │ │ discovery │ │ (Hudson Rock / Constella) │ │ (outbound only) │ │ Flow-through, scoped, disclosed │ └──────────────────┘ └───────────────────────────────────┘

IP Posture — Background vs. Foreground

Background IP

Remains CochranBlock Property

Pre-existing crates and tools: kova-engine, exopack, any-gpu, header-writer, approuter, whobelooking, aptnomo, pixel-forge, tmuxisfree. Publicly auditable at github.com/cochranblock. Licensed to Morgan State for use during the contract term + exercised options. We retain ownership and commercialization rights.

Foreground IP

Delivered to Morgan State

Customer-specific work product created during the contract: Morgan State pattern-library entries, the MSU Splunk Technology Addon, institution-specific dashboards, Morgan-tuned AI fine-tunes, and Morgan-specific configurations. Delivered under the Unlicense at contract completion. Morgan State owns it outright — fork, extend, disable, redistribute, all permitted.

Why this matters: most vendors conflate the two, retaining everything. We deliberately separate them so Morgan State walks away from the contract with tangible ownership of customizations, while CochranBlock retains freedom to serve other customers without IP overhang.

Exceeds Minimum Requirements

1 Memory-safe compiled architecture. Rust compiler eliminates ~70% of critical CVE classes. CISA Secure-by-Design alignment built in at construction, not bolted on.
2 On-device AI inference. Morgan State data never traverses third-party AI endpoints. Deterministic compliance posture.
3 Source code delivered under Unlicense. Zero vendor lock-in, permanently. Morgan retains self-maintenance capability post-contract.
4 Live, independently-auditable reference. cochranblock.org operates today as the same architecture proposed. Evaluators inspect before award.
5 Full IPv4 + IPv6 + 65K-port coverage. IPv6 required (Q38), full-port preferred (Q37). Included as baseline, not upsell.

Formal Proposal Docs Are Submitted Via eMMA

This page is supplementary. All substantive content — Technical Proposal, Financial Proposal, all required Attachments — has been submitted through eMaryland Marketplace Advantage per the RFP's official submission channel.