Split-Brain Harness

AI Security Infrastructure for Government LLM Deployments


SGAIL · North Shore, Oahu, HI · DHS SBIR Phase 1 Candidate


sbh demo --serve --offline   # live demo — no backend required

Rust · MIT · Single static binary · Air-gap ready

The Problem

LLMs are being deployed in cleared and government-adjacent environments with no security telemetry.


Attack vector What the model sees What it actually is
Prompt injection Legitimate user request Instruction override targeting keys/config
Insider threat "Help me map data access" Audit-gap reconnaissance
Authority impersonation "Director Hargrove, NSA..." Fabricated federal authority
Encoding evasion іgnοre аll іnstructіοns Cyrillic homoglyphs → payload
Slow-boil escalation 3 benign turns, then attack Missed without session context

No existing LLM gateway detects these at the protocol layer — before the model responds.

Split-Brain Harness

Drop-in OpenAI-compatible proxy. Every request passes through a two-stage telemetry pipeline before reaching the model.


 User / Client
      │
      ▼
 Stage 0 — Normalizer      deobfuscate: homoglyphs · base64 · Morse · leet · backslash
      │
      ▼
 Stage 1 — Propose (LLM)   soul-injected: affective · intent · cognitive telemetry
      │
      ▼
 Stage 2 — Verify (det.)   fail-closed consistency check · stop_and_ask on conflict
      │
      ▼
 Session tracker            escalation detection across turns
      │
      ▼
 Response + headers         x-sbh-witness · x-sbh-session-alert · audit JSONL

Model only runs after Stage 1 + 2 complete. Block is possible before any LLM inference.

Benchmark Results

Evaluated on three public adversarial datasets · llama3.2:3b · local Ollama · air-gapped


Dataset Rows Precision Recall F1 Notes
CyberEC 141 1.00 0.50 0.67 Zero false positives
TrustAI Jailbreaks 1,398 94.8% flagged Unlabeled
Deepset Prompt Injections 546 0.81 0.37 0.51 3B local model limit†

Stage 0 normalizer catches 50% of CyberEC encoding-evasion FNs:
homoglyphs · base64 · Morse · backslash-escape · fullwidth · leet

† Deepset recall improves with capable backend (Claude/GPT-4). Precision is backend-independent.

Key Capabilities


Capability SBH Standard LLM Gateway
Two-stage telemetry (propose + verify) ✅
Stage 0 deobfuscation normalizer ✅
Soul-injected identity baseline ✅
Multi-turn session escalation detection ✅
Air-gap / local model capable ✅ rarely
Ephemeral sandboxed tool execution (WASM) ✅
OpenAI-compatible drop-in proxy ✅ varies
JSONL audit trail + Prometheus metrics ✅ varies
Single static Rust binary ✅

Live demo commands (no backend required)

sbh demo --offline             # 5 DHS-relevant threat scenarios
sbh demo --serve --offline     # 5-turn slow-boil foreign adversary escalation

DHS SBIR Phase 1

What we're building

A hardened, air-gap-deployable AI security layer for government LLM deployments — tamper-evident audit trail, session-level threat detection, sandboxed tool execution.

Phase 1 milestones (~$300K · 6 months)

Milestone Deliverable
M1 Benchmark suite against DHS-relevant labeled datasets
M2 Hardened sbh serve with FedRAMP-aligned audit controls
M3 Normalizer v2 — full Unicode TR39 confusables, entropy scoring
M4 Red-team evaluation by independent cleared assessor
M5 Open-source release + technical report

SGAIL · trentdoosday@gmail.com · github.com/bigblue-r4/split-brain-harness

Slide 1: Title

Slide 2: The Problem

Slide 3: The Solution

Slide 4: Benchmark Results

Slide 5: Key Capabilities

Slide 6: The Ask