WGDS / ARCHITECTURE

Three layers. One gate.

Three architectural layers, each structurally invulnerable to the systems it governs. The Watcher confirms Churchill is operating. Churchill verifies what executes. The Protector anchors Churchill in the kernel, below the reach of user-space or root.

Diagram: Churchill's Protocol runtime architecture, a three-layer architecture in which The Watcher monitors offsite, Churchill operates as the runtime gate, and The Protector anchors Churchill in the kernel. Diagram labels: The Watcher, an offsite sentinel that confirms Churchill is operating (remote, stealth, wrapped in Churchill); protected systems shown as financial, infrastructure and healthcare; Churchill, runtime clearance, every request passes through first with no lag, approved requests run at full speed and unapproved requests stop pre-execution; the core is the highest authority and cannot be overridden; stopped, locked and logged as audit-grade, prosecution-ready forensic evidence; The Protector, kernel-anchored, below the reach of user-space or root (hidden, anchored, fail-closed, unopenable).

The Watcher

An offsite sentinel that confirms Churchill is still operating. If Churchill goes silent, The Watcher detects the anomaly and, once its criteria are met, triggers the imminent-breach response.
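The liveness check described above, as an added example that is not part of this page or of WestGate's product. It assumes things the page does not state: that the gate emits one heartbeat per fixed interval carrying a monotonically increasing counter and an HMAC under a key shared with The Watcher, that silence is declared after a set number of consecutive missed intervals, and that a bad MAC or a replayed counter counts as tampering rather than as a live gate. The heartbeat messages are constructed for the example.

```python
"""Offsite liveness check for a runtime gate (illustrative, not WestGate code)."""
import hashlib
import hmac

HEARTBEAT_KEY = b"watcher-gate-shared-key-for-illustration"  # constructed
INTERVAL_S = 30        # assumed heartbeat period
MISSED_LIMIT = 3       # assumed: this many missed intervals means "silent"


def heartbeat_mac(host, counter, ts):
    msg = f"{host}|{counter}|{ts}".encode()
    return hmac.new(HEARTBEAT_KEY, msg, hashlib.sha256).hexdigest()


def make_heartbeat(host, counter, ts):
    """Gate side: an authenticated heartbeat with a monotonic counter."""
    return {"host": host, "counter": counter, "ts": ts,
            "mac": heartbeat_mac(host, counter, ts)}


def assess(heartbeats, now):
    """Watcher side: return ('ok' | 'silent' | 'tampered', reason).

    heartbeats: messages received for one host, in arrival order.
    A bad MAC or a counter that does not strictly increase is 'tampered'
    (someone is replaying captured heartbeats to hide a dead gate).
    If the newest authentic heartbeat is MISSED_LIMIT intervals old, the
    gate is 'silent' and the escalation criteria are met.
    """
    last_counter = -1
    last_ts = None
    for hb in heartbeats:
        expected = heartbeat_mac(hb["host"], hb["counter"], hb["ts"])
        if not hmac.compare_digest(str(hb.get("mac", "")), expected):
            return "tampered", f"bad MAC on counter {hb['counter']}"
        if hb["counter"] <= last_counter:
            return "tampered", f"counter {hb['counter']} replayed or rolled back"
        last_counter, last_ts = hb["counter"], hb["ts"]
    if last_ts is None:
        return "silent", "no authentic heartbeat ever received"
    missed = (now - last_ts) // INTERVAL_S
    if missed >= MISSED_LIMIT:
        return "silent", f"{missed} intervals without a heartbeat"
    return "ok", f"last heartbeat {now - last_ts}s ago"


def run_scenarios():
    """Healthy, killed, replayed, forged and never-seen gates (constructed)."""
    t0 = 1_700_000_000
    healthy = [make_heartbeat("host-01", i, t0 + i * INTERVAL_S) for i in range(5)]
    now = t0 + 4 * INTERVAL_S + 10
    results = {"healthy": assess(healthy, now)[0]}
    # Gate killed after counter 4: nothing arrives for MISSED_LIMIT intervals.
    results["silent"] = assess(healthy, t0 + (4 + MISSED_LIMIT) * INTERVAL_S)[0]
    # Attacker keeps the channel "alive" by replaying the last captured heartbeat.
    results["replay"] = assess(healthy + [healthy[-1]], now)[0]
    # Attacker forges a fresh-looking heartbeat without the key.
    forged = dict(make_heartbeat("host-01", 5, now), mac="0" * 64)
    results["forged"] = assess(healthy + [forged], now)[0]
    results["never_seen"] = assess([], now)[0]
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The counter is what turns "still hearing heartbeats" into "the gate itself is still running": without it, an attacker who stops the gate and replays a captured message would look healthy to the Watcher.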

Churchill

The runtime gate. A cryptographically signed snapshot of your application defines what is allowed to run and is verified in real time, with no performance cost. Legitimate traffic passes through at full speed. Anything that falls outside the snapshot is stopped before it executes and preserved as forensic evidence.

The Protector

Anchors Churchill in the kernel below the reach of user-space, root, or remote access. Hidden, fail-closed, unopenable. Without The Protector, Churchill could be tampered with. With it, Churchill is structurally invulnerable to the systems it governs.

WHAT THIS MEANS FOR YOUR OPERATIONS

Built to fit a CISO's existing model. One binary per host. Tamper events flow into your existing incident response. Evidence is audit-ready. Broad platform fit across Linux, with a Windows edition in development.

WHAT MAKES CHURCHILL DIFFERENT

Four architectural decisions.

Not part of your build pipeline.

Build pipelines sign whatever the build infrastructure produces. A compromised build means signed corrupt code, deployed with full pipeline trust. Churchill operates separately, verifying what is actually running against what your governance board approved, regardless of how the code was built.

Stops the attack. Not your business.

When Churchill blocks an unauthorized change, the protected application keeps running. Customers, transactions, operations continue uninterrupted. Churchill shuts a system down only when an attacker has compromised Churchill's own recovery layers and is attacking repeatedly.

Attackers perceive success. You get evidence.

Blocked attacks do not disappear. They get captured. The attack plays out against the mirror envelope: the attacker continues executing their playbook, perceiving success, while not one byte on the real system is modified. Every action becomes prosecution-grade forensic evidence with a complete chain of custody.

You see them coming. They never see you.

Enforcement at every decision point.

Churchill evaluates every execution request before it runs: 406,433 decisions in 11.3 hours during the Mythos engagement. Every program, script, credential, and AI agent action was evaluated against the CAB-signed package. No lag: legitimate work ran at full speed, and unauthorized work did not run at all.
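The gate described under "Churchill" above and the pipeline-independence point under "Not part of your build pipeline", as one added example that is not part of this page or of WestGate's product. It assumes things the page does not state: that the signed snapshot is a manifest mapping each allowed executable's path to its SHA-256, that the approval signature is an HMAC under a key held only by the approving board (a stand-in for an asymmetric signature; the point is that the key is not the build pipeline's), and that the "filesystem" is an in-memory dict of constructed file contents so the example runs offline. The file contents, paths and the attacker's changes are all constructed.

```python
"""Runtime gate against a signed application snapshot (illustrative, not WestGate code)."""
import hashlib
import hmac
import json

APPROVER_KEY = b"approver-key-for-illustration-only"  # constructed; not the pipeline's key

# Constructed application files: the content the governance board reviewed.
APP_FILES = {
    "/srv/app/bin/server": b"#!/bin/sh\nexec /srv/app/lib/server-impl --port 8080\n",
    "/srv/app/bin/backup.sh": b"#!/bin/sh\ntar czf /backups/app.tgz /srv/app/data\n",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest):
    # Deterministic encoding so the signature covers exactly one byte string.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_snapshot(files):
    """Approver side: hash every allowed executable and sign the manifest."""
    manifest = {path: sha256(content) for path, content in files.items()}
    sig = hmac.new(APPROVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


def verify_snapshot(snapshot):
    """Return the manifest if its signature checks out, else None."""
    manifest = snapshot.get("manifest", {})
    expected = hmac.new(APPROVER_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(snapshot.get("sig", ""))):
        return None
    return manifest


class Gate:
    """Evaluate each execution request against the verified manifest; fail closed."""

    def __init__(self, snapshot, fs):
        self.manifest = verify_snapshot(snapshot)  # None means: block everything
        self.fs = fs
        self.evidence = []  # every blocked request, kept for forensics

    def decide(self, path):
        if self.manifest is None:
            return self._block(path, "snapshot signature invalid; gate is fail-closed")
        content = self.fs.get(path)
        if content is None:
            return self._block(path, "requested file does not exist")
        approved = self.manifest.get(path)
        if approved is None:
            return self._block(path, "not in the approved snapshot")
        observed = sha256(content)
        if not hmac.compare_digest(approved, observed):
            return self._block(path, "content differs from the approved hash", observed)
        return True

    def _block(self, path, reason, observed=None):
        self.evidence.append({"path": path, "reason": reason, "observed_sha256": observed})
        return False


def run_scenarios():
    """Approved binary runs; dropped, modified or manifest-injected code does not."""
    snapshot = build_snapshot(APP_FILES)
    fs = dict(APP_FILES)
    # Attacker with root on the host drops a tool and back-doors backup.sh.
    # How the modified file was built or signed upstream never enters the decision.
    fs["/srv/app/bin/miner"] = b"\x7fELF constructed placeholder for an unapproved binary"
    fs["/srv/app/bin/backup.sh"] += b"cat /etc/shadow > /tmp/.s\n"
    gate = Gate(snapshot, fs)
    results = {
        "approved_server": gate.decide("/srv/app/bin/server"),
        "dropped_tool": gate.decide("/srv/app/bin/miner"),
        "modified_backup": gate.decide("/srv/app/bin/backup.sh"),
        "blocked_count": len(gate.evidence),
    }
    # Attacker also edits the snapshot on disk to allow the tool, but cannot re-sign it.
    tampered = json.loads(json.dumps(snapshot))
    tampered["manifest"]["/srv/app/bin/miner"] = sha256(fs["/srv/app/bin/miner"])
    results["tampered_snapshot_accepted"] = verify_snapshot(tampered) is not None
    results["tool_under_tampered_snapshot"] = Gate(tampered, fs).decide("/srv/app/bin/miner")
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Two design choices carry the page's argument: the decision compares what is on the host against what the approver signed, so a build pipeline that signs a back-doored artifact gains nothing; and an unverifiable snapshot blocks every request rather than falling back to "allow", which is what fail-closed means in practice.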

WHITEPAPER / FOR ENGINEERING TEAMS

Read the engineering whitepaper.

The whitepaper describes Churchill's architecture in trust-domain terms: the integrity sentinel embedded in the application, the privileged sentinel on the host, and the off-host control plane. The named components above (The Watcher, Churchill, The Protector) are how those domains are realized in the runtime. Both framings describe the same system.

Authored by Marc Costa, Co-Founder and CTO. Covers fail-closed runtime integrity, three-domain trust architecture, off-disk runtime, locked baselines, and independent adversarial evaluation results.

Built and validated on IBM LinuxONE.

Linux kernel 5.7 and higher. Compatible with Linux on x86 and Power, containers, virtual machines, and bare metal. WestGate Data Science is an IBM Technology Partner.

ANTHROPIC Cyber Verification Program

Adversarially tested through Anthropic's Cyber Verification Program.

Mythos engagement: 29 documented sessions, 11.3 cumulative hours, 406,433 enforcement decisions, multiple sessions starting with full root. 100% containment. Zero data exfiltrated.