VIRP is the BGP of AI trust — an open protocol anyone can implement. Built by Third Level IT. Apache 2.0.
Every AI agent operating on real infrastructure needs seven things to be trustworthy. We built all seven. Installed, tested, running in production. Nobody else has started.
The AI never touches the device. A separate C process collects raw output via SSH, signs it with HMAC-SHA256 at the point of collection, and serves pre-signed data to the AI layer. The signing key exists only in O-Node process memory. Fabricated data has no valid signature.
Every command is classified at the O-Node level — not by the AI. The AI has full admin credentials to every device. It structurally cannot misuse them. BLACK-tier commands have no message type, no approval path, no override. You cannot bypass a rule that was never written.
Every proposed change becomes a formal, signed object — referencing specific observations by HMAC, including impact assessment and a pre-planned rollback. No verified evidence, no proposal accepted. Stale evidence is rejected. Every change is traceable to the signed observations that triggered it.
After every approved change, the system automatically re-observes affected devices and compares before/after state. Both signed. If the outcome doesn't match the intent, the pre-planned rollback triggers automatically. Observe → Propose → Approve → Execute → Verify. Every step signed.
The AI learns what "normal" looks like from accumulated signed observations over time. No thresholds. No rules. Verified history. The baseline is built from HMAC-signed data — the AI cannot hallucinate what normal looks like. Silence means health. A message means something actually changed.
Every action produces a signed artifact referencing the previous by HMAC. Observation → Intent → Approval → Execution → Outcome. Tampering with any link breaks the chain. Blockchain-grade integrity without blockchain. No consensus. No tokens. Just signed artifacts in sequence.
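The linking described above can be sketched in a few lines. This is an added example, not VIRP's wire format or reference code: the JSON layout, the field names (`seq`, `stage`, `payload`, `prev`, `hmac`) and the sample payloads are assumptions made for illustration.

```python
import hashlib
import hmac
import json

FIELDS = ("seq", "stage", "payload", "prev")  # assumed artifact layout

def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append(chain: list, key: bytes, stage: str, payload: str) -> dict:
    """Sign a new artifact that references the previous artifact's HMAC."""
    prev = chain[-1]["hmac"] if chain else None
    body = {"seq": len(chain), "stage": stage, "payload": payload, "prev": prev}
    artifact = dict(body, hmac=_mac(key, body))
    chain.append(artifact)
    return artifact

def first_broken_link(chain: list, key: bytes) -> int:
    """Return the index of the first artifact that fails, or -1 if intact."""
    prev = None
    for i, art in enumerate(chain):
        body = {f: art.get(f) for f in FIELDS}
        linked = art.get("seq") == i and art.get("prev") == prev
        signed = hmac.compare_digest(str(art.get("hmac")), _mac(key, body))
        if not (linked and signed):
            return i
        prev = art["hmac"]
    return -1

def build_demo_chain(key: bytes) -> list:
    # Constructed sample payloads; not real device output.
    steps = [
        ("observation", "R6: show ip bgp summary -> 1 of 3 peers Idle"),
        ("intent", "reset the idle BGP session; rollback: none needed"),
        ("approval", "operator approved"),
        ("execution", "R6: clear ip bgp <peer>"),
        ("outcome", "R6: show ip bgp summary -> 3 of 3 peers Established"),
    ]
    chain = []
    for stage, payload in steps:
        append(chain, key, stage, payload)
    return chain

if __name__ == "__main__":
    demo = build_demo_chain(b"constructed-demo-key")  # placeholder key
    print("first broken link:", first_broken_link(demo, b"constructed-demo-key"))
```

Dropping artifacts from the end of the chain still verifies, so a verifier has to learn the newest HMAC or the expected length from somewhere other than the chain itself.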
Ed25519 asymmetric signatures for multi-tenant deployments. Each O-Node holds its own private key. Verifiers hold only public keys. An MSP manages 15 clients — verifying everything, forging nothing. Compromise of one node doesn't compromise others. Multi-tenant AI operations with cryptographic tenant isolation.
The protocol specification and reference implementation are open source. All seven trust primitives — installed, tested, running.
The AI never talks to your devices directly. A hardened observation node sits between the AI and your infrastructure, signing everything it collects.
Natural language. "How's the network looking?" or "Why is R6 dropping BGP peers?" No CLI knowledge needed.
A hardened C daemon connects to your devices via SSH and API, collects raw output, and signs every observation with HMAC-SHA256 at the point of collection.
The AI interprets signed observations and presents findings. Every data point carries a cryptographic signature you can verify. No signature, no assertion.
We built VIRP to solve a problem no one else was addressing: AI systems fabricating infrastructure data and acting on it. It's the BGP of AI trust — an open protocol anyone can implement. Apache 2.0.
Observations and intent travel on cryptographically separated channels. The Observation Channel uses O-Keys to sign raw device output at the point of collection. The Intent Channel uses R-Keys for AI reasoning and proposals. The AI never holds the keys that certify facts.
HMAC-SHA256 signatures are computed by a hardened C daemon (the O-Node) the moment data is collected from a device. The AI receives pre-signed observations. It cannot retroactively sign its own output or forge a measurement it never made.
GREEN operations (monitoring) auto-execute. YELLOW (diagnostics) flag an operator. RED (configuration changes) require human sign-off. BLACK operations like factory resets are structurally absent — there is no message type for them in the protocol.
Every remediation proposal must reference signed observations. The protocol rejects proposals that cite unverified data. No signature chain, no action — enforced at the wire format level, not by policy.
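A minimal sketch of that acceptance rule, run on the side that holds the O-Key. It is an added example rather than the project's code: the record fields, the store keyed by HMAC, the 300-second freshness window and the rejection strings are all assumptions, since the page does not publish them here.

```python
import hashlib
import hmac
import json

MAX_AGE_S = 300  # assumed freshness window; the page does not give one

def _mac(key: bytes, body: dict) -> str:
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def observe(store: dict, okey: bytes, device: str, ts: int, raw: str) -> str:
    """Observation side: sign raw output at collection, file it by its HMAC."""
    obs = {"device": device, "ts": ts, "raw": raw}
    tag = _mac(okey, obs)
    store[tag] = obs
    return tag

def check_proposal(proposal: dict, store: dict, okey: bytes, now: int) -> str:
    """Return 'accepted' or the first reason the proposal is refused."""
    evidence = proposal.get("evidence") or []
    if not evidence:
        return "rejected: no evidence cited"
    if not proposal.get("impact") or not proposal.get("rollback"):
        return "rejected: missing impact assessment or rollback"
    for tag in evidence:
        obs = store.get(tag)
        if obs is None:
            return "rejected: observation not found"
        if not hmac.compare_digest(_mac(okey, obs), tag):
            return "rejected: signature does not verify"
        if now - obs["ts"] > MAX_AGE_S:
            return "rejected: stale evidence"
    return "accepted"

if __name__ == "__main__":
    okey, store, now = b"constructed-o-key", {}, 1_700_000_600  # constructed
    tag = observe(store, okey, "R6", now - 60, "BGP peer state: Idle")
    plan = {"evidence": [tag], "impact": "one session reset",
            "rollback": "restore saved neighbor config"}
    print(check_proposal(plan, store, okey, now))
    print(check_proposal(dict(plan, evidence=["ab" * 32]), store, okey, now))
```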
Observation Channel collects and signs. Intent Channel proposes and verifies. The AI never touches the device directly.
VIRP is Apache 2.0-licensed. The protocol spec, O-Node reference implementation, and full test suite (27 tests covering structural guarantees) are available for anyone building AI systems that interact with real infrastructure.
When AI systems have command execution authority over infrastructure, they sometimes generate plausible-looking device output that never came from an actual device. We documented cases where the AI fabricated firewall policies with valid UUIDs, reported security threats from documentation IP addresses, and proposed routing changes based on invented OSPF data. All labeled "Confidence: HIGH." This isn't a theoretical risk — it happened to us in production.
Standard HMAC signing protects the transport — it proves data wasn't tampered with in transit. VIRP signs at the observation point, before the AI sees the data. The AI cannot bypass the signature by generating output in its own response because it doesn't hold the signing key. The key only exists in a hardened C process the AI has no access to.
It says so. There's no unsigned fallback path. If the observation node can't connect to a device, the response is a verified "connection failed" message, not an AI-generated guess about what the device might be doing. No data means no assertion.
Only with explicit human approval. Read-only monitoring commands (GREEN tier) execute automatically. Diagnostic commands (YELLOW) flag an operator. Configuration changes (RED) require human authorization before execution. Destructive operations (BLACK) — factory resets, key deletion, disabling the observation channel — are structurally absent from the protocol. There is no message type for them.
A live network lab with 35 Cisco routers running BGP across 13 autonomous systems, a FortiGate firewall, a Proxmox hypervisor, Windows domain controllers, and a Wazuh SIEM. VIRP running against all of it. Real devices, real traffic, real observations. Reach out and we'll walk you through it.
Anyone running AI agents against real infrastructure. The MSP managing 15 client networks who needs cryptographic proof their AI isn't fabricating data. The security team that wants verified facts, not AI opinions. The infrastructure team that needs AI-powered monitoring they can actually trust. And anyone who wants to implement VIRP in their own stack — the protocol is open, the spec is public, the code is Apache 2.0.
If you'd like a demo, call or email me. I'll walk you through the platform on real infrastructure.