When you buy a Validiti SKU you don't pick a la carte from a security menu. The seven primitives below are floor — always-on, same key, same code, same proof. Other vendors sell each separately and charge per endpoint, per gigabyte, per certificate. We made them substrate.
Validiti's substrate runs on two distinct cryptographic chains. Knowing the difference matters when a customer auditor asks "who can sign what."
BIN-1..BIN-9 trust anchor — one Ed25519 keypair (pubkey fingerprint 8c51880cd4713f7503a9687bc0370c1c) that signs every binary release across the catalog. The private half lives in a secure enclave and is used only at signing time. The public half is embedded in seal_verify, bot_drift_channel, and the ShiftCAPTCHA widget. Verify-only at runtime. Customers never receive this key.
Per-instance Pacta keypair — auto-generated on first boot of each customer install. Signs the customer's own audit events. A multi-replica deployment can pin a shared keypair so the audit chain stays coherent across pods. Customer-held; never transmitted to Validiti.
The two chains never cross. Validiti can prove a binary came from us (chain 1). The customer can prove an event came from their instance (chain 2). Auditors can verify both independently with publicly-published keys. No Validiti-side state is ever required to verify customer events.
One card per always-included thing. Every Validiti SKU you've already read about (or will) uses some subset; together they form the floor.
In-process tamper detection with a sub-millisecond shutdown path. File-integrity baseline established at boot; per-request rate-limited re-verification. On tamper, os._exit — the orchestrator recycles the container before another request lands.
Same Ed25519 keypair signs every binary across the catalog. The seal-verify chain runs at engine import: SHA-256 of the binary recomputed, signature checked against the embedded pubkey, fingerprint compared to the manifest's claim. Mismatch → the process exits before any request is served.
Canonical-JSON encoding plus Ed25519 signing for every domain event. Sitekey hashes, challenge IDs, verdict codes — whatever shape the SKU needs. Signers can be the BIN trust anchor (Validiti releases) or a per-instance customer keypair (customer audit chains).
Append-only signed JSONL streams tied to a named asset (a brain, a library, a runtime, a bot-signature feed). Receivers verify each signature, drop expired, apply the active set. Customers can subscribe to public Validiti channels or publish their own private ones.
One vocabulary across the catalog. Every claim — every CAPTCHA verify, every Knowledge answer, every Personas response — carries one of VERIFIED, PARTIAL, NO_SOURCE, EXPIRED, REPLAY, VERIFIED_HUMAN, VERIFIED_BOT. Auditors don't have to learn a new schema per SKU.
Subscribes to signed events from every other Validiti SKU on the customer's deployment. Aggregates into a single per-customer JSONL feed (or HTTP endpoint of your choosing). Same Ed25519 verification on ingest, same canonical-JSON encoding on store.
Memory-mapped columnar storage with native segmented columns and CRC integrity. Where any SKU needs an append-only log on disk — verifications, audit events, drift state, provenance history — VSS is what's underneath. Single substrate, multiple SKUs.
Each primitive above is sold separately by another vendor. Stack them up at typical mid-market enterprise pricing and you get this.
| Validiti includes | Industry equivalent | Typical pricing |
|---|---|---|
| Titus runtime integrity | CrowdStrike Falcon · SentinelOne · Wazuh | $5–$20 / endpoint / mo |
| BIN trust anchor + signed binaries | Sigstore · DigiCert code signing | $300–$2,000 / cert / yr |
| Pacta42 signed event substrate | DataDog audit logs · Splunk | $0.10–$2.30 / GB ingested |
| Drift signed-update channel | JFrog Artifactory · Anchore | $30K+ / yr (enterprise) |
| Provenance verdict labels | No direct equivalent — usually built in-house | months of engineering |
| Audit cross-product trail | Splunk SIEM · Sumo Logic | $0.50–$5 / GB |
| VSS append-only columnar log | Loki · VictoriaMetrics + custom | infra + ops cost |
The trust anchor is public. Every binary's signature is public. You don't need our word for it; you need sha256sum.
python3 -c "import json; print(json.load(open('shift_captcha.manifest.json'))['pubkey_fingerprint'])"
# 8c51880cd4713f7503a9687bc0370c1c
curl https://signatures.validiti.com/captcha/.well-known/release_public.pem \ | openssl pkey -pubin -outform DER \ | tail -c 32 | sha256sum | cut -c1-32 # 8c51880cd4713f7503a9687bc0370c1c
python3 -c "
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.hazmat.primitives import serialization
import hashlib
pub = serialization.load_pem_public_key(open('release_public.pem','rb').read())
so = open('shift_captcha.cpython-313-x86_64-linux-gnu.so','rb').read()
sig = open('shift_captcha.cpython-313-x86_64-linux-gnu.so.sig','rb').read()
pub.verify(sig, hashlib.sha256(so).digest().hex().encode())
print('OK')"
instance-keys/pacta_public.pem. Audit consumers verify event signatures against that pubkey — no Validiti-side state required.
The substrate is additive. New primitives slot into the same trust chain, ship in the same release cadence, and become floor for every SKU at once.
Solve a ShiftCAPTCHA once on Site A. Get a batch of unlinkable, signed credentials. Redeem one per visit on any other Validiti-protected surface across the customer's fleet — no re-solve required, no cross-site tracking, signature unlinkability via blind signing.
The substrate already carries every primitive Mark needs: the BIN trust anchor signs the issuance keys, Pacta42 carries the issuance + redemption events, the drift channel ships revocations, the per-instance Pacta keypair sub-signs per-customer-domain credentials, Audit captures the trail. Mark is the protocol layer that ties them together.
Status: design phase. Same fingerprint, same code, same proof — eventually included in every SKU on the same "always-on" terms as the seven primitives above.