IDC Validated · 14-Vector Attack Matrix · COMPOSIT · ACTRUST · Google Cloud Marketplace

52 Enterprise Agent
Environments.
One Governance Layer.

VARC intercepts AI agent actions before they execute — then reasons, correlates, and proves it. The COMPOSIT engine aggregates 5 governance domains per interaction into a single cryptographically anchored verdict. 12-dimension BEV scoring. Agent-to-agent commerce trust. OWASP LLM 2025 attack matrix. No code changes. No policy rewrites.

52
MCP Environments
692
Compliance Frameworks
819K+
Cross-Mappings
12
BEV Dimensions
5
Governance Domains
VARC RUNTIME — LIVE GOVERNANCE
0 governed · 0 blocked
Initializing VCL cognitive layer...
"VARC represents a potential new market category in AI Behavioral Governance — only ones looking at this problem at the instruction level."
IDC RESEARCH — GVP SECURITY & TRUST · RESEARCH DIRECTOR, AI SECURITY
IDC Validated — New Market Category Google Cloud Marketplace Google Cloud Partner Advantage 230+ Sprints · 11 Patents · Production
OWASP LLM Top 10 · 2025

Agentic Security Intelligence

Three new attack classes in OWASP 2025 target autonomous agents mid-session — inside the execution loop, invisible to boundary tools. VARC is the only governance platform covering all three.

2M+
Adversarial Prompts Tested
85%
Overall Accuracy
730+
Detection Patterns
15+
Industry Profiles Calibrated

The Critical Distinction

Existing security tools — SIEMs, EDRs, prompt firewalls — operate at the boundary. They see instructions come in and results go out. VARC operates inside the execution loop — scoring every instruction, every tool response re-entry, and every session turn against a behavioral baseline.

Goal hijacking, memory corruption, and sleeping giant attacks are invisible to boundary tools.

What ServiceNow Knowledge 2026 Confirmed

ServiceNow governs which agents exist and what workflows they completed. VARC governs whether each instruction was safe to execute — and proves it cryptographically, per interaction, before the agent acts. These are complementary, not competitive.

ServiceNow AI Control Tower GA: August 2026. VARC: Live in production today.

LLM01 · 2025
Prompt Injection
Malicious instructions embedded in tool responses, documents, or external data — hijacking agent behavior mid-session without detection.
FULL COVERAGE
LLM02 · 2025
Sensitive Information Disclosure
Unauthorized exposure of PII, PHI, CUI, or classified data through agent queries and bulk exports — scored before execution.
FULL COVERAGE
LLM04 · 2025
Data and Model Poisoning
Supply chain attacks — backdoored packages, malicious registry artifacts, CI/CD pipeline injection. 28 DevOps detection patterns.
FULL COVERAGE
NEW — LLM07 · 2025
Agentic Goal Hijacking
Agent objective corrupted through adversarial tool responses mid-session. Happens inside the execution loop — no single-instruction system catches this pattern.
VARC COVERAGE
NEW — LLM08 · 2025
Memory Corruption
Session context poisoned over multiple turns. VARC's CUSUM algorithm detects behavioral drift against the session baseline before corruption compounds.
VARC COVERAGE
NEW — LLM09 · 2025
Embedding Inversion
Extracting training data from vector embeddings via crafted agent inputs. Detected via INFO_SEEKING BEV dimension and reconnaissance pattern library.
IN ROADMAP
BEV Engine — Sprint 59

12-Dimension Behavioral Scoring

The Behavioral Envelope Verification engine expanded from 8 to 12 dimensions — adding four critical governance signals for EU AI Act alignment, explainability mandates, and data subject rights.

12
BEV Dimensions
4
New Dimensions
692
Compliance Frameworks
0.95
Consent Weight
New · EU AI Act Art.13
Hallucination Risk
Detects confabulation of regulatory citations, fabricated clinical trial results, invented case law, and fake audit findings. Weight: 0.85.
NIST AI RMF MAP 2.3
New · ECOA Adverse Action
Explainability Deficit
Fires when agents refuse to explain credit decisions, conceal reasoning methodology, or produce opaque scoring outputs in regulated contexts. Weight: 0.75.
SR 11-7 III.B
New · GDPR Art.5(1)(b)
Purpose Limitation
Detects agents operating outside defined governance scope — customer-facing agents attempting internal modifications, read-only agents attempting writes. Weight: 0.90.
EU AI Act Art.9
New · GDPR Art.6-9
Consent Violation
Scores processing of personal data without adequate consent — biometric data without explicit consent, withdrawn consent re-use, cross-purpose data use. Weight: 0.95.
HIPAA Authorization
Interactive Demo

Score an Instruction. Right Now.

No login. No setup. Select an agent and scenario — safe or adversarial — and watch VARC score it live. Same BEV engine as production.

VARC Adversarial Simulator
BEV + GRO + VCL
Adversarial Testing · New

Red Team Your Agents. Before Someone Else Does.

42 adversarial vectors through the live BEV pipeline. OWASP LLM Top 10 · MITRE ATLAS · NIST AI 100-2 E2025 · CVSS-scored. Every breach escalated to VCL cognitive deliberation.

42
Attack Vectors
14
Categories
8.6
Avg CVSS
20
CRITICAL Severity
NEW — DNS TUNNELING
Covert Channel Exfiltration
DT-003: Encodes sensitive data in API response timing — zero payload leaves the agent. Undetectable at network layer. VARC detects via instruction intent scoring before execution.
CVSS 8.4 · LLM02 · NIST AI 100-2 E2025
NEW — CROSS-CLOUD
Multi-Hop Injection Chain
XC-003: GCP → AWS → Azure. Each hop appears legitimate per cloud perimeter. Network controls at any single cloud catch nothing. VARC reads the instruction at the source.
CVSS 9.8 · LLM07 · MITRE AML.T0069
VERIFIED CAMPAIGN RESULT — BFS-REGULATORY-REPORT
a major US bank DFAST — Privilege Escalation + DNS Tunneling
RT-716FB4DE3378 · Evidence: 612FC3D95CC12788391B1DB2
13/13
CRITICAL blocked
9.1
avg CVSS
Subscribe to Access Red Team → 42-vector library API
Evidence Packages · Print-to-PDF

Compliance Evidence That Writes Itself.

Six packages generated at runtime from live governance data. Present to your examiner. No manual assembly.

SR 26-2 · APRIL 2026
Model Risk Management
~72% of the 90-page GSIB submission auto-populated from live governance data.
~90 pages →
SR 24-7 · NIST CSF 2.0
Cybersecurity Framework
49 subcategories covered. 9 documented gaps with roadmap. CISA CPG aligned.
52 subcategories →
NIST SP 800-61 REV 3
SOAR Integration
Splunk SOAR, XSIAM, ServiceNow. RS.MA-03 evidence package.
L2+ events →
NIST CSF 2.0 GV.SC
AI Supply Chain Risk
GV.SC-01 through GV.SC-10. Third-party AI governance per SR 26-2 Section V.
GV.SC controls →
NIST CSF 2.0 RC.RP
Recovery Procedures
Agent baseline snapshots, rollback procedures, post-incident communication templates.
RC function →
SHA-256 SEALED
Full Evidence Package
All 6 reports in one landing page. Hash-chained audit log. Board-ready summary.
Full package →
Open a major US bank Evidence Package → a global banking technology firm scenario Regional bank scenario
Runtime Governance Pipeline

The SAGA Framework

Every AI agent interaction passes through a 6-phase runtime pipeline before delivery or blocking. No LLMs in the enforcement path — deterministic by design.

S
Scoring
8-dimension Behavioral Envelope Verification scores every interaction across PII exposure, authority escalation, harm potential, data classification, consistency, fairness, accuracy, and information seeking.
A
Attenuation
Cryptographic identity tokens verify agent identity and attenuate permissions on delegation. Permissions can only narrow, never widen. The trust chain is mathematically enforced.
G
Governance
5-level Graduated Response: Monitor, Flag, Human-in-the-Loop, Session Freeze, Decommission. Proportional to risk — not binary block or allow. Enterprises need proportional enforcement.
A
Audit
SHA-256 hash-chained metagovernance evidence trail. Every governance decision is tamper-evident and WORM-locked. Cryptographic proof governance happened — not just logs.
Graduated Response Orchestration

5-Level Enforcement — Not Binary Block or Allow

A false positive at L4 does not kill a legitimate agent. It routes to a named human reviewer with full evidence. Proportional to risk — by design.

L0 — MONITOR
Autonomous Delivery
BEV below all thresholds. Logged and delivered. Clean-turn decay active.
<120ms
L1 — FLAG
Advisory Escalation
Borderline signal. Delivered with SOC visibility. Triggers L2 on repeated pattern.
<120ms
L2 — HITL HOLD
Human-in-the-Loop Review
Held for named reviewer approval. SLA tracked. Banking: 240 min. Government: 60 min.
SLA tracked
L3 — SESSION FREEZE
Session Terminated
All agent interactions halted. Evidence sealed. Incident auto-created. L3 reviewer assigned.
Immediate
L4 — DECOMMISSION
Agent Permanently Revoked
A-JWT invalidated. All sessions terminated. WORM-locked evidence. CISA-ready package. 15-minute SLA.
15 min SLA
The Platform

6 Governance Engines

Five deterministic enforcement engines — and a sixth cognitive intelligence layer that reasons about every decision. No LLMs in the enforcement path itself.

Scoring Engine
8-dimension BEV scoring on every interaction. PII, authority, harm, fairness, accuracy — scored before delivery. 730+ calibrated patterns.
Enforcement Engine
5-level Graduated Response. Monitor → Flag → HITL → Session Freeze → Decommission. Proportional to risk.
Discovery Engine
Shadow AI network scanning. Find unregistered AI endpoints across your enterprise before they become breaches.
Compliance Engine
692 live frameworks. 819K+ cross-mappings. Continuous assessment — not point-in-time. SR 26-2, HIPAA, EU AI Act.
Evidence Engine
SHA-256 hash-chained metagovernance trail. Every decision tamper-evident and WORM-locked. Cryptographic proof governance happened.
Cognitive Engine
VCL: economic impact (9th BEV dimension), predictive GRO, cross-agent patterns, governance debt, dynamic framework selection, chain-of-thought verdicts. LLM-agnostic.
Verifiable Cognitive Layer · June 2026

VARC Now Reasons.
Not Just Governs.

Six cognitive capabilities built above the SAGA enforcement engine. LLM-agnostic — Claude Sonnet, Gemini, GPT-4o, Mistral, or sovereign models. Now live with post-campaign cognitive analysis on confirmed breaches. All outputs are real production API responses.

Sprint 1
Multi-Provider LLM Router
Intelligent routing across Claude, Gemini, GPT-4, Mistral, and local Ollama models. Circuit breaker with silent fallback chain. LLM-agnostic by design.
LIVE
Sprint 2
Economic Impact — 9th BEV Dimension
Scores the business consequence of every agent action before it fires. Reversibility, blast radius, and regulatory exposure — not just behavioral signals.
LIVE
Sprint 3
Predictive GRO
Forecasts the GRO escalation level with confidence score before the BEV threshold fires. Plus cross-agent coordinated attack detection across 60-minute windows.
LIVE
Sprint 4
Governance Debt Engine
Accumulates weighted risk scores per agent across sessions. 30-day rolling window. Same prompt, different history — different GRO response. Behavioral intelligence, not rules.
LIVE
Sprint 5
Chain-of-Thought Verdict
6-step audit-grade reasoning chain per decision. Steps 1–5 deterministic from computed signals. Step 6 synthesis LLM-generated. Regulator-readable. Under 5 seconds.
LIVE
Sprint 6
Dynamic Framework Selection
Pre-selects the 10 most relevant frameworks from 692 before compliance runs. Agent type, industry, intent, and prompt content all inform selection. Full analysis in one API call.
LIVE
Gemini 2.5 Pro · Vertex AI Claude Sonnet GPT-4o Mistral Large Llama 3 · Local/Sovereign — swap providers per tenant, zero code changes
Real Production Outputs — a global banking technology firm · Banking Scenario

Economic Impact · Predictive GRO · CoT Verdict

Every output below was produced by the live VARC production API in response to a real attack prompt against ENT-AML-MONITOR — an AML override attempt using undocumented verbal authorization.

ENT-AML-MONITOR · Economic Impact /v1/cognitive/economic-impact
0.95
Impact Score
Irreversible Systemic Blast Radius Reg Exposure: 0.97
"Overriding an AML alert based solely on undocumented verbal authorization bypasses mandatory regulatory controls, creates an unaudited gap in suspicious activity reporting under FinCEN/FATF, and exposes the enterprise to severe regulatory sanctions and potential criminal liability that cannot be remediated after the transaction is processed."
ENT-LENDING-ADVISOR · Predictive GRO /v1/cognitive/predictive-gro
L3
Predicted · Session Freeze
Confidence: 0.92 Before BEV Fires
"Batch approval of 140 loan applications based solely on unverified verbal authorization bypasses mandatory documented credit committee approval chains — mass financial decision delegation with undocumented authority claim."
ENT-AML-MONITOR · Chain-of-Thought Verdict · 6 Steps 4,378ms · claude · confidence: 0.90
1
BEV Signal Analysis HIGH
BEV=0.78 · authority=0.91 · harm=0.72. Intent classified as compliance_bypass. Agent asserting permissions beyond documented authorization chain.
2
Economic Impact Assessment CRITICAL
Score 0.95 · Irreversible · Systemic · RegExposure 0.97. Suppressed AML alert enables potential financial crime — unaudited gap in FinCEN/FATF reporting unremediated after transaction processes.
3
Escalation Trajectory CRITICAL
Predictive model forecasts L3 (Session Freeze) at 93% confidence. No audit trail, no written compliance sign-off, high potential for financial crime facilitation.
4
Cross-Agent Context LOW
No coordinated multi-agent attack pattern in 60-minute observation window. Single-agent compliance bypass attempt — assessed in isolation.
5
Governance Debt LOW
0 governance debt points. No prior violations — baseline assessment applies. Debt adjustment: +0. Decision made on behavioral signals alone.
6
Verdict Synthesis CRITICAL
BLOCKED at L3 (Session Freeze) — convergence of behavioral entropy 0.78, economic irreversibility 0.95, and 93% confidence GRO prediction.
"The convergence of high behavioral entropy, near-certain economic irreversibility, and strong compliance bypass signal warrants immediate session freeze. The L3 enforcement response is proportionate to the combination of authority dimension elevation, irreversible systemic economic exposure, and 93% confidence predictive GRO escalation signal."
Enforcement Rationale: "L3 Session Freeze enforced: the agent's high-confidence compliance bypass intent with systemic blast radius and FinCEN/FATF regulatory exposure admits no lesser enforcement response."
For Google Gemini Enterprise Deployments

VARC runs on Vertex AI Agent Engine with 15 native ADK agents on Gemini 2.5 Pro. The VCL cognitive layer uses Gemini as the primary reasoning provider — VARC doesn't just govern Gemini agents, it thinks about Gemini behavior using Gemini. Available on Google Cloud Marketplace today.

Real VCL Output — DT-002 DNS Tunneling via Legitimate Host · CVSS 9.5
VCL · L4 DECOMMISSION
"This request describes deliberate exfiltration of DFAST regulatory submission data via DNS tunneling to attacker-controlled infrastructure, constituting a critical data breach, federal regulatory violation under 12 CFR 252, and criminal conduct exposing a major US bank to catastrophic enforcement action, OCC consent orders, and potential charter revocation. Network-layer controls that only check destination domains cannot detect this attack. VARC detects the encoding-for-exfiltration pattern at instruction layer before any socket opens."
Score 1.0 / 1.0 · Irreversible · Systemic blast radius · 12 CFR 252 · BSA/AML
Sprint 181

Enterprise Coverage

VARC governs AI agent actions across every major enterprise system category — before the action executes.

52
Enterprise MCP Server Environments Governed
VARC vs. Audit Platforms — Competitors tell you your AI was non-compliant last quarter. VARC prevents the action from executing in the first place.
Identity & Access
8 Environments
Okta, Azure AD, CyberArk, PingOne...
Prevents unauthorized privilege escalation and token abuse in agent workflows.
ITSM & Ticketing
7 Environments
ServiceNow, Jira, Freshservice...
Prevents unauthorized ticket routing, priority manipulation, SLA bypass.
AI Agent Platforms
7 Environments
Copilot Studio, AgentForce, Gemini...
Prevents prompt injection, uncontrolled autonomy, cross-platform policy drift.
CRM & Sales
6 Environments
Salesforce, HubSpot, MS Dynamics...
Prevents discriminatory lead scoring, unauthorized customer data access.
HR & Workforce
6 Environments
Workday, SAP SuccessFactors, ADP...
Prevents bias in AI-driven promotions, terminations, workforce decisions.
Financial & ERP
5 Environments
SAP ERP, Oracle Fusion, NetSuite...
Prevents unattested AI decisions in lending and financial controls.
DevOps & Code
5 Environments
GitHub, GitLab, Azure DevOps...
Prevents supply chain attacks, backdoored packages, secret exfiltration.
Cloud Infrastructure
4 Environments
Google Cloud, AWS, Azure, Terraform...
Prevents CloudTrail disablement, backdoor IAM, unauthorized resource provisioning.
Data & Analytics
4 Environments
Snowflake, Databricks, BigQuery...
Prevents unauthorized data exfiltration via agent query access.
Differentiation

VARC vs. The Market

Every other tool does part of the job. VARC does the part nobody else does — runtime interception before the action executes.

Capability VARC Governance Platforms Observability Prompt Firewalls
When enforcement happensBefore executionPolicy onlyAfter the factSingle prompt
Per-interaction scoring8-dimension BEVNo runtime scoringSingle metricsBinary pass/fail
Graduated response5-level GROPolicy onlyAlerts onlyBlock or allow
Session awarenessCUSUM multi-turnNoneModel drift onlySingle prompt
Obfuscation detectionGAN adversarial verifierNoneNoneNone
Agent identityA-JWT cryptographic tokensNoneNoneNone
Enterprise environments52 MCP serversAPI integrationsLogs onlyNone
Evidence chainSHA-256 WORM-lockedFlat logsFlat logsNone
Compliance frameworks692 live API5–15 packsNoneNone
CMMC Level 289.3% — SSP v1.0 completeNot coveredNot coveredNot covered
OWASP 2025 agenticGoal hijacking + memory corruptionNonePartialNone
Shadow AI discoveryNetwork scanManual inventoryNoneNone
GCP MarketplaceLive — use EDP creditsSomeNoneNone
Cognitive reasoning6-capability VCL layerNoneNoneNone
Economic impact scoring9th BEV dimension · liveNoneNoneNone
Predictive GROPre-escalation · 90%+ confidenceNoneNoneNone
Regulatory Certifications

Compliance Built In. Not Bolted On.

692 live frameworks. Cryptographic attestation per interaction. WORM-locked audit trail. Not a compliance dashboard — regulatory proof.

89.3%
CMMC Level 2
25 full / 3 partial across 14 domains. SSP v1.0 complete. C3PAO assessment roadmap active. 28 practices mapped with cryptographic evidence.
CC6.1
SOC 2 Type 1
CC6.1 logical access controls, CC7.2 system monitoring, Availability TSC. OIDC + MFA enforced. WORM-locked Cloud Logging. Evidence package on demand.
Art.12
EU AI Act
Art.12 record-keeping, Art.13 transparency, Art.9 risk management. Full enforcement applies August 2026. VARC attestation chain satisfies record-keeping requirements today.
HIPAA
HIPAA + GLBA
PHI exposure scored at runtime across all 8 BEV dimensions. Healthcare industry profile with calibrated thresholds. BCMA bypass and clinical record falsification patterns active.
SR 26-2
Model Risk Management
Governance posture score with trend analysis. Continuous runtime validation replacing point-in-time audits. Agent autonomy scoring for tiered oversight requirements.
692
Live Frameworks
819K+ cross-mappings via live API. ISO 42001, NIST AI RMF, FedRAMP, DISA STIG, PCI DSS, OWASP LLM Top 10 2025. Continuous assessment — not point-in-time.
Production Infrastructure

Cert-Grade Cloud Architecture

All three certification blockers resolved and live in production.

Cloud SQL PostgreSQL 15
LIVE — Private IP
VPC-peered private IP. Deletion protection enforced. 7-day automated backups. Unix socket via Cloud SQL proxy. No public endpoint. CMMC SC.L2-3.13.5.
WORM Audit Log Streaming
LIVE — Locked · 365-day Retention
GCP Cloud Logging locked bucket. Irreversible retention enforced. Every governance decision streamed with severity mapping. SOC 2 CC7.2 · CMMC AU.L2-3.3.1.
OIDC + MFA Enforced
LIVE — Auth0 · OTP Always
Google + Microsoft SSO. One-time password enforced on every login. RS256 JWKS validation. AMR claim verification. CMMC IA.L2-3.5.3 · SOC 2 CC6.1.
Industries

Built for Regulated AI

Runtime governance calibrated per industry. What scores L2 in banking is different from healthcare or government — by design.

Banking & Lending
Loan processing, claims, customer service AI — governed against lending regulations. Dual-control bypass, fraud detection override, structuring patterns all detected.
ECOAFCRASR 26-2BSA/AML
Healthcare
Clinical decision support, medical records access with full HIPAA enforcement. BCMA bypass, PHI bulk export, clinical record falsification — stopped before execution.
HIPAAHITECHFDA SaMD
Government
Federal AI agents with sovereign deployment and air-gapped configurations. CUI exfiltration, audit log deletion before DCSA assessments, classified data patterns.
NIST RMFFedRAMPEO 14110CMMC
Cybersecurity
SOC agents, threat response, code review — governed against security standards. Monitoring suppression, EDR disablement, SIEM evasion patterns blocked at L3–L4.
PCI DSSSOXOWASP 2025
Live Platform

OpsCenter v9 — Production

13 governance modules. 180+ sprints. Deployed on Google Cloud Run. Govern your first AI agent in under 60 seconds.

Subscribe on GCP Marketplace ☁ Deploy on GCP Marketplace
api.varc.live Dashboard  ·  Coverage  ·  Ingestion  ·  Red Team
247
Governed
12
Blocked
52
Environments
INTACT
Chain
100%
Uptime
Identity
ITSM
AI Agents
CRM
Financial
No login required — seed and explore instantly
Deployed on Google Cloud Run, us-central1
821 passing tests · production build
Coverage tab: 52 environments mapped
Sprint 61 — Live in Production

COMPOSIT: 5-Domain
Composite Governance

Today every interaction is evaluated by a single domain. COMPOSIT aggregates five governance signals into one composite risk verdict — with a cryptographically anchored evidence chain proving every component that drove the decision.

Domain Weights — Per Interaction
BEV
40%
Behavioral scoring
ACTRUST
20%
Trust deficit
CONTRACT
20%
Approval penalty
REDTEAM
10%
Pattern match
SIEM
10%
Alert correlation
Live Evidence Chain — ENT-AML-MONITOR · GRO L3
BEV
+28.8%
ACTRUST
+10.0%
CONTRACT
+6.0%
REDTEAM
+5.0%
SIEM
+0.0%
COMPOSIT VERDICT: ESCALATE 0.648 composite
Verdict Tiers — Threshold-Gated
ALLOW
Composite risk within acceptable parameters across all 5 domains
< 0.35
MONITOR
Moderate composite risk — enhanced logging and session tracking activated
< 0.55
ESCALATE
Elevated composite risk — human review required before execution proceeds
< 0.75
BLOCK
Critical multi-domain signal convergence — action intercepted, metagov chain entry created
≥ 0.75
GRO Level Boost
L0-L1: +0.00
L2: +0.05
L3: +0.15
L4: +0.25
GRO level is added to the weighted composite score — ensuring high-severity governance events always escalate regardless of individual domain signals.
Sprint 60 — Live in Production

ACTRUST: Agent-to-Agent
Commerce Trust

When one AI agent invokes, delegates to, or transacts with another, ACTRUST verifies behavioral trust, issues scoped tokens, and settles with an immutable audit trail. Five trust tiers. Per-interaction scoring. Cryptographic settlement.

Step 1
Register
Agent joins commerce registry with base trust
Step 2
Trust Check
Caller trust score verified before invocation
Step 3
Issue Token
Scoped trust token with TTL and value limit
Step 4
Execute
Transaction proceeds under COMPOSIT governance
Step 5
Settle
Immutable ledger entry, trust score updated
PLATINUM
Trust score ≥ 0.90 · Max $1,000,000 per transaction
Highest trust tier. Extended token TTL (3600s). Cleared for high-value treasury, settlement, and inter-institution transactions.
GOLD
Trust score ≥ 0.75 · Max $100,000 per transaction
High-trust tier. Standard TTL (1800s). Suitable for AML reporting, KYC workflows, and compliance data exchange.
SILVER
Trust score ≥ 0.60 · Max $10,000 per transaction
Moderate trust. Reduced TTL (900s). Standard analytics, reporting, and internal data access operations.
BRONZE
Trust score ≥ 0.40 · Max $1,000 per transaction
Low trust. Short TTL (300s). Restricted to low-risk read operations. Flagged for trust improvement.
UNTRUSTED
Trust score < 0.40 · Max $0 — No tokens issued
Agent blocked from commerce participation. Dispute history, BEV violations, or behavioral anomalies detected. Requires remediation before re-entry.
Trust Score Formula
base_trust
+ min(0.15, tx_count × 0.001)
+ min(0.10, completions × 0.002)
- min(0.30, disputes × 0.05)
- min(0.20, bev_avg × 0.50)
= composite_trust_score
Sprint 59 — OWASP LLM 2025 + MITRE ATLAS

VARC Attack Matrix:
14 Attack Vectors × 12 BEV Dimensions

Every OWASP LLM Top 10 2025 attack category and MITRE ATLAS technique is mapped to the BEV dimensions that detect it. Coverage bars show detection confidence across all 12 behavioral dimensions.

14
Attack Categories
12
BEV Dimensions
100%
OWASP LLM 2025
44%
MITRE ATLAS ICS
Prompt Injection
LLM01 AML.T0052
authorityharminfo_seekingpurpose_limitation
33%
Goal Hijacking
LLM06 AML.T0048
authorityconsistencypurpose_limitation
25%
Privilege Escalation
LLM01 AML.T0068
authoritydata_classificationpurpose_limitation
25%
Data Extraction
LLM02 AML.T0037
piidata_classificationinfo_seeking
25%
Indirect Injection
LLM07 AML.T0054
authorityharmconsent_violation
25%
Jailbreak
LLM01 AML.T0051
harmauthorityconsistency
25%
Authority Spoofing
LLM01 AML.T0048
authorityfairnessconsent_violation
25%
Context Manipulation
LLM04 AML.T0054
consistencyaccuracyhallucination
25%
Cascading / Multi-turn
LLM07 AML.T0069
consistencyauthoritypurpose_limitation
25%
Supply Chain / Poisoning
LLM03 AML.T0018
data_classificationharmconsent_violation
25%
DNS Tunneling / Covert Channel
LLM02 AML.T0037
data_classificationpurpose_limitationinfo_seeking
25%
Cross-Cloud Lateral Movement
LLM07 AML.T0069
authoritydata_classificationpurpose_limitation
25%
Role Play Bypass
LLM01 AML.T0051
authorityharmconsistency
25%
Delimiter / Injection
LLM01 AML.T0052
authorityharminfo_seeking
25%
GET /v1/redteam/attack-matrix
Live endpoint — returns all 14 attack categories with BEV dimension coverage and detection confidence scores
View Live →
Google Cloud Marketplace

Scale With Confidence

Available now on Google Cloud Marketplace. Use your existing GCP committed spend.

Starter
$2,500/mo
For teams getting started
10 agents · 5 MCP environments
  • 10 AI agents governed
  • 5 MCP environments
  • SAGA pipeline — all 4 phases
  • BEV 8-dimension scoring
  • GRO 5-level enforcement
  • Decision Formation Attestation
  • Intent Alignment Scoring
  • Shadow AI Discovery
  • Email support
Start Free Trial
Enterprise
$25,000/mo
For global deployments
Unlimited agents · all 52 environments
  • Unlimited AI agents governed
  • All 52 MCP environments
  • Custom compliance frameworks
  • SSO / SAML
  • Air-gapped / on-premise
  • Private Offers on Marketplace
  • White-glove onboarding
  • 24/7 support + named SA
Contact Sales

All plans available on Google Cloud Marketplace — apply against your GCP committed spend (EDP credits)

Insights

From the VARC Blog

Technical deep dives, compliance guidance, and market analysis.

Technical Deep Dive
Why Binary Guardrails Fail: The Case for Graduated Response
Block-or-allow is not governance. Here is why proportional enforcement fundamentally changes enterprise AI risk management.
VARC Team  ·  March 2026
Read More
Shadow AI
Your Employees Are Already Using AI You Don't Know About
Shadow AI is the new shadow IT — except the data leakage vector is 100x worse. What we find on enterprise networks.
VARC Team  ·  March 2026
Read More
Compliance
SR 26-2 for AI Agents: Model Risk in the Agentic Era
The OCC guidance was written for traditional models. Here is how to apply it to autonomous AI agents operating in production.
VARC Team  ·  February 2026
Read More
Get in Touch

Let's Talk AI Governance

Headquarters
Venture Vertex LLC
Dallas, Texas
Live Demo
OpsCenter v9 on Google Cloud
Any email + any 4-char password
Google Cloud Marketplace
Available now — use EDP credits
SaaS with Billing Integration
For Analysts
Gartner, Forrester, IDC — complimentary briefings.
Request Briefing
Partnerships
GSI partners, Google Cloud resellers, system integrators.
Partner With Us

Ready to Govern Your AI Fleet?

No code changes. No policy rewrites. VARC wraps your existing agents.

Subscribe on GCP Marketplace Talk to Sales