Talon Security Architecture

Post-quantum encryption. Cryptographic proof. Hardware isolation on the roadmap.

SpringOwl Asset Management
Published: February 2026
Classification: Public
Version: 2.1 — Based on production codebase
Architecture current as of February 2026. Deployed features are running in production on Talon v0.3.0.

      This document separates DEPLOYED capabilities from ROADMAP items. Sections 2–7 describe what is built and running in production today. Section 8 describes Phase 4 roadmap features that are designed but not yet deployed. Every deployed claim maps to a file in our private repository.
    

1. The Problem

Founders submitting to a VC firm hand over their most sensitive assets: source code, patent applications, financial models, technical architecture. Traditional firms protect this with NDAs and good intentions.

We protect it with post-quantum cryptography, timing-safe authentication, rate limiting, and cryptographic proof that the system does what we claim.

2. Deployed Encryption LIVE

All founder data is encrypted using NIST-standardized post-quantum algorithms. This protects against both classical attacks today and quantum attacks in the future.

Layer	Algorithm	Standard	Purpose	Status
Key Exchange	ML-KEM-768 + X25519 Hybrid	NIST FIPS 203	Quantum-safe key agreement. Both classical and PQC must be broken to compromise.	LIVE
Data Encryption	AES-256-GCM	NIST SP 800-38D	Authenticated encryption of submissions using PQC-derived key.	LIVE
Report Signing	ML-DSA-65 (Dilithium)	NIST FIPS 204	Tamper-proof diligence reports. Founders verify signature independently.	LIVE

Why hybrid KEM? We combine classical X25519 with post-quantum ML-KEM-768. If either algorithm is broken, the other still protects the data. The shared secret is derived via HKDF-SHA256 from both contributions.

Why post-quantum now? Nation-states run harvest-now-decrypt-later campaigns—capturing encrypted traffic today to decrypt when quantum computers mature. Your source code submitted in 2026 could be decrypted in 2035 with classical encryption. With ML-KEM, it cannot.

3. Deployed Security Controls LIVE

Beyond encryption, Talon enforces multiple layers of defense in production today:

Control	Implementation	Status
Timing-Safe Authentication	`hmac.compare_digest` — prevents timing side-channel attacks on token validation	LIVE
Rate Limiting	slowapi — per-endpoint limits (e.g., 10/min on /submit, 30/min on /keys)	LIVE
CSP Security Headers	Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options	LIVE
TLS Certificate Generation	Automated TLS cert generation for encrypted transport	LIVE
Secure Data Destruction	Multi-pass overwrite + verification via `/destroy/{id}` endpoint	LIVE
SQLite Persistence	Encrypted local database — no cloud database dependencies	LIVE

4. How a Submission Works LIVE

Founder CLI                           Talon Server
    |                                        |
    |--- GET /keys ------------------------->|  Fetch server ML-KEM + ML-DSA public keys
    |<----------------------------------------|
    |                                        |
    |--- ML-KEM encapsulate + X25519 ECDH ---|  Derive shared secret (both PQC + classical)
    |--- AES-256-GCM encrypt submission -----|  Seal code with PQC-derived key
    |                                        |
    |--- POST /submit {encrypted} ---------->|  Ciphertext enters server
    |                                        |
    |   [Decapsulate -> Decrypt -> Analyze]  |  Raw code exists only during analysis
    |   [Sign report with ML-DSA-65]         |  Tamper-proof output
    |   [Destroy raw data]                   |  Cryptographic shredding
    |                                        |
    |<-- 202 {submission_id} ----------------|
    |                                        |
    |--- GET /report/{id} ------------------>|
    |<-- {report, ML-DSA signature} ---------|
    |                                        |
    |--- verify(signature) ------------------|  Founder confirms report integrity

What the founder controls:

Encryption happens client-side. Data leaves the founder's machine already encrypted.
The founder's CLI verifies the ML-DSA signature on the returned report—confirming it was generated by Talon and not modified.
Submissions require an invitation token. No open access.

5. What the Operator Cannot Do Today

      The architecture limits operator access by design. Even without hardware enclaves, multiple cryptographic controls restrict what the operator can do with founder data.
    

Cannot see raw source code. The operator receives the diligence report—structured findings, risk scores, architecture assessment. Never the submission itself.
Cannot modify reports. Reports are signed with ML-DSA-65. Any modification invalidates the signature. Founders verify independently.
Cannot retain data. Raw submissions are cryptographically destroyed after analysis. Multi-pass overwrite with verification that the data is gone.
Cannot bypass token auth. Timing-safe comparison prevents brute-force and timing side-channel attacks against invitation tokens.

Honest limitation: Without AMD SEV-SNP hardware isolation (Phase 4), an operator with root access to the server could theoretically inspect process memory during analysis. Post-quantum encryption protects data in transit and at rest, but data is necessarily decrypted in memory during processing. Phase 4 closes this gap — see Section 8.

6. Analysis Engine LIVE

Talon runs six concurrent analyzers on every submission:

Analyzer	What It Does	Method
Code Audit	Security vulnerabilities, hardcoded secrets, injection risks, unsafe patterns	Semgrep (1000+ rules) + LLM26 deep analysis
CVE Scanner	Known vulnerability detection, exploit probability scoring, dependency risk	OSV.dev + NVD + EPSS (api.first.org)
Patent Analysis	Patentable innovations, infringement risks, prior art indicators	PatentsView API + LLM26 analysis
Technical Benchmark	Architecture patterns, maturity level, complexity metrics, language detection	Code metrics + LLM26 assessment
Supply Chain	Dependency extraction, vulnerability detection, license compliance	Dependency parsing + LLM26 risk assessment
Report Signing	Cryptographic attestation of analysis results, tamper-proof report delivery	ML-DSA-65 (FIPS 204) digital signatures

All models run locally. No founder data is sent to OpenAI, Anthropic, Google, or any third-party API. The LLM26 (Qwen2.5-Coder 7B) runs on local GPU hardware. During analysis, outbound network access is limited to public vulnerability databases (OSV, NVD, EPSS, PatentsView).

7. Deployed Operational Controls

Data Destruction LIVE

After analysis completes, raw submission data is destroyed:

Multi-pass overwrite with cryptographically random bytes
Zero-fill final pass
File unlink (deletion)
Verification that the file no longer exists on the filesystem

Only the signed diligence report persists. The report contains structured findings—never raw source code, never file contents, never verbatim excerpts beyond short snippets cited in findings.

Data Retention

Raw submissions: Destroyed immediately after analysis (typically within minutes)
Diligence reports: Retained 90 days, then deleted
Metadata (submission ID, timestamp, hash): Retained for audit trail
Deletion on request: Founders can request immediate report deletion at any time

Access Control LIVE

Talon uses invitation-based access. Founders cannot submit without a pre-shared token issued by the operator.

Tokens are cryptographically random (256-bit)
Stored as SHA-256 hashes—even a database breach does not expose valid tokens
Each token is bound to a company name and issuance date
Token validation uses hmac.compare_digest to prevent timing attacks
Unauthenticated requests return 401 immediately—no information leakage

Phase 4 Roadmap

The following capabilities are designed but NOT YET DEPLOYED. They require Azure Confidential VM infrastructure.

8. Roadmap: Hardware Isolation & Attestation

STATUS: PLANNED — NOT DEPLOYED. The features in this section describe Phase 4 of the Talon architecture. They require migration to Azure Confidential Computing with AMD SEV-SNP hardware. This phase is blocked on operational hiring. No hardware isolation claims apply to the current production system.

8a. AMD SEV-SNP Enclave Isolation

Phase 4 will deploy Talon on Azure Confidential VMs with AMD SEV-SNP (Secure Encrypted Virtualization — Secure Nested Paging). This technology encrypts all VM memory at the hardware level, meaning:

The host operating system cannot read enclave memory
The cloud provider (Azure) cannot inspect the VM contents
Even with root access to the host, data extraction is physically impossible
Memory encryption keys are managed by the AMD CPU, not by software

Layer	Technology	Standard	Purpose	Status
Enclave Isolation	AMD SEV-SNP	AMD SEV-SNP API	Hardware-encrypted VM memory. Host OS cannot read enclave contents.	PLANNED
Hardware Attestation	Azure Confidential Computing	AMD SEV-SNP Attestation	Cryptographic proof of enclave integrity, verifiable by founders.	PLANNED

Why this matters: Today, Talon protects data with post-quantum encryption in transit and at rest, plus immediate destruction after analysis. But during processing, data exists unencrypted in server memory. AMD SEV-SNP will close this final gap by encrypting memory at the hardware level, making data extraction physically impossible even with root access to the server.

8b. Cryptographic Attestation (Planned)

When deployed on Azure Confidential Computing, the /attest endpoint will return a hardware-signed attestation report proving:

What code is running in the enclave
What security configuration is active (debug mode, network access)
That the measurements match published hashes

Founders will not need to trust SpringOwl. They will be able to cryptographically verify the enclave state before submitting.

      Current attestation: Today, the /attest endpoint returns "platform": "dev-docker" indicating that hardware attestation is not yet active. In Phase 4, it will return "platform": "sev-snp" with AMD-signed measurements. The system will refuse to accept founder data if attestation indicates development mode.
    

9. What We Got Wrong

Transparency requires acknowledging gaps:

Gap 1: No Hardware Isolation (Yet)

Talon does not yet run on AMD SEV-SNP or any hardware enclave. During analysis, decrypted data exists in server memory. An attacker with root access to the server could theoretically read this data. Phase 4 closes this gap. In the meantime, we mitigate with: minimal analysis windows (data decrypted for minutes, not hours), immediate cryptographic destruction, restricted server access, and rate limiting.

Gap 2: No HSM for Key Storage (Yet)

PQC keypairs are currently stored as encrypted files, not in a Hardware Security Module. Azure Key Vault does not yet support ML-KEM or ML-DSA. We will migrate to Azure Managed HSM when PQC support is available.

Gap 3: No Formal Bug Bounty (Yet)

We intend to launch a responsible disclosure program. Until then, security concerns can be reported to the contact below.

Gap 4: SOC 2 Certification Pending

We are targeting SOC 2 Type II by 2027. Our position: certifications measure process compliance, not security. Equifax was SOC 2 certified. Our approach is architectural—post-quantum encryption makes harvested data useless, and Phase 4 hardware isolation will make data extraction physically impossible. Today, without hardware enclaves, we rely on encryption, immediate destruction, and access controls.

10. Technical Implementation

For technical reviewers, here is where each deployed security claim maps to code:

Claim	Implementation	Status
ML-KEM-768 key exchange	`src/openclaw/crypto/kem.py`	LIVE
ML-DSA-65 report signing	`src/openclaw/crypto/dsa.py`	LIVE
Hybrid X25519 + ML-KEM	`src/openclaw/crypto/hybrid.py`	LIVE
AES-256-GCM envelope	`src/openclaw/crypto/envelope.py`	LIVE
Encrypted submission endpoint	`src/openclaw/web_api/routes/submit.py`	LIVE
Timing-safe token auth	`src/openclaw/web_api/middleware/auth.py`	LIVE
Rate limiting	`src/openclaw/web_api/main.py`	LIVE
Analysis engine (6 concurrent)	`src/openclaw/analysis/engine.py`	LIVE
Secure data destruction	`src/openclaw/enclave/destruction.py`	LIVE
Submission lifecycle	`src/openclaw/enclave/lifecycle.py`	LIVE
Attestation endpoint	`src/openclaw/enclave/attestation.py`	DEV ONLY
Founder CLI (encrypt + verify)	`src/openclaw/cli/submit.py`	LIVE

The codebase is in a private repository. Access is available to qualified security researchers under NDA.

Contact: Security concerns or responsible disclosure:
Email: security@springowl.com