We find what your security tools structurally cannot.

SPR{K3 discovers critical vulnerabilities in production AI infrastructure — in the gap between vendor threat models and your actual deployment. 14 CVEs. 7 vendors. 760+ detection patterns built from confirmed findings, not benchmarks.

Request a Findings Briefing Go to Defend

CVEs published

760+

Detection patterns

Vendors validated

<3%

False positive rate

NVIDIA · META · MICROSOFT · GOOGLE · AMAZON · HUGGINGFACE · INTEL

Proof of work

Published, credited, verifiable

Three consecutive NVIDIA security bulletins. Microsoft, Amazon, and GitPython advisories. Every CVE links to the vendor's own publication.

February 2026

NVIDIA Security Bulletin — NeMo & Megatron-LM

CVE-2025-33241 · CVE-2025-33243 · CVE-2025-33251 · CVE-2025-33252 · CVE-2025-33253

Five CVEs across NeMo Framework and Megatron-LM. Pickle deserialization, checkpoint manipulation, distributed training exploitation.

March 2026

NVIDIA Security Bulletin — NeMo, Guardrails & Apex

CVE-2025-33244 · CVE-2026-24157 · CVE-2026-24159 · CVE-2026-24152 · CVE-2026-24151 · CVE-2026-24150

Six CVEs. Expanded coverage into NeMo-Guardrails and Apex. Supply chain and unsafe deserialization vectors.

April 2026

NVIDIA Security Bulletin — Joint Discovery

CVE-2026-24164 (joint with Thomas Keefer)

Joint disclosure. Three consecutive months on NVIDIA security bulletins.

December 2025 → March 2026

Microsoft Semantic Kernel — RCE, CVSS 10.0

CVE-2026-26030

Remote code execution in InMemoryVectorStore filter parsing. Acknowledged by Microsoft MSRC.

January 2026

Amazon SageMaker Python SDK — RCE

RCE in JumpStart search flow. Fixed in v3.4.0, acknowledged by AWS Security.

April 2026

GitPython — RCE via Newline Injection

CVE-2026-44244 · GHSA-v87r-6q3f-2j67

Found by Ora hours after Wiz published CVE-2026-3854. Fixed and advisory published within 8 hours. CVSS 7.8.

2025–2026

Intel Product Security Acknowledgement

Dan Aridor, SPR{K3 Security Research. Acknowledged by Intel PSIRT.

The thesis

The gap between vendor threat models and your production environment is not a bug. It's a structural boundary.

We operate inside it.

SPR{K3 defines the physics of valid behavior across AI infrastructure — valid trust flow, valid provenance, valid execution ordering, valid capability acquisition, valid economic behavior. When something violates those physics, it isn't suspicious. It's impossible.

This isn't theory. The gaming industry solved this exact problem over twenty years. Anti-cheat systems evolved from signature matching to impossible-state detection because signatures couldn't keep pace with adversarial adaptation. AI infrastructure is entering the same transition — and the convergent answer is the same.

Physics layer

What "valid" means

Trust flow

Data crosses trust boundaries only through verified channels

Provenance

Every artifact has attestable lineage to a known origin

Execution ordering

Operations follow causal sequences consistent with declared intent

Capability acquisition

Components access only resources required by their function

Economic behavior

Resource consumption matches the declared workload profile

What others can't do

Six capabilities no competitor covers

Model cognitive health. BrainGuard detects degradation, poisoning, and capability drift before permanent damage — the AI equivalent of catching brain rot while it's still reversible.

Offense feeds defense. Every vulnerability we discover becomes a detection pattern. 14 CVEs and counting — not threat reports about what could happen, but proof of what we found.

Cross-repository correlation. Coordinated attacks span multiple repos simultaneously. Single-repo scanners see isolated bugs. We see campaigns.

LLM-generated code detection. Attackers use AI to write malicious code. We detect the machine fingerprint — behavioral symmetries no human produces.

Preservation intelligence. Recurring patterns aren't technical debt — they're evolutionary stability. We identify what must be preserved, not just what to eliminate.

Temporal trajectory. Trust isn't a snapshot. We track behavioral drift, mutation velocity, and convergence modeling over time — catching slow-burn attacks that point-in-time scans miss.

Products

Three ways to get protected

Choose the surface that matches your exposure. All powered by the same pattern intelligence.

◈

Verify trust at rest

Scan your ML codebase for supply chain risks, unsafe deserialization, and lineage gaps. Get an audit-ready NIST AI RMF compliance report.

Scan →

◇

Monitor trust in motion

Runtime security for AI agents. Catches orchestration drift, prompt injection, and tool misuse before execution. All detection runs client-side.

Agents →

▣

Observe trust continuously

Full trust observability. Static, runtime, behavioral, and model health — one continuous signal. NIST AI RMF reporting included.

Platform →

BrainGuard™

AI cognitive health — the attack surface nobody monitors

Perimeter tools protect the network. Vulnerability scanners find code flaws. Nobody monitors the cognitive integrity of your LLM applications.

BrainGuard identifies five distinct attack pattern classes across the AI reasoning layer — validated across 177 ML frameworks. Available as a standalone assessment or continuous monitoring through Defend.

Request a BrainGuard assessment →

Context boundary erosion

Agent pipeline taint propagation

Reasoning consistency gap

Self-evaluation drift

Reasoning trace entropy gap

177

Frameworks assessed

Cognitive attack classes

340

Average gaps per framework

Research & publications

Original research, published findings

Written by Dan Aridor, SPR{K3 Security Research.

Amazon SageMaker

The Fake Sandbox Anti-Pattern

RCE in the SageMaker Python SDK JumpStart search flow. Fixed in v3.4.0.

Microsoft Semantic Kernel

AST-Filtered eval() Is Not a Sandbox

CVE-2026-26030. CVSS 10.0. Remote code execution in InMemoryVectorStore.

Supply Chain

The Scanner Was the Weapon

LiteLLM supply chain attack across five package ecosystems. 97M+ monthly downloads poisoned.

GitPython

When the Git Library Writes Your Config

Newline injection → persistent RCE via core.hooksPath. Found by Ora, fixed in 8 hours.

Dan Aridor

Founder, SPR{K3 Security Research

Columbia Business School — MBA

Lt. Colonel (Res.), Israeli Intelligence Corps — co-headed a counter-intelligence research unit

14 CVEs across NVIDIA NeMo, Megatron-LM, NeMo-Guardrails, Apex

NVIDIA, Microsoft MSRC & Amazon Security Acknowledgements (2025–2026)

Chairman, AEBI-Bio — SoAP biotechnology platform

Founder, inga314.ai & Dan Aridor Holdings Ltd

Disclaimers

Beta software

SPR{K3 Defend is beta software provided "as is" without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.

No guaranteed security

Detection patterns reduce risk but do not guarantee the identification of all vulnerabilities. SPR{K3 is not responsible for undetected vulnerabilities or actions taken based on scan results.

Informational only

Findings are provided for informational purposes and do not constitute legal, compliance, or professional security advice. For critical infrastructure, consult a qualified security professional.

Compliance reports

NIST AI RMF compliance reports assist your compliance process. They do not replace a qualified auditor's assessment and should not be relied upon as standalone certification.

Service provider

SPR{K3 is a product of Dan Aridor Holdings Ltd, Israel. For questions, cancellations, or complaints, contact support@sprk3.com.

Governing law

Use of SPR{K3 services is governed by our Terms of Service and Privacy Policy, under the laws of the State of Israel.