
Public operating doctrine

The Verification Doctrine

This is the operating doctrine of GoSentrix, the independent security verification body for software delivery. These are the rules our product enforces on security findings and the rules we enforce on ourselves. A verification body that cannot be checked against its own standard is not a verification body; it is a vendor with a thesis.

Modern software delivery does not have a detection problem. It has an authority problem.

AI agents, scanners, runtime systems, workflow tools, and policy engines now generate more security claims than teams can govern. The enterprise question is no longer what was found. It is which evidence has earned the right to enforce, clear, or stop a release — and whether the resulting decision can be defended later.

A category that calls itself "verification" needs to be checkable. So we wrote down what we will and will not do, and we apply the rules to ourselves first.

GoSentrix is the independent security verification body for software delivery.

It determines whether security evidence has earned the authority to support an action — proceed, stop, escalate, suppress, disprove, or accept risk.

Across code, merge, release, and runtime, it establishes the evidence state behind every security claim and evaluates whether that evidence clears the bar for the action being requested.

That bar is not severity, scanner confidence, AI judgment, or policy alone. It is whether the evidence is strong enough, current enough, corroborated enough, and replayable enough to meet the organization's own standard.

GoSentrix does not set the organization's risk appetite. It verifies whether the available evidence is strong enough to support the requested action.

What GoSentrix will never do.

These are not preferences. They are enforced in code, surfaced in audit trails, and applied to our own marketing the same way they are applied to a scanner finding. Each one exists because the opposite behavior is how verification claims silently collapse into vendor opinion.

1. We will never claim authority we cannot evidence.

Every claim about our capability, coverage, or maturity is tied to evidence. If we cannot show it, we do not say it.

2. We will never produce a consequential decision that cannot be replayed.

Replayability is the line between opinion and decision. A decision that cannot be reproduced against the inputs that produced it is, by definition, not authoritative.

3. We will never collapse evidence level, proof quality, and confidence into a single score.

These are independent dimensions. Collapsing them produces a number that looks like authority but cannot be defended.

4. We will never silently downgrade our own authority.

If required proof is missing, we narrow our enforcement authority and we say so. The downgrade is recorded; the operator cannot reverse it without supplying the missing evidence.

5. We will never accept suppression as disproval.

Dismissing a finding is not the same as proving it does not apply. Disproval requires evidence that the finding is invalid in context. We make the distinction structurally.

6. We will never enforce on probabilistic evidence alone.

AI judgment, scanner confidence, and severity scores can enter the evidence ladder. They cannot terminate it.

7. We will never claim field-proven status without a linked customer field event.

"Battle-tested," "production-proven," and "deployed at scale" are claims about authority earned in real customer conditions. We use them only when a specific customer field event evidences them. Today, no such event is on record. The site reflects that.

8. We will never disparage the tools whose signals we adjudicate.

Scanners, AI agents, runtime systems, and workflow tools are the sources we work from. They produce signals. We determine what those signals are allowed to become. The distinction is structural, not adversarial.

Findings are not truth. Evidence is promoted.

Every signal that enters GoSentrix begins as an unverified claim. It does not become authoritative by being severe, by being detected with high confidence, or by being asserted by an AI agent. It becomes authoritative by being promoted through governed evidence states, on the strength of corroboration from independent sources.

DETECTED → OBSERVED → CORROBORATED → VALIDATED → { PROVEN · DISPROVEN · ACCEPTED }

States cannot be skipped unless the source is explicitly trusted to support the target evidence level. Promotion strength is a function of source diversity, not signal count.

Suppression is not disproval. Disproval requires evidence that the finding is invalid in context.

Operator actions on findings — dismiss, mark fixed, accept risk — are recorded as evidence inputs to the next verification round. They are not terminal closures.

AI-provenance signals are capped at the DETECTED evidence level unless independently promoted by non-probabilistic evidence.
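The promotion rules above, as an added illustrative model (not GoSentrix's code): a finding climbs one rung per independent non-probabilistic source, a source explicitly trusted for a level may skip rungs, AI-provenance signals stay at DETECTED, and dismissal is recorded without becoming disproval. The source names and the TRUSTED_FOR table are assumed configuration.

```python
# Added illustrative model of the ladder above, not GoSentrix's code; the
# source names and the TRUSTED_FOR table are assumed configuration.
from dataclasses import dataclass, field

LADDER = ["DETECTED", "OBSERVED", "CORROBORATED", "VALIDATED"]
TERMINAL = {"PROVEN", "DISPROVEN", "ACCEPTED"}
# Sources explicitly trusted to support a level directly (may skip rungs).
TRUSTED_FOR = {"VALIDATED": {"exploit-replay"}}

@dataclass
class Evidence:
    source: str              # e.g. "sast", "runtime", "ai-agent" (constructed names)
    level: str               # the evidence level this signal claims to support
    probabilistic: bool      # AI judgment, scanner confidence, severity score
    disproves: bool = False  # evidence that the finding is invalid in context

@dataclass
class Finding:
    state: str = "DETECTED"
    evidence: list = field(default_factory=list)
    operator_actions: list = field(default_factory=list)

def promote(f: Finding, ev: Evidence) -> str:
    """Apply one signal and return the finding's evidence state afterwards."""
    f.evidence.append(ev)
    if f.state in TERMINAL:
        return f.state
    # Disproval needs non-probabilistic, in-context evidence; dismissal never gets here.
    if ev.disproves and not ev.probabilistic:
        f.state = "DISPROVEN"
        return f.state
    # Probabilistic signals enter the ladder but cannot climb it.
    if ev.probabilistic or ev.level not in LADDER:
        return f.state
    cur, target = LADDER.index(f.state), LADDER.index(ev.level)
    distinct = {e.source for e in f.evidence if not e.probabilistic}
    if ev.source in TRUSTED_FOR.get(ev.level, set()):
        rung = target                               # trusted source may skip rungs
    else:
        rung = min(target, len(distinct), cur + 1)  # one rung per independent source
    if rung > cur:
        f.state = LADDER[rung]
    return f.state

def dismiss(f: Finding, operator: str) -> str:
    """Operator dismissal is recorded as input to the next round, not a closure."""
    f.operator_actions.append(("dismiss", operator))
    return f.state   # unchanged: suppression is not disproval
```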

A decision that cannot be replayed is an opinion.

Every consequential decision GoSentrix produces is designed to be reproducible against the evidence, artifacts, trust state, freshness state, and policy version active at the time the decision was made. Later policy changes do not retroactively change a past decision's authority. Consequential decisions are designed to be cryptographically attested and content-addressed.

The decision is replayable.

Reproducible against the evidence and policy active at the time.

The decision is bound to a policy version.

Later policy edits do not retroactively re-grade history.

The decision is content-addressed.

Designed for DSSE-signed attestation with deterministic bundle IDs.
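The three properties above, as an added illustrative model (not GoSentrix's code): a decision is a pure function of frozen inputs that include the bound policy version, the bundle ID is the SHA-256 of the canonical JSON of those inputs plus the decision, and the bundle is wrapped in a DSSE envelope so replay can verify the signature and recompute the decision. The DSSE PAE is the real DSSE encoding; the HMAC key, the policy shape, the payload type and the sample inputs are assumed or constructed.

```python
# Added illustrative model, not GoSentrix's code; key, policy shape and payload type are assumed.
import hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.example.decision+json"   # assumed
KEY = b"constructed-demo-key"                             # stand-in for a signing key
POLICY_V1 = {"version": "v1", "enforce_from": ["VALIDATED", "PROVEN"], "max_age_hours": 24}
SAMPLE_INPUTS = {  # constructed sample of everything a decision depends on
    "finding": "constructed-finding-1", "evidence_state": "VALIDATED",
    "trust_state": "trusted", "freshness_hours": 2, "policy": POLICY_V1}

def canonical(obj) -> bytes:
    """Deterministic serialisation so equal inputs always hash to the same ID."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def decide(inputs: dict) -> str:
    """Enforce (STOP) only if evidence, freshness and trust all clear the bound
    policy; otherwise authority is narrowed to ESCALATE, never silently dropped."""
    p = inputs["policy"]
    earned = (inputs["evidence_state"] in p["enforce_from"]
              and inputs["freshness_hours"] <= p["max_age_hours"]
              and inputs["trust_state"] == "trusted")
    return "STOP" if earned else "ESCALATE"

def bundle(inputs: dict) -> dict:
    body = {"inputs": inputs, "decision": decide(inputs)}
    return {"bundle_id": hashlib.sha256(canonical(body)).hexdigest(), **body}

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def attest(b: dict, key: bytes = KEY) -> dict:
    payload = canonical(b)
    sig = hmac.new(key, dsse_pae(PAYLOAD_TYPE, payload), "sha256").hexdigest()
    return {"payloadType": PAYLOAD_TYPE, "payload": payload.decode(),
            "signatures": [{"keyid": "demo", "sig": sig}]}

def replay(env: dict, key: bytes = KEY) -> bool:
    """Verify the signature, then recompute the decision from the frozen inputs.
    Later policy edits do not touch this: the bound policy is inside the bundle."""
    payload = env["payload"].encode()
    want = hmac.new(key, dsse_pae(env["payloadType"], payload), "sha256").hexdigest()
    if not hmac.compare_digest(want, env["signatures"][0]["sig"]):
        return False
    b = json.loads(payload)
    again = bundle(b["inputs"])
    return again["bundle_id"] == b["bundle_id"] and again["decision"] == b["decision"]
```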

The same standard, on our own page.

Every claim GoSentrix makes about itself is assigned an evidence status — narrative, architecture-backed, operational, demo-proven, field-proven, or roadmap. A claim cannot appear on a surface that demands more evidence than it has earned. We track promotions and demotions. The same registry that governs what our scanners may enforce now governs what our website may assert.

Where GoSentrix stands today

Verification architecture: implemented.

Field-proven authority: not yet established.

When the first customer field event is recorded with prevented outcome, replay artifact, customer attestation, and legal review, this page will be updated to reflect it. Not before.

AI can be probabilistic. Security authority cannot be.

We do not claim authority we cannot evidence.