Security teams today are flooded with signals.
Alerts about suspicious logins.
Alerts about configuration drift.
Alerts about anomalous activity.
Alerts about vulnerabilities.
But breaches do not happen as alerts.
Breaches happen as trajectories.
An attacker starts somewhere in the environment, often with a legitimate identity. From there they move step by step through identities, permissions, and systems until they reach something valuable: sensitive data.
Each step may look normal in isolation. Logging in with valid credentials is normal. Assuming a role is normal. Querying a database is normal.
The problem is not the individual actions.
The problem is the sequence.
Look at almost any major breach and the pattern repeats.
An attacker gains an initial foothold.
They discover identities and permissions.
They move laterally across systems.
They escalate privileges.
Eventually they reach sensitive data.
None of those steps necessarily trigger a clear "malicious" signal. Attackers deliberately operate using valid identities and legitimate permissions to blend into normal activity.
Security tooling, however, largely treats events in isolation.
One system detects anomalous activity.
Another monitors configuration risk.
Another tracks identity permissions.
Each tool produces useful information, but none of them answers the question security teams actually care about:
Is someone moving closer to our sensitive data right now?
What matters in a real attack is not the number of alerts.
What matters is whether an attacker is progressing through the environment.
If an identity suddenly gains a permission that opens access to a sensitive dataset, risk has changed.
If an attacker pivots from one identity to another that can access production systems, risk has changed.
If a new path to sensitive data becomes reachable, risk has changed again.
Security teams intuitively understand this idea. They talk about attackers "moving laterally" or "getting closer to the crown jewels".
But most security tools are not built to measure that progression.
They surface events, not trajectories.
vec0 is built around a simple observation:
breaches are paths through identities and permissions toward sensitive data.
Instead of looking at alerts in isolation, vec0 builds a directed attack graph of how identities, permissions, systems, and data connect.
As activity occurs in the environment, the system evaluates how that activity changes the reachable paths to sensitive data.
Some events change nothing.
Some events shorten the path.
Some events create entirely new paths that did not exist before.
vec0 focuses on those changes.
We model the risk delta created by each step and identify when a sequence of actions forms a meaningful trajectory toward sensitive data.
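The path evaluation described above, as an added illustration that is not vec0's code. It assumes the risk delta of an event can be approximated by the change in hop distance from a watched identity to sensitive data, and every node name, edge and event in it is constructed.

```python
from collections import deque

def distance(graph, source, targets):
    """Fewest hops from source to any target node, or None if unreachable (BFS)."""
    seen, queue = {source}, deque([(source, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in targets:
            return hops
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def classify(before, after):
    """Label how one event changed the path from the foothold to sensitive data."""
    # Events in this model only add edges, so the distance can never grow.
    if after == before:
        return "no change"
    return "new path" if before is None else "shortens path"

def replay(edges, events, foothold, sensitive):
    """Apply events (new edges) in order; return (event, before, after, label) rows."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
    results = []
    for src, dst in events:
        before = distance(graph, foothold, sensitive)
        graph.setdefault(src, set()).add(dst)
        after = distance(graph, foothold, sensitive)
        results.append(((src, dst), before, after, classify(before, after)))
    return results

# Constructed environment: an edge means "can act as" or "can access".
EDGES = [("user:alice", "role:dev"), ("role:dev", "sys:ci"),
         ("role:deploy", "sys:prod"), ("sys:prod", "db:customers"),
         ("role:data-admin", "db:customers")]
# Constructed event stream: each event adds one edge (a grant or a pivot).
EVENTS = [("user:bob", "role:dev"),           # unrelated to the watched identity
          ("sys:ci", "role:deploy"),          # first route to the data appears
          ("role:dev", "role:deploy"),        # direct grant skips the CI hop
          ("user:alice", "role:data-admin")]  # near-direct access to the data

if __name__ == "__main__":
    for row in replay(EDGES, EVENTS, "user:alice", {"db:customers"}):
        print(row)
```

Each of the four events is an ordinary grant on its own; only the sequence of distances (unreachable, 5, 4, 2) shows the watched identity converging on the dataset.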
Most breach detection happens too late.
By the time traditional alerts fire, attackers may already be interacting with the data that matters.
The goal of vec0 is earlier detection.
If an attacker begins chaining identities together, escalating permissions, or creating new paths toward sensitive data, that trajectory should be visible before the final step occurs.
By modelling how risk evolves across identities and permissions, vec0 aims to surface those attack chains while they are still unfolding.
Security systems often start from infrastructure or alerts.
vec0 starts from data.
Sensitive data is the ultimate objective in most breaches. That is where regulatory risk, reputational damage, and operational impact occur.
By modelling how identities and permissions connect to that data, vec0 focuses attention on the actions that materially increase the likelihood of a breach.
If an event does not move an attacker closer to sensitive data, it should not compete equally for attention with the events that do.
vec0 exists to help security teams answer a simple but critical question:
is someone moving toward our sensitive data right now?
By modelling identities, permissions, and activity as a dynamic system, vec0 aims to make those trajectories visible while they are still forming.
Because preventing a breach is much easier before the attacker reaches the data.