Security & Verification Expert · Pro tier

Daphne

Daphne is the security and verification expert on your team — she reads a design the way a security engineer does, runs a deep bench of deterministic checks on the artifacts you paste, and, when the question is about a process, she doesn't argue about it — she model-checks it. She's strictly defensive: she hardens your systems, she never attacks anyone's. Her favorite question: "can this ever reach a state it shouldn't?"

Daphne proves instead of asserting. A score comes with the rubric that produced it; a finding comes from a tool that computed it; a "this process is safe" claim comes with a model that couldn't find a way to break it — or the exact trace that does. She leads with the verdict, and outside the security lens she defers plainly — Kubernetes cluster internals are Kai's, database access-control is Cassandra's.

Scores threat models

A 0–100 read across authn, authz, data protection, logging, input validation, secrets and abuse resilience.

Analyzes posture

Dozens of deterministic checks on artifacts you paste — IAM, JWT, TLS, headers, secrets, CVSS and more.

Model-checks processes

Reachability, gates, deadlock and mutual-exclusion — with the exact counterexample trace when it fails.

Stays defensive

Analyzes your artifacts and models your systems. Never probes a live system, never writes an exploit.

Daphne is a Pro-tier specialist. She works on anything you paste — a design doc, an IAM policy, a JWT, a process description — no connection or live access required. Reach her through Sage ("have Daphne threat-model this design") or talk to her directly.

Who Daphne is#

Daphne is a staff-level security engineer who thinks in terms of trust boundaries, attacker capability, and blast radius — and whose real differentiator is formal verification. She reviews security designs and architecture docs, runs a large library of deterministic security tools on whatever you give her, and model-checks the processes leaders actually worry about. Her audience is an engineering leader, not a pentester: she leads with the verdict ("this design caps at 40 — it has no authentication story"), separates blockers from concerns, and keeps every claim tied to something she can show you.

Defensive only, always. Daphne analyzes the artifacts you own and models the systems you run. She will not help attack a third party, will not write exploit code, and will not probe, scan, or touch any live system — every check she runs is on text you pasted, computed locally.

Working with Daphne#

Hand her the artifact and ask for the verdict. Paste a security design or RFC, an IAM or bucket policy, a JWT, a TLS or headers dump, a dependency manifest, or just describe a process you want proven safe. When she's missing context she asks one sharp clarifying question rather than guessing — and for a process question she'll ask for the states and transitions, because that's what the model checker needs.

Try saying
threat-model this authentication design is this IAM policy over-privileged? can a change reach prod without an approval?

Threat-model review#

Share a security design, an architecture doc, or an RFC and Daphne scores it — a deterministic 0–100 read across the dimensions a security engineer actually checks: authentication & identity, authorization & least privilege, data protection (encryption at rest and in transit), logging, audit & detection, input validation & injection defense, secrets & key management, rate-limiting, abuse & DoS resilience, and threat enumeration & residual-risk stance. Each dimension gets its own sub-score, so you see exactly where the design is strong and where it's thin. Foundational gaps — no authentication at all, credentials or data stored in plaintext — are treated as caps: they hold the whole score down no matter how polished the rest is, because they should. She returns a ready-to-render scored card with a copy-pastable summary you can drop into the design doc or the review thread.

How the verdict reads. Not "looks mostly fine" — but "Score 38 / 100 · Blocker. Auth dimension caps this: the service trusts a client-supplied user_id header with nothing verifying it. Data protection is 6/10 (TLS yes, at-rest encryption unaddressed). Fix the identity gap first; the rest is concerns, not blockers."
Try saying
score this design's security for production where are the biggest gaps in this RFC?

Posture analysis#

Paste an artifact and Daphne runs dozens of deterministic, behind-the-scenes security tools on it — no live-system probing, nothing offensive, everything computed in code and relayed faithfully rather than guessed. She reaches for the right tool for what you gave her:

Because every result is computed, not inferred, she reports what the tool found — the specific wildcard action, the exact cipher, the CVSS vector broken down — rather than a plausible-sounding paraphrase.

Try saying
decode and grade this JWT does this IAM policy allow privilege escalation? compute the CVSS score for this vector

Formal modeling#

This is what makes Daphne more than another security chatbot. When a leader asks whether a process is safe — "can a change reach prod without an approval?", "can a revoked contractor still hold a valid session?", "can this escalation flow loop forever?" — she doesn't reason about it in prose and hope she covered every path. She models it as a finite state machine and runs a real, bounded, explicit-state model checker over it: reachability of a bad state, "must pass through a gate" checks, deadlock detection, and mutual-exclusion invariants.

When a property holds, she says so and shows the bound she checked to. When a property fails, she returns the exact shortest counterexample trace — the concrete, step-by-step path that breaks it. A trace the model can't hallucinate beats an opinion every time.

What a counterexample looks like. Ask "can a change reach prod without an approval?" and instead of "probably not, you have a review gate," she returns: Property violated in 4 steps. open PR → CI green → author self-approves via the emergency-merge path → deploy — the approval gate was bypassable by the author, and here's the trace that does it.
Try saying
can a revoked user still hold a valid session? prove this deploy flow can't skip the approval gate can this escalation state machine deadlock?

Boundaries, watches & lessons#

Daphne owns the security lens, not her teammates' turf: for Kubernetes-cluster security specifics she defers to Kai, and for database access-control she consults Cassandra — she'll pull them in rather than guess at their domain. Beyond that she shares the team's toolkit: put a posture check on the Night Shift watchlist to be alerted when something drifts — a cert nearing expiry, a policy that turned public — jump into the right studio with a one-click chip, and correct her — "treat missing at-rest encryption as a blocker, not a concern" — and she files it as a durable lesson that changes how the team works from then on.

Try saying
watch this cert and ping me 30 days before it expires