Evidence you can verify.
Every runtime emits a signed evidence bundle. Anyone with the bundle and the published key can confirm it came from Tachyonic and has not been altered, without trusting our dashboard.
How it works
Hash, sign, verify.
When a runtime completes, Tachyonic packages the evidence bundle and records the SHA-256 of the artifact bytes in a manifest. The manifest is signed with a Tachyonic-managed Ed25519 key. The public half is published at a well-known URL.
# Published verification key
https://tachyonic.sh/.well-known/signing-pubkey.json
To verify, recompute the artifact hash, check it against the manifest, and verify the signature against the published key. The CLI does all three:
$ tachyonic verify ./tachyon-evidence
SHA-256 matches manifest
Signature verified (key_id: tachyonic-signing-2026-05)
OK
Verification is offline and does not depend on the Tachyonic platform being reachable. A reviewer can confirm a finding months later from the bundle alone.
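The same checks written out by hand, as an added example rather than Tachyonic's own code. The manifest field names, the detached signature over the raw manifest bytes, and the sample key ID are assumptions, since the page does not publish the bundle schema. The signature is checked before the manifest is parsed, so the hash being compared is already authenticated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed layout; the page does not publish the real schema.
type Manifest struct {
	KeyID          string `json:"key_id"`
	ArtifactSHA256 string `json:"artifact_sha256"` // lowercase hex (assumption)
}

var ErrSignature = errors.New("manifest signature invalid")
var ErrHash = errors.New("artifact hash does not match manifest")

// VerifyBundle authenticates the raw manifest bytes before trusting any field in
// them. The key length is checked first because ed25519.Verify panics otherwise.
func VerifyBundle(pub ed25519.PublicKey, artifact, manifest, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, manifest, sig) {
		return ErrSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	if sum := sha256.Sum256(artifact); hex.EncodeToString(sum[:]) != m.ArtifactSHA256 {
		return ErrHash
	}
	return nil
}

// SampleBundle builds constructed demo data signed with a throwaway key.
func SampleBundle() (ed25519.PublicKey, []byte, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	artifact := []byte("constructed evidence artifact bytes")
	sum := sha256.Sum256(artifact)
	manifest, _ := json.Marshal(Manifest{"example-key-id", hex.EncodeToString(sum[:])})
	return pub, artifact, manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, artifact, manifest, sig := SampleBundle()
	fmt.Println("intact:", VerifyBundle(pub, artifact, manifest, sig))
	fmt.Println("tampered:", VerifyBundle(pub, append(artifact, '!'), manifest, sig))
}
```

A real check would load the public key from a copy obtained and pinned ahead of time, so that verification stays offline.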
The evidence bundle
What gets signed.
Findings
Severity-rated results mapped to OWASP LLM Top 10 and MITRE ATLAS.
Payloads and captures
The attack inputs and the request and response captures they produced.
Lifecycle events
Status transitions and runtime logs captured as artifacts.
Runtime policy
The target, region, budget, and approval policy the runtime ran under.
Report output
The human-readable report generated from the run.
Signed manifest
The SHA-256 manifest and Ed25519 signature that bind it all together.
Why signed evidence
Portable across the people who need it.
Signed, reproducible evidence travels from the engineer who ran the test to security review, remediation, customer assurance, and audit readiness without losing integrity. Evidence packages are designed to support SOC 2, ISO 42001, and EU AI Act readiness. The product does not replace compliance work. It gives teams reproducible security evidence.
Verify your first bundle.
Run a runtime, download the bundle, and verify it yourself.