Better awareness.
Dashboards. Data fusion. Contextualisation.
Faster lawful action.
Signable, auditable, advisory-mode decisions.
Cross-sector telemetry surfaces an anomaly. Shadow-link discovery makes the dependency legible.
The cascade engine forecasts which sectors fail next, in what order, on what timescale.
A pre-formed authorisation packet arrives with evidence, predicted impact, and legal basis.
Named ministries authorise via M-of-N quorum, gated on each signatory's hardware-token Ed25519 key.
Every recommendation, signature, and override hashes into a tamper-evident audit chain.
47 million people lost power when Spain and Portugal's grids collapsed in under 90 seconds. The ENTSO-E Expert Panel's final report (March 2026) attributed the collapse to "institutional rather than technical" failures — "governance fragmentation [that] impeded coordinated crisis response."
Hurricane Helene took North Carolina's public-safety communications network offline within hours of landfall. The state's after-action review cites interoperability failures and unclear cross-agency roles as the primary delay drivers.
FEMA, state, and Red Cross operated in parallel without coordination. Meals took 37 days to reach some areas. The Select Bipartisan Committee found "the single most important failure was coordination."
Reactor venting was delayed seven hours while operators, TEPCO management, and the Prime Minister's office negotiated authorisation across three levels of decision authority. Evacuation was uncoordinated across jurisdictions.
Cross-government coordination took 3-5 hours per decision. The Pitt Review recommended "a single framework for multi-agency response" — partially implemented through Local Resilience Forums, but no national cross-sector authorisation layer exists.
Power substation flooded → water pumps failed → treatment offline → hospitals on emergency supply. Each agency responded independently. Cross-sector cascade was not predicted.
A power substation and a water pump station three kilometres away are causally linked in physics. No database records the dependency. Munin infers it from temporal co-movement and lag — and writes it down.
Once shadow links are surfaced, Munin runs cascade simulations across the implied graph and pairs each predicted failure with a pre-validated playbook and the legal basis for action.
Prevents downstream cascade to treatment plant and hospital. Estimated impact reduction: 4 sectors → 1 sector.
Munin's output is not a dashboard. It is a single signable document — a packet that travels with its evidence, its predicted cascade, the legal basis for the action, and a quorum of named signatories. Every field is deterministic. Every byte is hashed.
Stable cross-agency reference. Cited in audit, post-incident review, and regulator filings.
Plain-language summary derived from the cascade engine. Designed to be readable by a non-technical signatory under time pressure.
Source data references with reproducible provenance, time windows, and confidence scores. Anyone can re-run the inference.
The downstream impact path Munin's engine forecasts if no action is taken, with sector-by-sector timing.
A pre-validated playbook tied to the predicted cascade. Specific operational steps, not vague guidance.
Citation to the specific statute that authorises the action. This is what makes the eventual signature lawful.
Named signatories with biometric Ed25519 signatures and timestamped quorum policy. AI Act Article 14(2) by construction.
Hash-chained audit anchor. The packet is tamper-evident from the moment it is generated.
Running on Environment Agency river-gauge telemetry from the Carlisle catchment. No synthetic data. No simulation. Munin discovered the known hydrological relationship between the River Eden and River Petteril — the 5-minute lag matches physical rainfall travel time.
Runtime read-only guard. CI static analysis scans every engine file for socket / HTTP writes to SCADA ports.
Ingestion is strictly one-way. Any attempt to open an outbound socket from the analysis enclave fails tests.
GSN-style claims → evidence mapping. STPA hazard analysis with 17 unsafe control actions identified and mitigated.
Architecture mapped to OT security standards. Zones, conduits, security levels and foundational requirements traced to code.
Munin's advisory-mode architecture — humans authorise, never systems — is not a posture choice. Under the EU AI Act, human oversight is a legal requirement for high-risk AI systems. Autonomous-execution platforms must retrofit oversight scaffolding or exit the high-risk category. Munin is architecturally compliant from first principles.
Eight-stage pipeline — ingest → graph inference → sensor health → anomaly detection → incident build → cascade prediction → authorisation packets → governance audit. Seven-layer inference stack: physics-informed neural ODE, GNN message passing, ensemble Kalman filter, Rényi differential privacy. Layer 1 validated on live UK Environment Agency data; layers 2-7 on synthetic data pending pilot telemetry.
No named customer yet. First engagement: one sector pair (power + water, or flood + grid), one designated entity, 90-day shadow-mode evaluation. Exit deliverable is a compliance and response evidence pack mapped directly to CER Article 15(3), NIS2 Article 23(4) and AI Act Article 14(4) obligations — not a platform transformation. Open to introductions — jacob@muninsystems.com.
Every claim above is mapped to one of four chips — LIVE / DEMO / ROADMAP / VISION — on the maturity declaration. The line is published so it cannot be blurred.
47 million customers off-supply. ENTSO-E's final expert panel: the cascade "unfolded faster than human operators could respond" due to "governance fragmentation." The panel identified governance fragmentation as a primary contributor — among the technical and procedural drivers of the cascade.
All 27 member states must designate critical entities. ~3,000 entities into scope. Cross-sector risk assessment becomes a legal requirement. Resilience obligations apply 10 months post-designation.
Article 20(1) makes management bodies personally accountable for cybersecurity risk-management measures. Article 23(4) sets the 24-hour early-warning, 72-hour incident-notification and one-month final-report cadence. Fines to €10M or 2% of global turnover. Personal liability is what actually drives procurement timing — not the fines.
Article 14(1)-(2) makes human oversight a legal requirement for high-risk AI systems. Munin's "humans authorise, never systems" architecture is the compliance posture the regulation mandates.
Franco-German sovereignty summit. €180M Commission sovereign cloud tender. ~90% of European digital infrastructure foreign-controlled. European-origin critical-infrastructure software has the strongest procurement tailwind in a decade.
NIST FIPS 204 finalised August 2024. CNSA 2.0 mandates pure PQC by 2035. Munin's signature stack is dual-stack-ready: Ed25519 in production today, ML-DSA on roadmap before any classical-signature deprecation deadline.
Authorisation, not awareness.
Munin makes the decision path fast enough — and lawful enough — to matter.
FOUNDER · MUNIN SYSTEMS · MILAN
Built Munin solo from an empty repo in fourteen weeks — engine, cryptography, safety case, documentation. Every commit public.