100% Open Source (Apache 2.0)

Secure Your AI Models
Before Production

The Zero-Trust barrier for your AI Supply Chain. Automatically detect malware in Pickle/PyTorch, block restrictive licenses, and cryptographically sign your containers.

$ pip install veritensor
~ veritensor scan ./models/bert.pt --repo google-bert/bert-base-uncased
Analyzing bert.pt...
Identity Verified: Hash matches official Hugging Face registry.
Malware Detected: CRITICAL: os.system (RCE Risk) found.
! License Warning: Non-Commercial license detected.
❌ BLOCKING DEPLOYMENT

Under the Hood

We don't just grep strings. Veritensor uses advanced static analysis and cryptographic proofs to secure the AI lifecycle.

Step 01

Bytecode & AST Analysis

Veritensor implements a custom Pickle Virtual Machine to emulate the stack execution without actually running the code. It builds an Abstract Syntax Tree (AST) of the model file to detect:

  • Obfuscated Calls: Detects STACK_GLOBAL tricks used to hide imports like os.system.
  • Lambda Injections: Parses Keras/H5 architecture configs for malicious Lambda layers.
  • Secret Harvesting: Heuristic analysis for hardcoded AWS keys and internal IPs.
pickle_engine.py
from pickletools import genops

def scan_pickle_stream(data):
    # Emulate stack execution: remember the string operands that get pushed so the
    # module/name pair consumed by STACK_GLOBAL can be read back without running anything
    stack = []
    for opcode, arg, pos in genops(data):   # genops yields (opcode, argument, offset)
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            stack.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            module = stack[-2]
            func = stack[-1]
            if is_unsafe(module, func):       # the engine's own denylist check (not shown)
                raise SecurityThreat(...)
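A fuller version of the stack emulation sketched above, added here as an illustration and not Veritensor's own code: it tracks the pickle VM's stack and memo from the opcode stream alone (pickletools.genops), so a reference to os.system is caught whether it arrives through the legacy GLOBAL opcode, through STACK_GLOBAL with the names pushed inline, or through strings parked in the memo and fetched back with BINGET right before the call. The denylist and the sample pickles are constructed for this example; nothing is ever passed to pickle.loads.

```python
import pickle
from pickletools import genops, markobject
# Illustrative denylist (an assumption, not Veritensor's list); os.system pickles as posix.system
UNSAFE_GLOBALS = {("os", "system"), ("posix", "system"), ("nt", "system"),
                  ("subprocess", "Popen"), ("builtins", "eval"), ("builtins", "exec")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
MARK = object()  # sentinel standing in for the pickle VM's mark object

def scan_pickle_stream(data: bytes) -> list:
    """Emulate the pickle VM's stack and memo without executing anything and return
    (module, name, opcode, offset) for each denylisted global, whether it arrives via
    GLOBAL (protocol 0-3) or STACK_GLOBAL (protocol 4+), even via memo round-trips."""
    stack, memo, findings = [], {}, []
    for opcode, arg, pos in genops(data):
        name = opcode.name
        if name in STRING_OPS:
            stack.append(arg)
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif name in ("GLOBAL", "STACK_GLOBAL"):
            if name == "GLOBAL":
                module, func = arg.split(" ", 1)
            else:
                func = stack.pop() if stack else None
                module = stack.pop() if stack else None
            if (module, func) in UNSAFE_GLOBALS:
                findings.append((module, func, name, pos))
            stack.append(None)  # the resolved callable, opaque to the scanner
        else:
            # Any other opcode: pop to the mark for MARK-based ones (plus whatever the
            # opcode lists below the mark), otherwise a fixed count; push placeholders
            before = opcode.stack_before
            if markobject in before:
                while stack and stack.pop() is not MARK:
                    pass
                del stack[max(0, len(stack) - before.index(markobject)):]
            else:
                del stack[max(0, len(stack) - len(before)):]
            stack.extend(MARK if name == "MARK" else None for _ in opcode.stack_after)
    return findings

# Constructed samples (hand-assembled opcodes; none of them is ever passed to pickle.loads)
DIRECT = b"\x80\x04\x8c\x02os\x8c\x06system\x93."                      # STACK_GLOBAL, names inline
VIA_MEMO = b"\x80\x04\x8c\x02os\x71\x00\x8c\x06system\x71\x01\x30\x30\x68\x00\x68\x01\x93."  # BINPUT/POP/BINGET
LEGACY = b"\x80\x02cos\nsystem\nq\x00."                                   # protocol 2, GLOBAL opcode
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)              # ordinary state dict
```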
Hash Verification MATCH
Local File: pytorch_model.bin
Local SHA256: a1b2...9f8e
Remote Repo: meta-llama/Llama-2-7b
Remote SHA256: a1b2...9f8e
Step 02

Registry Integrity & Compliance

Supply chain attacks often involve replacing a legitimate model with a tainted one. Veritensor acts as a bridge to the Hugging Face Hub API.

  • Hash-to-API Verification: Veritensor calculates the SHA256 (handling LFS pointers) and verifies it against the immutable registry record.
  • License Firewall: Automatically parses metadata (GGUF/Safetensors) to block Non-Commercial or AGPL licenses in corporate environments.
Step 03

Cryptographic Signing (Sigstore)

Once a model is verified, Veritensor signs the container image using Sigstore Cosign. This creates an immutable proof of security.

  • Tamper-Proof Seal: The signature is pushed to your OCI registry alongside the image.
  • Admission Control: Use our Kubernetes Gatekeeper (Enterprise) to physically block unsigned pods from starting.
# Verifying signature in Production
$ cosign verify --key veritensor.pub my-app:v1
Verification for index.docker.io/my-app:v1 --
The following checks were performed:
- The cosign claims were validated
- The signatures were verified against the public key
"optional": {
  "scanned_by": "veritensor",
  "status": "clean",
  "scan_date": "2026-01-11T12:00:00Z"
}

Why Standard Security Tools Fail

General-purpose scanners treat AI models as "binary blobs". Veritensor understands their internal structure.

Capability                     | Veritensor             | SCA Tools (Snyk, Trivy) | Endpoint AV (ClamAV, CrowdStrike)
Detection Engine
  Pickle Bytecode Analysis     | Deep AST / VM          | No (Text only)          | No (Signatures only)
  Keras Lambda Injection       | Config Parsing         | No                      | No
  Secret Detection in Weights  | Heuristic Analysis     | Source code only        | No
Supply Chain
  Registry Integrity Check     | Hugging Face Sync      | No                      | No
  License Firewall (GGUF/PT)   | Metadata Parsing       | Package.json only       | No
  Container Signing            | Native (Cosign)        | No                      | No
Performance
  Large Model Scanning         | Zero-Download (Stream) | N/A                     | Full Download Required

* Veritensor is designed to complement, not replace, your existing SCA tools. We secure the AI layer.

Enterprise Edition

Scale Security across your Organization

Move from local scanning to cluster-wide enforcement. Gain visibility and control over every AI asset.

  • Kubernetes Gatekeeper: Admission controller that physically blocks unsigned or non-compliant models from running in your cluster.
  • Private Cloud Support: Native integration with AWS S3, Azure Blob, Artifactory, and MLflow. Scan models where they live.
  • Managed PKI & Policies: Keyless signing (OIDC), automatic key rotation, and centralized policy management.
  • Live Threat Intelligence: Real-time signature updates. Protect against 0-day exploits without rebuilding your containers.
  • Dynamic Sandboxing: Run suspicious models in an isolated environment to detect behavioral anomalies.

Join the Waitlist

Get early access to Enterprise features and a free security audit consultation.

We will only contact you regarding the Enterprise release. No marketing spam.