Core Engine: Auditability Ledger

Every decision the engine makes. Hash-chained. Signed. Replayable.

Concord by IaxaI threads a tamper-evident evidence chain underneath every translation, every entity match, every drift repair, every dedup. Per-tenant. Append-only. Exportable as exam-ready evidence without taking our word for it.

Need audit-grade evidence your regulator can replay?

The Problem

Every security platform logs. Most logs are not evidentiary.

When an FFIEC examiner or a SOC 2 auditor asks “show me what your platform decided and why,” screenshots, Slack history, and CSV exports do not hold up. Operational logs were written for engineers, not for a regulator deciding whether your control actually fired. The evidentiary gap is where findings get written.

The Impact

Compliance becomes a six-week scramble every time someone asks.

Compliance officers stitch evidence together by hand from eight tool dashboards. Engineers get pulled off product to run forensics. Examiners get explanations instead of proofs. And when a vendor schema changes mid-quarter, no one can actually show what the platform was doing on the day in question.

How Concord Helps

Every engine decision is written to one append-only ledger per tenant. SHA-256 chain hash linking each entry to the previous one. Ed25519 signature on every entry using a tenant-scoped key. Tamper with a field anywhere in the chain and verification breaks at that line. Replay any range. Export a filtered slice as a verifiable evidence bundle.

The Outcome

Hand a regulator the evidence and the cryptographic proof of order.

Exam prep stops being a scramble and starts being an export. The compliance officer pulls the slice. The examiner verifies the chain themselves with the tenant's public key. Findings drop because the evidence is structured, ordered, and provable.

What It Actually Is

The boring, sturdy plumbing under the loud claims.

Banks have trusted hash-chained, signed ledgers for decades in financial systems. Concord brings the same discipline to security operations. Not a feature. The substrate every other engine output threads through. Every calibrated identity score, every self-healing pipeline repair, every Compliance Auto-Packet handed to a regulator points back to a ledger entry the regulator can replay on their own machine.

Append-only by constraint, not by convention

The application role has INSERT and SELECT grants only. No UPDATE. No DELETE. Vacuum and retention run under a separate privileged role on a schedule. The chain is not append-only because we promise. It is append-only because the database refuses to do anything else.

Hash-chained, Ed25519-signed, per tenant

Each entry contains a SHA-256 hash over the previous entry plus the canonicalized current payload. Each entry is then signed with the tenant's Ed25519 private key. Public key ships with every export so the verifier can confirm both ordering and authenticity without trusting Concord at all.
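A sketch of this scheme in Go, added here as an illustration and not Concord's own code: `Verify` walks the chain with only the public key and returns the index of the first entry whose chain hash or signature fails. The entry layout, JSON key-sorting as canonicalization, the all-zero genesis value, chaining on the previous entry's hash and signing the chain hash are all assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry is a hypothetical ledger record; field names are assumptions.
type Entry struct {
	Payload   map[string]string
	Hash, Sig []byte // Hash = SHA-256(prev hash || payload); Sig = Ed25519 over Hash
}
func chainHash(prev []byte, p map[string]string) []byte {
	body, _ := json.Marshal(p) // sorted map keys stand in for canonicalization
	sum := sha256.Sum256(append(append([]byte{}, prev...), body...))
	return sum[:]
}

// Append links a new entry to the chain head and signs it with the tenant key.
func Append(chain []Entry, priv ed25519.PrivateKey, p map[string]string) []Entry {
	prev := make([]byte, sha256.Size) // genesis: 32 zero bytes (assumption)
	if len(chain) > 0 {
		prev = chain[len(chain)-1].Hash
	}
	h := chainHash(prev, p)
	return append(chain, Entry{Payload: p, Hash: h, Sig: ed25519.Sign(priv, h)})
}

// Verify returns the index of the first entry that fails, or -1 if all pass.
func Verify(chain []Entry, pub ed25519.PublicKey) int {
	prev := make([]byte, sha256.Size)
	for i, e := range chain {
		if !bytes.Equal(chainHash(prev, e.Payload), e.Hash) || !ed25519.Verify(pub, e.Hash, e.Sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed tenant key pair
	chain := Append(nil, priv, map[string]string{"type": "translation", "field": "src_ip"})
	chain = Append(chain, priv, map[string]string{"type": "entity_merge", "decision": "merge"})
	fmt.Println("intact:", Verify(chain, pub))
	chain[1].Payload["decision"] = "split" // tamper with one field
	fmt.Println("first failing entry:", Verify(chain, pub))
}
```

The signature is what stops someone with write access from editing a payload and recomputing the hashes after it: the recomputed hash no longer matches the stored signature, so verification still fails at the edited entry.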

Per-tenant isolation enforced at the storage layer

Every tenant gets its own chain head and its own signing key. Row-level security on the ledger table prevents cross-tenant reads at the database level, not just in application code. An MSSP running thirty client tenants ships thirty independent, individually verifiable chains out of the same instance.

What Gets Written

Every engine output. No exceptions.

The ledger is not a place engines write to when convenient. It is a hard contract: no Translation result without a receipt, no entity merge without a receipt, no drift repair without a receipt. That contract is what makes “compliance as byproduct” real instead of a slogan.

Translation

Every alignment decision

Input field → OCSF field. Mapping version. Calibrated confidence. Recorded for every event the platform ingests so an examiner can replay how a specific alert was structured on the day it fired.

Entity Resolution

Every merge with its math

Entities joined, Bhattacharyya distance, conformal interval, signing-key fingerprint. The evidence backing every “same person across CrowdStrike and Okta” claim Concord makes.

Drift + Auto-Repair

Detection, proposal, approval, apply, revert

Old mapping, new mapping, MMD test statistic, who approved, what reverted if shadow mode failed. A regulator can replay exactly how the pipeline survived a vendor schema change.

Dedup + Overrides

Which raw alerts collapsed into which narrative

Semantic dedup decisions and analyst overrides land in the ledger alongside the engine output. Every “why did this alert get suppressed” question has an answer in the chain.

What It Produces

Three read paths. Built for three different audiences.

Replay: deterministic recompute of any decision

Pick a ledger range. Get back the entries, the chain hashes, the public key, and a verifier-friendly recompute path. A forensic investigator or a regulator's technical staff can rebuild any engine decision from first principles without trusting Concord's word for it.

Query: by range, by entity, by decision type

Indexed for analyst surfaces. “Show me every entity resolution involving this user in Q2.” “Show me every drift repair for our Splunk source last quarter.” Read-only consumers always get enough chain context to verify the slice they got back.

Export: filtered evidence bundles for examiners

The Compliance Auto-Packets surface consumes ledger exports as its primary input. Filter by framework, by date range, by control. Out the other end: entries, Merkle root over the slice, public key, chain-of-custody manifest. Hand it to FFIEC, SOC 2, HIPAA, or PCI auditors. They verify it themselves.

Retention

Defaults shipped per vertical. Overrides per tenant.

Different regulators want different windows. Concord ships defaults that match the framework an end-client lives under and lets MSSPs override per tenant when reality demands it.

FFIEC: 5-year default

HIPAA: 6-year default

PCI: 3-year default

SOC 2: 1-year typical

Cold-storage rotation preserves chain integrity. When a hot entry archives out, a formal “archived to cold storage” event lands in the chain so the verifier never sees a broken link, only a documented hand-off.

Honest Status

Unification, not invention.

Concord by IaxaI already ships the primitives. SHA-256 hash-chained operational audit logging. Ed25519-signed provenance bundles for individual engine decisions. An immutable SQLite audit store for generative-UI events. Forensic chain-of-custody inside incident packets.

What V1 ships is the unified layer. One per-tenant chain that every engine output threads through. One queryable, replayable, exportable substrate the Compliance Auto-Packets surface stands on. The cryptographic primitives are off-the-shelf. The discipline of wiring them in everywhere is the work.

Failure semantics matter here, and we are explicit about ours. If the ledger write fails, the originating engine call fails. We do not return a Translation result without its receipt. We do not commit an entity merge without its receipt. The cost of that contract is real (ledger downtime is engine downtime) and we took it deliberately. It is the only way the “every output has a ledger entry” promise survives contact with a regulator.

Built for regulated buyers from the start

Cryptographic verification

Tamper with a field anywhere in the chain and verification breaks at that line. Public key ships with every export so verifiers do not have to trust Concord.

SOC 2 Type I targeted Q3 2026

The ledger is a controls foundation for our own SOC 2 work and for our customers'. Examined the same way.

Air-gapped on-prem deployable

Runs entirely on the Edge Gateway. No external services required for the write path. Tenant private keys never have to leave the customer network.

Every competitor logs. None of them tie every engine decision to one tamper-evident chain.

Splunk logs. Arctic Wolf logs. Stellar Cyber logs. Huntress logs. Logging is table stakes. The differentiator is not that Concord has a ledger. It is that the ledger is threaded through every engine output as a hard contract (no Translation result without a receipt, no entity merge without a receipt, no drift repair without a receipt) and that the customer's regulator can verify it without taking our word for any of it.

Banks already trust this pattern from the financial systems they have run for decades. Applying it to security operations is the boring, sturdy moat. The pieces are off-the-shelf. The discipline of wiring them in everywhere is the work.

That is what makes audit-grade trust real instead of marketing.

Stop reconciling. Start trusting one timeline.

30-minute walkthrough. Your tools. Your tenants. Your audit cycle. We will show you exactly where Concord earns its keep.