Skip to content

Frequently asked questions

Canonical answers about security verification.

GoSentrix is the independent security verification body for software delivery. These answers are written to stand on their own: what GoSentrix is, how verification works, what AI can and cannot authorize, and where the company stands today.

What GoSentrix is

What is GoSentrix?

GoSentrix is the independent security verification body for software delivery. It determines whether security evidence has earned the authority to support an action — proceed, stop, escalate, suppress, disprove, or accept risk. It operates across code, merge, release, and runtime.

Is GoSentrix an ASPM?

No. ASPM platforms aggregate and prioritize findings. GoSentrix sits one layer above that: it determines whether security evidence has earned the authority to enforce, clear, or stop a release. Prioritization is a ranking function; verification is a judgment function. GoSentrix does the second.

Is GoSentrix a scanner?

No. GoSentrix does not produce findings of its own. Scanners, AI agents, and runtime tools produce signals. GoSentrix treats those signals as unverified claims and determines what they are allowed to enforce.

Is GoSentrix an AI security tool?

GoSentrix uses AI inside the verification process, but it is not an AI-judgment product. AI signals enter the evidence ladder as claims, not as authority. They cannot terminate the ladder on their own. The line we hold: AI can be probabilistic, but security authority cannot be.

What does GoSentrix produce?

GoSentrix produces decisions — readiness assessments, release decisions, fix verifications, override authorizations — each bound to the evidence and policy version active at the time it was made, and each designed to be replayed and defended later.

Who is GoSentrix for?

Fortune 2000 security organizations operating modern software delivery — where AI agents write and review code, scanners produce findings faster than analysts can promote them, and audit requirements demand defensible decisions. Specifically: CISOs, AppSec leads, platform engineering leaders, and audit/GRC teams.

The verification body category

What is a security verification body?

A security verification body is an independent layer between the tools that produce security signals and the systems that act on them. It determines which signals can promote into evidence, whether that evidence can justify enforcement, and whether the resulting decision can be replayed, audited, and defended later.

Why does this category need to exist?

AI agents, scanners, runtime systems, and policy engines now generate more security claims than teams can govern. The problem is no longer detection — it is authority. Teams need to know which evidence has earned the right to enforce, clear, or stop a release. A verification body answers that question and produces a record that can be defended later.

How is a verification body different from a security platform?

A security platform aggregates capabilities — scanning, prioritization, ticketing, reporting. A verification body is a category of judgment, not a category of features. Its job is not to do more security work but to determine whether the security work that has been done is enough to support the action being requested.

How is verification different from prioritization?

Prioritization ranks findings by likelihood or impact. Verification determines whether the evidence behind a finding has earned the authority to enforce. A high-priority finding without sufficient evidence cannot hard-block. A low-priority finding with strong corroborating evidence can. The bar is evidence, not severity.

How is this different from a CI/CD security gate?

A standard CI/CD security gate evaluates findings against a threshold and passes or fails. A verification body evaluates the evidence behind those findings against a policy version, promotes evidence through governed states, downgrades its own authority when proof is missing, and produces a replayable record. The gate is the surface; the verification body is what runs underneath it.

Is this a new category, or are you redefining an existing one?

It is a new category. The verification body sits at a different altitude than ASPM, scanners, or runtime tools. None of those products do what a verification body does: independently determine whether security evidence has earned the authority to act on it. The category exists because the authority problem exists.

How verification works

What does "evidence has earned authority" mean?

Evidence earns authority when it is strong enough, current enough, corroborated enough, and replayable enough to meet the organization's own standard for the action being requested. The bar is not severity, scanner confidence, or AI judgment. It is whether the evidence supports the decision and whether the decision can be defended later.

How does GoSentrix promote findings into evidence?

Findings move through governed evidence states — detected, observed, corroborated, validated — before they can become authoritative. Promotion happens on independent corroboration from multiple sources. Promotion strength is a function of source diversity, not signal count. Two findings from the same scanner do not double the confidence.

What's the difference between suppression and disproval?

Suppression dismisses a finding from view. Disproval refutes it with evidence. GoSentrix makes the distinction structurally: disproval requires either an artifact reference or a reviewer attestation that evidences the finding does not apply in context. A finding cannot be marked disproven without that evidence.

What does "replayable" mean?

A consequential decision is replayable when it can be reproduced against the evidence, artifacts, trust state, freshness state, and policy version active at the time it was made. Replay proves reproducibility, not correctness — but reproducibility is what makes a decision a decision rather than an opinion.

What happens when required proof is missing?

GoSentrix downgrades its own authority. If a decision requests HARD_BLOCK without sufficient evidence to support it, the system automatically narrows the decision to a lower level and records the downgrade reason. The operator cannot reverse the downgrade without supplying the missing evidence.

How does policy binding work?

Every consequential decision is bound to the policy version active at the time it was made. Later policy edits do not retroactively change a past decision's authority. This is the structural difference between "we changed the rules" and "we re-graded what happened under the old rules."

How are overrides governed?

Overrides flow through typed approval chains with dual control. Business-critical overrides require VP approval. Risk-acceptance overrides require CISO approval. Trust-boundary violations require CISO-level break-glass and cannot be approved at a lower tier. AI agents cannot grant overrides.

What if an operator marks a finding fixed but it isn't?

The operator action is recorded as evidence input to the next verification round, not as terminal closure. GoSentrix re-executes the original replay command against the new artifact and compares outcomes. If the replay still produces the original behavior, the fix did not work — regardless of what the ticket says. A closed ticket is not evidence that risk was removed.

Where GoSentrix operates

Where does GoSentrix fit in the software development lifecycle?

GoSentrix manifests operationally as a security decision control plane integrated across code, merge, release, and runtime. At each surface it does the same four things: ingests signals, promotes evidence under doctrine, evaluates evidence against the active policy version, and emits a decision that can be replayed and defended later.

Does GoSentrix work at pull request time?

Yes. At every pull request, GoSentrix takes scanner findings, AI-agent claims, and prior-decision context as unverified inputs, promotes the evidence under doctrine, evaluates it against the active policy version, and produces a merge readiness decision — PASS, WARN, SOFT_BLOCK, or HARD_BLOCK — with a signed proof record.

Does GoSentrix work at release time?

Yes. At release, GoSentrix aggregates per-service decisions into a workspace-scope decision with collective evidence references and a signed bundle. The workspace decision is its own decision, not the worst per-service verdict. License and supply-chain release eligibility runs as a parallel decision axis with its own gate.

Does GoSentrix verify that fixes actually worked?

Yes. When a developer marks a finding fixed, GoSentrix re-executes the original replay command against the new artifact and compares outcomes. Three outcomes only: vulnerability absent, vulnerability present, or indeterminate. Indeterminate is preserved as first-class — it is not auto-promoted to fixed.

Does GoSentrix work at runtime?

Yes, in the sense that runtime telemetry is one of the evidence sources GoSentrix verifies against. Runtime signals enter the evidence ladder as unverified claims and can corroborate findings, contribute to fix verification, and inform downgrades when expected behavior is not observed.

How does GoSentrix handle AI-generated code?

AI-provenance signals are captured at the developer surface via hooks that record AI lineage at session-start and post-edit events. The lineage is persisted as evidence. AI claims about code safety enter the evidence ladder capped at the DETECTED level — they can contribute to corroboration but cannot terminate the ladder without independent non-probabilistic evidence.

AI and security authority

Does GoSentrix replace AI agents?

No. AI agents are upstream sources whose signals GoSentrix verifies. GoSentrix does not compete with AI coding agents, AI review agents, or AI security agents — it determines what their outputs are allowed to enforce.

Can an AI agent's high-confidence assessment authorize a hard-block?

No. AI judgment cannot authorize enforcement alone. AI-provenance signals are capped at the DETECTED evidence level by design. Authority requires corroboration from independent non-probabilistic evidence. The line we hold: AI can be probabilistic, security authority cannot be.

Why cap AI signals at the lowest evidence level?

Because AI judgment is probabilistic and security authority is not. AI signals contribute to corroboration the same way scanner findings do — but they cannot terminate the evidence ladder on their own. A decision that hard-blocks on AI confidence alone cannot be defended later if the AI was wrong.

How does GoSentrix prevent AI hallucination in security decisions?

GoSentrix does not claim to have solved AI hallucination. What it does is move AI judgment from the "authority" column to the "input" column, structurally. An AI claim that a vulnerability is safe enters as a claim, not as truth. Promotion to higher evidence levels requires corroboration from sources that are not subject to hallucination.

What GoSentrix does not do

Does GoSentrix replace my existing scanners?

No. Scanners, AI agents, and runtime tools produce signals. GoSentrix treats those signals as unverified claims and determines what they are allowed to enforce. It does not produce findings of its own, and it does not replace the sources it verifies.

Does GoSentrix set my organization's risk appetite?

No. GoSentrix verifies whether the available evidence is strong enough to support the action being requested. Risk appetite — the standard the evidence is judged against — is the organization's decision, not GoSentrix's.

Does GoSentrix guarantee that no incidents will occur?

No. We do not make incident-prevention guarantees. We make verification claims: that decisions are bound to the evidence and policy active at the time, that they can be replayed, and that the verification body downgrades its own authority when proof is missing.

Does GoSentrix eliminate false positives?

No. False-positive elimination is not a claim our doctrine permits. What GoSentrix does is distinguish disproval (evidence that a finding is invalid in context) from suppression (dismissal without evidence). The two are structurally different terminal states.

Does GoSentrix verify every fix?

GoSentrix verifies fixes within supported evidence paths. It does not guarantee remediation worked in every case. A re-run that does not fail is one piece of evidence; it is not closure. Indeterminate outcomes remain indeterminate until further evidence supports a state transition.

Does GoSentrix replace human security review?

No. Operator actions on findings — dismiss, mark fixed, accept risk — are recorded as evidence inputs to the next verification round. Disproval of complex findings often requires reviewer attestation. The verification body does not eliminate human judgment; it ensures human judgment leaves a record.

Where GoSentrix stands today

Is GoSentrix field-proven?

No, not yet. Verification architecture is implemented. Field-proven authority requires a linked customer field event — a documented case with prevented outcome, replay artifact, customer attestation, and legal review. Until that event is on record, we do not claim field-proven status. When it is, this page will reflect it.

Has GoSentrix prevented incidents in customer environments?

We do not claim incident prevention in customer environments until a customer field event is recorded. Doing so would violate the same evidence doctrine our product enforces. When that evidence exists, we will publish it with the customer reference, the decision record, and the replay artifact.

What's implemented today?

Evidence promotion under governed states. Disproval as structured evidence rather than suppression. Self-downgrade when required proof is missing. Policy-version binding at decision time. Workspace-scope decision aggregation. AI-provenance capture at the developer surface. Pipeline BOM v1.

What's still being established?

Pipeline-wide cryptographic signing rollout. Replay coverage across all consequential decisions; architecture is complete and full coverage is in progress. Field-proven authority. Customer-prevented-incident evidence. CycloneDX export for Pipeline BOM.

Why publish your own limitations on your website?

Because the verification body category requires it. Every claim GoSentrix makes about itself is assigned an evidence status — the same way every finding GoSentrix evaluates is assigned an evidence level. A claim cannot appear on a surface that demands more evidence than the claim has earned. We apply the rules to ourselves first.