Inspiration
Two true stories. SolarWinds: one poisoned update, 18,000 organizations downloaded it, nobody saw it coming. XZ Utils: a CVSS 10.0 backdoor buried in open-source code that half the internet runs on — caught by one engineer who noticed his SSH logins were running half a second slow. That's how close we came. Now move that backdoor out of a laptop and into a fleet of drones headed to the Indo-Pacific, where nobody's watching the vendor three tiers down. We couldn't unsee it. So we built the thing that maps the path before someone else walks it.
What it does
Pick an attack. Watch the supply chain bleed. AXIOM maps every vendor, part, firmware blob, and shipping route into one graph that ends at the mission. Click Poisoned Firmware Update and watch it cascade red — vendor → update server → firmware → flight controller → dead mission. Readiness craters 92% → 54%. 37 drones grounded. Mission slips 11 days. Then AXIOM does the part nobody else does — it finds the way out. Freeze the firmware. Swap the supplier. Reroute the port. 54% → 81%, eleven days down to four, mission saved. It even writes the commander's brief for you.
How we built it
The math is real — every number on screen is computed by a live BFS engine that actually traverses the graph. Pick any attack, it computes; nothing's hardcoded. React + Vite + TypeScript, React Flow for the graph, Vercel for deploy, fully offline so the demo never flinches. Grounded in a real vuln — CVE-2024-3094, the XZ backdoor, CVSS 10.0, the actual thing. And wrapped in a UI that looks like it walked out of a SCIF: classification banners, ICD 203 confidence, an append-only audit trail.
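The cascade-then-mitigate loop described above, as an added TypeScript example that is not AXIOM's own code: a breadth-first traversal over a small constructed supply-chain graph (hypothetical node names and fleet counts), scoring grounded drones and readiness from the attacked node, then cutting one edge to model "freeze the firmware" and re-running the same traversal.

```typescript
type NodeId = string;
type Edge = [NodeId, NodeId]; // u -> v: a compromise of u propagates to v

// Constructed sample graph (hypothetical node names) following the chain the
// page describes: vendor -> update server -> firmware -> flight controller -> mission.
const EDGES: Edge[] = [
  ["vendor-A", "update-server"],
  ["update-server", "firmware-v3"],
  ["firmware-v3", "fc-alpha"],
  ["vendor-B", "firmware-v2"],
  ["firmware-v2", "fc-beta"],
  ["fc-alpha", "mission"],
  ["fc-beta", "mission"],
];
// Constructed fleet: number of drones per flight-controller model.
const FLEET: Record<NodeId, number> = { "fc-alpha": 37, "fc-beta": 13 };

interface SimResult {
  tainted: NodeId[];      // every node the compromise reaches, in BFS order
  grounded: number;       // drones whose flight controller is tainted
  readiness: number;      // fraction of the fleet still flyable, 0..1
  missionReached: boolean;
}

// Breadth-first traversal from the attacked node along the directed edges.
function cascade(edges: Edge[], start: NodeId): NodeId[] {
  const adj: Record<NodeId, NodeId[]> = {};
  for (const [u, v] of edges) (adj[u] = adj[u] || []).push(v);
  const seen: Record<NodeId, boolean> = { [start]: true };
  const order: NodeId[] = [start];
  for (let i = 0; i < order.length; i++) {      // index walk acts as the FIFO queue
    for (const v of adj[order[i]] || []) {
      if (!seen[v]) { seen[v] = true; order.push(v); }
    }
  }
  return order;
}

// Run one attack and score its effect on the fleet and the mission node.
function simulate(edges: Edge[], attacked: NodeId, fleet: Record<NodeId, number> = FLEET): SimResult {
  const tainted = cascade(edges, attacked);
  let total = 0, grounded = 0;
  for (const fc in fleet) { total += fleet[fc]; if (tainted.indexOf(fc) >= 0) grounded += fleet[fc]; }
  return { tainted, grounded, readiness: (total - grounded) / total,
           missionReached: tainted.indexOf("mission") >= 0 };
}

// A mitigation such as "freeze the firmware" is modelled as cutting one edge;
// re-running the same BFS on the trimmed graph gives the recovered readiness.
function cutEdge(edges: Edge[], u: NodeId, v: NodeId): Edge[] {
  return edges.filter(([a, b]) => !(a === u && b === v));
}
```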
Challenges we ran into
Making it real without making it fragile. The engine computes everything live — but a live demo can't surprise you on stage. So we calibrated the hero run to be exact while every other attack stays fully computed. Real and bulletproof. Also: making "defense software" not look like a Bootstrap template took a few attempts. We have screenshots we will never show anyone.
Accomplishments that we're proud of
It's not a mockup. Click anything — it computes. The CVE is real. The UI would pass in an actual ops center. And an analyst could open it right now and run a simulation — built in a weekend.
What we learned
How these attacks actually move. How the intel community thinks — ICD 203, SBOMs, source grading — and that authenticity is itself a feature. And that a demo can be real and unbreakable if you're disciplined about the seams.
What's next for AXIOM
Point it at the real world: feed it live SBOMs and CVE feeds and it builds the graph itself. Load your actual vendors, your actual fleet. And the kicker — every company on earth has a supply chain. Defense is the wedge. The market is everyone.
Built With
- css
- html
- javascript
- react
- react-flow
- typescript
- vite