Project Bastion · Cellular Counter-Surveillance · Concept · TRL 1–2

They're listening.
We tell you when, from where, and what to do about it.

Detect hostile cellular intercept. Protect your people, your sites, your conversations.

In the Pegasus era, any protected person — journalist, executive, diplomat, case officer — walks through hostile cellular surveillance they cannot see. IMSI catchers, rogue base stations, SS7 exploits, silent SMS pings, encryption-downgrade attacks. Bastion is a family of passive cellular monitors that detect, classify, and locate hostile intercept gear operating against a protected asset. It never intercepts anything. It only tells you when something is looking at you.

Concept phase. Bastion is an idea being presented for early partner interest. Nothing is built yet. This page describes the product we would build with funding and partnership. All numbers below — device counts, accuracy percentages, library sizes, detection latencies — are design targets, not measurements.

600MHz–6GHz

Target coverage

2G · 3G · 4G · 5G NSA/SA detection across common operator bands.

<2s

Alert latency (target)

From first detection to silent haptic alert at the protected person.

4-state

Alert ladder

Green · Amber · Red · Critical. User sees only what matters.

Concept

Library status

Operator RF fingerprints + catcher variants — acquisition plan mapped, not yet acquired.

§01 · The Threat Landscape PEGASUS ERA

Cellular is the invisible tradecraft layer nobody defends.

Every protected person carries a cellular device. That device is the single largest untrusted surface in their operational posture. The post-Pegasus disclosures (2021–2024) made one thing clear: the intercept ecosystem is global, industrialized, and targets civilians as routinely as it targets military operations.

Attack Class 01

IMSI / stingray catchers

Rogue base stations impersonate a legitimate operator cell, force nearby phones to attach, extract IMSI/IMEI, downgrade encryption (A5/0 null cipher, 2G fallback), and intercept plaintext voice/SMS. Modern variants attempt LTE→2G and 5G→LTE downgrades.

Attack Class 02

Signaling-protocol exploits

SS7 and Diameter attacks (from operator-side compromise or rogue peer networks) enable location tracking, SMS interception, and call redirection without any airside presence near the target.

Attack Class 03

Silent SMS / Type-0 paging

Class-0 SMS messages that never display on the handset but trigger baseband response — used for stealth location confirmation ahead of a physical operation.

Attack Class 04

Encryption downgrade

Forced fallback from A5/3 to A5/1 (cryptographically broken) on GSM, or from LTE EEA1/EEA2 to EEA0 (null cipher), to enable live cleartext decoding of traffic.

Attack Class 05

Location inference

Commercial location-data brokers, operator-side queries, and forced LAC/TAC updates all leak location at tower-granularity without any intercept of content.

Attack Class 06

Endpoint implants

NSO-class zero-click implants. Out of scope for Bastion (we don't detect compromised-phone malware — that's MVT / Lookout territory), but the cellular layer is the attacker's discovery and delivery channel.

Adversary kit in the wild

The commercial surveillance industry — NSO, Paragon, Candiru, Gamma — and lawful-intercept vendors re-deployed adversarially (Septier, R&S gear in hostile hands) constitute the known adversary landscape. Chinese state-produced catchers (GF/PLA variants), Russian Leer-3 and successors, and open-source rogue deployments (YateBTS, OpenBTS) complete the picture. Bastion's library is designed to detect all of them.

§02 · What Bastion Is MISSION

A passive listener that never intercepts.

Bastion is counter-SIGINT at the cellular layer. It watches the cellular RF environment around a protected asset and flags hostile intercept gear in real time. It is the ground/personal counterpart to Nexus Atlas Blackbird (airborne emitter detection) and Phantom (RF deception). The three together constitute our counter-ISR family.

Axiom 01

Passive only

Bastion never transmits, never attaches to cells, never intercepts content. Zero legal exposure as interception equipment. Clean ECCN 5.A.1 counter-surveillance category.

Axiom 02

Detection-grade fidelity

Rule-based IoC detection plus ML classifier on RF fingerprints plus baseline-anomaly detection. Three pipelines fused by a correlation engine — not a single heuristic.

Axiom 03

Library-driven, subscription-refreshed

The moat is the cellular signature library — operator fingerprints + catcher variants — updated continuously from fleet telemetry. The box commoditizes in 24 months. The library does not.

§03 · Product Tiers HARDWARE

Three tiers. One protected person, one vehicle, one site.

A single product architecture scaled across three physical form factors. Shared detection stack, shared library, shared backend. Different antenna arrays, different channel counts, different customer segments.

Tier 01 · Personal

Bastion-S

$2,000 – $5,000

Pocket device, ~150 g. USB-C + BLE pairing to a paired phone or tablet. 2G/3G/4G complete, 5G NSA/SA basics. Passive sniffer + anomaly detector + silent haptic alerting.

AD9361 SDR, 70 MHz – 6 GHz, 56 MHz IBW, 12-bit
NXP i.MX 8M Plus SoC + 2.3 TOPS NPU
5 000 mAh battery · 8 h active, 48 h sleep
ATECC608 secure element, tamper sensors
Dual internal antennas, polarization-diverse
Silent haptic + BLE earpiece + paired app

primary Y1 SKU journalist / EP / case officer

Tier 02 · Vehicle

Bastion-V

$8,000 – $15,000

Trunk or glovebox unit with external multi-band antennas. 24/7 operation, vehicle power. Adds direction-of-arrival estimation for rogue cells. Integration with vehicle comms and EP team radios.

2× AD9361 coherent chain (4 RX channels)
GPSDO for nanosecond time reference across antennas
IP66 vehicle enclosure, 12 V + backup battery
4 external SMA antennas: whip · discone · directional patch
Coarse DF (±10°) for rogue cell bearing
Encrypted mesh link to paired Bastion-S units in-car

diplomatic motorcade · SOF mobile · EP driver

Tier 03 · Fixed Site

Bastion-X

$25,000 – $100,000

Ruggedized fixed-site installation with high-gain directional antenna array. Continuous 6-band monitoring. Active DF to locate rogue BTS. SOC feed + building-security integration.

Xilinx Zynq UltraScale+ RFSoC ZU21DR · 8 coherent chains · 14-bit · 5 GS/s
4–8 element phased array · per-band · DF-capable
NEMA outdoor or 2U rack · 48 V DC / PoE++
Ethernet + fiber backhaul
SS7/Diameter anomaly feed (via operator-side partnership)
Physical security system + SIEM integration

embassy · executive residence · infra

Controller / SOC software

Web + mobile application for the protected person's security team. Real-time alerts, historical timeline, threat-intel feed, fleet health, integration with EP workflows and (in planned later phases) ATAK, Palantir, enterprise SIEMs via syslog/CEF. Target pricing: $1 K/yr per personal device, $5 K/yr per site.

§04 · What Bastion Detects IoC CATALOG

Ten classes of indicator. Correlated, weighted, confidence-scored.

No single indicator is conclusive. A rogue base station typically trips five to eight indicators simultaneously. Bastion's correlation engine fuses weighted rule hits with baseline-anomaly scores and RF-fingerprint confidence to produce one of four states: Green Amber Red Critical

Indicator	Signal	Adversary intent	Weight
Unexpected cell appearance	New cell ID at location not in baseline	Rogue BTS staged near target	Medium
Cell ID conflict	Same PLMN/cell ID observed from two bearings	ID cloning of legitimate tower	High
Absent authentication (AKA)	Observed attach without SIM challenge	Cell can't respond to challenge = not real operator	High
Encryption downgrade	A5/1, A5/0, EEA0 forced; 2G fallback from LTE/5G	Enable live plaintext capture	Critical
Silent paging / Type-0 SMS	Class-0 SMS with no UI surface	Stealth location ping	High
RF fingerprint mismatch	TX imperfection vector outside operator library	Unknown hardware (typical of catcher)	Critical
Neighbor-cell list anomaly	Real BTS: 6–12 neighbors. Catcher: 0–2.	Catcher doesn't know operator topology	High
LAC/TAC churn	Repeated forced location-area updates	Force reattach to compromised cell	Medium
Abnormal reattach rate	UE forced to re-attach unusually often	Signal engineering for compromise	Medium
Signaling-plane anomaly	SS7/Diameter abuse via operator feed (Bastion-X)	Network-side tracking	Critical

Design philosophy

Detection is about correlation, not individual signals. A single "absent authentication" event might be a flaky real tower. Absent authentication + encryption downgrade + RF fingerprint mismatch + cell 50m from you at -40 dBm = catcher, with very high confidence. Bastion's correlation engine is the intelligence, not the sensors.

§05 · Adversary Kit — What the Library Targets RED SET

Know who's watching.

The signature library is built backwards from known adversary hardware. Each catcher class has a distinctive RF fingerprint footprint, a characteristic signaling behavior, and a typical deployment pattern. Cataloging adversary variants is the research heart of the product.

Tier 1 · Surveillance vendors (adversarial)

NSO · Paragon · Candiru · Gamma

Endpoint implants (Pegasus / Graphite / DevilsTongue / FinSpy) rely on cellular delivery. Bastion detects the associated cellular infrastructure — delivery cells, paging cells, SMS campaign cells — rather than the implants themselves.

Tier 2 · Lawful-intercept vendors (re-deployed)

Septier · R&S · Verint / Cognyte

Legitimate LI kit sold to customers who use it adversarially. Distinctive hardware fingerprints from these vendors form a primary library category.

Tier 3 · State-produced catchers

Chinese GF/PLA · Russian Leer-3

State-manufactured tactical IMSI catchers. Leer-3 is an RB-341V truck-mounted EW/SIGINT system with cellular-catcher payload. Chinese equivalents widely deployed along sensitive borders and for overseas operations.

Tier 4 · Commercial stingray-class

Harris · L3Harris · Gemalto

Law-enforcement-grade catchers, widely proliferated. Not all uses are hostile, but the same devices show up in adversarial hands. Classic fingerprint targets.

Tier 5 · Open source

YateBTS · OpenBTS · srsRAN-based rogues

Attackers increasingly use open-source cellular stacks on commodity SDR hardware (BladeRF, Pluto, USRP). Cheaper to build, harder to fingerprint — but still detectable via protocol-behavior anomalies even when hardware fingerprint is ambiguous.

Tier 6 · One-off / bespoke

Research / boutique builds

Tailored catchers from national labs or specialty shops. Rare, but the highest-threat class — used for highest-value targets. Detectable via protocol anomalies even when the hardware is unknown to the library.

§06 · System Architecture SIGNAL PATH

Antenna to alert ladder in under two seconds.

Passive RF capture, baseband DSP, per-standard protocol decoding, three-pipeline detection engine, correlation, alert ladder. All on-device for privacy; only alert metadata and flagged IQ snippets leave for backend library updates.

  ┌──────────────────────── BASTION-S · SIGNAL PATH ───────────────────────┐
  │                                                                        │
  │    ANTENNAS                                                            │
  │    ┌─────────┐  ┌──────────┐                                           │
  │    │ WIDEBAND│  │ 5G PATCH │  ← polarization-diverse                   │
  │    │ 0.6–3GHz│  │ 3.3–6GHz │     internal to unibody                   │
  │    └────┬────┘  └─────┬────┘                                           │
  │         │              │                                               │
  │    ┌────▼──────────────▼────┐                                          │
  │    │ LNA + FILTER BANK      │ ← SAW filters, 5 cellular bands          │
  │    │ (band-switched)        │                                          │
  │    └────────┬───────────────┘                                          │
  │             │                                                          │
  │    ┌────────▼─────────┐                                                │
  │    │ SDR · AD9361     │ ← 70 MHz – 6 GHz, 56 MHz IBW, 12-bit           │
  │    │ 2×2 MIMO, 12-bit │                                                │
  │    └────────┬─────────┘                                                │
  │             │  IQ samples (DMA)                                        │
  │    ┌────────▼─────────┐                                                │
  │    │ BASEBAND DSP     │ ← sync, channel est., demod                    │
  │    └───┬────────┬─────┘                                                │
  │        │        │                                                      │
  │   ┌────▼───┐ ┌──▼────────┐ ┌──────────┐                                │
  │   │PROTOCOL│ │RF FINGER- │ │ RAW-IQ   │  ← 24h rolling triage buffer   │
  │   │DECODER │ │PRINT      │ │ BUFFER   │                                │
  │   │GSM·UMTS│ │EXTRACTOR  │ │          │                                │
  │   │LTE·5G  │ │(32-dim)   │ │          │                                │
  │   └────┬───┘ └──┬────────┘ └──────────┘                                │
  │        │        │                                                      │
  │   ┌────▼────────▼────────┐                                             │
  │   │ DETECTION ENGINE     │                                             │
  │   │ rules + ML + baseline│                                             │
  │   │ correlation          │                                             │
  │   └───────────┬──────────┘                                             │
  │               │                                                        │
  │   ┌───────────▼──────────┐                                             │
  │   │ ALERT LADDER         │ Green · Amber · Red · Critical              │
  │   └───┬──────────────┬───┘                                             │
  │       │              │                                                 │
  │       ▼              ▼                                                 │
  │    HAPTIC           BLE → paired app / earpiece                        │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘

                         ▼ (tethered upload)
           ┌──────────────────────────────────────┐
           │  BACKEND — threat-intel + library    │
           │  ├ analyst-reviewed novel anomalies  │
           │  ├ operator fingerprint DB           │
           │  ├ IMSI-catcher variant library      │
           │  └ signed OTA library push to fleet  │
           └──────────────────────────────────────┘

§07 · The Cellular Signature Library THE MOAT

The library would be the product.

Hardware commoditizes in 24 months. The library does not. Two families of signatures form the moat: operator RF fingerprints (what real cells look like at RF, per operator, per region, per vendor) and IMSI-catcher variant library (what known hostile hardware looks like). The former is huge and slow-building; the latter is smaller and evolves weekly as adversary kit is captured, analyzed, or red-teamed.

Source 01

Operator clean captures

Per-operator, per-region captures of real BTS broadcast channels under known-good conditions. Builds the "what real hardware looks like" library. Target: 40+ operators, 200+ regions, multiple BTS vendors per operator. Concept — captures not started.

Source 02

Adversary kit reverse-engineering

Captured adversary catchers, open-source catcher software running on reference SDR hardware (used as controlled red-team targets), and published research papers characterizing specific surveillance vendors' RF signatures.

Source 03

Fleet telemetry (future)

Once Bastion-S is deployed: every anomaly flagged by every device becomes a library input. With 10 K devices pushing telemetry, the library becomes self-improving. This is the disruption economics: incumbents can't match.

Source 04

Partner threat-intel

Access to journalist-protection orgs (Access Now, Citizen Lab, CPJ), academic researchers (SRLabs, Amnesty Security Lab), and allied-government SIGINT feeds (via cleared partnerships). Contributors get priority on derived signatures.

Source 05

Synthetic red-team

Run controlled rogue-BTS deployments in RF-shielded labs; characterize output; feed to library as synthetic adversary variants. Essential for catching novel variants before adversaries deploy them.

Source 06

Continuous refresh

Adversary kit evolves. Library patches pushed on SLA. Target refresh cadence: high-threat regions weekly; stable regions monthly. Subscription-funded operation.

Library status — concept phase

No library entries exist yet. The acquisition strategy is documented and funding-ready; the captures, partnerships, red-team lab, and backend all require Phase 1 funding to begin. Target: 50–150 operator-region pairs by end of Phase 2; 500+ catcher variants by end of Phase 3.

§08 · RF Fingerprinting THE DIFFERENTIATOR

Every real BTS has an imperfection fingerprint.

A real cellular base station is built from production hardware — Huawei BTS3900, Ericsson RBS 6201, Nokia Flexi, ZTE Wireless. Each unit has characteristic RF imperfections that don't show up in the protocol but are measurable in the IQ samples. A rogue base station built from USRP / BladeRF / purpose-built catcher hardware leaves different imperfections. Match vectors against the operator library; mismatches are the single most reliable detection signal.

Feature vector (~32 dimensions)

Carrier Frequency Offset	Crystal stability signature, correlation residual after sync
Sample timing offset	PHY implementation fingerprint from timing recovery
IQ imbalance (gain)	Mixer / DAC signature
IQ imbalance (phase)	Same
Phase noise envelope	LO quality signature; PSD of residual phase
TX transient (on/off)	PA design fingerprint from burst edges
Spectral mask tilt	Filter characteristics; PSD slope across channel
EVM constellation pattern	Calibration fingerprint; error vector distribution
Spurious emissions	Out-of-channel PSD; hardware quirks
Intermodulation products	PA non-linearity signature

Why this works against catchers

A Huawei BTS3900 and a HackRF running OpenBTS have vastly different imperfection profiles — different crystals, different mixers, different PAs, different filters. Even when the catcher correctly impersonates an operator at the protocol layer, the underlying hardware leaves tells at the analog layer.

Research basis: Rajendran et al. (SenSys 2019), Sankhe et al. (INFOCOM 2019), the ORACLE/DIRECTION work, Princeton RFEye papers. Production-grade RF fingerprinting moved from research to viable product only in 2022–2024.

Operational thresholding

Match distance between captured fingerprint and closest library entry. Within threshold: operator-confidence high (>95%). Outside threshold: unknown-hardware flag raised. Thresholds tuned per region based on library maturity.

§09 · Mission Flow — Illustrative T-0 · JOURNALIST IN ISTANBUL

Illustrative. No system built yet. This is the mission we would solve.

A journalist meets a sensitive source in Istanbul. The local intelligence service has an interest. The meeting venue is a café on a busy street — legitimate cells everywhere, any of which could be cloned.

// Illustrative (not real) Bastion-S session · sample mission T-24h Bastion-S paired with journalist's phone. Controller downloads Turkey regional threat-intel (operator fingerprint library for Turkcell / Vodafone TR / Türk Telekom, known-variant catchers observed in Istanbul sector). Baseline-learning engages; records normal cells at apartment, commute route, known-safe locations. T-0 Journalist arrives at meeting café. Passive monitoring (battery ≈ 71% remaining). T+15m ANOMALY DETECTED — · new cell at RSSI -40 dBm (too strong; real towers >100m) · operator claim: Turkcell (PLMN 28601), ARFCN 1800 · RF fingerprint mismatch: observed CFO, phase-noise, IQ-imbalance vector outside Turkcell regional library (distance 8.3σ) · neighbor-cell list: 1 entry (expected 8–11 for urban Istanbul) · authentication absent on observed UE attach · encryption advertised: A5/0 (null cipher) · baseline-learning: unseen cell at this location Correlation weight: 4.6 / 5.0 → RED state Nearest adversary-library match: Septier-family variant · 87% confidence T+15m+1s HAPTIC ALERT (silent vibration to BLE earpiece) "IMSI catcher detected. ~50m bearing 120°. Septier-family variant. Do not transmit sensitive info. Relocate." T+15m+2s Controller auto-actions (configurable): · paired phone → airplane mode · messaging apps → paused · recording app → silent buffer begins (local only) T+post Journalist wraps up small talk, leaves. Raw IQ snippet (pre-alert + 30s post) uploads encrypted to backend. Analyst queue: novel variant flagged for review. Library update: operator library refined for this Istanbul sector; next user in the region gets the improved signature on next sync. // No sensitive information transmitted on the compromised network. // Adversary catcher identified, bearing known, variant catalogued.

What the protected person actually experiences

Silent vibration. A single sentence on an earpiece. A phone that quietly goes to airplane mode. No alarm, no siren, no spectacle. The adversary never knows they were detected.

§10 · Use Cases & Buyers GO-TO-MARKET

Nine segments. All underserved today.

Bastion's buyer base is broad because the threat is broad. What these segments share: high-value individuals or sites, credible cellular-surveillance exposure, and no incumbent vendor serving their price band.

Segment	Buyer	Typical ACV	Sales motion
Journalist protection	CPJ, RSF, major media orgs	$5–50K / yr / reporter bundle	Post-Pegasus urgency; NGO grants
Executive protection	EP firms, corporate CISOs	$50–500K / site	Enterprise sales via EP vendor channel
Diplomatic / embassy	MFAs, embassies, consulates	$100K–2M / site	Government procurement
SOF / case officer	Tier-1 SOF, national intel	Classified	Direct-to-agency; cleared channel
HNW family office	Family offices, private security	$30–100K / family	Referral network; private security integrator
Political campaign	Campaign security (post-Pegasus world)	$20–100K / campaign	Cyclical; election-cycle spikes
Human rights defender	NGOs, donors (OSF, Ford, MacArthur)	Subsidized / at-cost	Mission-driven; grant-funded
Law firm M&A / arbitration	Big-law partners, arbitration firms	$50–200K / war-room	B2B via firm general counsel
Corporate counterintelligence	Fortune 500 CISOs	$50–300K / program	Enterprise; multi-year

§11 · Counter-Counter-Adaptation ADVERSARY EVOLVES

The adversary adapts. So does the library.

Catchers evolve. Adversaries retune hardware, rotate software, update protocols. Library refresh cadence is the product's operational promise. A library six months stale is a library that's being defeated in the field. This is why the subscription model is the actual business — not the hardware.

Adversary pattern 01

Hardware replacement

Vendor ships new SKU; RF fingerprint shifts. Detected at our red-team lab or via fleet telemetry. New library entry within 2–4 weeks.

Adversary pattern 02

Protocol re-tuning

Catcher software adjusts neighbor-cell lists, authentication behavior, encryption advertisement to mimic real operator more closely. Detection rules updated; weights rebalanced.

Adversary pattern 03

Detection evasion

Adversary learns Bastion exists; designs specifically to evade it. Mitigations: multiple detection pipelines (hardware fingerprint + protocol + baseline anomaly), so evading one still trips others.

The disruption economics of the library

With 10K+ deployed devices pushing anomaly telemetry, Bastion's library is continuously current. Enterprise vendors (Delma, R&S) ship annual firmware updates. Average lag: 11 months. Adversary evolution cycle: 1–3 months. This is the structural edge a fleet-telemetry business has over a box-sale business.

§12 · Anti-Capture & Tamper Resistance DEVICE SECURITY

A captured device yields nothing.

Bastion devices are carried by high-threat individuals. Device capture is a realistic scenario. Every design decision assumes the device will eventually be in adversary hands.

Defense 01

Secure-boot chain

ROM → signed SPL → signed U-Boot → signed kernel → dm-verity rootfs. Keys sealed in ATECC608B secure element. No unsigned firmware accepted ever.

Defense 02

Crypto-shred on tamper

Accelerometer threshold + capacitive breach sensor + thermal anomaly → zero out keys, zero out library, scrub volatile memory. <100 ms from trigger to inoperability.

Defense 03

Library segmentation

Each device carries only the signatures relevant to its threat-intel region. Capturing one device exposes a regional subset, not the global library.

Defense 04

Encrypted at rest

LUKS + dm-verity; library in HSM-sealed volume. Physical extraction of storage yields ciphertext without the keys-in-ATECC608 the device destroys on tamper.

Defense 05

No user-extractable secrets

Protected person never holds library keys. No passphrase can unlock forensic mode. Recovery is factory-re-flash, period.

Defense 06

Cover enclosures

Planned variants: magnetic-case-clipped-to-phone, notebook-insert, power-bank lookalike. Reduces visual signature in hostile contexts.

§13 · The Market Gap WHY NOW

A barbell market. Nothing in the middle, where the buyers are.

Cellular counter-surveillance has two existing ends: enterprise ($500K+ Delma, Airbus, R&S) and consumer (free: EFF Crocodile Hunter, SnoopSnitch, Amnesty MVT). Between them — pocket-size professional-grade devices at $2–10K — there is nothing. That's where Bastion lives.

2021+ Pegasus era. Demand for personal cellular counter-surveillance spiked 8× among protected-person segments. Product supply has not caught up.

2020+ Technical viability. Commodity SDR + edge ML + RF fingerprinting became productizable. Before 2020 you couldn't build a pocket device at commodity cost.

2022+ Regulatory clarity. EU PEGA Committee, UN Special Rapporteur, FTC frameworks explicitly legitimize defensive cellular tools for civilians.

structural Innovator's dilemma. Incumbents structured for $500K+ enterprise deals literally cannot profitably sell $3K devices. They can't follow us down.

The barbell — why nothing exists in the middle

Enterprise: R&S, Delma, Airbus — built for multi-month sales cycles, cleared personnel, on-site installation, $500K+ deals. Cannot downmarket without dismantling their cost structure.

Consumer: EFF, SRLabs, Amnesty — academic or volunteer engineering; no commercial-grade reliability, support, backend, or distribution. Cannot upmarket without becoming commercial companies, which most explicitly don't want.

The middle — the actual buyers, at $2–10K / year per device, paying for reliability and subscription intelligence — is empty.

§14 · Competition Landscape WHO'S IN THE SPACE

Nobody does what Bastion would do.

System	Form	Price	Library refresh	RF-fingerprint	5G SA
Delma (IL)	Enterprise rack	$500K+	annual	limited	partial
Airbus SLC	Enterprise platform	$1M+	annual	no	partial
Rohde & Schwarz	Mil-grade / briefcase	$200K+	manual	limited	partial
Septier	Enterprise	$500K+	annual	limited	partial
GSMK CryptoPhone	Secure-phone (prevention)	$3K / phone	n/a	no	no
Cellebrite	Forensics	$$$	n/a	no	no
SnoopSnitch	Android app	free	rare	no	no
EFF Crocodile Hunter	Researcher tool	free	volunteer	no	no
SRLabs Darshak	Researcher tool	free	volunteer	no	no
Amnesty MVT	Forensics only	free	n/a	no	no
BASTION (concept)	Pocket · Vehicle · Site	$2–100K	continuous (subscription)	yes · primary	yes (target)

Market positioning

There is no competitor in the pocket-size, pro-grade, subscription-refreshed, RF-fingerprint-primary quadrant. The category is wide open. Incumbents can't profitably downmarket; researcher tools can't practically upmarket. This is a classic disruption-from-below opening.

§15 · Disruption Strategy GO-TO-MARKET SEQUENCING

Don't attack the top. Disrupt from below.

Competing head-on with Delma, Airbus, or R&S in the enterprise market would fail. Their incumbency is 10+ years deep; their certifications are a 3–5 year moat; their export channels are pre-cleared; their procurement relationships are entrenched. A Bulgarian concept-stage startup cannot displace that on day one. The strategy is sequential.

Phase 1 · Y1–Y3

Underserved segment

NGOs · journalists · EP firms · HNW family offices · individual C-suite executives · HRDs · small diplomatic missions. Incumbents literally won't sell here — deal sizes are too small for their cost structure. We own them by default.

Phase 2 · Y3–Y5

Mid-market expansion

Accumulated references, case studies, library maturity, first certifications. Move up to mid-size EP firms, corporate CISOs, regional government agencies, small embassies. R&S is too expensive for them; SnoopSnitch is not serious enough. Bastion fits.

Phase 3 · Y5+

Enterprise disruption

Armed with 10K+ deployed devices and 5 years of real-world threat-intel, show up in enterprise RFPs against R&S. Value prop: "Our library is continuously updated from 10,000 active sensors. Yours ships annually. Here's what we caught this month that your firmware missed."

The precedent

Salesforce beat Siebel. Dropbox beat enterprise file servers. Zoom beat WebEx. Tesla beat BMW. In every case, the disruptor entered at the bottom where the incumbents were structurally unable to follow, and built up to attack enterprise from beneath.

§16 · The Symphony BLACKBIRD + PHANTOM + BASTION

Three products. One counter-ISR doctrine.

Bastion completes the Nexus Atlas counter-ISR family. Each product addresses a different layer of the adversary's intelligence cycle; together they form a closed loop with a shared signature-library moat.

Airborne detection

Blackbird

Small autonomous drone. Flies out, finds adversary RF emitters (drones, radars, datalinks) in contested airspace, returns a target list. "Hunt the hunters."

RF deception

Phantom

Distributed ground emitter swarm. Emits library replicas of high-value targets. Adversary SIGINT cycles waste themselves on empty positions. "Let them shoot where you are not."

Cellular counter-surveillance

Bastion

Personal / vehicle / fixed-site cellular monitor. Detects adversary intercept gear targeting you or your asset. "They're listening. We tell you when, from where, and what to do about it."

  ┌──────────────── NEXUS ATLAS COUNTER-ISR FAMILY · CLOSED LOOP ────────┐
  │                                                                      │
  │       BLACKBIRD                 PHANTOM                BASTION       │
  │    (airborne detect)         (RF deception)       (cellular detect)  │
  │           │                       │                        │           │
  │           ▼                       ▼                        ▼           │
  │     adversary drones          adversary SIGINT          hostile cellular │
  │     + radar emitters          cycle corrupted          intercept gear   │
  │           │                       │                        │           │
  │           └──────── shared library moat ───────────────────┘           │
  │                  operator + adversary                                │
  │                  RF fingerprint database                             │
  │                                                                      │
  │       ┌── Bastion detects hostile catcher ──────────┐                 │
  │       │  → target emitter added to Blackbird list   │                 │
  │       │  → Phantom can fake cellular if desired     │                 │
  │       └──────────────────────────────────────────────┘                 │
  │                                                                      │
  └──────────────────────────────────────────────────────────────────────┘

§17 · Regulatory Posture CLEAN CATEGORY

Counter-surveillance, not interception.

The single most important strategic point about Bastion: it sells as counter-surveillance equipment, not interception equipment. This is a clean ECCN 5.A.1 counter-surveillance category — not on the EU Dual-Use 2021/821 Annex I 5.A.1.f interception list.

Regulatory category

ECCN 5.A.1 counter-surveillance

Routinely licensed for EU / NATO / allied customers. Not on interception / lawful-intercept lists. Wassenaar cat 5.A.1 counter-surveillance goods — standard export.

Post-Pegasus framework

EU + UN legitimization

EU PEGA Committee (2023) explicitly endorsed defensive cellular-security tools for civilians. UN Special Rapporteur on Freedom of Expression (2023) called for such tools. FTC / state AG frameworks put defensive tools on clean footing.

Brand positioning

Counter-SIGINT, not surveillance

Zero NSO-class contamination risk. Acquirable by legitimate acquirers (Cognyte, Palantir, Anduril, L3Harris, major primes). Investable by defense-specialist funds. Sellable to NGOs and governments alike.

What we don't sell

Never interception

Bastion cannot be configured to intercept cellular content. No active mode. No silent-attach. No rogue-BTS emulation. The product physically lacks the capability — by design, for regulatory and reputational cleanliness.

§18 · Roadmap & Maturity CONCEPT · TRL 1–2

Concept phase. Pre-prototype. Idea presented for partner interest.

Bastion is currently a concept being presented for early partner interest. Nothing is built or deployed. The roadmap below is what we would execute, given funding and partnership.

Phase 1 · planned

Bench prototype

~6 months from kickoff

HackRF / BladeRF + Raspberry Pi bench build
srsRAN + Osmocom detection stack
~200 operator-region fingerprint captures in Sofia
Rule-based detector validated on known-good + red-team catcher targets
First conversations: CPJ / Access Now / journalist org partners

Phase 2 · planned

Reference hardware

~6–12 months after Phase 1

AD9361 + i.MX 8M Plus custom carrier board
Port detection stack to embedded Linux
RF fingerprinting pipeline (research → production)
Library to 500–1,000 operator-region pairs
First red-team assessment (external)

Phase 3 · planned

Bastion-S pre-prototype

~6–12 months after Phase 2

First custom industrial design + enclosure
Integration testing against YateBTS/OpenBTS targets
ATECC608 + tamper chain
First 50 pre-production units · closed partner deployment
Controller/SOC v1.0

Phase 4 · planned

First production batch

~12–18 months after Phase 3

First production run (volumes driven by partner demand)
Library refresh subscription live
Bastion-V variant enters design
FIPS 140-3 submission
NGO / EP firm / journalist-org pilots at scale

Technology readiness

TRL 1–2 Bastion today: concept phase. Basic principles observed, technology concept formulated. Nothing built.

TRL 4–5 Target after Phase 1–2: component validation in lab and relevant environment.

TRL 6–7 Target after Phase 3–4: system prototype demonstrated in relevant and operational environments.

What this page is

This page describes a concept. Nothing here is built, shipped, deployed, or for sale. We're presenting the idea for partner interest — funding partners, EP / NGO / media pilot partners, cellular-security research collaborators, manufacturing partners.

If the concept resonates, reach out via Nexus Atlas channels. We'll treat your interest with the same tradecraft discipline we built into the product.