FAQ

Ziru Labs is a U.S. deep-technology company (Martin Ventures Ltd. d.b.a. Ziru Labs) that builds the trust layer for AI. The company holds a patent-pending primitive (15-invention omnibus plus Invention 11 singular filing plus 7 classified inventions) that establishes a hardware-rooted verification substrate at silicon level, the layer where AI behavior becomes verifiable from silicon up. Ziru Labs is structured as an IP-and-platform company: the primitive is the company's identity, and Project Phoenix is its security-domain launch deployment.

The primitive is the trust layer for AI: a hardware-rooted verification substrate at silicon level where any property of AI computation (weights used, inputs processed, constraints enforced, outputs produced, timing observed, environment sensed) becomes cryptographically demonstrable. Where software runs on silicon, the trust layer runs in silicon. The primitive's analytical category is foundational infrastructure primitives such as TCP/IP, public-key cryptography, GPS, and the ARM instruction set architecture. Its applications span the security domain (the Phoenix launch deployment), adjacent trust-layer application domains (verification, provenance, compliance attestation, AI identity), and the transformational domain (AI economic agency, hardware-attested truth infrastructure).

Project Phoenix is the security-domain launch deployment of the trust layer primitive and Ziru Labs' entry into market. Phoenix addresses AI security applications of the primitive: physical extraction defense, hardware-enforced compliance, supply chain provenance, multi-node lateral traversal immunity, and sub-millisecond physical response for autonomous platforms. Phoenix is the first commercial instantiation of the trust layer. Future instantiations will address adjacent trust-layer application domains beyond security.

Because it defines the investment thesis. Ziru Labs as a security-product company produces a low-tens-of-billions commercial-product exit. Ziru Labs as the holder of the trust layer for AI produces a multi-hundred-billion-dollar platform exit. The primitive is what makes Ziru Labs a primitive-holder rather than a security-product company. Project Phoenix demonstrates the primitive's first commercial application; the primitive itself is what underwrites the Ceiling scenarios and the adjacent trust-layer application domains beyond security.

To establish and commercialize the trust layer for AI. Concretely: establish the primitive as the reference implementation in emerging AI governance frameworks; close the physics-layer security gap in commercial AI infrastructure through Project Phoenix as the security-domain launch deployment; extend the primitive into adjacent trust-layer application domains (verification, provenance, compliance attestation, AI identity) as the primitive-holder strategic logic compounds across deployments.

Ziru Labs operates as Martin Ventures Ltd. d.b.a. Ziru Labs. The entity is U.S.-based and ITAR-compliant. The founding team is distributed across relevant defense, technology, and sovereign-engagement geographies.

The primitive ties AI inference computation to live hardware telemetry at the silicon level. It operates below the operating system through a set of hardware-rooted mechanisms: power-plane control, PCIe bus state manipulation, physically unclonable function (PUF) based signing, hardware-enforced finite state machines for compliance, and non-routable memory-fabric clustering. These mechanisms together produce a substrate on which AI compliance can be demonstrated rather than asserted.

Confidential computing protects against a compromised operating system. It does not protect against physical hardware attacks. The primitive operates below the confidential computing layer: cryogenic DRAM extraction, PCIe bus scraping, supply chain hardware compromise, and hardware-level inference manipulation all bypass confidential computing boundaries. The primitive addresses these attack classes structurally. Confidential computing and the primitive are complementary; confidential computing handles the software trust boundary, the primitive handles the physics trust boundary.

AI governance platforms monitor and filter AI behavior at the software layer. They cannot enforce compliance below the operating system. A compromised OS renders them inoperative. The primitive enforces compliance at the hardware layer in a way that survives full OS compromise. AI governance platforms are complementary to the primitive; the primitive provides hardware-rooted enforcement, governance platforms provide the broader monitoring, analytics, and alerting layer.

Because software runs on a substrate that the software itself cannot observe. A software attestation mechanism is part of the substrate being attested; if the substrate is compromised, the attestation mechanism is compromised with it. Physical hardware attacks (cold-boot extraction, bus interposition, supply chain implants) operate at a layer software cannot reach. The trust layer provides observations of the substrate that software itself depends on, grounding verification in silicon.

Project Phoenix implements the primitive through four integrated layers: Layer I Foundational Architecture (hardware root of trust, supply chain provenance, boot integrity); Layer II Active Inference Security (VRAM isolation, PCIe disconnect, encrypted memory, continuous verification); Layer III Network Denial and HA Clustering (structural elimination of internal network, tamper-triggered gradient abort, zero-exfiltration clustering); Layer IV Cognitive Governance and Active Defense (hardware-enforced compliance FSM, physical break-glass override, sensor scalar injection, honeypot deception).

Invention 12 (CPOK, Cognitive-Physical Orchestration Kernel) covers hardware-gated AI inference as a mechanism category, not a specific implementation. Any physically-aware AI inference system operating on von Neumann computing architecture operates inside the claim. A competitor building physics-layer AI security must either license from Ziru Labs or design a non-von Neumann computing architecture. This is the structural claim that anchors the category moat.

Not meaningfully. A direct PCIe Zero-Copy read from pinned memory takes 1 to 4 microseconds. The DMA bridge keeps the state flag continuously mapped into GPU virtual memory, so tensor cores are never paused. Actual overhead is roughly 4 microseconds per token for full sovereign-grade physical security. This is negligible relative to AI inference throughput.

The primitive works with commercial GPU and accelerator hardware from NVIDIA, AMD, Intel, and ARM-based vendors. Invention 17 (Ring-0 HAL) provides cross-silicon security polling that abstracts vendor-specific hardware differences. Phoenix does not require a custom silicon program. Future deployments may involve deeper silicon-level integration under OEM licensing arrangements, but the primitive as-demonstrated operates on commercially available inference hardware.

The MWP is targeted for H2 2026. The primary demonstration is cold-boot defeat on a live GPU chassis (Inventions 1 and 5): a physically present attacker attempts cryogenic DRAM extraction while the system is operating, and the hardware responds by cutting VDD/VDDQ power planes and asserting PCIe PERST# pin disconnect fast enough that no data can be preserved. The MWP establishes physical proof of the primitive's most distinctive capability.

Ziru Labs sits at Layer 3 of the AI infrastructure stack: the hardware trust substrate. Layer 3 is positioned above silicon architecture (the ARM and x86 ISA layer) and below compute silicon (the NVIDIA, AMD, Intel layer). As of April 2026, Layer 3 is vacant across commercial AI infrastructure. The vacancy produces documented capability gaps at every layer above (NVIDIA's AI Factory for Government cannot deploy at IL6+; Microsoft Azure Federal classified workloads carry the same gap; allied sovereign AI programs sit at the same impasse; EU AI Act Article 40 conformity assessment needs a hardware-rooted substrate that has not been codified). The trust layer exhibits the structural characteristics of single-source layers (mechanism-level patent coverage, one standards reference per framework, structural requirement in regulated applications, compounding network effects, switching costs measured in regulatory recertification) consistent with ARM (mobile ISA), VeriSign (SSL root CA), Qualcomm (CDMA royalties), and Dolby (consumer codecs) at their equivalent positions. The full eleven-layer analysis and single-source layer justification is in The AI Stack and the Trust Layer.

Ziru Labs IP portfolio is growing. It began with 15 patent-pending inventions covered by an omnibus provisional application, eight have been added Q2 2026, plus seven reserved for defense under distinct disclosure protocols. Utility patent prosecution is actively underway for the four core moat inventions.

Because each covers a class of mechanism rather than a specific implementation, producing structural category coverage rather than a design-around problem. Invention 12 covers hardware-gated AI inference; Invention 17 covers cross-silicon security polling abstraction; Invention 1 covers VRAM power-plane isolation as cold-boot defense; Invention 10 covers structural elimination of the internal network in multi-node clusters. Together, these four claims cover the mechanism categories a competitor would need to navigate to build physics-layer AI security on von Neumann architecture. An attorney work product estimates the probability of utility grant for these core four at 83%.

Upon grant, 20-year utility patent protection applies and extends into the 2040s. The core four are in active prosecution now, with first grants expected in the 18 to 24 month window (2027 to 2028). Full portfolio grants expected 2028 to 2029. The provisional-to-utility conversion is the highest-value single de-risking event for the IP moat.

Three primitive-extension vectors: Application-domain extension (applications of the primitive to adjacent domains beyond AI security, including verifiable AI compute attestation for regulated commerce, hardware-rooted provenance for synthetic media, physically-rooted trust for machine-to-machine economic transactions); Category-defense extension (patents deepening the structural claim around the primitive itself as the threat landscape evolves); Capability extension (complementary hardware and cryptographic mechanisms unlocking additional primitive deployments). Additional provisionals are in active preparation.

We expect meaningful challenges in attempts to design around. We don’t find any paths which are commercially practical in the relevant window.

IPR preparation is part of prosecution strategy from day one. Claims are drafted to survive adversarial challenge. The Rambus precedent (memory interface patents that survived prolonged litigation with Samsung, Micron, Hynix) demonstrates that mechanism-level claims, properly drafted, hold up under adversarial pressure. Ziru Labs maintains continuation filings, PCT filings, and derivative IP with overlapping claims to create multi-front defense.

Yes. The seven inventions are defense-specific applications of physics-layer AI security that will be prosecuted under provisional applications with ITAR-compliant coordinated classified prosecution track. They are not included in the omnibus and are not disclosed outside of specific parties and specific protocols. They provide additional defensibility for defense and allied sovereign mission applications and constitute a separate tier of moat not visible to commercial competitors.

ARM holds the instruction set architecture every mobile processor vendor must license. ARM's structural position in mobile computing is the direct analog for Ziru Labs' position in AI security. The key differences: (a) Ziru Labs' addressable TAM is substantially larger than ARM's early mobile TAM; (b) Ziru Labs' royalty rate is higher (3 to 5 percent versus ARM's 1 to 2 percent) due to defense-grade specialization; (c) Ziru Labs operates in a market with regulatory forcing functions (AI governance) that ARM did not have.

Master TAM (observable, aggregated across 19 verticals): \$87.1B central at maturity (roughly 2030 to 2033), with a range of \$44.8B to \$302B. Master SAM (2028 to 2031): \$18.4B central. Master SOM (commercial product framing, 2031 to 2034): \$3.4B annually. These are observable-layer figures; latent and transformational opportunity is sized separately in The Trust Layer for AI: Strategic Thesis.

At maturity (roughly 2033 to 2036): commercial product across 19 verticals \$3.4B at approximately 50% margin; sovereign licensing across approximately 45 nations \$2.9B at approximately 90% margin; OEM chip vendor licensing (NVIDIA, AMD, Intel, ARM) \$870M at approximately 95% margin; hyperscaler licensing \$675M at approximately 90% margin; standards and certification licensing \$25M at approximately 85% margin. Aggregate: \$7.9B revenue, \$5.8B gross profit at approximately 73% blended margin.

Bottom-up construction from 19 individual strategic assessments: 10 enterprise verticals (Healthcare, Banking, Nuclear Enterprise, Insurance, Energy and Utilities, Pharma and Life Sciences, Legal, Telecom, Aerospace and DIB, Frontier AI Labs) plus 9 defense and sovereign verticals (U.S. Army, Navy and USMC, Air Force and Space Force, Intelligence Community, USSOCOM, Federal Civilian Government, Five Eyes, NATO Allies and Israel, GCC Sovereign Partners). Each vertical assessment is built from specific programs, organizational structures, per-customer value drivers, and realistic penetration assumptions.

Because regulated industries face forcing functions that discretionary commercial buyers do not: regulatory catalysts produce demand less sensitive to economic cycles; hardware attestation easier to position as a compliance requirement than a feature preference; regulated procurement produces more durable customer relationships once established. Regulated financial (Banking, Insurance), regulated health and life sciences (Healthcare, Pharma), critical infrastructure (Energy, Telecom, Nuclear), defense and sovereign, and aerospace/DIB together represent the bulk of the opportunity.

Software AI security is fragmenting. Physics-layer AI security does not exist as a commercial product category today. The primitive defines a distinct architectural layer below all existing AI security products. The competitive question is not who wins the software AI security market; it is whether physics-layer AI security emerges as a separate market category. The standards engagement trajectory is the primary determinant.

Four converging forces. (1) Regulatory codification: FY2026 NDAA Section 1513 framework development at DoD, OMB AI procurement guidance under Executive Order 14179, EU AI Act Article 40, NATO STANAG on AI trust, IEEE P3109, ISO/IEC JTC 1/SC 42 are all drafting initial codifications. Section 1513 carries a hard statutory deadline (status report to Congress 16 June 2026) and is the first statutory recognition of substrate-integrity requirements for AI procurement. (2) Sovereign AI demand: Five Eyes, NATO, GCC sovereign programs allocating hundreds of millions to sovereign AI infrastructure. (3) Frontier AI lab commitments: Responsible Scaling Policies create demand for hardware-enforceable compliance. (4) Documented nation-state hardware interdiction capability: a publicly disclosed cold-boot exfiltration event would produce SolarWinds-level demand shock.

Frontier AI Labs represents approximately \$2.4B of TAM, approximately 3% of Master TAM. Strategically it is disproportionately important because frontier lab adoption cascades: enterprise customers deploying those labs' models inherit Phoenix dependency; regulatory frameworks use frontier-lab implementations as reference; competitive frontier labs are pulled toward Phoenix to avoid competitive disadvantage. A single anchor partnership with a top-five lab produces cascade value across the entire enterprise TAM.

Four channels at maturity: (1) commercial product across 19 verticals (hardware-attested AI security infrastructure); (2) sovereign licensing across approximately 45 nations under domestic manufacturing arrangements; (3) OEM chip vendor licensing to semiconductor incumbents building physics-layer security into their silicon; (4) hyperscaler licensing to Azure, AWS, Google Cloud, Oracle Cloud federal offerings. A fifth, smaller channel is standards and certification licensing. Licensing collectively is approximately 57 percent of revenue at maturity, contributing approximately 70 percent of gross profit.

Ziru Labs is an IP-and-platform company. The hardware product (Project Phoenix chassis) anchors the first revenue channel and validates the primitive. The licensing revenue channels compound at 90%-plus gross margins and are the primary drivers of primitive-framing valuation. ARM is the appropriate analog: ARM manufactures nothing, but ARM-architecture silicon is everywhere.

Tri-modal commercial motion. (1) Enterprise sales and solution delivery into regulated and mission-critical verticals, sequenced by regulatory catalyst strength. (2) Defense and sovereign engagement via prime integrators (Leidos, Booz Allen, SAIC) and direct sovereign wealth fund/defense acquisition authority relationships. (3) Frontier AI lab anchor partnerships as a strategic precedent-setting channel with cascade effects. Each mode requires different organizational design, pricing, and timelines.

First-wave targets: U.S. Department of Defense (via prime integrators), allied sovereign AI programs (UK DSTL, Israeli MoD, Australian ASD, GCC through sovereign wealth funds), critical infrastructure operators (nuclear, power grid AI monitoring), and frontier AI labs (OpenAI, Anthropic, Google DeepMind) as the anchor-partnership channel. Multiple LOIs expected across defense, enterprise, and sovereign segments through H2 2026.

Hardware product: ASP \$150K to \$350K per unit; COGS \$45K to \$100K per unit; gross margin 65 to 72 percent; recurring annual maintenance at 15 to 20 percent of ASP at approximately 90% margin. OEM licensing: 3 to 5 percent royalty on applicable component value plus \$5 to \$15M annual technology access fees per OEM licensee at 88 to 95 percent gross margin. Sovereign licensing: \$150M to \$250M per Tier 1 nation annually at approximately 90% margin. Customer LTV:CAC ratios range from 4x (enterprise) to 50x (OEM licensees).

Tiered by sovereign scale. Tier 1 (UK, France, Germany, Japan, Israel, Saudi Arabia, UAE, Australia, India, South Korea): \$150M to \$250M annually per sovereign. Tier 2 (Canada, Italy, Netherlands, Spain, Poland, Nordics, Turkey, Singapore, GCC tier 2, Switzerland): \$25M to \$70M. Tier 3 (EU second-tier, Baltic states, Central/Eastern Europe, selected Americas and Indo-Pacific): \$10M to \$30M. Ongoing royalty on domestic manufacturing at 3 to 8 percent of local deployment revenue.

Ziru Labs prefers Partner-mode structures with chip vendors, where the vendor licenses the primitive IP and integrates it into their silicon roadmap, paying upfront plus per-unit royalty plus annual technology access fees. ARM and AMD are the priority Partner-mode candidates per the Strategic Risk Analysis. NVIDIA and Intel relationships are maintained through standards engagement. Hyperscaler partnerships operate as a separate channel.

Project Phoenix is the launch deployment: the first commercial instantiation of the primitive, focused on AI security. Phoenix establishes revenue, validates the primitive in market, demonstrates ITAR and regulatory compliance pathways, and anchors the first wave of customer relationships. Subsequent primitive deployments will address adjacent application domains. The primitive-holder strategic logic compounds across deployments; Phoenix is the first application of a category-defining mechanism.

The physics-layer threat model currently has no commercial product addressing it directly. Five adjacent categories come closest: (1) semiconductor confidential computing (NVIDIA, Intel, AMD, ARM); (2) confidential computing software platforms (Anjuna, Fortanix, Opaque Systems); (3) AI model security and governance (HiddenLayer, CalypsoAI, Robust Intelligence); (4) defense AI software (Palantir, Leidos, Shield AI, Rebellion Defense); (5) edge AI hardware vendors (Hailo, Kneron, Mythic, SambaNova). Phoenix operates a layer below all five categories.

Engineering cost, category-claim constraints, and strategic priority. NVIDIA’s core engineering model is silicon for compute, not silicon for self-destruction (physical power-plane control, PCIe bus disconnect, memory destruction). Invention 12 provides a category claim on hardware-gated AI inference that constrains clean replication. NVIDIA's strategic priority is AI compute performance; physics-layer security is complementary rather than core. The per-acquirer Tier I analysis in the Acquisition Pathway document calculates NVIDIA's build-vs-buy crossover as approximately \$3B to \$6B, favoring acquisition or licensing of Phoenix over internal build for federal and sovereign segments.

Five incumbents (NVIDIA, Microsoft, AMD, ARM, Intel) evaluated against four response modes: Partner (license Phoenix IP, integrate into silicon/cloud roadmap); Compete (build competing capability internally); Hackquisition (non-exclusive IP license plus acqui-hire, the dominant 2025 to 2026 M&A pattern); Coexistence (segmented markets, minimal direct competition). Aggregate outlook: approximately 45 to 55 percent probability of Hackquisition outcome across the five-incumbent field; approximately 45 percent probability of independent primitive-framing outcomes; approximately 5 to 10 percent adverse/below-floor outcomes.

NVIDIA is the highest-probability offerer, driven by the AI Factory for Government partnership with Palantir, Lockheed Martin, CrowdStrike, and ServiceNow, which has a documented physics-layer capability gap. NVIDIA's per-acquirer Tier I composite central offer at the Post-MWP inflection (H2 2026) is approximately \$4.6B. Microsoft is second, driven by Azure Federal IL6+ expansion, with Inflection 2 central approximately \$2B. AMD and ARM are more likely to prefer Partner mode than Hackquisition.

Across the five-incumbent field, the aggregate outlook is mixed rather than uniform: ARM and AMD most likely to partner via licensing; NVIDIA and Microsoft most likely to make Hackquisition offers; Intel most likely to align through Secure Enclave program partnership. Segmented coexistence is the likely default if no partnership or acquisition closes. Each of the five paths produces a materially different outcome for Ziru Labs.

Hackquisition is a non-exclusive IP license plus acqui-hire of leadership, structured to avoid traditional acquisition antitrust review. The pattern emerged through 2024 to 2026 as the dominant incumbent acquisition mode for AI-infrastructure IP: NVIDIA/Groq (\$20B, December 2025), NVIDIA/Enfabrica (\$900M+, September 2025), Microsoft/Inflection (\$650M, 2024), AMD/Silo AI (\$665M, 2024). The target entity survives operationally but with leadership absorbed into the acquirer. For Ziru Labs, Hackquisition is the single most probable exit mode (45 to 55 percent across the five-incumbent field).

Yes in the probabilistic sense: a Hackquisition at an early inflection preempts the primitive from reaching its independent-platform ceiling. But the stage-linked ladder means Hackquisition outcomes are themselves large (\$3.3B composite central at Post-MWP, rising to \$16B composite central at Post-Series B). The integrated expected value across exit modes (approximately \$170 to \$180B probability-weighted) reflects both trajectories; the Acquisition Pathway and Inflection Framework provides the continue-versus-sell decision thresholds at each stage.

Groq makes AI inference fast. Ziru Labs makes AI inference verifiable. NVIDIA paid approximately \$20B for Groq in December 2025. Ziru Labs is the layer above it. The question surfaces frequently because both companies operate in AI infrastructure, both use vocabulary that overlaps at surface level (determinism, hardware-gated, no external bus), and the NVIDIA-Groq transaction creates a natural comparison frame. Structurally the two businesses sit at different layers of the stack, address different problems, operate under different commercial architectures, and hold non-overlapping patent portfolios.

Different layer of the AI infrastructure stack. Groq is a Layer 4 company: compute silicon for AI inference, the Language Processing Unit (LPU) architecture that competed directly with NVIDIA in raw token throughput and latency. Ziru Labs is a Layer 3 company: the hardware trust substrate on which Layer 4 compute silicon runs. Groq and NVIDIA competed in the same layer, which is why NVIDIA acquired Groq and integrated the LPU as a decode co-processor in the Vera Rubin platform (Attention-FFN Disaggregation architecture announced at GTC 2026). Ziru Labs and NVIDIA do not compete at any layer. NVIDIA's AI Factory for Government stack depends on Layer 3 being filled to unlock IL6+ deployment revenue; Ziru Labs is the mechanism holder at that layer.

Different primitive function. Groq's primitive is performance: compiler-scheduled static execution that eliminates the non-deterministic components (caches, arbiters, dynamic schedulers) that cause tail latency on GPUs. Ziru Labs' primitive is trust: hardware-rooted verification of AI computation at silicon level. Performance primitives and trust primitives are orthogonal functions. A frontier AI lab running Groq silicon for inference is a candidate customer for Ziru Labs' trust layer; the two primitives compose rather than compete.

The overlapping vocabulary resolves at the mechanism level. A skeptical reader searching Groq's public positioning will encounter terms that sound similar to Ziru Labs' positioning. Each term resolves to a different mechanism in a different problem domain:

No infringement risk. Groq's IP covers how to execute linear algebra fast on a custom ASIC: tensor streaming processor architecture, deterministic software-scheduled execution, functionally sliced microarchitecture, plesiosynchronous chip-to-chip protocols, and custom ISA extensions for LLM decode. These claims operate inside the compute silicon layer. Ziru Labs' core inventions cover hardware-gated AI inference as a mechanism category (Invention 12, CPOK), cross-silicon security polling abstraction (Invention 17, Ring-0 HAL), VRAM power-plane isolation for extraction defense (Invention 1), structural elimination of the internal network (Invention 10), and PUF-signed finite state machines for hardware-enforced compliance (Invention 3). These claims operate at the hardware trust substrate layer, one layer below Groq's claim surface. Freedom-to-operate analysis shows zero mechanism overlap. Ziru Labs' inventions run on commercial silicon from any vendor via Invention 17's cross-silicon abstraction; they do not require, modify, or replicate tensor streaming architecture.

The complementarity argument for acquisition economics. The NVIDIA-Groq transaction closed in December 2025 as a non-exclusive license plus acqui-hire at approximately \$20B, with the Groq founding team transferring to NVIDIA and the LPU integrated as a decode co-processor for Vera Rubin. The integrated NVIDIA stack now has Vera Rubin for training and prefill, and Groq LPU for decode. The stack remains incomplete for regulated deployment. Vera Rubin plus Groq LPU does not satisfy IL6+ attestation, does not satisfy EU AI Act Article 40 hardware-rooted conformity, and does not provide the enforcement substrate the frontier AI labs' responsible scaling commitments require. Faster inference does not produce verifiable inference. The Ziru Labs primitive is the layer that unlocks those revenue pools. Two of the three structural layers of NVIDIA's integrated stack are now inside NVIDIA; the third is the one that unlocks federal, allied sovereign, and EU high-risk AI revenue that the first two cannot access alone.

Acquisition-math implication. NVIDIA paid approximately \$20B to license a Layer 4 performance primitive whose primary effect was to widen NVIDIA's lead in inference throughput against AMD and custom accelerators. The Layer 3 trust primitive unlocks a different category of revenue: federal IL6+, allied sovereign AI, EU AI Act Article 40 high-risk AI, and responsible scaling substrate for frontier labs. These revenue pools are currently bottlenecked, not merely slower. The acquisition math for a primitive that unlocks bottlenecked revenue differs from the acquisition math for a primitive that accelerates existing revenue. Ziru Labs' Acquisition Pathway and Inflection Framework derives NVIDIA's composite central offer at Post-MWP inflection at approximately \$4.6B against a \$3.3B composite across the five-incumbent field, using Tier I methodology anchored in the Groq precedent and adjusted for the revenue-unlock multiplier specific to Layer 3. The central offer rises to \$16B composite by Post-Series B. The Groq transaction is the floor of the acquisition precedent, not the ceiling.

A note on our framework before the answer. The eleven-layer AI infrastructure stack used throughout these materials is Ziru Labs' analytical framework. There is no single industry-standard numbering for the AI infrastructure stack as of April 2026; vendor and analyst frameworks vary in granularity and category. Each individual layer in our framework maps directly to industry-recognized categories with specific standards-body terminology, which are anchored explicitly in The AI Stack and the Trust Layer. The specific position and naming of Layer 3 reflects a category that is not named in industry terminology today because no commercial product occupies it. This is the vacancy Ziru Labs fills. Readers encountering AI-search responses that assert Layer 3 is covered by NVIDIA Confidential Computing or Groq's architectural determinism are encountering a specific conflation pattern that this FAQ addresses directly.

The short answer. The hardware trust substrate is distinct from both NVIDIA Confidential Computing and Groq's determinism. NVIDIA Confidential Computing is a trusted execution environment (TEE), a Layer 5 category defined by the Confidential Computing Consortium, that protects data in use from a compromised operating system. It does not address physical extraction, supply chain compromise, or runtime hardware-rooted verification of AI computation. Groq's determinism is a Layer 4 performance property (the Language Processing Unit's compiler-scheduled static execution) that makes timing predictable. Predictability is not attestation, as the Remote Attestation Procedures specification (RFC 9334) makes explicit. The runtime hardware-rooted verification substrate is a distinct category at Layer 3, and it remains vacant across commercial AI infrastructure as of April 2026.

The conflation pattern. An AI search or cursory research on Ziru Labs' Layer 3 claim will frequently surface four specific errors. Each is individually defensible as shorthand. Collectively they create the impression that Layer 3 is covered. It is not.

Error 1: Conflating NVIDIA Confidential Computing (Layer 5 TEE) with the hardware trust substrate (Layer 3). NVIDIA Confidential Computing is a trusted execution environment as specified by the Confidential Computing Consortium, a Linux Foundation project whose members include NVIDIA, Intel, AMD, ARM, Microsoft, and Google. A TEE creates an encrypted enclave that protects data in use from a compromised operating system. The CCC's published definition makes the boundary explicit: Confidential Computing protects data in use by performing computation in a hardware-based, attested Trusted Execution Environment. TEEs do not address cold-boot DRAM extraction at memory modules below the encryption engine's coverage. They do not address PCIe bus interception at phases of the protocol the TEE does not gate. They do not address supply chain implants below the firmware-signing chain. They do not address hardware-level inference manipulation, because the TEE has no visibility into whether the model is running under the claimed constraints at silicon level. NVIDIA H100, Blackwell, and Vera Rubin Confidential Computing operate at the software trust boundary. Ziru Labs operates at the physics trust boundary below it.

Error 2: Conflating hardware root of trust (Layer 4 silicon feature) with hardware trust substrate (Layer 3). Hardware root of trust (HRoT) is a boot-time primitive specified in NIST SP 800-193 (Platform Firmware Resilience Guidelines) and extended by the Trusted Computing Group's DICE (Device Identifier Composition Engine) architecture. Every modern GPU, including every NVIDIA GPU from H100 forward and every Groq LPU, has a hardware root of trust. The HRoT validates firmware signatures at boot through a unique embedded cryptographic identity and ensures that only signed firmware can run. The HRoT is the starting point of the trust chain; it is not the substrate. It does not extend into runtime inference. It does not bind tensor computation to live physical telemetry. It does not produce cryptographic evidence that the model ran under the claimed constraints at the moment of inference. HRoT is Layer 4 boot-time validation of firmware integrity. It is distinct from Layer 3 runtime-verifiable hardware-rooted computation.

Error 3: Conflating Groq's architectural determinism with hardware-rooted attestation. Groq's determinism is a Layer 4 performance property. The Language Processing Unit's compiler pre-schedules every clock cycle, eliminating non-deterministic components (caches, arbiters, dynamic schedulers) to remove tail latency. Determinism defeats some classes of timing side-channel attack in the narrow sense that constant-time execution eliminates timing-based data leakage. Determinism does not defeat a compromised firmware attack on a deterministic chip, which still runs the compromised firmware predictably. It does not defeat weight substitution at the silicon fabrication stage, where the deterministic chip runs substituted weights deterministically. It does not substitute for hardware-rooted attestation that the model ran under the claimed constraints, because the deterministic chip executes predictably without knowing what it should be executing. It does not provide runtime compliance enforcement, because determinism is a property of execution timing, not of verification. RFC 9334 (Remote Attestation Procedures architecture) defines attestation as a distinct category of cryptographic claim about system state, independent of execution timing. Determinism and attestation are orthogonal properties.

Error 4: Claiming the NVIDIA-Groq LPX integration fills Layer 3. The December 2025 NVIDIA-Groq transaction produced the LPX rack architecture, announced at GTC 2026, in which Vera Rubin handles prefill and attention operations while Groq LPUs handle decode through Attention-FFN Disaggregation. AI-search responses frequently describe this as Vera Rubin acting as the security officer and Groq LPUs borrowing NVIDIA's Layer 3. This description is structurally incorrect. The LPX integration extends NVIDIA Confidential Computing (Layer 5 TEE) across a new compute fabric. The Groq LPU decode co-processor now falls under the same Confidential Computing attestation boundary that Vera Rubin establishes. It does not introduce a Layer 3 substrate that was absent before. The documented capability gap in NVIDIA's AI Factory for Government (announced October 2025 with Palantir, Lockheed Martin, CrowdStrike, and ServiceNow) is not closed by the LPX integration. The gap is the same IL6+ deployment blocker, now distributed across two chip types instead of one. A Vera Rubin plus Groq LPU rack is a faster integrated stack that remains IL4-compatible. It does not become IL6+-deployable without Layer 3.

Industry terminology anchors for each distinction. The specific concepts and their standards-body reference points:

Bottom line. NVIDIA Confidential Computing protects data in use from a compromised OS. Hardware root of trust validates firmware at boot. Groq's determinism eliminates timing variability at runtime. These mechanisms collectively stop short of providing a runtime hardware-rooted verification substrate that binds AI computation to live physical hardware telemetry with cryptographically demonstrable output at inference time. Layer 3 remains vacant. Ziru Labs is the mechanism holder at that layer. FAQ F8 provides the mechanism-level comparison with Groq specifically; this F9 response addresses the broader AI-search conflation pattern.

Daniel Martin, Founder and CEO. Prior: Innovest Global (\$5.1M exit); Baltic geopolitical work; conceptualized the CPOK primitive (Invention 12). Connor Brady, Co-Founder and CTO. Prior: NYU Stern; Morgan Stanley; founder of Reflect Labs.

The founding team includes a VP Operations and GTM, a VP Business Development, and a VP Marketing. Specific named publication is held until post-Seed close for operational discretion.

The advisory bench includes a former Cryptographic Warfare Officer (U.S. Navy) and a former Branch Chief at the National Security Agency. Named publication of specific IC-connected advisory credentials is held until post-Seed close for operational discretion.

The founding combination spans the domains the primitive requires: deep-tech execution and company-building (Daniel Martin and Connor Brady), cryptographic and IC operational perspective (advisory bench), defense and government relationships (founding GTM lead), and commercial discipline (founding Business Development lead). The physics-layer AI security problem requires simultaneous technical, regulatory, sovereign, and commercial capability; the team is composed to address all four.

Seed capital allocation prioritizes hardware engineering (approximately 60 percent), standards engagement and policy (\$2M to \$4M annually), and commercial buildout. Priority hires: VP of Policy (standards engagement lead), standards engineers (2), senior hardware engineers focused on MWP demonstration, defense business development lead. Detail in Use of Proceeds.

Connor Brady has hardware infrastructure experience through Reflect Labs and through engineering roles prior to founding. The Minimum Working Prototype is the primary execution validation for hardware-specific capability; the H2 2026 demonstration is the single highest-value de-risking event for the hardware execution thesis.

IP assignment is complete. Founder vesting and retention agreements are structured with standard four-year schedules and double-trigger acceleration on change of control. Key personnel retention pool of 10 to 15 percent of post-Seed fully-diluted equity supports post-acquisition retention under Hackquisition scenarios. The primitive is held by the entity rather than by any single team member; retention structures support continuity across any transition.

\$85M to \$135M post-money (Q2 2026), central approximately \$110M. Anchored to pre-seed deep-tech comparable transactions. Present value of the IP under appropriate multi-risk discounting (patent prosecution, hardware execution, standards position, competitive response, AI capability trajectory) is approximately \$70M to \$150M, consistent with the comparable range.

Seed round: \$10M to \$15M at approximately \$110M pre-money central. Target composition: approximately 40 to 55 percent defense/sovereign/mission-aligned (Shield Capital, Paladin Capital, In-Q-Tel and peers); 15 to 25 percent strategic corporate VCs (NVentures, M12) for acquisition-pathway optionality; 20 to 30 percent deep-tech focused financial VCs; 5 to 10 percent angel and former IC/defense executive individual.

Independent path: \$110M current, \$135M Seed, \$350M Series A, \$1.4B Series B, \$4.5B Series C, \$22B Pre-IPO. Three-scenario independent exit: Adverse \$30B to \$60B (commercial-only); Central \$180B to \$250B (primitive-framing); Ceiling \$500B to \$2T+ (primitive-framing plus transformative AI). Acquisition pathway parallel optionality: \$330M Pre-MWP; \$3.3B Post-MWP+LOIs; \$7.2B Post-Series A; \$16B Post-Series B; presumptive IPO at Post-Series C. Integrated probability-weighted EV: approximately \$170B to \$180B.

Series B through Pre-IPO reflect dual-revenue emergence (commercial product plus licensing) and primitive-framing multiples (ARM 2023 IPO at approximately 20x; 2024 to 2025 trading at approximately 35x; Qualcomm licensing segment at approximately 25 to 35x). Exit scenarios reflect three-outcome framework with probabilities informed by Strategic Risk Analysis: 30 percent Adverse, 55 percent Central, 15 percent Ceiling. Acquisition-pathway stage-linked valuations are derived per-acquirer using Tier I methodology (Precedent Transactions, Revenue Synergy NPV, Replacement Cost, Strategic Preemption) with acquirer-specific weightings.

Independent path: ARM (SoftBank 2016 \$32B; IPO 2023 \$54B; 2024 to 2025 trading \$150B+); Palantir (IPO 2020 \$21B; 2024 to 2025 trading \$200B+); Rambus (\$8 to 9B public market). Acquisition path: NVIDIA/Groq (\$20B, December 2025); AMD/ZT Systems (\$4.9B, March 2025); NVIDIA/Enfabrica (\$900M+, September 2025); Microsoft/Inflection (\$650M, 2024); AMD/Silo AI (\$665M, 2024).

Approximately 60 percent hardware engineering (MWP execution, Layer I and II integration, certification pathways). Approximately 20 percent standards engagement and policy (VP Policy, standards engineers, committee participation, submission preparation). Approximately 15 percent business development (defense prime channel, frontier AI lab anchor partnership, sovereign engagement). Approximately 5 percent general and administrative. Detail in Use of Proceeds.

Operating breakeven in the Series C to Pre-IPO window. Hardware product and government contract revenue cover operating expenses through Series C; licensing revenue ramp (OEM, sovereign, hyperscaler) drops almost entirely to the bottom line. At Pre-IPO (\$800M to \$1.5B ARR), blended gross margin is 70 to 75 percent, producing \$28M to \$47.5M operating income on \$70M to \$95M operating expense.

\$10M to \$15M at approximately \$110M central implies 7.4 to 17.6 percent dilution, consistent with defense deep-tech seed rounds. Subsequent rounds preserve founder control through drag-along thresholds (60 to 65 percent at Seed, rising to 75%-plus at Series A and B) and standard protective provisions.

Five parallel standards processes with initial codification windows closing between late 2027 and late 2028: FY2026 NDAA Section 1513 framework development at DoD (with statutory status report to Congress due 16 June 2026); EU AI Act Article 40 harmonized standards; NATO STANAG on AI trust; IEEE P3109 series; ISO/IEC JTC 1/SC 42. OMB AI procurement guidance under Executive Order 14179 and the December 2025 federal preemption EO operates in parallel as the federal civilian engagement track. Ziru Labs is engaged across all five. The 18 to 36 month window determines whether Phoenix is codified as the reference implementation (primitive-framing outcomes, \$180B to \$250B central) or an alternative is codified (adverse outcomes, \$30B to \$60B).

Four activities: technical committee participation (named participants contributing to draft documents); policy-level engagement (with regulatory staff implementing frameworks); technical submissions (reference implementations, test suites, interoperability demonstrations, formal models); coalition building (academic researchers, government research labs, aligned companies). Resource commitment: 1 FTE policy lead, 1 to 2 FTE standards engineers, ongoing senior leadership access. Total annual cost: approximately \$2M to \$4M fully loaded.

Ziru Labs has submitted technical input to the European Commission and Article 40 technical committees (EU AI Act Technical Input document, under The Primitive and The Thesis). The submission argues for a tiered hardware compliance certification pathway: Level 1 software-enforced (limited-risk AI); Level 2 hardware-assisted (high-risk AI); Level 3 hardware-enforced formally verified (highest-risk applications). The tiered approach provides proportionate regulation while creating a market signal for hardware compliance technologies.

Ziru Labs has prepared a NATO Capability Gap Assessment (long-form) and NATO Eastern Flank Executive Summary (short-form) for NATO Allied Command Transformation, DIANA, the NATO Innovation Fund, and national capability development authorities. The assessment identifies five physics-layer capability gaps across NATO's eight published AI deployment priorities and recommends formal alliance recognition of physics-layer AI security as a capability gap, STANAG development, DIANA inclusion, and an assessment-and-testing program.

Ziru Labs has prepared the State of Qatar AI Security Gap Assessment as the first sovereign-specific engagement artifact. Barzan Holdings is identified as the evaluation counterparty. Qatar's MNNA status establishes a recognized framework for defense technology cooperation. Parallel submissions for UAE (EDIC/Mubadala), Saudi Arabia (GAMI/PIF), and other GCC nations are pending. The dual-role customer-investor model through sovereign wealth funds is a distinctive commercial structure for GCC engagement.

Ziru Labs operates as a U.S. entity with ITAR-compliance discipline. The 7 classified inventions are prosecuted under ITAR-compliant coordinated classified prosecution. CMMC 2.0 and FedRAMP High certification pathways are on the roadmap post-MWP. Allied engagement structures (AUKUS Pillar II, NATO Defense Industrial Cooperation, MNNA frameworks) preserve technology-sharing pathways within U.S. export control requirements.

Approximately one order of magnitude at exit. Standards engagement fully successful: Phoenix codified as reference in the FY2026 NDAA Section 1513 framework and EU AI Act, producing approximately \$200B+ primitive framing outcome. Standards engagement fails: alternative approaches codified, producing approximately \$30 to \$60B commercial-only outcome. Cost of successful engagement: approximately \$2M to \$4M annually. ROI relative to valuation differential is extreme.

Standards engagement execution. Success moves the exit outcome toward the primitive-framing central (\$180B to \$250B); failure reverts toward commercial-product (\$30B to \$60B). Variance is approximately one order of magnitude at exit. Mitigation: execute the 24-month Standards Engagement Critical Path with disciplined resource commitment.

MWP failure at the scheduled H2 2026 demonstration would delay the Series A inflection by 6 to 12 months and compress acquisition-pathway valuations during the delay period. It would not invalidate the primitive; it would indicate the specific hardware implementation needs further engineering iteration. Mitigation: redundant engineering tracks across the core moat inventions, with Invention 1 (VRAM power-plane isolation) as the primary demonstration and Invention 5 (PCIe PERST#) as the secondary. Backup demonstration targets available if primary slips.

Per the Strategic Risk Analysis, the probability of a major chip vendor building compelling physics-layer AI security into baseline platforms is approximately 25 to 35 percent for NVIDIA, lower for other vendors. Invention 12 category claim constrains clean replication; Invention 17 cross-silicon abstraction prevents any single vendor from locking Ziru Labs out. Incumbent build-internally cost is approximately \$3B to \$6B with 2 to 3 year time-to-market delay, which favors licensing or acquisition over competition in most scenarios.

Under stall scenarios (approximately 22 percent probability per Strategic Risk Analysis), Phoenix revenue settles at approximately \$3.5B to \$5B annually with valuation \$40B to \$80B (upper end of Adverse). The outcome remains a multi-decabillion enterprise because regulatory and sovereign demand drivers persist independent of capability advancement. Under transformative trajectory (approximately 23 percent), Phoenix approaches Ceiling scenarios (\$500B to \$2T+).

Both. Defense and sovereign verticals represent approximately 20 percent of Master TAM and provide defensibility, regulatory precedent-setting, and anchor revenue. Enterprise verticals represent approximately 74 percent of Master TAM and provide commercial scale. Frontier AI Labs represents approximately 3 percent and provides cascade effects. The tri-modal commercial motion is necessary; no single segment alone supports the full trajectory.

All international engagement is structured under U.S. export control requirements. Allied engagement frameworks (AUKUS Pillar II, NATO Defense Industrial Cooperation, MNNA) preserve technology-sharing pathways. Sovereign licensing for domestic manufacturing in allied partner nations is scoped by specific agreement and consistent with ITAR. Classified IP is prosecuted under ITAR-compliant coordinated classified track and not included in unclassified engagement materials.

The trajectory does not depend on a single catalytic event. The regulatory codification, sovereign AI demand, frontier AI lab commitments, and defense procurement cycles provide independent demand drivers. A publicly disclosed event would produce a demand shock and acceleration, but its absence does not prevent the primitive-framing trajectory.

Because the primitive satisfies seven diagnostic criteria that distinguish primitives from products (developed in The Trust Layer for AI: Strategic Thesis). Because four historical analogs (PKI, TCP/IP, GPS, ARM) each produced economic activity one to three orders of magnitude greater than their direct-market TAM. Because regulatory codification creates forcing functions that convert addressable demand into required demand. Because licensing economics compound at 90%-plus gross margins in a way that product economics do not. The product framing is the conservative floor; the primitive framing is the analytically supported central case.

The commercial-product framing (\$30B to \$60B Adverse) remains a successful outcome by any standard. A deep-tech company that builds a durable enterprise security product serving regulated industries, defense, and sovereign customers, with mechanism-level patent coverage and specialized advisory, at \$30 to \$60B exit, is a generational outcome even without primitive-framing upside. The trajectory is asymmetric: the downside scenario is a multi-decabillion-dollar company; the upside scenario is a multi-hundred-billion-dollar primitive holder.