
Our Approach

BlackHart scores are adversarial, continuous, quantified, and evidence-backed. This is not checklist auditing — it's active offensive research that produces measurable risk data.

What Makes This Different

Adversarial, not checklist

Every score is produced by actively trying to exploit the protocol. We don't check boxes - we attempt to break things, and the score reflects how hard that was.

Continuous, not point-in-time

Scores update every 6 hours and within 30 minutes of any code commit. A passing audit 6 months ago means nothing if the codebase has changed.

Quantified, not qualitative

Every dimension produces a number (0-100) from reproducible analysis. No 'the code looks clean' opinions - only measurable properties.

On-chain, not behind a paywall

The composite score is free and will be verifiable on-chain once the oracle deploys to Base. Subscriptions buy continuous adversarial coverage, prioritized reassessment, and workflow support.

Evidence-backed

Every score has an IPFS-pinned evidence hash linking to the full analysis that produced it. Scores are auditable, not trust-me assertions.

Multiplicative, not additive

A single catastrophic dimension cannot be masked by high scores elsewhere. The product formula ensures that a single dimension scoring zero tanks the entire score.

Adversarial Resilience

proprietary methodology

Adversarial Resilience (D7) measures how well a protocol withstands independent, offensive security research. Unlike the other 11 dimensions — which analyze observable properties using published formulas — this dimension reflects the outcomes of actually attempting to exploit the protocol using real attack methodologies against the live system.

Why this methodology is not published: The same principle that governs responsible vulnerability disclosure applies at the tooling level. Security researchers don't publish working exploits — they disclose the impact and work with the affected team to remediate. We apply the same logic to the engine that finds those exploits. Publishing our adversarial assessment stack would arm the attackers we exist to protect against.

What is verifiable: D7 scores are backed by the same on-chain evidence hash as every other dimension. The score, its weight (10%), and the evidence commitment are all published. What stays private is how we arrive at the assessment — not the assessment itself. Protocols that subscribe to monitoring receive full breakdowns of their D7 score, including specific findings and remediation paths.

Score interpretation: A high Adversarial Resilience score means the protocol has been extensively tested and no significant concerns were found. A low score means areas of concern were identified during adversarial testing — but specifics are not publicly disclosed. Affected protocols always receive enough detail to validate and remediate.

Cross-dimension impact: Findings from adversarial testing propagate to related dimensions. An access control concern discovered during adversarial research affects both the Adversarial Resilience score and the Access Control dimension score, ensuring the composite BRI reflects the full impact of every finding.

Z-Factor (Maturity Credibility)

The Z-Factor is a credibility coefficient ranging from 0.0 to 1.0 that scales the confidence in a BRI score, not the score itself. A protocol can have excellent dimension scores, but if it deployed yesterday, the Z-Factor signals that those scores carry less actuarial weight than the same scores from a protocol with years of production history.

Z = T_deploy / (T_deploy + 180)

T_deploy = days since mainnet deployment

Half-life = 180 days (reaches 0.5 at 6 months)

A protocol live for 30 days has Z = 0.14 — its scores are real but carry low confidence. At 6 months (Z = 0.50), confidence reaches the halfway mark. At 2 years (Z = 0.80), the score has substantial actuarial backing. The curve never reaches 1.0 — even a 10-year protocol has Z = 0.95, reflecting the principle that absolute certainty is never achieved.

Why it matters: Without a maturity coefficient, a newly deployed protocol with clean code would score identically to a battle-tested protocol that has survived multiple market cycles. The Z-Factor prevents this false equivalence by encoding the actuarial reality that time-without-exploit is evidence of safety.

Interpreting a BRI Score

Protocol Teams

Use dimension-level scores to identify which attack surfaces need hardening. Each dimension pinpoints a specific category of risk, so remediation effort is focused where it matters most.

DeFi Integrators

Use the composite BRI combined with the Forge Scale tier as a programmatic gate before integrating with or routing through a protocol. Set minimum thresholds that match your risk appetite.

Insurance Protocols

Combine the BRI with the Z-Factor maturity coefficient to price cover more accurately. Higher BRI and higher Z-Factor together indicate lower actuarial risk.

Institutional Investors

Use trend data and on-chain score history to track how a protocol's risk profile evolves over time. A rising BRI signals improving security posture; a falling one signals emerging risk.
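The programmatic gate suggested for integrators, combined with the Z-Factor formula above, as an added example that is not BlackHart's code. The thresholds, the 0-100 composite scale, the 12-hour staleness window and all function names are assumptions; the Forge Scale tier is left out because this page does not define its tiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HALF_LIFE_DAYS = 180  # from the page: Z reaches 0.5 at 180 days


def z_factor(deployed_at: datetime, now: datetime) -> float:
    """Z = T_deploy / (T_deploy + 180), T_deploy in days since mainnet deployment."""
    days = (now - deployed_at).total_seconds() / 86400
    if days < 0:
        raise ValueError("deployment timestamp is in the future")
    return days / (days + HALF_LIFE_DAYS)


def days_until_z(target: float) -> float:
    """Invert the formula: T = 180 * Z / (1 - Z). Z = 1.0 is never reached."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target Z must be in [0, 1)")
    return HALF_LIFE_DAYS * target / (1.0 - target)


@dataclass(frozen=True)
class Policy:
    # Hypothetical integrator policy; every threshold here is an assumption.
    min_bri: float = 70.0
    min_z: float = 0.5
    # Page: scores update every 6 hours. Tolerate one missed cycle, no more.
    max_score_age: timedelta = timedelta(hours=12)


def gate(bri, scored_at, deployed_at, now, policy=Policy()):
    """Return (allowed, reason). Fails closed on missing, stale or malformed input."""
    if bri is None or not 0 <= bri <= 100:  # also rejects NaN
        return False, "invalid-score"
    age = now - scored_at
    if age < timedelta(0) or age > policy.max_score_age:
        return False, "stale-score"
    try:
        z = z_factor(deployed_at, now)
    except ValueError:
        return False, "invalid-deployment-date"
    if bri < policy.min_bri:
        return False, "bri-below-threshold"
    if z < policy.min_z:
        return False, "immature"
    return True, "ok"
```

Checking the score's age before its value keeps the gate from acting on a score computed before a later code change.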

Address the risks driving your score

BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.