Quantum-Safe Embedded Systems | Project Hierophant

Our Position

The attack surface of a sovereign network is defined by its smallest device.

Every sovereign communications stack eventually terminates at an edge device — a sensor, a controller, a gateway. If that device runs conventional cryptography on a standard operating system with a commercial update mechanism, it is the weakest point in the sovereign chain. A post-quantum-encrypted state channel is only as quantum-safe as the MCU that generates the session keys. An OS-free secure gateway is only as tamper-resistant as the firmware update process that can silently replace it. Hierophant extends the sovereign protocol layer all the way to the microcontroller: bare-metal MCU runtime with no OS attack surface, native post-quantum key generation, non-IP mesh integration, and anonymous OTA firmware distribution that reveals nothing about which devices exist or what versions they run.

The Threat Model

Five threats at the edge and MCU layer.

These five vulnerabilities define the edge device threat model for sovereign and critical infrastructure IoT — the attack surface that conventional IoT security products do not address at the cryptographic protocol layer.

01

IoT Device Compromise via OS Vulnerability

OS CVE · Remote Code Execution · Firmware Backdoor

Most IoT and embedded devices run lightweight versions of Linux or RTOS variants with publicly documented vulnerability histories. An adversary exploiting an OS-layer CVE on an industrial IoT gateway gains full control of the device, its cryptographic keys, and all communications it handles. An OS-free device running bare-metal protocol firmware has no OS vulnerability class — there is no operating system to exploit, no kernel to privilege-escalate through, and no shell to drop into.

02

Firmware Downgrade Attack

Firmware · Version Rollback · Downgrade

An adversary who can reach the firmware update mechanism of an embedded device can force a rollback to a version with known vulnerabilities — even if the device has been fully patched. Firmware downgrade attacks are documented against industrial PLCs, smart meters, and gateway devices. A cryptographically authenticated update chain with version floor enforcement prevents rollback regardless of adversary network access to the update channel.

03

Fleet Mapping via OTA Monitoring

OTA Traffic · Fleet Enumeration · Reconnaissance

Conventional firmware update systems connect devices to update servers in a way that reveals fleet composition to any observer monitoring the update traffic — device count, model types, geographic distribution, and current version status. Adversaries monitoring OTA update events can enumerate critical infrastructure IoT fleets, identify vulnerable devices by version, and locate them geographically before an attack. The update event is a reconnaissance opportunity.

04

Harvest-Now-Decrypt-Later on Sensor Data

HNDL · Quantum · Sensor Intelligence

Industrial sensor data — power grid load patterns, water treatment parameters, pipeline pressure readings, environmental monitoring — reveals operational patterns with intelligence value over extended time horizons. Adversaries are archiving this sensor telemetry today for retroactive quantum decryption. Post-quantum protection on sensor data is not a future consideration — the archive is being built now, and the sensitivity window for infrastructure operational patterns extends decades.

05

Supply Chain Implants in MCU Silicon

Foreign Silicon · Hardware Implant · Trust Chain

Microcontrollers and embedded processors sourced from foreign supply chains may contain silicon-level implants that operate below the firmware layer — beyond the reach of any software security audit or firmware verification mechanism. An implanted MCU can extract cryptographic keys, suppress tamper detection, or provide a covert channel regardless of what software runs on top of it. Sovereign supply chain hardware is the only answer at the silicon level.

The Capability Stack

Eight layers. Every device.

Hierophant quantum-safe embedded is the MCU SDK and reference hardware that extends the sovereign protocol stack to the smallest device in the network — from gateway to sensor to actuator.

01

MCU-Native ZK Protocol

The Hierophant ZK protocol runs natively on microcontrollers with as little as 64KB of RAM. No operating system required. No protocol stack abstraction layer. The ZK proof generation, key agreement, and message authentication run directly on the MCU in a minimal firmware footprint designed for resource-constrained embedded environments.

MCU SDK · 64KB RAM · No OS Required

02

Post-Quantum MCU Encryption

NIST post-quantum cryptography optimized for constrained MCU environments — hardware-accelerated where available, software-only fallback where not. Full post-quantum protection runs on the same class of microcontroller used in industrial IoT and smart grid devices today, without requiring a hardware upgrade.

NIST PQC · MCU-Optimized

03

OS-Free Bare-Metal Runtime

The Hierophant embedded runtime has no operating system. No Linux kernel. No RTOS. No shell. No process manager. The protocol firmware is the entire software stack — below it is the hardware, above it is the application interface. The OS vulnerability class does not exist on a device that runs no OS.

No OS · No Kernel · No Shell · Bare-Metal

04

Sovereign IoT Network Integration

MCU devices join the sovereign non-IP mesh without IP address assignment or DNS registration. Sensors and controllers communicate with each other and with gateway nodes through the ZK mesh protocol. The IoT device appears in no IP-layer network record, no router log, and no internet address space registry.

Non-IP Mesh · No IP Address · Invisible

05

Non-IP Private Networks

The IoT mesh operates without internet protocols throughout — including at the MCU layer. Sensors and controllers connected to a non-IP mesh are immune to the entire class of IP-layer attacks: port scanning, exploit delivery via TCP/IP, botnet recruitment, and internet-routed command injection. Non-IP is not just privacy — it removes the attack surface entirely.

No TCP/IP · No Port Scan Surface · Non-IP IoT

06

Anonymous OTA for MCUs

Firmware updates delivered over the sovereign mesh without the update server learning which devices connect, their current firmware versions, or their locations. Each device receives the update through an anonymous channel. No OTA traffic analysis can enumerate the fleet, identify vulnerable version cohorts, or geolocate devices. The update completes; the fleet remains invisible.

Anonymous OTA · No Fleet Enumeration · Blind Server

07

Tamper-Evident IoT Hardware

Reference hardware with physical tamper detection that wipes key material on intrusion attempt. Austrian-manufactured MCU boards with EU-sourced components and full supply chain audit trail. Hardware attestation certifies that the device has not been physically modified since manufacturing. Tamper-evident seals provide visual inspection path for field security audits.

Tamper-Detect · Key Wipe · EU Supply Chain

08

Regulatory Compliance Layer (IEC 62443)

Hierophant embedded generates the cryptographic audit evidence required for IEC 62443 industrial cybersecurity certification and EU Cyber Resilience Act device compliance. Post-quantum encryption, authenticated firmware updates, and tamper-evident hardware together satisfy the technical security baseline for KRITIS-relevant IoT devices, with compliance artifacts generated automatically during operation.

IEC 62443 · CRA · KRITIS IoT · Compliance

In Deployment

When the device is the weakest link.

Three scenarios where edge device vulnerabilities compromised larger sovereign communications architectures and Hierophant embedded removed the attack surface at the MCU layer.

Sovereign Industrial IoT Network

A national energy operator deploys a post-quantum secure sensor grid across 400 substations.

Each substation MCU runs Hierophant bare-metal firmware. No IP addresses are assigned. Sensor telemetry traverses the non-IP sovereign mesh. An adversary scanning the energy operator's network finds no IoT devices at IP addresses — the sensors are not in the IP address space. Adversary intelligence on substation sensor deployment, firmware versions, and communication patterns: nil.

Energy GridNon-IP IoTInvisible Fleet

Anonymous Firmware Fleet Update

A critical infrastructure operator needs to update 1,200 field MCUs with a security-critical firmware patch without disclosing fleet composition to adversary intelligence.

Updates distribute through the anonymous OTA channel. The update server processes requests without logging device identities or versions. Adversary traffic analysis of the OTA event sees anonymous encrypted traffic with no identifiers mapping to specific devices, models, or locations. 1,200 devices receive the patch; adversary intelligence sees nothing that maps to a fleet update event.

Anonymous OTAFleet InvisibleZero Disclosure

Post-Quantum Sensor Grid

A national environmental monitoring network generates sensor data with 20-year operational sensitivity.

Each sensor MCU encrypts telemetry with NIST post-quantum cryptography before transmission. The non-IP mesh carries the encrypted data to the sovereign gateway. Adversary bulk collection of sensor network traffic yields encrypted data with no PQ-breakable content today and no classical-era encryption that can be broken when quantum hardware arrives. The sensor archive is protected for the full operational sensitivity window of the data.

PQ Sensor Data20yr ProtectionNon-IP Mesh

By the Numbers

Device baseline.

Four properties of the Hierophant embedded stack that hold at the MCU level — the device floor for sovereign IoT deployment.

Zero

OS Attack Surface

No OS · No Kernel · Bare-Metal

Zero

Fleet Metadata in OTA

Anonymous · Blind Server · Non-IP

64KB

Minimum MCU RAM

Constrained Devices · No GPU Required

PQ

All Sensor Data Encrypted

NIST FIPS 203/204

Continue

Adjacent capabilities.

Quantum-safe embedded MCUs are the hardware foundation for these three sovereign communications and control surfaces.

National Security

Critical Infrastructure ↗

ZK SCADA command verification and NIS2-compliant OT security built on the same MCU-native protocol foundation — the embedded layer of industrial sovereign control.

Emerging Threats

AI Agent Security ↗

Hardware attestation for AI agent execution environments — sovereign MCU hardware as the trust root for autonomous agent systems.

Mission Capability

Autonomous Systems & Drone Mesh ↗

MCU-native PQC is the onboard cryptography for autonomous drone platforms — the embedded security layer for every node in the sovereign drone mesh.

Recognition

Trusted by those who cannot afford to be wrong.

Independent validation from the defence and security community — not awards for growth metrics, but recognition for solving a hard problem correctly.

Austrian Armed Forces · 2026

ADIC 2026 — Austrian Defence Innovation Conference

Project Hierophant presented at the Austrian Defence Innovation Conference 2026, the primary forum for defence technology assessment by the Austrian Armed Forces (Bundesheer) and allied ministries.

Austrian Armed Forces · bundesheer.at ↗

Press · Defence Media

Militär Aktuell — GetTrusted Cybersecurity Coverage

Militär Aktuell, Austria's leading defence and security publication, covered Project Hierophant's post-quantum sovereign communications approach and its relevance to national security architecture.

Read Coverage · militaeraktuell.at ↗

Hardware · hierophant.at

Austrian-Manufactured Secure Hardware

Purpose-built OS-free hardware manufactured in Austria under EU supply chain oversight. No operating system means no operating system vulnerability class. Hardened enclosures with physical access protection. National supply chain audit trail.

Hardware Catalog · hierophant.at ↗

Post-quantum on the MCU. Below the OS line.