Anduril's Counter-Drone Stack Needs Disclosure-Cost Admissibility
by Nick Clark | Published April 25, 2026
Anduril's Anvil and Anvil-M counter-drone systems, integrated with the Lattice command-and-control mesh and deployed across CENTCOM operating areas and the Replicator counter-small-UAS initiative, are among the most operationally exercised counter-drone platforms in U.S. service. They detect, track, and physically neutralize hostile small UAS through kinetic interceptors with extensive software-mediated targeting. The architectural element this paper examines is not the kill chain's effectiveness; it is the authorization chain that governs whether a target is engaged. In current deployments that authorization chain lives server-side in Lattice and theater command systems. It is operator-authenticated and audit-logged, but it is not cryptographically bound to the engagement record at the effector. A server compromise, a man-in-the-middle on a degraded link, an insider with credential access, or a misconfigured operating mode can cause an effector to act on an authorization that does not in fact reflect a lawful command authority. Disruption modeling as a primitive describes a different binding: every effector action carries cryptographic evidence of the authority chain that approved it, ratified by the credentialed governance authorities responsible for the rules of engagement at that location and time. This paper examines the structural gap and the composition pathway between Anduril's existing stack and that primitive.
Vendor and product reality
Anduril's counter-UAS portfolio occupies a defined and rapidly growing procurement category. Anvil is a kinetic interceptor designed to physically collide with hostile small UAS; Anvil-M extends the family with a warhead-equipped variant for harder targets. Both operate within Lattice, Anduril's command-and-control software that fuses sensors (Sentry tower radar and EO/IR, third-party radar feeds, RF detection, acoustic), maintains a common operating picture, and coordinates effector dispatch. The integration with Pulsar (RF effects), Roadrunner (reusable interceptor), and broader DOD systems through standardized interfaces gives Anduril vertical coverage from detection through engagement.
Deployment scale is substantial. Anduril systems are fielded across CENTCOM operating areas to defend forward operating bases against the small-UAS threat that has dominated the counter-drone procurement story since 2019. The Replicator initiative, DOD's effort to field large quantities of attritable autonomy in tight timelines, includes counter-sUAS allocations that have brought Anduril's systems into broader force structures. Domestic deployments — base defense, certain border applications, critical-infrastructure protection — extend the operational footprint. Procurement velocity is a real differentiator: Anduril's commercial-style development cycle has produced hardware in the field on timelines the legacy primes have struggled to match.
The targeting and authorization architecture, as publicly described, follows a common pattern. Sensor fusion produces a track. Track-to-target classification proposes engagement candidates. An operator at a Lattice console reviews the proposed engagement and authorizes effector dispatch under the rules of engagement set by theater command. The authorization is logged, the effector is dispatched, the engagement is recorded. This is a defensible and well-understood human-on-the-loop architecture, and Anduril has invested in making the operator experience and the audit trail rigorous.
The architectural gap
The gap is in how the authorization travels from the operator and from the rules-of-engagement authority to the effector itself. In current architectures the authorization is a server-side state: the Lattice instance has been configured with the operator's credentials, the rules of engagement are encoded as policy, and an authorization message is dispatched over a tactical link to the effector. The effector trusts the link and the originating server. There is no requirement that the effector verify a cryptographic chain of evidence proving that the specific engagement it is about to perform corresponds to a specific operator decision under a specific rule-of-engagement state ratified by specific named authorities.
This produces several structural exposures. First, server compromise: an adversary who gains access to a Lattice instance, or to the credential store backing it, can dispatch authorizations that are operationally indistinguishable from legitimate ones, because the effector's trust model is the link plus the server identity, not the cryptographic chain of authority. Second, link manipulation: tactical links are increasingly contested, and an adversary capable of injecting traffic on a degraded or spoofed link can issue effector commands that the effector accepts because the verification model is bilateral rather than chain-rooted. Third, insider risk: an operator with valid credentials can authorize engagements that exceed the rules of engagement, and the audit trail will show that authorization happened, but the engagement record itself does not carry independent evidence that the rules-of-engagement authority ratified the policy under which the operator acted. Fourth, configuration drift and mode confusion: a Lattice instance set to a permissive operating mode for one mission segment and not correctly transitioned for another can produce engagements that no human in the chain would have endorsed had the chain been visible.
These are not theoretical concerns. The counter-UAS mission space sits inside the same trust assumptions that DOD has been re-examining across autonomy and cyber: the assumption that server-side authorization plus operator authentication is sufficient is exactly the assumption that adversary capability and emerging audit doctrine are pressing against. The architectural gap is that Anduril's effectors do not currently produce, and are not currently required to verify, a cryptographic engagement record that binds the action to the chain of authority that produced it.
What the disruption-modeling primitive provides
Disruption modeling as the primitive applied here provides credentialed governance over actions whose disclosure or execution carries strategic cost. For counter-UAS, the actuation is the engagement and the strategic cost includes both the kinetic effect and the disclosure of the effector's capabilities, location, and authorization posture. The primitive treats every contemplated engagement as a credentialed actuation request. The request is evaluated against a credentialed policy issued by named authorities — theater command for the rules of engagement, the on-scene commander for current operating mode, the operator for the specific engagement decision. The policy and the evaluation produce a signed admissibility token. The effector verifies the token chain before acting and emits a signed engagement record that anyone with the verification keys can audit independently of the Lattice server that produced the dispatch.
Several properties follow. The engagement record is cryptographically bound to the authorities, not to the server. Server compromise no longer suffices to produce admissible engagements, because the compromised server cannot mint authority signatures it does not hold. Link manipulation is detectable because injected commands lack the chain. Insider abuse is bounded because an operator's signature is one element in a chain that includes the rules-of-engagement authority's signature, and an operator cannot extend the rules of engagement merely by acting; the action is recorded as out-of-policy at the effector, not after-the-fact in audit. Configuration drift is bounded because the operating-mode authority is itself a signing party, and a mode transition is a signed event, not a server-state change.
The primitive also produces structural ELINT discipline as a side effect. Because every contemplated probe or engagement is a credentialed actuation request evaluated against credentialed policy, disclosure-cost weighting becomes a policy parameter rather than an operator habit. Probes that would reveal capability disproportionate to information value are refused at the effector under signed policy, not declined by operator discretion. The deployment's ELINT signature becomes a property of the policy, auditable and adjustable from the authority side rather than dependent on the discipline of every operator.
Composition pathway
The composition pathway for Anduril is incremental and does not require re-architecting Lattice. The first step is signature carriage on engagement authorizations: the existing operator authorization gains a signature by the operator's credential, the rules-of-engagement state is signed by the issuing authority, and the dispatch message carries the chain. The effector firmware adds a verification step that gates actuation on chain validity. The engagement record emitted by the effector carries the chain plus the effector's own signature, producing an audit artifact that can be independently verified.
The second step is policy-side integration: rules of engagement are encoded as signed policy objects rather than server configuration, with named authorities and explicit validity windows. Theater command issues a policy object that ratifies the rules of engagement for a mission segment. On-scene commanders issue narrower policy objects for operating-mode transitions. Operator decisions are individually signed authorizations that compose with the policy chain. The Lattice server orchestrates the composition but is no longer the trust root for the chain.
The third step extends the same model to detection-side actuation: probes, illuminations, and active interrogations are credentialed actuation requests under disclosure-cost policy, producing the structural ELINT discipline that DOD CDAO autonomy guidance and the broader JADC2 governance framework are converging toward. Sentry's hardware remains Anduril's competitive differentiator; the credentialed governance layer above it becomes the procurement-relevant differentiator that turns operator-discretion architectures into structurally auditable ones.
Commercial and licensing considerations
For Anduril, the commercial frame is procurement defensibility. DOD audit and procurement requirements are moving toward structural rather than procedural assurance for autonomous and semi-autonomous engagement. The CDAO autonomy guidelines, the LAWS-related elements of Joint Publication 3-09.1 and successor doctrine, and the audit expectations attached to Replicator and follow-on programs all point in the same direction: the authority chain behind an engagement must be cryptographically demonstrable, not procedurally asserted. A counter-UAS supplier whose stack already produces signed engagement records under credentialed policy is positioned to satisfy those requirements as they harden, while suppliers relying on server-side authorization face re-architecture under audit pressure. The licensing structure aligns with this. The credentialed-actuation primitive is the licensable element; Anduril's hardware, sensor fusion, Lattice integration, and operator experience remain its commercial differentiators. Licensing the primitive into the engagement and probe-authorization layer adds the structural property the procurement environment is moving to require, without displacing the elements that make Anduril's existing offering competitive.
For DOD and allied counter-UAS buyers, the same primitive is the structural answer to the question of how autonomy-augmented engagements remain demonstrably under lawful authority as tempo, scale, and adversary capability all increase. For software architects designing the next generation of counter-UAS and broader effector-management platforms, the primitive is the design element that turns operator-discretion ELINT discipline into structural governance and turns server-trusted authorization into chain-rooted authorization. The remaining gap between Anduril's current stack and that primitive is closable through composition rather than replacement, and the closure is the commercially meaningful path forward.
