Cause: The installer requires administrator privileges to write to %ProgramData%, register Windows Firewall rules, and (on shield installs) register a Windows service.

Resolution: Right-click 1 - Install Server.exe → "Run as administrator". When the UAC dialog appears, click Yes. If UAC is disabled on the machine, enable it temporarily via the Control Panel → User Accounts, or run PowerShell as Administrator and execute Deploy-HyveRaptor.ps1 directly.

Cause: Group Policy or local hardening has set the execution policy to Restricted or AllSigned. The bundled launchers set execution policy Bypass inline, but some domain-managed machines override this.

Resolution: Open an elevated PowerShell session and run:

This sets the policy only for the current process, bypasses the launcher, and produces identical behavior.

Cause: The distribution ZIP was not fully extracted before running the installer, or the bin/ folder was moved/renamed.

Resolution: Re-extract hyve-raptor-package-v1.0.0.zip to a fresh folder. Do not run the launchers from inside a ZIP preview — Windows does not extract bundled folders in that mode. Confirm the folder structure matches:

Cause: The bundled EXEs are not signed with an extended-validation code-signing certificate (common for unsigned or freshly-signed software until sufficient reputation builds).

Resolution: On the SmartScreen dialog, click More info → Run anyway. If your organization has disabled this option via Group Policy, your IT team must whitelist the installer EXEs. Confirm integrity before whitelisting by verifying the SHA-256 hashes of the binaries against the hashes documented in your delivery email.

Cause: Heuristic scanners often flag binaries that open raw network sockets, modify firewall rules, or terminate processes — all of which the shield and defense modules legitimately do. Raptor's defense commands use documented Windows APIs (netsh, TerminateProcess, sc stop).

Resolution: Whitelist the Raptor installation directory in your AV. For enterprise AV (CrowdStrike, SentinelOne, Defender for Endpoint), add exclusions for:

• %ProgramFiles%\HyveRaptor\ (shield install location)
• %APPDATA%\HyveRaptor\ (server runtime data)
• %ProgramData%\HyveRaptor\ (shield vault + forensic)

Add the binaries by name to the process-allowlist: raptor-shield.exe, raptor-command.exe, hyve-backend.exe.

Cause: PowerShell ISE execution, or the processes exited before the post-start probe fires.

Resolution: Run 4 - Check Status.exe. If both processes show as running, the installation succeeded and the dialog was suppressed. If either shows as Stopped, open %APPDATA%\HyveRaptor\logs\raptor-command-err.log for the exit reason.

Cause: Another process is already bound to port 8443, 8080, or 9443.

Resolution: Identify the conflicting process:

The last column is the PID. Look up the process name:

Stop it (taskkill /PID <PID> /F) or change the Raptor listen ports via environment variables: RAPTOR_LISTEN, RAPTOR_API_LISTEN, and the hyve-backend flag --listen :<new-port>.

Cause: SQLite database file is corrupted, or two raptor-command processes are trying to open the same DB file simultaneously, or Windows antivirus is holding the file open during scanning.

Resolution:

1. Run 5 - Stop Server.exe and wait 10 seconds.
2. Check for orphaned processes: tasklist | findstr raptor-command. Kill any that remain: taskkill /IM raptor-command.exe /F.
3. If the database file is corrupted (rare), rename it: %APPDATA%\HyveRaptor\raptor-command.db → .db.corrupted. The next server start creates a fresh DB. Historical events will be lost but license keys and shield identities are preserved (they live in separate files).
4. Restart: 3 - Restart Server.exe.

Cause: High-volume threat event ingestion with a large number of connected shields can cause the in-memory event buffer to grow faster than disk writes flush it. Normal for a server with >50 shields producing continuous events.

Resolution: Restart the server nightly via a Windows Scheduled Task invoking 3 - Restart Server.exe. For Sentinel and Command deployments, consider increasing server RAM to 32 GB+ or adding the RAPTOR_EVENT_BUFFER_SIZE environment variable (default 10000, reduce to 2000 for tighter memory pressure).

Cause: A shield is presenting a mismatched session key. This happens when a shield's vault is corrupted, or when a clone of a shield identity is attempting to connect (two machines using the same keypair).

Resolution: Identify the offending shield ID in the log. On that client machine, stop the RaptorShield service, delete %ProgramData%\HyveRaptor\vault\, and restart the service — this forces fresh key generation. If the issue persists, re-run 6 - Install Shield (Client).exe on that machine to reset its identity completely.

Resolution: Open services.msc, locate RaptorShield. If it is listed but not running, double-click → Start. If it refuses to start, check the service error in Event Viewer → Windows Logs → Application.

Common service-start errors:

• Error 1067 ("process terminated unexpectedly") — check %ProgramData%\HyveRaptor\raptor-shield.log for the underlying exception.
• Error 5 ("access denied") — the LocalSystem account lacks access to %ProgramData%\HyveRaptor\. Reset folder permissions with icacls "%ProgramData%\HyveRaptor" /reset /T /C.
• Error 1053 ("did not respond to start or control request in a timely fashion") — the shield binary has an initialization bug or is blocked by AV. Check the log; whitelist in AV if applicable.

Cause: The shield's cryptographic identity vault was encrypted on a different Windows machine (e.g., cloned VM image). DPAPI machine-scope encryption is deliberately tied to the specific machine.

Resolution: Delete %ProgramData%\HyveRaptor\vault\ and restart the RaptorShield service. The shield will generate a fresh keypair and re-register with the command server on its next heartbeat.

Resolution: Three likely causes:

1. License key revoked. The shield authenticates on every heartbeat. If the key was removed from %APPDATA%\HyveRaptor\license-keys.txt on the server, the shield is disconnected on next heartbeat. Verify the key is present and the server has been restarted.
2. Network firewall timeout. Stateful firewalls sometimes drop idle long-poll connections. Configure the firewall to allow connections idle up to 90 seconds. Or, add RAPTOR_POLL_TIMEOUT=30 to the client environment to force shorter polls.
3. Shield service crashed. Check %ProgramData%\HyveRaptor\raptor-shield.log on the client for panic traces. Restart via 7 - Restart Shield Service.exe.

Cause: The license key entered during shield install does not match any key on the server's license-keys.txt, or the server was not restarted after the key was added.

Resolution: On the server, open %APPDATA%\HyveRaptor\license-keys.txt and confirm the key is present exactly as delivered (format HYVE-XXXX-XXXX-XXXX, no trailing whitespace). Run 3 - Restart Server.exe. Run 7 - Restart Shield Service.exe on the client.

Cause: The shield's recon discovery did not classify any running process as an AI agent. Discovery looks for framework markers (langchain, autogen, crewai, openai, ollama, llamaindex, vllm, plus explicit HYVE_AGENT_ID tagging) in the process name or command line, OR an explicit HYVE_AGENT_ID tag in %ProgramData%\HyveRaptor\agent-tags.txt.

Resolution: To explicitly tag a process as a monitored agent, create %ProgramData%\HyveRaptor\agent-tags.txt with one line per tagged process in the format:

Where 12345/67890 are PIDs and the second column is the agent ID. Restart the shield with 7 - Restart Shield Service.exe.

Cause: The Electron renderer could not reach the raptor-command REST API on port 8080 at startup. Most commonly, the server was not running when the Command Center opened.

Resolution: Close the Command Center. Run 1 - Install Server.exe first (or 3 - Restart Server.exe if already installed). Wait for the "HYVE Raptor is running" dialog. Then launch Raptor Command Center.exe.

Cause: The Command Center attempted to auto-launch a bundled raptor-command instance, but port 8080 is already in use by an independently-running server (from 1 - Install Server.exe).

Resolution: This is cosmetic — the independently-running server is actually fine. Close the error dialog and re-open Command Center. It will now detect the existing server and connect to it instead of trying to start its own.

Cause: Either no shields have connected yet, or the Command Center is pointed at the wrong server address.

Resolution: Open the Settings tab and verify the Server Address field shows http://127.0.0.1:8080 (local) or your remote server IP:8080. If remote, verify network reachability from your workstation to that IP on port 8080.

Cause: Commands are delivered asynchronously via long-poll. Delivery can lag up to 30 seconds if the shield is mid-poll-cycle. Also, defense actions require the shield service to have privileges for the specific OS action (firewall modification, process termination).

Resolution: Wait up to 30 seconds for delivery confirmation in the Threat Feed tab. Check the shield log (%ProgramData%\HyveRaptor\raptor-shield.log) for the command execution trace. If the log shows "defense action FAILED" with an error, the RaptorShield service may lack the required privilege — ensure it runs as LocalSystem (default) and not a limited user account.

Cause: Ollama is not running on the server machine, or not reachable at http://localhost:11434.

Resolution: Open an elevated Command Prompt and run:

Leave that window open; the Alpha tab should turn ONLINE within 5 seconds (click REFRESH). For a permanent fix, set Ollama to auto-start by running its installer or adding ollama serve to a Windows Scheduled Task at logon.

Cause: The tier-aware installer's ollama pull was interrupted — power loss, network disconnect, or manual cancellation during download.

Resolution: Identify your tier's base model (Scout = llama3.2:3b, Guardian = llama3.1:8b, Sentinel = llama3.3:70b, Command = llama3.1:405b) and resume the pull:

Then build the HYVE Alpha profile:

Click REFRESH in the Alpha tab.

Cause: The selected Alpha profile exceeds the hardware capacity of this machine. See Section 9 and the product page for the real hardware requirements per tier.

Resolution: Fall back to a smaller profile. For a Sentinel or Command customer running on a commodity server, use Alpha-8 (16 GB RAM is enough):

Then set the Command Center's Alpha model selection to hyve-alpha-8 in the Settings tab. The smaller profile is still fully functional — only the reasoning depth on complex queries is reduced.

Cause: LLM hallucination. The model is constructing plausible-looking identifiers from the general pattern rather than from the live context.

Resolution: This is a known limitation of any open-weight LLM. Cross-check Alpha's answers against the live Threat Feed and Shields tabs. Ask Alpha to "cite the specific event ID" — it will either produce a real one or acknowledge uncertainty. Do not treat Alpha output as gospel for compliance or incident-report documentation; use it as an analyst draft.

Cause: Ollama is running on CPU-only inference, or the selected profile is too large for the available hardware and is spilling to disk (swapping).

Resolution: Check GPU acceleration with:

Look for "GPU" in the output. If only "CPU" is shown, install the NVIDIA CUDA toolkit (or AMD ROCm on supported platforms) and restart Ollama. Alternatively, downgrade to a smaller Alpha profile whose weights fit entirely in system RAM without swapping.

Always run 3 - Restart Server.exe after generating a key. The server reads the key file only at startup.

Verify key formatting — %APPDATA%\HyveRaptor\license-keys.txt must contain comma-separated keys on a single line with no quotes or extraneous whitespace.

Re-run 2 - Generate License Key.exe for each client you need to re-issue. Maintain a separate out-of-band record of which key belongs to which client — the Raptor platform does not store this association.

Open %APPDATA%\HyveRaptor\license-keys.txt, delete the key, save the file, run 3 - Restart Server.exe. This terminates all active sessions — the revoked shield will fail re-authentication on its next heartbeat (within 30 seconds).

Cause: Compliance scores reflect live system state. Common drops:

• A shield went offline → HYC-001 (Agent Identity) drops proportionally
• No threat events received in 24+ hours → HYC-005 (Continuous Threat Monitoring) evidence ages
• No defense commands issued recently → HYC-006 (Incident Response Plan) may show as unverified
• Audit log file not written in 24h → HYC-004 fails

Check the Compliance tab for the specific failing control's Evidence line — it tells you exactly which condition is not met.

Cause: Most common — clock drift between the server and the authenticator app. TOTP codes are valid for a ~30-second window.

Resolution: Sync your server's clock via w32tm /resync (Windows). Try the code at the start of the next 30-second interval. If still failing, your enrollment may not have saved correctly — delete %APPDATA%\HyveRaptor\mfa.json and re-enroll via /api/mfa/enroll. This will force a fresh QR code.

Break-glass procedure: On the server machine (where MFA enrollments are stored), open %APPDATA%\HyveRaptor\mfa.json in Notepad. Delete your operator entry from the JSON array. Save. Restart the server. MFA gate will now allow enrollment again — re-enroll with a fresh authenticator.

Resolution: Open inbound port 8443 (and 9443 if clients validate licenses directly) on every firewall between the client and the server — Windows Firewall on the server, corporate edge firewall, ISP router, cloud security group. Never open port 8080 externally — that's the operator dashboard API.

Verify end-to-end connectivity from the client:

Cause: VPN split-tunneling or DNS mismatch — the server hostname resolves differently inside vs. outside the VPN.

Resolution: Use the server's public IP rather than a hostname in the shield configuration. Or, publish a consistent DNS record accessible from both inside and outside the VPN.

Resolution: On a connected machine, install Ollama and pull the desired base model (ollama pull llama3.1:8b). Copy the resulting model files from %USERPROFILE%\.ollama\models\ to the same path on the air-gapped server. Also copy the Ollama binary to the air-gapped machine (from %LOCALAPPDATA%\Programs\Ollama\). Start the server, run ollama create hyve-alpha-X -f Modelfile.alpha-X against the local Modelfile. Alpha now works fully offline with no external connections.

Procedure:

1. Install Raptor on the new server via 1 - Install Server.exe.
2. Stop the new server immediately (5 - Stop Server.exe).
3. Restore the %APPDATA%\HyveRaptor\ folder from your backup of the old server. Critical files: signing-secret.txt, license-keys.txt, raptor-command.db.
4. Update each client shield's server address to point to the new server's IP (re-run 6 - Install Shield (Client).exe on each client, or edit the shield's config file directly).
5. Start the new server (3 - Restart Server.exe). Shields reconnect within minutes.

The compliance evidence is computed live from the event database. If your raptor-command.db is fresh, the evidence will rebuild as new shields reconnect and new events arrive. For audit continuity, restore the old DB file per the procedure above.

Gather this information and email it to majixx@vibesoftwaresolutions.com:

1. The specific error message you see (screenshot or exact copy)
2. Output of 4 - Check Status.exe
3. Contents of %APPDATA%\HyveRaptor\logs\raptor-command-err.log (last 200 lines)
4. Contents of %ProgramData%\HyveRaptor\raptor-shield.log (last 200 lines, if client-side)
5. Output of ollama ps (if an Alpha Advisor issue)
6. Your Windows version, server specs (CPU, RAM), and license tier

Response target: within 48 hours during business hours. Critical incidents (a live threat in progress on a Command-tier deployment) are prioritized — clearly mark the email subject [CRITICAL].

Only during the initial installation, to download the Ollama engine and the Alpha AI model (~2 GB combined). Once installation is complete, HYVE Raptor operates with zero internet connectivity. There is no telemetry to HYVE, no license check over the internet, no update server to reach. The platform can run indefinitely in an air-gapped or classified environment. Alpha Advisor continues to work fully offline once the model is downloaded.

The raptor-command and hyve-backend binaries are cross-compiled for both Windows and Linux. The launcher EXE files are Windows-only convenience wrappers. On a Linux server, start the processes directly from the bin/ directory. Contact support for Linux-specific deployment documentation. The client-side raptor-shield service is Windows-only in the current release.

Yes. Stop the server with 5 - Stop Server.exe. Copy the entire Raptor package folder and the contents of %APPDATA%\HyveRaptor\ to the new machine. Run 1 - Install Server.exe on the new machine. Your signing secret, license keys, and event database will be carried over. Shields will need to be updated with the new server's IP address — run 6 - Install Shield (Client).exe on each client with the new address, or update the configuration on each client machine directly.

No existing software is modified. The installer creates a data directory in %APPDATA%\HyveRaptor\, starts two background processes, installs Ollama (if not already present), and adds firewall rules. It does not touch your system registry beyond what is required for the processes to run, does not modify any existing application, and does not change any environment variables that other applications depend on.

This is determined by your license plan — Scout (10 shields), Guardian (50 shields), Sentinel (250 shields), Command (unlimited). The platform enforces no hard technical limit on simultaneous connections beyond your plan entitlement. If you need to expand, contact Vibe Software Solutions to upgrade your plan.

Each raptor-shield deployment operates independently. If the connection to your server is lost, the shield continues monitoring AI agents on the client machine. Threat events are queued locally and transmitted when the connection is restored. The shield does not stop protecting the client — it just cannot report back or receive defense commands until connectivity is restored. The client will not see any disruption or error on their machine.

Yes. Multiple operators can open the Command Center simultaneously from different machines, all connecting to the same raptor-command server on port 8080. They will see the same live data. Defense commands issued by any operator are visible to all others in the threat feed audit trail. Each operator's machine needs network access to port 8080 on your server — ensure your LAN routing allows this.

Event retention is configured by your plan. Events are stored in a local database on your server. The database uses write-ahead logging for reliability — events are never lost to process crashes or unexpected shutdowns. If disk space becomes a concern, older events can be archived or pruned. Contact support for guidance on event database management for high-volume deployments.

Yes, via the REST API on port 8080. The API exposes all threat events, shield data, and compliance state in structured JSON format. Sentinel-tier and above plans include webhook delivery — events are pushed to your configured endpoint in real time as they arrive. Contact support for the API reference documentation.

raptor-shield is designed to monitor AI agent processes broadly — it profiles any process that exhibits AI agent behavior characteristics (autonomous API calls, capability declarations, model interactions, external service communication). It is not limited to a specific framework or tool. Agents built on OpenAI, Anthropic, local models, LangChain, AutoGen, and custom stacks are all within scope. Contact support if you have a specific agent runtime you want to confirm coverage for.

No. Zero. There is no telemetry, no crash reporting, no usage analytics, no license phone-home, and no automatic update check that transmits data to HYVE. The only outbound internet traffic during installation is the download of Ollama and the Alpha model from ollama.com. After installation, the platform generates no outbound traffic to any external server. You can verify this by monitoring your network traffic — you will find no connections to HYVE infrastructure.

No. This is an architectural property, not a policy statement. The protocol between raptor-shield and raptor-command transmits threat metadata — behavioral signals, anomaly scores, attack vector classifications, event timestamps — not the underlying data that the AI agents were processing. A healthcare client's PHI, a law firm's case files, a government agency's classified documents — none of this can reach the operator's server because the shield is designed to never transmit it. This is not enforced by a terms of service. It is enforced by how the system is built.

The channel between each raptor-shield and your raptor-command server uses ML-KEM-768, a NIST-standardized post-quantum key encapsulation mechanism (FIPS 203). This is applied at the application layer — not just at the transport layer. This means that even if standard TLS encryption is broken by future advances in quantum computing, the threat intelligence in transit remains protected. This is the "harvest now, decrypt later" threat model — adversaries recording your traffic today cannot decrypt it in the future with quantum hardware.

Each shield generates a unique cryptographic identity key the first time it runs. That key is stored at %ProgramData%\HyveRaptor\vault\ on the client machine, encrypted using Windows DPAPI with machine-scope protection. Machine-scope DPAPI means the key can only be decrypted by processes running on that specific machine — it cannot be copied to another machine and decrypted, and it cannot be accessed by user-level processes without the appropriate service context. Only the RaptorShield service can read its own identity key.

HYVE Raptor is sold as a white-labelable operator platform. You are the authority — you generate keys, you run the server, you own the relationship with your clients. The shield installer can be configured with your organization's branding. Contact Vibe Software Solutions for white-label configuration options for your deployment.

Alpha reads live system state for operational questions (threats, shields, compliance). For questions about external topics — regulatory frameworks, security concepts, specific CVEs — Alpha uses the knowledge baked into its language model, which has a training cutoff date. For current events or recently published standards, cross-reference Alpha's answers with authoritative sources. Alpha is most reliable and most powerful when you ask it about your specific deployment, not about the external world.

In the current release, Alpha uses the llama3.2 base model without custom fine-tuning. Customization through document ingestion (retrieval-augmented generation) and custom model fine-tuning are planned for a future release. Contact support to register your interest in this capability.

Alpha is designed to work with models served by Ollama. If you have specific model requirements — a larger model for higher quality, a smaller model for faster inference on constrained hardware, or a domain-specific model — contact support for guidance on supported model configurations. Swapping models is technically possible but the integration has been tested and validated against llama3.2 specifically.

Alpha's recommendations are advisory, not automatic. The platform will never issue a defense command without your deliberate action. Alpha surfaces its reasoning — you can see what evidence it drew on and why it made a given recommendation. Use Alpha's analysis as one input alongside your own judgment, your knowledge of the client's environment, and the operational context. For NEUTRALIZE and LOCKDOWN recommendations especially, treat Alpha as a well-informed analyst whose advice you weigh, not an authority whose instructions you execute without thought.

The compliance engine provides real-time posture scoring based on your live deployment state. The evidence and control mapping are based on published framework requirements. Whether this data is accepted by a specific auditor as audit evidence depends on the auditor and the audit framework. The reports are accurate representations of your platform state at the time of export. We recommend presenting them as part of a broader evidence package alongside your policies, procedures, and other technical controls. Alpha Advisor can help you prepare audit narratives based on your current compliance state.

Compliance scores reflect live system state. If a shield went offline, a required control that depended on connected shield coverage may have lapsed. If no defense commands have been issued recently, incident response controls may have aged out. Check the Compliance tab for the specific failing controls and review the evidence column — it will show you exactly what condition is not being met. Alpha Advisor can give you a fast path to restoring the score.

The platform will accept connections up to your plan's shield limit. Shields that attempt to connect beyond that limit will fail authentication. They will not damage the platform or affect existing connected shields. To add capacity, upgrade your plan and contact Vibe Software Solutions. The upgrade takes effect immediately — no reinstallation required.

HYVE Raptor is software you run on your infrastructure. Cancellation ends your entitlement to updates, new feature access, and support. The currently deployed binaries continue to run. Nothing in the platform phones home to validate your subscription status at runtime — there is no kill switch. Your existing deployment remains functional. However, continuing to run a version that no longer receives security updates is not recommended for production environments.

Yes. Contact Vibe Software Solutions at majixx@vibesoftwaresolutions.com or book a demo at vibesoftwaresolutions.com/hyve-raptor to request an evaluation package. Trial deployments are fully functional with a time-limited license key and a reduced shield limit. All features — including Alpha Advisor and the full compliance engine — are available during the trial.