# Detection Rules The kernel's anomaly detection is expressed as eight explicit rules (**R1–R8**), each a deterministic predicate over signals. When a rule fires, it pushes the [[Four-State Trust Machine]] toward lower trust. Rules are human-readable and auditable — there is no hidden model deciding what counts as anomalous. > [!tip] Cross-domain discriminative power > The most discriminative rule is the pressure baseline drift check (**R5/R5b**), which separates normal from anomalous behaviour by a factor of **1,262×** on SWaT and **1,188×** on HAI. See [[Pressure Baseline Drift]]. Rules operate on signals mapped per-site through [[Profile-Based Portability]], but the rule logic itself lives in the unmodified [[Common Trust Core]]. The same R1–R8 ran unchanged across all four [[Cross-Domain Validation|validation domains]]. Rules are paired with [[Proven Invariants]]: rules catch *deviation*, invariants assert *what must always hold*. Together they drive trust state. --- Related: [[Integrity Kernel MOC]] · [[Pressure Baseline Drift]] · [[Proven Invariants]] · [[Common Trust Core]] · [[Four-State Trust Machine]]