5651 compliance, engineered as proof
Every access record is bound into a tamper-evident chain, sealed daily, and signed with an independently verifiable timestamp. Not just logging — producing legally defensible evidence.
Chain of evidence
A record's tamper-evident journey
Four layers of sealing, from each event to a signed evidence pack.
1. Hash chain: Each event is chained to the previous with SHA-256; append-only.
2. Daily Merkle root: Each day's records are gathered into a single root hash.
3. RFC 3161 TSA: The daily root is signed by the TÜBİTAK Kamu SM timestamp authority.
4. Signed export: An independently verifiable evidence pack is produced.
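The first two sealing layers, and the reason the third exists, as an added example that is not Anchor's own code. The record fields, the genesis value, the `SHA-256(previous hash || JSON)` construction and the Merkle layout are assumptions; the RFC 3161 step appears only as a root value assumed to be held outside the log store.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed chain start value

# Constructed sample records (documentation IP ranges, example domains).
SAMPLE = [
    {"ts": "2024-05-01T09:00:01Z", "user": "u1", "src_ip": "192.0.2.10", "dest": "example.com"},
    {"ts": "2024-05-01T09:00:07Z", "user": "u2", "src_ip": "192.0.2.11", "dest": "example.org"},
    {"ts": "2024-05-01T09:01:30Z", "user": "u1", "src_ip": "192.0.2.10", "dest": "example.net"},
]

def _link(prev_hex, record):
    # Assumed construction: SHA-256(previous hash || canonical JSON of the record).
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hex) + body).hexdigest()

def chain_records(records, prev=GENESIS):
    """Layer 1: bind every record to its predecessor."""
    entries = []
    for rec in records:
        prev = _link(prev, rec)
        entries.append({"record": rec, "hash": prev})
    return entries

def merkle_root(hashes):
    """Layer 2: one root per day. 0x00/0x01 prefixes keep leaves and nodes distinct."""
    if not hashes:
        raise ValueError("no records to seal")
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in hashes]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted, never duplicated
        level = nxt
    return level[0].hex()

def verify_day(entries, sealed_root, prev=GENESIS):
    """Return (ok, index of first broken link or None)."""
    for i, e in enumerate(entries):
        prev = _link(prev, e["record"])
        if e["hash"] != prev:
            return False, i
    # A fully re-hashed or truncated chain is self-consistent; only the sealed root exposes it.
    if not entries or merkle_root([e["hash"] for e in entries]) != sealed_root:
        return False, None
    return True, None
```

An edit to a stored record is located by the chain check, while a chain that was rebuilt or shortened by someone with write access passes the chain check and fails only against the externally sealed root.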
Signed export
One click in an audit produces an independently verifiable evidence pack.
web_access.csv
Who accessed what destination, when, and from which IP.
manifest.json
Hash-chain roots and TSA timestamp references.
verify.sh
A script that lets a third party verify the evidence independently.
Two modes
Correlation and Inline
Correlation mode (Lite / Standard)
Firewall syslog + NAC session table are merged into an enriched access record.
Inline mode (Pro / On-Prem)
The Edge N100 bridges traffic and captures the destination (HTTP Host, TLS SNI, DNS) directly, without MitM.
Why it's stronger
Beyond log-only tools
Tools like FortiLogger collect logs; Anchor turns those logs into legally defensible evidence.
Hash chain (SHA-256)
Append-only; the smallest change is detected instantly.
RFC 3161 TSA anchoring
The daily root is signed by TÜBİTAK Kamu SM — not alterable retroactively.
Sigstore Rekor + cosign
Supply-chain signing and a transparency log.
Independent verification
The signed export pack can be verified by a third party.
Standards referenced
Let us take 5651 off your plate
Let's discuss how to deploy audit-ready, signed 5651 infrastructure in your organisation.