In the 16th century, the Spanish dollar — known as Pieces of Eight — became the world's first truly global currency. It worked not because of the authority of Spain, but because of a remarkable property: anyone could verify it.
Cut a Piece of Eight into pieces. Weigh it. Bite it to test for lead filling. The verification was built into the artifact itself, not dependent on trusting the issuer.
The Verification Gap
Modern trust infrastructure has the opposite problem. We rely on attestations of authority rather than verifiable artifacts:
| Trust Mechanism | Verification Method | Trustworthy? |
|---|---|---|
| SOC2 Type II Report | "Trust the auditor" | Somewhat |
| Security Questionnaire | "Trust the vendor" | Not really |
| Penetration Test Report | "Trust the pentest firm" | Depends |
| Corsair CPOE | Verify the signature | Mathematically |
A CPOE is verifiable by anyone, anywhere, without trusting Corsair, the vendor, or any intermediary. The Ed25519 signature is the mathematical equivalent of cutting, weighing, and biting.
The Dual Encoding
Every concept in Corsair carries dual meaning — pirate brand on the surface, functional description underneath:
- CPOE = Corsair Pieces of Eight = Certificate of Proof of Operational Effectiveness
- Marque = Letter of Marque (privateer license) = the signed CPOE document
- Parley = Pirate negotiation protocol = the trust exchange protocol
This isn't just branding. The historical parallels are structurally meaningful. Pieces of Eight succeeded because verification was decentralized. CPOEs succeed for the same reason.
From Tool Output to Signed Proof
Your security tools already generate the evidence. Scanners test your cloud posture, CI pipelines produce findings, and vulnerability engines track risk. The problem is that none of this output is cryptographically verifiable or machine-exchangeable.
Corsair bridges this gap. Run `corsair sign --file scan-results.json --mapping ./mappings/toolx.json` and the tool output becomes a signed CPOE — a W3C Verifiable Credential that anyone can verify with standard JWT libraries and the issuer's public key.
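What "verify with the issuer's public key" involves for an Ed25519-signed JWT, as an added example (not Corsair's code and not part of the original post), using only Node's built-in `crypto` with the algorithm pinned to EdDSA. The key pairs, the `did:web:issuer.example` identifier and the payload fields are constructed for illustration; the real CPOE claim layout is not given on this page.

```javascript
const crypto = require("node:crypto");

const b64u = (data) => Buffer.from(data).toString("base64url");
const fromB64u = (s) => Buffer.from(s, "base64url");

// Stand-in for an issuer signing a credential (constructed, not Corsair's code).
function signJwt(payload, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "EdDSA", typ: "JWT" }))}.${b64u(JSON.stringify(payload))}`;
  // Ed25519 hashes internally, so the digest argument is null.
  return `${input}.${b64u(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Returns the decoded payload if the signature verifies; throws otherwise.
// Claim checks (expiry, expected issuer) are left out to keep the focus on the signature.
function verifyJwt(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64u(h).toString("utf8"));
  // Pin the algorithm: the token must not be able to select "none" or an HMAC.
  if (header.alg !== "EdDSA") throw new Error(`unexpected alg: ${header.alg}`);
  const sig = fromB64u(s);
  if (sig.length !== 64) throw new Error("Ed25519 signatures are 64 bytes");
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, sig)) {
    throw new Error("signature check failed");
  }
  return JSON.parse(fromB64u(p).toString("utf8"));
}

function accepts(token, publicKey) {
  try { verifyJwt(token, publicKey); return true; } catch { return false; }
}

function demo() {
  const issuer = crypto.generateKeyPairSync("ed25519");
  const stranger = crypto.generateKeyPairSync("ed25519");
  // Constructed payload; field names are illustrative only.
  const payload = { iss: "did:web:issuer.example", vc: { credentialSubject: { controlsPassed: 40, controlsFailed: 2 } } };
  const token = signJwt(payload, issuer.privateKey);
  const [h, p, s] = token.split(".");
  const edited = { ...payload, vc: { credentialSubject: { controlsPassed: 42, controlsFailed: 0 } } };
  return {
    genuine: accepts(token, issuer.publicKey),
    editedPayload: accepts(`${h}.${b64u(JSON.stringify(edited))}.${s}`, issuer.publicKey),
    wrongKey: accepts(token, stranger.publicKey),
    algNone: accepts(`${b64u(JSON.stringify({ alg: "none" }))}.${p}.`, issuer.publicKey),
  };
}

console.log(demo());
```

Only the untouched token checked against the issuer's own key is accepted; the check says nothing about whether that public key really belongs to the named issuer, which the verifier has to establish separately.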
What Comes Next
The CPOE is the atomic unit of a new trust infrastructure. When enough organizations sign their tool output into CPOEs and exchange them, the network effect creates a trust graph — a web of cryptographically verified security assessments that replaces the current web of unverified questionnaires.
This is how you disrupt an $8.57 billion market: not by building a better questionnaire, but by making questionnaires obsolete.