TL;DR: You should NOT trust by default. Unless…
How do you tell what's actually true from what's just confidently claimed, preached, or plain made up?
Should I trust my research conclusions, my findings, Gino's report, Laly's article, or the hot take by the latest Lenny's guest?
The unforgiving assumption Reaper. An adversarial auditor: what it checks, how, and the science under it.
There is no answer. There are months of falsification attempts and aggressive tests, and only I can attest to those. Have other options? Go for them. Or take a leap of faith: test it, like it or not.
Swan Attack exists for one problem: fluent, confident text that may or may not be wrong. A language model will hand you a clean paragraph with a citation that tells a different story, or a conclusion that sounds right but does not follow from the data. A LinkedIn post will wave a number at you with no method behind it. The audit pulls these apart. It checks that sources are real and say what they are quoted as saying, that conclusions actually follow from their facts, that the material does not contradict itself, and that the author does not have a quiet reason to mislead you.
The job is to separate two things that usually arrive looking identical: a claim backed by real, disclosed evidence, and a baseless assertion or a plain guess wearing the same confident tone. Once you can tell them apart, you know what to trust and what to set aside.
Your research conclusions are well grounded. Sources are scored, and most of the ones used are A++, with plenty of citations. You are scanning the corpus (never skip the human in the loop, ever), and one finding looks very interesting and slightly off. So you go for the exact sources behind it. Very strong ones. You don't concede, and you read the whole papers end to end. The statement does not fit: it uses the two sources' findings, but tilts them to support a baseless take, a fabricated one. That is very hard to detect. Swan Attack catches it, piece of cake.
Swan Attack usually catches this one. I have no counterexamples.
Now a harder one. Deep-research agents work as teams of sub-agents that scan and synthesize the web. Because they dig into a topic, they keep landing on the same popular user-generated pages: a Reddit thread, a Wikipedia article. Researchers call this retrieval overlap, and it turns those few pages into a concentrated attack surface. An adversary appends a short, crafted passage to one frequently retrieved page. From then on the agent reads it, cites it, and promotes the attacker's chosen entity across many related queries. The citation is real and clickable, pointing at a genuine site, so the manipulation looks entirely legitimate.
This is the hardest kind to catch: the source exists, and it really does say what it is quoted as saying, so a plain source check passes clean. What flags it is triangulation, the same planted entity surfacing as a suspiciously consistent signal across unrelated queries, plus asking who benefits.
Source: Cornell Tech, "AI Poisoning via Web Search," arXiv:2605.24245.I bet Swan Attack also catches this one, but I could not run the audit: no corpus has been made available.
Swan Attack catches invented sources, untestable claims, broken logic, self-contradiction, hidden conflicts of interest, and plans that collapse the moment you play them forward. It gives you a plain verdict on what survived, its own confidence shown out in the open, and the exact weak spots named, so the decision stays yours.
What it does not give you is certainty. There is no 100% on this planet. The rule underneath everything, from the philosopher Karl Popper, is that you can only ever prove something false, never fully true. So the audit makes no claim to truth. It gives you the strongest standing an idea can have short of measuring it yourself: it survived honest, repeated attempts to knock it down.
The rest of this page walks through each check: what it does, the plain reason it works, and the scientific method behind it. The map first.
Picture a turkey on a farm. Every morning the farmer brings food. Every single day confirms what the turkey believes: people are kind, food always arrives, life is safe. A thousand days of evidence, all pointing the same way. The turkey has never felt more certain than on the morning of the thousandth day. That afternoon, two days before Thanksgiving, the farmer does what he's supposed to do.
A thousand days of confirming evidence did nothing to warn the turkey about the one bad day that mattered.
The data was never proof. It was just the absence of the counterexample, right up until the counterexample arrived.
This is the principle the philosopher Karl Popper called falsification. An idea earns trust not by being confirmed, but by surviving honest, severe attempts to prove it wrong. So the audit never tries to confirm a claim. Confirming evidence can pile up forever and still hide a fatal flaw. As the bird witnessed.
The audit does the opposite. It tries to break what you give it, and reports what it could not break.
So is validation an empty word? Nope. It gets misused. The word only fits one situation: checking something against criteria you set in advance. Success criteria, qualification criteria, a clear pass or no-pass. "Did this meet the bar we defined?" is a fair thing to validate, because you control the bar.
"Is this claim about the world true?" is not. You can never fully validate that. You can only try to falsify it and report what survived.
Before any audit is run, you must define a specific goal.
Everything below this is about checking other people's material. But the very first thing the audit checks is your own input: the project and the goal you hand it. Before any work starts, it treats your goal the same way it treats any claim. It does not try to confirm your goal is good. It goes looking for the reason it must fail. This is the falsification idea from the opening, pointed back at you. Swan Attack calls it the Feasibility Thesis.
Example: you say "launch the product in 24 hours." The audit goes hunting for the one hard fact that kills it, and finds that the App Store review alone takes 48 hours. That single fact proves the 24-hour goal impossible, and the goal gets revised before a minute is spent building toward something that could never happen.
The goal is the one fixed point. Everything else is measured against it: whether a path is on track, whether the work has drifted, how close you are to done. A vague goal gives the audit nothing to measure against, so every later check loses its ruler. "Make it better" cannot be tested, cannot be drifted from, cannot be finished. "Cut the signup form from nine fields to three without lowering completion" can be checked at every step. The more precisely you state the goal, the more the audit can actually catch. A loose goal is the most common reason the whole thing runs soft. It's a failure mode. Ambiguous goal, nothing starts. If the goal is too unclear to work with, the audit stops and asks for it.
When a problem has several possible paths, which happens often, the audit can spin up temporary helper agents on the spot, one per path, and run them at the same time, up to five at once. Each one is locked to the same goal you set.
They are goal-oriented by construction: the goal travels with each agent as a fixed limit it cannot break, the way a contractor cannot ignore the budget you signed. Each agent chases its own path, reports what it found, and the audit compares the results and keeps the strongest. The agents are created only when needed and dropped when done, so the work runs in parallel without wandering, because they all answer to the one locked goal.
When the material quotes a source or cites a study, the audit checks two simple things. First: does that source actually exist? Second: does it really say what it is being quoted as saying, word for word, not a loose version of it. It also refuses to invent numbers. If a number was never actually measured, it writes "not measured" instead of guessing one.
Why it works: a quote is just another claim. Someone saying "studies prove this" does not make it true. You have to go and look at the study. It is the same reason a careful journalist will not print a juicy tip until a second person, an ombudsman, confirms it. The source has to earn its place before anyone leans on it.
For each claim, the audit asks one question: what would I need to see for this to be false? If the honest answer is "nothing could ever show this is false," it sets the claim aside.
Why it works: a claim that can never be wrong tells you nothing useful. Take "everything happens for a reason." No matter what happens, good or bad, you can say it fits. Because nothing could ever contradict it, it carries no information. A claim worth something sticks its neck out. It says "if you see this, I am wrong." Those are the claims worth testing. This is Popper's idea again, used as a filter: only testable claims are worth the effort of testing.
The audit separates the facts from the conclusion drawn out of them, and checks whether the conclusion really follows from those facts. Sometimes every single fact is correct, but the jump to the conclusion is not.
Why it works: correct facts with a bad jump still land on a wrong answer. For example: "It rained last night. The streets are wet. So it must rain here every night." The two facts are true. The conclusion does not follow at all. The audit looks hard at the word "so," not just at the facts before it. That jump is where a lot of confident-sounding nonsense hides.
The audit hunts for places where the material says two things that cannot both be true. That can be inside the same document, or against well-known facts, or against its own earlier logic. When it finds a pair, it shows both side by side.
Why it works: if someone says two opposite things, at least one of them is wrong, or they are hiding a distinction they never explained. For example, a report that says "we did not lose a single person" and later says "the software took over most of those jobs." Both cannot be fully true as written. That clash points straight at the spot that needs a harder look, with no extra digging.
Before backing a plan, the audit lays out several realistic ways things could actually go. It plays each one forward, and discards the ones that fall apart. From what survives, it picks the path that needs the fewest things to go right.
Why it works: a plan you never test in your head falls apart the first time it meets the real world. This borrows two ideas. The first is the Monte Carlo method, where instead of trusting one prediction you run many varied versions and see which hold up. The second is Gary Klein's pre-mortem: before you commit, imagine the plan has already failed and ask why. Both force you to meet the failure on paper, when it is cheap, instead of in reality, when it is not. The plan that needs the fewest things to go right is the safest, because there is less that can break.
Before tearing an idea down, the audit first builds it up. It fixes the weak wording, gives it the benefit of the doubt, and makes it the strongest version it can be. Then it attacks that strong version. If even the strong version falls apart, the idea is dead for good.
Why it works: it is easy to win against a sloppy, weak version of what someone meant. But winning that way proves nothing, because they never meant the weak version. This is steelmanning, the opposite of a strawman. The only fair fight is against the best version of the idea. If the best version survives the attack, now there is really something there. If it does not, no time was wasted on a weak target.
The audit takes every "we can't do that" in the material and sorts it into three piles. One: a hard limit, backed by real evidence. Two: a limit we put on ourselves, which we could change if it were worth it. Three: an assumption nobody ever actually checked. Anything not clearly sorted gets treated as an unchecked assumption. Then it asks, for each one: what would change if this limit were not there?
Why it works: a lot of things people treat as solid walls are really just habits, or old decisions, or guesses nobody ever questioned. Treating a problem as a set of real constraints to satisfy, and nothing more, is how planning software works: it only respects the limits that are actually binding. Sorting them shows which walls are real stone and which are painted on. Very often there is one fake wall that, once you walk through it, opens up the whole problem.
The audit also keeps an eye on itself, not just on the material. Is it wandering off the actual question? Is it padding? Is it going in circles? Is it making something more complicated than it needs to be? The tds tag in the header line is this self-watch running.
Why it works: it is easy to hand back a clean-looking answer that is only clean because the hard question got quietly swapped for an easier one. Two ideas keep it honest. It treats your feedback as new evidence and updates its read of what you want, rather than clinging to its first guess. And it measures how far the current thread has drifted from the locked goal, the way you would measure the angle between two directions, and flags it when the gap grows too wide.
Swan Attack borrows the reasoning of these methods. It does not run them as literal mathematics.
| Method | In plain terms | What it informs in Swan Attack |
|---|---|---|
| Falsificationism (Karl Popper) | An idea is only worth anything if it could be proven wrong; trust comes from surviving attack, not from confirmation. | The whole audit stance. |
| Occam's Razor (lex parsimoniae) | Among answers that work, prefer the one with the fewest assumptions. | Picking the simplest surviving path; trimming steps. |
| Constraint Satisfaction (CSP) | A problem defined as a set of limits that a solution must all satisfy at once. | Goal lock and decision lock, treated as binding constraints. |
| Communication Accommodation Theory (Howard Giles) | People shorten the distance between each other by matching language and style. | Mirroring your vocabulary and directness. Governs delivery, not the audit itself. |
| Monte Carlo method | Instead of one prediction, run many varied versions and keep what holds up. | Playing a plan forward across several paths. Inspiration only, not literal random sampling. |
| Pre-mortem (Gary Klein) | Before acting, assume the plan already failed and work out why. | The failure hunt inside simulation. |
| Bayesian updating | Revise your belief as new evidence arrives, rather than holding the first guess. | Updating its read of what you want each time you push back. Spirit, not literal Bayes math. |
| Vector space and cosine similarity | Turn ideas into directions and measure the angle between them to see how far apart they are. | The drift watch (tds), comparing the current thread against the locked goal. The model, not literal math. |
| Aviation preflight checklists | Fixed-order checks run every time, so nothing critical is skipped under pressure. | The discipline of running the same checks in order, and situational awareness. |
| Earned Value Management | Track progress and variance out in the open so trouble shows early. | Showing confidence, position, and drift in the header on every reply. |
| Critical Discourse Analysis | Read how something is framed, not just what it claims. | Spotting spin and loaded framing in a source. |
| Diachronic contextualization | Place a claim in its moment, e.g. is this just the noisy peak of a hype cycle. | Weighing a claim against where it sits in time. |
Once a goal is set and the audit is triggered, it reports its own result before the verdict and all related arguments, using a line in brackets. A few examples:
H means clean. You can act on it. M means a couple of loose ends are still open, so read the warning line first. L means shaky. Do not act on it.Held means it stuck to its answer even when pushed. Moved means a real new argument changed its mind. Being pushed without a new argument should never move it.Trust it fully when it is clean, when it says it has reached the goal, and when it held its answer under at least one round of pushback. If a warning is showing, or it says there are loose ends, trust it only for what it is not warning you about.
I used to do it in earlier versions. I found little divergencies, none of which concerning. As it is today, it will tell you that you are auditing its own verdicts, and won't like it, because the results will be unstable and unreliable. Fair enough.
For updates, new articles, or more details, find me here.
Subscribe nowFollow me on Substack — free.