MeshGuard.
AI neural watermarking embedded into the mesh geometry itself — not into a sidecar file, not into a STL header, not into a metadata tag. The watermark survives slicing, scaling, infill choice, and the eighteen months of handling we measured in the field. Detection runs offline in eleven milliseconds on commodity hardware. False-positive rate, at the deployed decision threshold, sits below 10-9.
Why watermarks on meshes are hard.
The naive approach — embed a payload in mesh metadata — dies on the first slicer pass; slicers strip metadata, re-triangulate, decimate, repair. The slightly less naive approach — embed in vertex coordinates — survives slicing but produces detectable surface artifacts at the precision required for survival.
MeshGuard takes a different approach: a small neural network learns a mesh-level perturbation that is below the perceptual and metrological detection threshold, yet survives the standard slicer pipeline because it is encoded in topology-stable features (curvature spectrum, geodesic landmark spacing) rather than in raw vertex coordinates. The detector is a sibling network trained on the same feature space.
The AI model is the product core.
MeshGuard uses paired AI models: an embedder that learns topology-stable perturbations and a detector that reads mesh or point-cloud features after manufacturing transformations. The model output is always paired with a signed payload and customer key binding.
| embedder | Generates watermark perturbations below the customer's dimensional tolerance budget. |
|---|---|
| detector | Scores mesh files, slicer outputs, or scanned point clouds against a customer payload. |
| triage model | Ranks suspicious parts by confidence, supplier history, part class, and mismatch severity. |
Algorithm sketch.
- Feature extraction. The embedder computes a topology-stable feature spectrum on the input mesh — curvature distribution, geodesic landmark spacing, surface normal entropy.
- Payload encoding. A 128-bit payload (customer identifier + part identifier + nonce) is expanded into a perturbation vector in feature space, signed by the customer's MeshGuard key.
- Perturbation embedding. The embedder back-projects the perturbation onto vertex positions, bounded by a configurable perceptual budget. The default budget is 12 µm maximum vertex displacement — below the dimensional tolerance of every printer process we have certified for.
- Mesh emission. The watermarked mesh is emitted in the customer's preferred format (STL, 3MF, OBJ). The watermark is in the geometry, not the file format.
- Detection. The detector accepts a mesh (or a point cloud sampled from a physical part) and produces a confidence score against a customer key. Scores above the decision threshold are accepted; below, rejected.
The detector runs on the same feature spectrum, which is what makes the watermark survive: a slicer cannot reasonably modify the curvature spectrum without producing a part that looks different to a human.
What it survives.
The field measurement programme (advisory 3DC-2026-04-A2) measured watermark survival across 41 sites, 11 material classes, 7 slicer builds, and 18 months of physical handling. Headline survival rates from the programme below.
| operation | survival rate | notes |
|---|---|---|
| slicer pass (Prusa / Cura / Orca / Bambu / Materialise) | 100.00% | n = 41,184 slices, no failures |
| uniform scaling 0.5× to 2.0× | 99.998% | 1 failure at 2.0× on a coarse mesh, recovered after re-mesh |
| infill change (10% ↔ 100%) | 100.00% | watermark is in the shell topology, infill is irrelevant |
| shell thickness change (1–6 perimeters) | 100.00% | as above |
| orientation change | 100.00% | feature spectrum is orientation-invariant by construction |
| FDM print + cooled handling (PLA, PETG, ASA) | 99.94% | 2 failures across 3,180 parts; failures correlated with extreme warping |
| SLS print + post-process (PA12, PA11, glass-filled PA12) | 99.86% | 4 failures across 2,840 parts; investigated, traced to surface bead damage |
| SLA print + UV cure | 99.71% | residual cure shrinkage near vertical features; 0.5% across cohort |
| metal DED + machining finish | 97.40% | finishing removes some surface; threshold increased for metal parts |
| 18 months physical handling (cohort sample) | 99.62% | n = 1,580 parts tested, parts returned from customer use |
The numbers above are signed against the field-study programme key. The full report (advisory 3DC-2026-04-A2) carries the per-material breakdown, the regression analysis on warping, and the four edge-case failures we did not recover.
False-positive rate.
What we publish is the FPR at the deployed decision threshold. The full ROC curve from the field study is in the report.
| threshold | false-positive rate | true-positive rate | recommendation |
|---|---|---|---|
| 0.50 | ≈ 10-3 | 99.98% | too lenient; rejected |
| 0.85 | ≈ 10-7 | 99.91% | acceptable for non-regulated |
| 0.93 | < 10-9 | 99.84% | deployed default |
| 0.97 | ≈ 10-12 | 99.62% | recommended for high-stakes contested claims |
The deployed default sits at 0.93. Customers with contested-claim use cases (e.g. legal evidence in counterfeit litigation) typically run a parallel scan at 0.97 and rely on the lower-threshold scan for ambient detection.
Detection in production.
Mesh-form detection.
The detector accepts a mesh file directly (STL, 3MF, OBJ, PLY). Useful when an OEM is checking a third-party CAD file uploaded to a licensed-manufacture portal. Runs at 11 ms median on a single CPU core for a typical 800k-triangle aerospace bracket.
Physical-part detection.
A point cloud sampled from a physical part (structured light scan, photogrammetry, CT for opaque parts) is sufficient. The detector reconstructs the feature spectrum from the point cloud. Detection on a 1.2 million-point scan runs in approximately 40 ms.
Both detection modes are offline. The detector binary is approximately 18 MB and ships with the SDK; the model weights are signed and pinned to a customer's MeshGuard key cohort. There is no telemetry to us during detection; we do not know what you scan or when.
Where MeshGuard earns its keep.
- Licensed third-party manufacture.
- OEMs that license out-of-warranty replacement printing keep track of which third parties manufacture under licence. MeshGuard embeds the licensee identifier in every shipped CAD; physical parts can be traced back to the licensee even after a year in service.
- Counterfeit detection in spare-parts logistics.
- Industrial spare-parts OEMs scan inbound parts at warehouse intake. Watermark match means a legitimate licensed copy; watermark absence triggers a deeper inspection. The cost per scan is below the cost of one call-centre minute on a returned counterfeit.
- Provenance evidence in litigation.
- Two ongoing IP-litigation cases (under NDA) use MeshGuard scans as part of their evidence chain. Detection at the 0.97 threshold provides confidence at the standard required.
- Regulatory traceability.
- Medical implants printed at multiple sites under the same OEM brand can be traced to their print site. The watermark resolves to a site-and-printer identifier that the OEM's quality system reconciles against its TwinCert records.
What MeshGuard does not do.
Honest limits, surfaced rather than buried.
- It does not stop counterfeit production. A determined counterfeiter can manufacture without the watermark; what MeshGuard does is make the counterfeit identifiable as such after manufacture.
- It does not survive arbitrary mesh remodeling. A counterfeiter who manually remodels a part in a CAD system (rather than printing your CAD file) produces a fresh mesh with no watermark. MeshGuard defends against the high-volume scenario, not the artisan one.
- It does not survive aggressive surface-finishing on metal. Heavy machining removes the surface features the watermark sits in. Metal parts intended for heavy post-process should rely on TwinCert for provenance, not MeshGuard alone.
- It does not perform cryptographic verification. MeshGuard tells you a part originated from your CAD; it does not tell you the part was actually made by an authorised printer. For that, you want Vault3D + TwinCert.
Integration shape.
For OEMs distributing CAD to third parties.
The embedder runs at the OEM's distribution point. A typical pipeline: licensee requests CAD via portal, portal calls MeshGuard embedder with the licensee identifier as payload, embedder emits a watermarked mesh, the watermarked mesh is what the licensee downloads. The OEM keeps the source mesh; the licensee gets a per-licensee variant.
For OEMs operating their own print fleet.
The embedder runs at the slicer entry — before any tool-path generation. The payload is per-printer, per-batch, or per-customer order, depending on the OEM's traceability policy. The watermarked mesh feeds the slicer normally; the resulting part is identifiable to its print event.
For verification at the receiving site.
The detector runs locally on the verifier's hardware. Mesh-form for digital files, point-cloud for physical parts. The customer console exposes a one-click scan flow; the SDK exposes the same operation for high-throughput pipelines.