Protection Network

Three signal sources. One defensive network.

Every customer benefits from every detection. Mnemom AEGIS — the Adaptive Enforcement, Governance & Intelligence Substrate — feeds three independent signal loops into a single candidate review queue, then signs the promoted recipes and propagates them to every gateway in the network. Same vocabulary as the cards: four checkpoints × four enforcement modes, Platform → Org → Team → Agent, strictest-wins.

See the four checkpointsInspect the IoC feed

Three signal loops feed one substrate.

Three independent signal loops. One review queue. The detection content and the enforcement controls travel through the same signed machinery — so a lesson learned anywhere lands everywhere.

Signal 1 — Adversarial arena

15 canonical personas. Mutation-phase gated. Live in production.
  • Fifteen adversarial personas span every canonical threat type across the four Safe House checkpoints, including a supply-chain mole at inside.integrity.
  • Mutation-phase gating lets attacks evolve only while per-bucket detection holds above threshold, with sustained hysteresis to prevent thrash — evaluated independently per substrate fingerprint.
  • Arena traffic runs on its own isolated write path, kept separate from production signal so synthetic attacks can never contaminate customer data. The isolation is enforced server-side, not by convention.

Signal 2 — Customer reports

False positives and false negatives, reported by the customers running the agents.
  • Customers report misses (false negatives) and over-blocks (false positives) directly from the dashboard or through the report API.
  • Every report flows into the same review queue the arena feeds — one shared queue, one signed pipeline, regardless of where the signal came from.
  • Calm-at-GA: this signal exists because false positives are inevitable. Mutation-phase gating and false-positive auto-rollback are both built on the assumption that we will get things wrong — and that you will tell us when we do.

Signal 3 — Cross-tenant aggregator

The L1 worker. The network's vision. The genuinely new work.
  • The network keeps rolling statistics for every substrate fingerprint — the provider, model, and SDK combination an agent runs on. Every evaluation across the network is stamped with that fingerprint.
  • When seemingly unrelated security events at different customers share a substrate fingerprint, the aggregator ties them into a single campaign signature — the cross-tenant view no individual customer can see on their own. Live in production.
  • This is what nobody else in the market has. Hyperscaler guardrails, in-process detectors, and per-tenant proxies all see one customer at a time. The aggregator sees across all of them.

Three loops. One substrate. Signed all the way through.

Three loops, one substrate — the AEGIS pipeline end to end.

Arena
15 personas + mutation-phase gate
Customer signal
Customer reports + telemetry
Cross-tenant aggregator
Rolling stats per substrate fingerprint
Candidate table + review queue
Each signal source writes on its own isolated path. Manual review by default; automatic modes are opt-in.
Signed promotion
Ed25519-signed at promotion. Tier-1 and tier-2 rules require two-person review — enforced structurally, not by process.
Promoted recipes
Composed like cards. Platform → Org → Team → Agent, strictest-wins.
Gateway — 4 checkpoints × 4 modes
KV-signed + R2-signed envelopes. <30s P95 propagation target on /trust/slos.
Supply-chain detection is a sub-dimension, not a parallel system. Every evaluation carries a substrate fingerprint — provider, model, SDK version, and an optional lockfile hash. The same four-checkpoint model carries every recipe.
Promotion pipeline

Every promoted recipe is signed. Tier-1 and tier-2 never auto-promote.

All three signals feed the same review queue, and every promoted recipe rides the same signed pipeline. The protective invariant is built into the system structurally — it isn't a procedure or a policy that can be skipped.

  1. 01
    Candidate
    Each signal writes on its own isolated path. Recipe content is normalized into one shape, while the source it came from stays attached for the audit trail.
  2. 02
    Review
    Three reviewer modes per Cloudflare-peer pattern: manual (default), auto-approve-trusted-sources, auto-approve-high-confidence. Tier-3 candidates are eligible for auto-modes; tier-1/-2 are not — regardless of mode setting.
  3. 03
    Signed promotion
    Ed25519-signed at the moment of promotion. The review history is append-only. A rule can't go active until the two-person review quorum is met.
  4. 04
    24h observe soak
    Every promoted recipe ships in observe mode for 24 hours, regardless of tier. False-positive rate is sampled in a 7-day rolling window. Auto-rollback fires on threshold breach per CLPI Phase 2.
  5. 05
    Enforce + propagate
    The rule is written to two storage tiers, each signed with an independent key, then loaded by every gateway — where Managed Rules block in production today. The target is a P95 ≤ 30s propagation, measured continuously on /trust/slos.
The protective invariant

A tier-1 or tier-2 recipe — one that would actually block production traffic — can never promote without two-person human review, no matter how aggressively the reviewer mode is set. The system enforces this structurally. Automatic modes only speed up tier-3 landing (observe / nudge / log), where the blast radius of a bad call is bounded.

Vendor-neutral network effect

Substrate-aware across OpenAI, Anthropic, Gemini, and any model on the Mnemom gateway.

The substrate fingerprint stamped on every evaluation includes the provider, the model, and the SDK version — plus an optional lockfile hash customers can send in. Cross-tenant signal flows across providers, not just within one.

No provider lock-in.

AEGIS sees substrate-attributed behavioral deviation across every customer running on the same provider/model/SDK combination. One customer's evaluation stream surfacing anomalies elevates protection for every other customer on that substrate — across OpenAI, Anthropic, Gemini, or any local model fronted by the gateway.

Complements; does not replace.

AEGIS is the network layer. Customers running Lakera Guard, NeMo Guardrails, Cloudflare WAF, AWS Bedrock Guardrails, or Robust Intelligence can run AEGIS alongside — it complements; it does not replace. Different layer, different signal.

AAP declares. AIP verifies. AEGIS signs.

AAP makes the agent's intent public — transparency, not trust. AIP delivers in-flight integrity verdicts. CLPI governs the card lifecycle. AEGIS signs the cross-tenant defenses that act on the integrated picture. No layer pretends to be the one before it.

Calm-at-GA contract

If the network is calm, the page says calm.

At GA the IoC feed is empty by design. The advisory list shows one synthetic post-mortem clearly labeled synthetic. The threat thermometer is calm. We don't fake activity. Mutation-phase gating is live; the first activation in production will be reported on /trust/advisories when it happens. Tier-3 dual-control is live; tier-1/-2 dual-control begins when our second platform-admin onboards.

Inspect the network.

Three signal sources. One signed pipeline. Every promotion, every advisory, every IoC publicly verifiable.

See what we screenFetch /v1/network/threat-stateOpen your dashboard
Featured on There's An AI For That