Protection Network · L0-L5

    The first cross-tenant defensive network purpose-built for AI agents.

    Mnemom AEGIS — Adaptive Enforcement, Governance & Intelligence Substrate — is the runtime security network of Safe House. It screens every agent transaction at four checkpoints (front door, back door, inside.autonomy, inside.integrity) and ties every customer's Safe House into a single defensive substrate. One customer's detection becomes every customer's defence, signed and propagated within the SLO window.

    Architecture

    L0-L5 — one substrate, three signal loops, four checkpoints

    Source-of-truth: concept.md §Three loops, one substrate. Every layer is wired at GA; honest operational state is surfaced live on the threat thermometer and IoC feed.

    Figure: AEGIS Protection Network, L0-L5 data flow (cross-tenant defensive network architecture).

    Layer L0: every evaluation is stamped with substrate, vertical, pattern, and source axes. Three signal sources feed the candidate review queue: an adversarial arena with fifteen canonical personas; customer false-negative and false-positive reports; and a cross-tenant aggregator that rolls up per-axis statistics. Substrate fingerprints from supply-chain telemetry feed the aggregator as an extra axis. Candidates move to a signed promotion step where Ed25519 signatures and dual-control review apply at tier one and tier two. Promotion writes envelopes to Workers KV and R2 with independent signing chains. Gateway loads from the data plane and evaluates every transaction at four checkpoints: front door, back door, inside.autonomy, and inside.integrity. Layer L2 is a composition-layer under-attack overlay that elevates effective enforcement within the org's clamped ceiling. Outputs surface to the L4 threat thermometer at /dashboard/threats; the L5 IoC feed at /v1/trust/iocs in STIX 2.1; and signed L5 advisories at /trust/advisories.

    Diagram annotations: L0 four-axis fingerprint (mig 217); arena is mutation-phase gated; L1 aggregator keeps network_campaign_state with rolling stats per axis-bucket; substrate fingerprint is provider · model · sdk@ver · lockfile-hash; candidate queue records writer_identity per source, manual by default, auto-modes opt-in; data plane has a <30s P95 propagation target; Workers KV signed envelope uses RECIPE_KV_SIGNING_KEY with a 300s TTL; R2 signed envelope uses RECIPE_R2_SIGNING_KEY on an independent chain; the L2 overlay auto-elevates, clamped by the org ceiling.
    Source-of-truth ASCII at concept.md §“Three loops, one substrate”. Every layer of the Protection Network is wired at GA; the visual aligns with the runtime architecture in ADR-AEGIS-01 and ADR-AEGIS-02.
    Signal

    Three signal sources. One promotion pipeline.

    Every recipe AEGIS promotes is fed by one of three independent loops, each stamped with a distinct writer_identity (ADR-004). The promotion path is the same; the trust posture differs.

    Adversarial arena

    15 canonical personas probe every Safe House continuously. The mutation-phase gate (95% detection-rate per bucket, 48h rolling window, 24h hysteresis) flips the arena from discovery into mutation when a bucket is well-covered.

    writer_identity = arena-bypass

    Customer FN / FP reports

    False-negative and false-positive reports flow from customer dashboards into the candidate queue. Each tenant's contribution is acknowledged; only the resulting recipe propagates to other tenants — never the raw report.

    writer_identity = customer-fn-report

    Cross-tenant aggregator

    network_campaign_state rolls per-axis statistics across every customer. Patterns no single customer can see — a substrate showing identical anomalies across orgs — surface as candidates here.

    writer_identity = internal-observation

    Layers

    What each layer does

    Five named, wired layers on top of the recipe data plane. Operational state for each layer is observable on the threat thermometer and the trust surface.

    L0 · Axis identity

    Every evaluation stamped with the four-axis fingerprint

    Per migration 217, every checkpoint evaluation carries a derived (substrate, vertical, pattern, source) tuple. Substrate is provider × model × SDK@version with an optional customer-supplied lockfile-hash header. The axis identity is the join key for cross-tenant correlation and the spine of supply-chain attribution.

    L1 · Cross-tenant aggregator

    Rolling stats per axis-bucket — the network's vision

    network_campaign_state maintains rolling detection-rate and bypass-rate windows per (substrate × vertical × pattern × source) bucket. The aggregator is the layer that catches campaigns no individual tenant can — behavioural deviation across every customer running on the same substrate, simultaneously.

    L2 · Under-attack overlay

    Composition-layer auto-elevation, clamped by org ceiling

    AEGIS adopts Cloudflare's additive-ratcheting model. Two posture knobs per org: normal posture and elevation ceiling. During a campaign, the effective mode is max(normal, min(threat_level, elevation_ceiling)).

    The customer's ceiling is honoured. Additional integrity-side protections (canaries planted, credential issuance frozen, full AIP proofs) ride underneath the ceiling because they are not posture changes.

    Honest operational state: the L2 overlay ships in Phase 4 when the cards composition primitive stabilises. Until then, a manual operator override on the org flag covers the same protection without auto-elevation.
    L3 · Managed Rules push

    Arena candidate → review → signed promotion → 24h observe soak → enforce

    Every promotion is Ed25519-signed via RECIPE_PROMOTION_SIGNING_KEY. KV and R2 carry independent envelope signing chains (RECIPE_KV_SIGNING_KEY / RECIPE_R2_SIGNING_KEY) — three independent compromise paths are required to poison the rule plane. Tier-3 rules run a 24h observe soak before mode escalation; FP-rate threshold triggers auto-rollback.

    The dual-control invariant: tier-1 and tier-2 rules — those that would actually block production traffic — can never auto-promote, regardless of reviewer mode. The constraint is structural (schema CHECK on promotion_quorum_met), not procedural.

    Honest operational state: tier-3 path is fully live at GA. Tier-1/-2 dual-control enforcement activates 2026-06-01 once the second platform-admin is provisioned (single-operator interim is acknowledged in the audit chain).
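    What "structural, not procedural" means for the dual-control invariant, as an added example that is not Mnemom's schema or code. Only the column name promotion_quorum_met comes from the page; the table, the other columns, the reviewer names and the recipe ids are hypothetical, and SQLite stands in for whatever database the product uses.

```python
import sqlite3

# Hypothetical schema: only the column name promotion_quorum_met is from the page.
SCHEMA = """
CREATE TABLE recipe_promotion (
    recipe_id            TEXT PRIMARY KEY,
    tier                 INTEGER NOT NULL CHECK (tier IN (1, 2, 3)),
    reviewer_a           TEXT,
    reviewer_b           TEXT,
    promotion_quorum_met INTEGER NOT NULL DEFAULT 0
        CHECK (promotion_quorum_met IN (0, 1)),
    -- Quorum may only be asserted with two distinct, named reviewers.
    CHECK (promotion_quorum_met = 0
           OR (reviewer_a IS NOT NULL AND reviewer_b IS NOT NULL
               AND reviewer_a <> reviewer_b)),
    -- Blocking tiers (1 and 2) can never be stored without quorum.
    CHECK (tier = 3 OR promotion_quorum_met = 1)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def try_promote(db, recipe_id, tier, reviewer_a=None, reviewer_b=None, quorum=0):
    """Insert a promotion row; False means the schema itself refused it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO recipe_promotion VALUES (?, ?, ?, ?, ?)",
                       (recipe_id, tier, reviewer_a, reviewer_b, quorum))
        return True
    except sqlite3.IntegrityError:
        return False

def try_clear_quorum(db, recipe_id):
    """Simulate a direct write that bypasses the review application."""
    try:
        with db:
            db.execute("UPDATE recipe_promotion SET promotion_quorum_met = 0 "
                       "WHERE recipe_id = ?", (recipe_id,))
        return True
    except sqlite3.IntegrityError:
        return False
```

    Because the rule lives in the table definition, a reviewer mode, a misconfigured job or a direct UPDATE all hit the same refusal; the application never gets to decide.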
    L4 · Threat thermometer

    Live per-axis state on /dashboard/threats

    Customer-facing dashboard showing per-axis campaign state, active Managed Rules, and the org's effective enforcement mode under any current overlay. If the network is calm at GA, the thermometer says calm — the page does not invent activity.

    L5 · IoC feed + advisories

    Public STIX 2.1 feed and signed post-incident advisories

    Two public surfaces. /v1/trust/iocs exports a STIX 2.1 Bundle that slots into existing threat-intel pipelines. /trust/advisories publishes signed post-incident records with explicit synthetic-vs-real labels. At GA the feed may be empty and the advisory list shows the single synthetic seed — that is the system telling the truth.
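    How a threat-intel pipeline might ingest a STIX 2.1 Bundle like the one /v1/trust/iocs is described as exporting, including the empty-feed case; this is an added example, not Mnemom's client code. The bundles below are constructed, the function names are hypothetical, and signature checking is left out because the page does not describe the envelope format.

```python
import json

# Properties STIX 2.1 requires on every indicator object.
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

def extract_indicators(bundle_text):
    """Return (usable, rejected_ids) from a STIX 2.1 bundle given as JSON text."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle" or not str(bundle.get("id", "")).startswith("bundle--"):
        raise ValueError("not a STIX bundle")
    usable, rejected = [], []
    # "objects" is optional in STIX 2.1, so an empty feed is a valid bundle.
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships etc. are not match rules
        incomplete = any(field not in obj for field in REQUIRED)
        if incomplete or obj["spec_version"] != "2.1" or obj.get("revoked") is True:
            rejected.append(obj.get("id", "<missing id>"))
            continue
        usable.append({"id": obj["id"], "pattern_type": obj["pattern_type"],
                       "pattern": obj["pattern"], "valid_from": obj["valid_from"]})
    return usable, rejected

# Constructed sample data below; none of it comes from the real feed.
TS = "2026-01-01T00:00:00.000Z"

def _constructed_indicator(n, drop=(), **extra):
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
           "created": TS, "modified": TS, "valid_from": TS,
           "pattern_type": "stix",
           "pattern": f"[domain-name:value = 'host{n}.example.invalid']"}
    obj.update(extra)
    return {k: v for k, v in obj.items() if k not in drop}

EMPTY_FEED = '{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000"}'
SAMPLE_FEED = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "name": "constructed producer",
         "id": "identity--00000000-0000-4000-8000-0000000000aa"},
        _constructed_indicator(1),                        # well-formed
        _constructed_indicator(2, drop=("valid_from",)),  # missing required field
        _constructed_indicator(3, revoked=True),          # withdrawn by producer
    ],
})
```

    An empty result from a well-formed bundle is a normal outcome and should not raise an alert; a bundle that fails to parse or yields only rejected ids is the case worth flagging.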

    The calm-at-GA contract

    If the network is genuinely calm, the surfaces say so. We do not fake activity.

    From concept.md: if at GA the network is genuinely calm, the thermometer says calm, the advisory list shows one synthetic seed post-mortem clearly labelled synthetic, and the IoC feed is empty. That is not a stub — that is the system telling the truth. Every other vendor in this space dresses an empty feed with theatre. Mnemom does not.

    Landscape

    What every other agent-security vendor does — and does not — do.

    The agentic-AI-security market is fragmenting into hyperscaler guardrails, retrofitted enterprise platforms, AI-native single-detectors, and edge inference proxies. None is an integrated cross-tenant network. Source: AEGIS-15 positioning brief §3.

    Capability | Mnemom AEGIS | Cloudflare WAF | AWS Shield | Lakera Guard | Cisco AI Defense | Palo Alto Prisma AIRS | Google Model Armor
    Cross-tenant defensive network for AI agents
    Signal pooled across customers; signed Managed Rules push to every gateway.
    Substrate fingerprinting (provider · model · sdk@ver · lockfile-hash)
    Detect behavioural deviation across every customer on the same substrate.
    Adversarial arena with mutation-phase gating
    15 canonical personas, per-bucket 95% / 48h / 24h-hysteresis.
    Vendor-curated threat DB
    Customer FN / FP feedback into signed promotion pipeline
    Public STIX 2.1 IoC feed
    Machine-readable, signed envelope, no auth required.
    Append-only signed advisory CMS
    Synthetic-vs-real labelled per the calm-at-GA contract.
    Dual-control invariant on Tier-1 / Tier-2 promotions
    Structural CHECK constraint, not procedural.
    Vendor-only review | Vendor-only review | Vendor-only review | Vendor-only review | Vendor-only review | Vendor-only review
    Four-checkpoint × four-mode runtime
    front door · back door · inside.autonomy · inside.integrity.
    Single inline filter | Build-time embedding | Aggregated platform | Content-filter inline
    Designed for AI agents (not HTTP / not humans)
    HTTP-layer WAF | Network DDoS | Prompt-layer firewall | Build-time guardrails | Platform aggregation | Prompt + URL filter
    Provider-neutral (OpenAI · Anthropic · Gemini · self-hosted)
    n/a | AWS only | Google only
    Hyperscaler-locked

    Mnemom complements — does not replace — guardrails, WAFs, and pre-deployment evals. Customers running Lakera Guard, NeMo Guardrails, Cloudflare WAF, AWS Bedrock Guardrails, or Robust Intelligence can run AEGIS alongside. AEGIS is the cross-tenant network layer; the others sit elsewhere in the stack.

    Public SLOs

    What we commit to, with numbers.

    Source: ADR-AEGIS-02 §5, published on /trust/slos. First 30-day measurement window publishes 30 days post-GA.

    Propagation latency: P95 ≤ 30s (signed promotion → gateway loaded)
    Rule-set freshness: P99 ≤ 5 min (under normal operation)
    Failover availability: 99.99% (KV + R2 + isolate last-known-good)