# Protection Network — Cross-tenant defensive network for AI agents | Mnemom

Protection Network · L0-L5

# The first cross-tenant defensive network purpose-built for AI agents.

Mnemom AEGIS — Adaptive Enforcement, Governance & Intelligence Substrate — is the runtime security network of Safe House. It screens every agent transaction at four checkpoints (front door, back door, inside.autonomy, inside.integrity) and ties every customer's Safe House into a single defensive substrate. One customer's detection becomes every customer's defence, signed and propagated within the SLO window.

[Open the threat thermometer](/dashboard/threats) · [Fetch the STIX 2.1 feed](https://api.mnemom.ai/v1/trust/iocs) · [Talk to sales](/contact)

Architecture

## L0-L5 — one substrate, three signal loops, four checkpoints

Source-of-truth: concept.md §Three loops, one substrate. Every layer is wired at GA; honest operational state is surfaced live on the threat thermometer and IoC feed.

Source-of-truth ASCII at concept.md §“Three loops, one substrate”. Every layer of the Protection Network is wired at GA; the visual aligns with the runtime architecture in ADR-AEGIS-01 and ADR-AEGIS-02.

Signal

## Three signal sources. One promotion pipeline.

Every recipe AEGIS promotes is fed by one of three independent loops, each stamped with a distinct `writer_identity` (ADR-004). The promotion path is the same; the trust posture differs.

### Adversarial arena

15 canonical personas probe every Safe House continuously. The mutation-phase gate (95% detection-rate per bucket, 48h rolling window, 24h hysteresis) flips the arena from discovery into mutation when a bucket is well-covered.

`writer_identity = arena-bypass`

### Customer FN / FP reports

False-negative and false-positive reports flow from customer dashboards into the candidate queue. Each tenant's contribution is acknowledged; only the resulting recipe propagates to other tenants — never the raw report.

`writer_identity = customer-fn-report`

### Cross-tenant aggregator

`network_campaign_state` rolls per-axis statistics across every customer. Patterns no single customer can see — a substrate showing identical anomalies across orgs — surface as candidates here.

`writer_identity = internal-observation`

Layers

## What each layer does

Five named, wired layers on top of the recipe data plane. Operational state for each layer is observable on the threat thermometer and the trust surface.

L0 · Axis identity

### Every evaluation stamped with the four-axis fingerprint

Per migration 217, every checkpoint evaluation carries a derived `(substrate, vertical, pattern, source)` tuple. Substrate is provider × model × SDK@version with an optional customer-supplied lockfile-hash header. The axis identity is the join key for cross-tenant correlation and the spine of supply-chain attribution.

[Read the supply-chain brief →](/supply-chain)

L1 · Cross-tenant aggregator

### Rolling stats per axis-bucket — the network's vision

`network_campaign_state` maintains rolling detection-rate and bypass-rate windows per `(substrate × vertical × pattern × source)` bucket. The aggregator is the layer that catches campaigns no individual tenant can — behavioural deviation across every customer running on the same substrate, simultaneously.

L2 · Under-attack overlay

### Composition-layer auto-elevation, clamped by org ceiling

AEGIS adopts Cloudflare's additive-ratcheting model. Two posture knobs per org: _normal posture_ and _elevation ceiling_. During a campaign, the effective mode is `max(normal, min(threat_level, elevation_ceiling))`.

The customer's ceiling is honoured. Additional integrity-side protections (canaries planted, credential issuance frozen, full AIP proofs) ride underneath the ceiling because they are not posture changes.

**Honest operational state:** the L2 overlay ships in Phase 4 when the cards composition primitive stabilises. Until then, a manual operator override on the org flag covers the same protection without auto-elevation.

L3 · Managed Rules push

### Arena candidate → review → signed promotion → 24h observe soak → enforce

Every promotion is Ed25519-signed via `RECIPE_PROMOTION_SIGNING_KEY`. KV and R2 carry independent envelope signing chains (`RECIPE_KV_SIGNING_KEY` / `RECIPE_R2_SIGNING_KEY`) — three independent compromise paths are required to poison the rule plane. Tier-3 rules run a 24h observe soak before mode escalation; FP-rate threshold triggers auto-rollback.

**The dual-control invariant:** tier-1 and tier-2 rules — those that would actually block production traffic — can never auto-promote, regardless of reviewer mode. The constraint is structural (schema CHECK on `promotion_quorum_met`), not procedural.

**Honest operational state:** tier-3 path is fully live at GA. Tier-1/-2 dual-control enforcement activates 2026-06-01 once the second platform-admin is provisioned (single-operator interim is acknowledged in the audit chain).
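The difference between a structural and a procedural dual-control rule, described above, can be shown with a schema-level CHECK. This is an added illustration using SQLite, not Mnemom's schema: only `promotion_quorum_met` comes from the page, while the table name, the other columns and the tier encoding are assumptions.

```python
import sqlite3

# Only promotion_quorum_met is named on the page; the table name, the other
# columns and the tier encoding are assumptions made for this illustration.
SCHEMA = """
CREATE TABLE rule_promotion (
    rule_id              TEXT PRIMARY KEY,
    tier                 INTEGER NOT NULL CHECK (tier IN (1, 2, 3)),
    auto_promoted        INTEGER NOT NULL CHECK (auto_promoted IN (0, 1)),
    promotion_quorum_met INTEGER NOT NULL CHECK (promotion_quorum_met IN (0, 1)),
    -- Blocking tiers (1 and 2) need quorum and can never be auto-promoted.
    CHECK (tier = 3 OR (promotion_quorum_met = 1 AND auto_promoted = 0))
);
"""

def accepted(conn, sql, params=()):
    """Run one write; True if the schema accepts it, False if a CHECK fails."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    insert = "INSERT INTO rule_promotion VALUES (?, ?, ?, ?)"
    results = {
        # Tier-3 observe rule may auto-promote without quorum.
        "tier3_auto": accepted(conn, insert, ("r-observe", 3, 1, 0)),
        # Buggy or compromised reviewer code claims quorum but auto-promotes.
        "tier1_auto": accepted(conn, insert, ("r-auto", 1, 1, 1)),
        # Single operator promotes a blocking rule without a second approver.
        "tier2_no_quorum": accepted(conn, insert, ("r-solo", 2, 0, 0)),
        # Two-person promotion of a blocking rule.
        "tier1_dual": accepted(conn, insert, ("r-dual", 1, 0, 1)),
        # Escalating the auto-promoted tier-3 row in place is also rejected.
        "escalate_tier3": accepted(
            conn, "UPDATE rule_promotion SET tier = 1 WHERE rule_id = ?", ("r-observe",)),
    }
    results["rows"] = [r[0] for r in conn.execute(
        "SELECT rule_id FROM rule_promotion ORDER BY rule_id")]
    return results
```

Because the constraint lives in the table definition, the rejected writes fail no matter which code path or reviewer mode issued them, including the in-place tier escalation.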

L4 · Threat thermometer

### Live per-axis state on /dashboard/threats

Customer-facing dashboard showing per-axis campaign state, active Managed Rules, and the org's effective enforcement mode under any current overlay. If the network is calm at GA, the thermometer says _calm_ — the page does not invent activity.

[Open the thermometer →](/dashboard/threats)

L5 · IoC feed + advisories

### Public STIX 2.1 feed and signed post-incident advisories

Two public surfaces. `/v1/trust/iocs` exports a STIX 2.1 Bundle that slots into existing threat-intel pipelines. `/trust/advisories` publishes signed post-incident records with explicit synthetic-vs-real labels. At GA the feed may be empty and the advisory list shows the single synthetic seed — that is the system telling the truth.

[Inspect the IoC feed →](/trust/iocs)
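A consumer of the feed has to treat an empty bundle as a valid answer, since the page says the feed may be empty at GA. The sketch below is an added example, not Mnemom code: it assumes the response body is a plain STIX 2.1 bundle in JSON, uses constructed sample bundles, and does not verify the signed envelope because its format is not described here.

```python
import json
from datetime import datetime, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for the example

def make_indicator(n, **extra):
    """Build a constructed STIX 2.1 indicator (sample data, not feed output)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{n:08d}-0000-4000-8000-000000000000",
           "created": "2026-01-01T00:00:00Z", "modified": "2026-01-01T00:00:00Z",
           "pattern_type": "stix",
           "pattern": f"[domain-name:value = 'host{n}.example.invalid']",
           "valid_from": "2026-01-01T00:00:00Z"}
    obj.update(extra)
    return obj

# "objects" is optional in a STIX 2.1 bundle, so an empty feed is still valid.
EMPTY_FEED = '{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000"}'
SAMPLE_FEED = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        make_indicator(1),                                      # active
        make_indicator(2, revoked=True),                        # withdrawn
        make_indicator(3, valid_until="2026-02-01T00:00:00Z"),  # expired
        make_indicator(4, valid_from="2026-06-01T00:00:00Z"),   # not yet valid
        {"type": "identity", "spec_version": "2.1", "name": "constructed",
         "id": "identity--00000000-0000-4000-8000-000000000002",
         "created": "2026-01-01T00:00:00Z", "modified": "2026-01-01T00:00:00Z"},
    ],
})

def parse_ts(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def active_indicators(raw, now=NOW):
    """Return (id, pattern_type, pattern) for indicators usable at `now`."""
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle" or not str(bundle.get("id", "")).startswith("bundle--"):
        raise ValueError("not a STIX bundle")
    active = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # other object types and revoked indicators are skipped
        if parse_ts(obj["valid_from"]) > now:
            continue  # not yet valid
        until = obj.get("valid_until")
        if until is not None and parse_ts(until) <= now:
            continue  # validity window has closed
        active.append((obj["id"], obj["pattern_type"], obj["pattern"]))
    return active
```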

The calm-at-GA contract

## If the network is genuinely calm, the surfaces say so. We do not fake activity.

From `concept.md`: if at GA the network is genuinely calm, the thermometer says calm, the advisory list shows one synthetic seed post-mortem clearly labelled synthetic, and the IoC feed is empty. That is not a stub — that is the system telling the truth. Every other vendor in this space dresses an empty feed with theatre. Mnemom does not.

[See the advisory list →](/trust/advisories)·[Inspect the IoC feed →](/trust/iocs)

Landscape

## What every other agent-security vendor does — and does not — do.

The agentic-AI-security market is fragmenting into hyperscaler guardrails, retrofitted enterprise platforms, AI-native single-detectors, and edge inference proxies. None is an integrated cross-tenant network. Source: AEGIS-15 positioning brief §3.

Capability

Mnemom AEGIS

Cloudflare WAF

AWS Shield

Lakera Guard

Cisco AI Defense

Palo Alto Prisma AIRS

Google Model Armor

Cross-tenant defensive network for AI agents

Signal pooled across customers; signed Managed Rules push to every gateway.

Substrate fingerprinting (provider · model · sdk@ver · lockfile-hash)

Detect behavioural deviation across every customer on the same substrate.

Adversarial arena with mutation-phase gating

15 canonical personas, per-bucket 95% / 48h / 24h-hysteresis.

Vendor-curated threat DB

Customer FN / FP feedback into signed promotion pipeline

Public STIX 2.1 IoC feed

Machine-readable, signed envelope, no auth required.

Append-only signed advisory CMS

Synthetic-vs-real labelled per the calm-at-GA contract.

Dual-control invariant on Tier-1 / Tier-2 promotions

Structural CHECK constraint, not procedural.

Vendor-only review

Vendor-only review

Vendor-only review

Vendor-only review

Vendor-only review

Vendor-only review

Four-checkpoint × four-mode runtime

front door · back door · inside.autonomy · inside.integrity.

Single inline filter

Build-time embedding

Aggregated platform

Content-filter inline

Designed for AI agents (not HTTP / not humans)

HTTP-layer WAF

Network DDoS

Prompt-layer firewall

Build-time guardrails

Platform aggregation

Prompt + URL filter

Provider-neutral (OpenAI · Anthropic · Gemini · self-hosted)

n/a

AWS only

Google only

Hyperscaler-locked

Mnemom complements — does not replace — guardrails, WAFs, and pre-deployment evals. Customers running Lakera Guard, NeMo Guardrails, Cloudflare WAF, AWS Bedrock Guardrails, or Robust Intelligence can run AEGIS alongside. AEGIS is the cross-tenant network layer; the others sit elsewhere in the stack.

Public SLOs

## What we commit to, with numbers.

Source: ADR-AEGIS-02 §5, published on /trust/slos. First 30-day measurement window publishes 30 days post-GA.

| SLO | Target | Detail |
| --- | --- | --- |
| Propagation latency | P95 ≤ 30s | Signed promotion → gateway loaded |
| Rule-set freshness | P99 ≤ 5 min | Under normal operation |
| Failover availability | 99.99% | KV + R2 + isolate last-known-good |

[See the full SLO table →](/trust/slos)

Get started

## Three ways in.

### Customer dashboard

The threat thermometer — per-axis campaign state, active Managed Rules, your effective enforcement posture.

[/dashboard/threats →](/dashboard/threats)

### Machine-readable feed

```sh
curl https://api.mnemom.ai/v1/trust/iocs
```

[Fetch the STIX 2.1 bundle →](https://api.mnemom.ai/v1/trust/iocs)

### Talk to sales

Walk through the AEGIS architecture, the SLO commitments, the EU AI Act mapping, and what self-hosted means for your compliance posture.

[Contact us →](/contact)

---
_Source: /protection-network/index.html · Generated by build-markdown-mirrors.mjs · For agent-readability commitment #4 see https://www.mnemom.ai/for-agents_
