Protection Network

The first cross-tenant defensive network purpose-built for AI agents.

Mnemom AEGIS is the runtime security network behind Safe House. It inspects every agent transaction — the prompts coming in, the tool calls and tool results in between, and the actions going out — at four checkpoints: front door, back door, inside.autonomy, and inside.integrity. And it connects every customer into one defense: when AEGIS detects a new attack against any agent on the network, the protection is signed and rolled out to everyone.

Architecture

One network. Three signal sources. Four checkpoints.

Three independent sources feed a single pipeline. Confirmed detections are reviewed, signed, and pushed to every gateway, where they are enforced at four checkpoints. What is live today is shown honestly — on the threat thermometer and the public feed.

AEGIS Protection Network — L0-L5 data flow

Cross-tenant defensive network architecture. Layer L0: every check is fingerprinted by the agent's software supply chain — its provider, model, SDK version, and dependency lockfile. Three signal sources feed one review queue: continuous adversarial testing by fifteen attacker personas; customer reports of missed attacks and false alarms; and cross-tenant patterns rolled up across every customer. The agent's supply-chain fingerprint feeds the cross-tenant view as an extra dimension. Candidates move to a signed promotion step where Ed25519 signatures apply and the highest-impact rules require two-person review. Promotion ships through two independent, separately-signed delivery paths. The gateway loads the rules and checks every transaction at four checkpoints: front door, back door, inside.autonomy, and inside.integrity. Layer L2 is an under-attack overlay that automatically raises enforcement during a campaign, never past the customer's ceiling. Outputs surface to the L4 threat thermometer at /dashboard/threats; the L5 IoC feed at /v1/trust/iocs in STIX 2.1; and signed L5 advisories at /trust/advisories.

How a detection becomes a defense: three signal sources feed one review queue, confirmed rules are signed and propagated through two independent paths, and the gateway enforces them at four checkpoints — surfacing to the threat thermometer, the public feed, and signed advisories.

Signal

Three signal sources. One pipeline.

Every protection AEGIS ships comes from one of three independent sources. The path to promotion is the same; what differs is where the signal originates.

Adversarial testing

A standing red team of fifteen attacker personas probes every Safe House continuously, around the clock — surfacing new bypasses before they reach a customer.

Customer reports

When a customer flags a missed attack or a false alarm from their dashboard, it enters the review queue. Their contribution is credited — but only the resulting protection is shared with other customers, never the underlying report.

Cross-tenant patterns

AEGIS rolls up anonymized signals across every customer. Patterns no single customer could see alone — the same anomaly appearing across many organizations at once — surface here.

Layers

What each layer does

Six layers, from the fingerprint on every check to the public feed anyone can audit. What is live today is observable on the threat thermometer and the trust surface.

L0 · Identity

Every check is fingerprinted by the agent's software supply chain

Each evaluation carries the agent's substrate fingerprint — its provider, model, SDK version, and dependency lockfile — alongside the kind of attack and where it came from. That fingerprint is what lets AEGIS connect the same attack across every customer running on the same stack.

L1 · Network

Rolling patterns across every customer

AEGIS tracks detection and bypass rates for each combination of supply chain, use case, and attack type. This is the layer that catches coordinated campaigns no single customer can see — the same behavior deviating across many customers on the same stack, at the same time.

L2 · Under attack

Automatic elevation during an active campaign, capped by your ceiling

AEGIS borrows Cloudflare's under-attack model. You set two levels per organization: your normal posture, and a ceiling for how high AEGIS may elevate on its own. During a campaign, AEGIS raises enforcement toward that ceiling — and never past it.

Your ceiling is always honored. Extra integrity-side protections — planting canaries, pausing new credential issuance, running full integrity proofs — apply underneath it, because they tighten verification without changing your enforcement posture.

Honest status: automatic elevation ships shortly after GA. Until then, an operator raises the same protection by hand — the defense is identical; only the trigger is manual.

L3 · Managed Rules

From candidate to enforced — reviewed, signed, and soak-tested

Every protection is cryptographically signed (Ed25519) before it ships, and travels through two independent, separately-signed delivery paths — so corrupting the rules that reach your gateway would mean breaking more than one of them at once. New rules run in observe-only mode for 24 hours before they can escalate; if false alarms climb, an operator rolls them back — automatic rollback ships shortly after GA.

Two-person review, enforced by the system. The rules powerful enough to act on live traffic can never be promoted by one person alone — the requirement is built into the platform, not left to process.

Honest status: the soak-tested path is fully live at GA. Two-person promotion for the highest-impact rules is operational; during the brief interim before the second approver is fully provisioned, every promotion is recorded in the audit trail.

L4 · Visibility

Your live threat picture

A customer dashboard showing the current campaign state across your stack, the Managed Rules active right now, and your effective enforcement level under any elevation. If the network is calm, the dashboard says calm — we never manufacture activity.

L5 · Transparency

Public threat feed and signed advisories

Two public surfaces. A STIX 2.1 feed that drops straight into your existing threat-intelligence pipeline, and signed post-incident advisories that label clearly what was a real campaign and what was a synthetic exercise. At launch the feed may be empty and the advisory list may show a single labeled synthetic seed — that is the system telling the truth, not a placeholder.
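
A consumer-side handler for a STIX 2.1 feed like the one described above, added here as an example and not Mnemom's code: it accepts a bundle with no objects as a valid empty feed and keeps only indicators that are unrevoked and inside their validity window. The bundles, IDs and `.example` domains are constructed, and only standard STIX 2.1 properties are assumed, since the page does not show what /v1/trust/iocs returns.

```python
import json
from datetime import datetime, timezone

def parse_ts(value):
    """Parse a STIX timestamp (RFC 3339, UTC 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def make_indicator(n, domain, **extra):
    """Build a constructed STIX 2.1 indicator object for the sample bundle."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "created": "2025-01-01T00:00:00Z", "modified": "2025-01-01T00:00:00Z",
            "pattern_type": "stix", "pattern": f"[domain-name:value = '{domain}']",
            "valid_from": "2025-01-01T00:00:00Z", **extra}

# Constructed inputs, not real feed output. STIX 2.1 makes "objects" optional,
# so a bundle with no objects is a valid (empty) feed, not an error.
EMPTY_BUNDLE = '{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000"}'
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        make_indicator(1, "live.example"),
        make_indicator(2, "expired.example", valid_until="2025-02-01T00:00:00Z"),
        make_indicator(3, "revoked.example", revoked=True),
        {"type": "identity", "spec_version": "2.1", "name": "constructed producer",
         "id": "identity--00000000-0000-4000-8000-000000000004",
         "created": "2025-01-01T00:00:00Z", "modified": "2025-01-01T00:00:00Z"},
    ]})
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed evaluation time

def active_indicators(bundle_text, now):
    """Return (id, pattern) for indicators that are enforceable at `now`."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("response is not a STIX bundle")
    active = []
    for obj in bundle.get("objects", []):        # absent key means empty feed
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type") != "stix":    # skip pattern languages we cannot match
            continue
        if parse_ts(obj["valid_from"]) > now:    # not yet valid
            continue
        until = obj.get("valid_until")
        if until is not None and parse_ts(until) <= now:  # expired
            continue
        active.append((obj["id"], obj["pattern"]))
    return active
```
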

The calm-at-GA contract

If the network is genuinely calm, our surfaces say so. We don't fake activity.

Here is our promise: if the network is genuinely quiet at launch, the threat thermometer says calm, the advisory list shows a single, clearly-labeled synthetic exercise, and the public feed is empty. That is not an unfinished page — it is the system telling the truth. Every other vendor in this space dresses an empty feed in theater. We don't.

The landscape

Every other tool secures the prompt. AEGIS secures the agent — and the network it runs on.

AI-agent security is splitting into four categories. Each does its job well, and AEGIS runs alongside any of them. We built AEGIS for the job none of them do: watching what an agent actually does, and turning one customer's detection into everyone's defense.

Hyperscaler guardrails

AWS Bedrock Guardrails · Google Model Armor

Strong at: Configurable content filtering bundled with your model platform — injection and jailbreak screening, PII redaction, denied topics, grounding and malicious-URL checks.

Where it stops: Cloud-bound and single-tenant. They screen the prompt and the response, not what the agent does in between — and one customer's detection never becomes another customer's defense.

Enterprise AI-security platforms

Palo Alto Prisma AIRS · Cisco AI Defense

Strong at: Broad coverage — model scanning, posture management, red-teaming, and runtime protection — backed by world-class threat research teams.

Where it stops: Runtime telemetry stays inside your own organization. Their intelligence is vendor-curated research, not a live customer-to-customer network: one customer's detected attack isn't signed and pushed to every other customer.

Inline detectors & guardrail frameworks

Lakera Guard · NVIDIA NeMo Guardrails

Strong at: Fast, accurate defense at the conversation layer — managed prompt-injection detection that learns from millions of crowdsourced attacks, and open-source programmable rails you embed in your app.

Where it stops: They act one conversation at a time, and improve a shared model on a release cadence. Neither propagates a signed defense across a live network the moment one customer is hit.

Edge AI gateways

Cloudflare AI Gateway · AI Security for Apps

Strong at: Best-in-class HTTP and edge defense, with a genuine cross-customer network effect — injection and PII detection, rate-limiting, caching, and observability in front of any model.

Where it stops: That network runs at the web-traffic layer, built for apps and people. It doesn't reach the agent-decision layer — the tool calls an agent makes, the tool results it trusts, the actions it takes.

Mnemom AEGIS

What only a cross-tenant agent network does

  • Inspects the agent-decision layer — inbound prompts, tool calls, tool results, and outbound actions, not just the text going in and out.
  • Turns one customer's confirmed detection into a signed Managed Rule that propagates across the network automatically.
  • Fingerprints the software supply chain — provider, model, SDK version, dependency lockfile — so a single tenant's anomaly can raise protection for every customer running the same stack.
  • Publishes its threat intelligence in the open — a STIX 2.1 feed and signed advisories — instead of locking it inside a vendor database.

AEGIS complements the tools you already run. Keep Bedrock or Model Armor guardrails on your model, Lakera or NeMo at the prompt, and Cloudflare at the edge — and run AEGIS as the cross-tenant layer that watches what your agents actually do.

Public SLOs

What we commit to — with numbers, and with honesty about what's measured.

These are published targets. The first 30-day measurement window opens 30 days after GA; until then we report them as targets, not results. We don't pre-announce numbers we can't defend.

  • Propagation latency: P95 ≤ 30s (target · from signed promotion to loaded at your gateway)
  • Rule-set freshness: P99 ≤ 5 min (target · under normal operation)
  • Availability: 99.99% (target · layered failover keeps the last known-good rule set serving)