Security operations for AI

You can't secure the AI you can't see.

AEGIS finds every model, agent, and prompt running in your business, sanctioned or not. It watches what they do, and proves your defences actually hold. One console, instead of seven tools that don't talk to each other.

Built for the SOC · Works with your SIEM · Cloud & model agnostic

Most teams run seven or more disconnected AI security tools and still can't answer one question: is our AI safe right now?

The product

Stop tab-hopping between tools that don't talk.

When your AI does something it shouldn't, the clock is already running. You shouldn't be logging into five consoles to work out what happened. Start at the incident, see the whole session and where it led, and shut it down in one click.

A single posture view across all eight layers: assets, incidents, red-team coverage and shadow AI, live.

Console tabs: Overview · Discovery · Identities · Telemetry · Kill chain · Red team · Compliance

  • Assets: 1,284 (+38 today)
  • Open incidents: 7 (3 critical)
  • Red-team coverage: 94% (OWASP LLM)
  • Shadow AI: 22 unsanctioned
  • Inference volume · last 6h
Multi-stage attack · incident #4471

  • Prompt injection via support ticket
  • Tool call abused: internal search API
  • Credential reuse: agent svc-rag-07
  • Data exfiltration: blocked by AEGIS

Four low-signal events. One correlated incident. Single-tool stacks see none of this.

Continuous full-stack red team · run rt-2026-0517

  • PASS · LLM · indirect prompt injection · 142 variants
  • PASS · Agent kill-chain · confused-deputy tool abuse
  • FINDING · Identity · over-scoped agent token reachable
  • PASS · Supply chain · model namespace substitution
  • PASS · Cloud infra · IMDS / GPU node escape attempts

Model, agents, identity, supply chain and the cloud underneath: every finding opens an incident in the same console.

AI asset inventory · 1,284 discovered

  Asset | Type | Owner | Status
  llm-prod · loan-assistant | Model | Lending | Verified
  svc-rag-07 | Agent | Support | Verified
  internal · credit-risk-pd | Model | Risk | Re-scan
  unsanctioned-mcp-bridge | MCP server | n/a | Shadow

The platform

Eight layers. One data plane.

You bought seven point tools and still can't connect them. AEGIS is eight layers writing to one record, so the weak signal everyone else ignores becomes an incident you can act on.

01

Asset & workforce AI discovery

A live inventory of every model, agent, MCP server, vector store and prompt, plus how employees use AI across the major productivity suites, including built-in office AI assistants and browser LLMs. Sanctioned or shadow, you see it.

The gap today

Most teams can't say how many models and agents they actually run, and only see the AI that passes through the browser. Shadow-AI breaches add USD 670k each. You can't protect what you can't list.

Why you need it

One live inventory across cloud, code, OAuth and the office suites, with owners and dependencies, so the board question "how much AI do we run, and who owns it?" finally has a real answer.

02

Supply chain & provenance

Every model and dataset is signed, verified at ingestion, and re-checked against new threats. Namespace-substitution and unsafe deserialisation get caught on the way in.

The gap today

Models arrive unsigned from public hubs. Roughly 352,000 unsafe issues were found across 51,700 of them, and attackers have swapped backdoored models into cloud catalogues via namespace reuse.

Why you need it

Every model and dataset is signed and verified on the way in and re-checked against new CVEs. Substitution and unsafe deserialisation are blocked before production, not found after a breach.
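The ingestion gate described for this layer, as an added example that is not AEGIS code: an artefact is admitted only if its SHA-256 matches a pinned digest in a trusted manifest and a pickle opcode scan finds nothing that would invoke a callable on load. The manifest format, the artefact names and the two constructed payloads are assumptions; the scan uses `pickletools.genops` so the bytes are never unpickled.

```python
"""Ingestion gate for model artefacts: pinned-digest check plus a pickle opcode scan.

Added example, not AEGIS code. The manifest format and the trusted-digest source
are assumptions; a production gate would verify a real signature (e.g. a sigstore
bundle) rather than a bare SHA-256 pin. The scan walks opcodes with
pickletools.genops and never executes the pickle.
"""
import hashlib
import hmac
import io
import pickle
import pickletools

# Opcodes that let a pickle invoke an arbitrary callable or hook when it is loaded.
CALLABLE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                    "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_pickle(data: bytes) -> set:
    """Return the set of callable-capable opcodes present, without unpickling."""
    found = set()
    try:
        for opcode, _arg, _pos in pickletools.genops(io.BytesIO(data)):
            if opcode.name in CALLABLE_OPCODES:
                found.add(opcode.name)
    except Exception as exc:  # truncated or corrupt stream: treat as unsafe
        found.add(f"malformed:{type(exc).__name__}")
    return found


def admit(name: str, data: bytes, manifest: dict):
    """Gate decision: digest must match the pin and the payload must be callable-free.

    Returns (admitted, reasons); reasons is empty when the artefact is admitted.
    """
    reasons = []
    pinned = manifest.get(name)
    if pinned is None:
        reasons.append("no_pinned_digest")
    elif not hmac.compare_digest(sha256_hex(data), pinned):
        reasons.append("digest_mismatch")
    risky = scan_pickle(data)
    if risky:
        reasons.append("unsafe_pickle:" + ",".join(sorted(risky)))
    return (not reasons), reasons


# Constructed artefacts for the example (not real model files).
BENIGN_WEIGHTS = pickle.dumps({"layer0.bias": [0.1, -0.2],
                               "layer0.weight": [[0.5, 0.25]]})


class _Suspect:
    """Harmless stand-in: its __reduce__ makes the pickle call a callable (str) on load."""
    def __reduce__(self):
        return (str, ("loaded",))


SUSPECT_WEIGHTS = pickle.dumps(_Suspect())

# The trusted pin: the only digest this artefact name is allowed to carry.
MANIFEST = {"loan-assistant-v3.pkl": sha256_hex(BENIGN_WEIGHTS)}

if __name__ == "__main__":
    print(admit("loan-assistant-v3.pkl", BENIGN_WEIGHTS, MANIFEST))   # (True, [])
    print(admit("loan-assistant-v3.pkl", SUSPECT_WEIGHTS, MANIFEST))  # digest and opcode findings
```

Real checkpoints from common ML frameworks legitimately carry `GLOBAL` references to their own tensor-rebuild helpers, so a production scanner pairs this opcode walk with an allowlist of known-safe globals; the example flags every callable-capable opcode so the detection path is easy to follow.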

03

Identity for AI

Treat every agent and inference call as its own identity. Short-lived scoped credentials, just-in-time access, and a tamper-evident receipt for every action.

The gap today

Agents run on broad, long-lived service keys; 97% of AI-breached organisations lacked proper access controls, so one compromised agent is a standing skeleton key.

Why you need it

Each agent gets its own short-lived, scoped identity with just-in-time access and a tamper-evident receipt. Damage is contained to one session and provable afterwards.
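The per-session credential and receipt model described above, as an added example that is not AEGIS code: a credential is minted for one agent with an explicit scope list and a short expiry, every authorisation decision is appended to a hash-chained receipt log, and the chain can be verified afterwards. The HMAC key, the agent name, the scope names and the timestamps are constructed for the example; a real deployment would use a KMS-held key and asymmetric signatures.

```python
"""Short-lived scoped credentials with a tamper-evident receipt chain.

Added example, not AEGIS code. Assumes one shared HMAC key held by the
issuer/verifier (constructed below); scope and agent names are illustrative.
"""
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the example


def _mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue_credential(agent, scopes, ttl_seconds=300, now=None):
    """Mint a credential bound to one agent and an explicit scope list, expiring after ttl."""
    now = time.time() if now is None else now
    cred = {"agent": agent, "scopes": sorted(scopes), "iat": now,
            "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    cred["mac"] = _mac(cred)
    return cred


def authorise(cred, scope, now=None):
    """Reject forged, expired or out-of-scope use. Returns (ok, reason)."""
    now = time.time() if now is None else now
    expected = _mac({k: v for k, v in cred.items() if k != "mac"})
    if not hmac.compare_digest(expected, cred.get("mac", "")):
        return False, "bad_mac"
    if now >= cred["exp"]:
        return False, "expired"
    if scope not in cred["scopes"]:
        return False, "out_of_scope"
    return True, "ok"


class ReceiptChain:
    """Append-only log in which each receipt commits to the previous receipt's hash."""

    def __init__(self):
        self.receipts = []

    def record(self, cred, scope, decision, now=None):
        prev = self.receipts[-1]["hash"] if self.receipts else "0" * 64
        r = {"seq": len(self.receipts), "agent": cred["agent"], "jti": cred["jti"],
             "scope": scope, "decision": decision,
             "time": time.time() if now is None else now, "prev": prev}
        r["hash"] = hashlib.sha256(json.dumps(r, sort_keys=True).encode()).hexdigest()
        self.receipts.append(r)
        return r

    def verify(self):
        """Return the index of the first broken link, or None if the chain is intact."""
        prev = "0" * 64
        for i, r in enumerate(self.receipts):
            body = {k: v for k, v in r.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if r["prev"] != prev or digest != r["hash"]:
                return i
            prev = r["hash"]
        return None


def demo():
    """Constructed session: the agent may run internal search but not read secrets."""
    t0 = 1_700_000_000.0
    cred = issue_credential("svc-rag-07", ["search:internal"], ttl_seconds=300, now=t0)
    chain = ReceiptChain()
    outcomes = []
    for scope, t in [("search:internal", t0 + 1), ("secrets:read", t0 + 2),
                     ("search:internal", t0 + 400)]:
        _ok, reason = authorise(cred, scope, now=t)
        chain.record(cred, scope, reason, now=t)
        outcomes.append(reason)
    return outcomes, chain


if __name__ == "__main__":
    outcomes, chain = demo()
    print(outcomes, "chain intact:", chain.verify() is None)
```

Because each receipt's hash covers the previous hash, editing or deleting any earlier receipt breaks every link after it; `verify()` reports the first broken index so an investigator knows exactly where the record stops being trustworthy.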

04

The data lake

An open telemetry schema that captures every prompt, completion, tool call, and inference event, and pipes straight into the SIEM you already run.

The gap today

Prompts, tool calls and inference events never reach your SIEM, so AI incidents leave no forensic trail and the SOC is effectively blind to them.

Why you need it

An open, OCSF-aligned record of everything the AI did flows into the SIEM you already run. AI finally has an audit trail you can investigate and retain for regulators.

05

Correlation

AI kill-chain logic that turns scattered, low-signal events into one incident: injection to tool abuse to credential reuse to exfiltration.

The gap today

Every tool sees one weak signal; nobody joins injection → tool abuse → credential reuse → exfiltration, so multi-stage AI attacks read as background noise.

Why you need it

Cross-layer kill-chain logic fuses those scattered signals into one high-confidence incident in seconds: the attack single-tool stacks never see.
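The kill-chain correlation this layer describes, as an added example that is not AEGIS code: events from different sources are keyed by agent identity and session, and an incident is raised only when the stages appear in kill-chain order inside a time window. The OCSF-like event shape, the event-class names and the constructed event sample (which mirrors the four-stage incident shown earlier on this page) are assumptions.

```python
"""Kill-chain correlation over AI telemetry (added example, not AEGIS code).

Assumptions: events are flat dicts with an OCSF-like shape (a `class` string,
a `session` id, an `actor` agent identity, an ISO-8601 `time` and a `detail`).
The stage order mirrors the kill chain above; the class-to-stage mapping,
the window and the min_stages threshold are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered kill-chain stages and the event classes that count as evidence for each.
KILL_CHAIN = [
    ("injection",        {"prompt_injection_suspected"}),
    ("tool_abuse",       {"tool_call_unauthorised", "tool_call_anomalous"}),
    ("credential_reuse", {"credential_reuse"}),
    ("exfiltration",     {"data_egress_anomalous"}),
]
STAGE_ORDER = [s for s, _ in KILL_CHAIN]
STAGE_BY_CLASS = {c: s for s, classes in KILL_CHAIN for c in classes}
WINDOW = timedelta(minutes=30)   # maximum span of one correlated incident


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, min_stages=3):
    """Return one incident per (actor, session) whose events hit >= min_stages in order."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_ts):
        stage = STAGE_BY_CLASS.get(e["class"])
        if stage is not None:
            by_key[(e["actor"], e["session"])].append((stage, e))

    incidents = []
    for (actor, session), seq in by_key.items():
        # Walk forward; an event counts only if its stage is at or after the last
        # accepted one, so out-of-order noise does not assemble a chain.
        chain, last_idx, first_time = [], -1, None
        for stage, e in seq:
            idx = STAGE_ORDER.index(stage)
            if idx < last_idx:
                continue
            if first_time is None:
                first_time = _ts(e)
            if _ts(e) - first_time > WINDOW:
                break
            if idx > last_idx:       # a new stage has been reached
                chain.append((stage, e))
                last_idx = idx
        stages = [s for s, _ in chain]
        if len(stages) >= min_stages:
            incidents.append({
                "actor": actor, "session": session, "stages": stages,
                "severity": "critical" if "exfiltration" in stages else "high",
                "events": [e for _, e in chain],
            })
    return incidents


# Constructed sample: four low-signal events from one agent session plus one
# unrelated anomaly from another agent. Ticket and session ids are made up.
SAMPLE_EVENTS = [
    {"time": "2026-05-17T09:00:00", "class": "prompt_injection_suspected",
     "actor": "svc-rag-07", "session": "s-4471", "detail": "support ticket #8812"},
    {"time": "2026-05-17T09:00:12", "class": "tool_call_anomalous",
     "actor": "svc-rag-07", "session": "s-4471", "detail": "internal search API"},
    {"time": "2026-05-17T09:01:30", "class": "credential_reuse",
     "actor": "svc-rag-07", "session": "s-4471", "detail": "token also seen in s-4470"},
    {"time": "2026-05-17T09:02:05", "class": "data_egress_anomalous",
     "actor": "svc-rag-07", "session": "s-4471", "detail": "12 MB to unknown host"},
    {"time": "2026-05-17T09:05:00", "class": "tool_call_anomalous",
     "actor": "svc-summarise-02", "session": "s-9001", "detail": "rate spike"},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["severity"], inc["actor"], inc["session"], " -> ".join(inc["stages"]))
```

With the default threshold the lone anomaly from `svc-summarise-02` never becomes an incident, which is the point of the design: each event stays low-signal on its own, and only the ordered chain within one identity and session is escalated.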

06

Investigate & respond

Reconstruct the full session, trace output back to its source, and respond in one click: revoke an agent, quarantine a model, roll back a prompt, isolate a store.

The gap today

After an AI incident, piecing together what the model saw, did and leaked across tools takes hours, but SEC disclosure is four days and attacker hand-off is 22 seconds.

Why you need it

Full session reconstruction and output-to-source lineage in one place, with one-click revoke, quarantine, rollback and isolate. Contain in minutes, with the evidence already written.

07

Model assurance

Drift, bias, and hallucination tracking for the models you build, wired into the same engine, so a quality regression also reads as a security signal.

The gap today

Drift, bias and hallucination sit in notebooks the SOC never sees; a regulated model going wrong is both a quality and a security failure, and nobody catches it in time.

Why you need it

The same engine tracks PSI drift, disparate impact and hallucination on your own models. A quality regression also fires as a security signal, with regulator-ready evidence (e.g. credit-risk PD under MAS / Basel III).
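The PSI drift check this layer refers to, as an added example that is not AEGIS code: scores from a baseline window are binned by their deciles, the current window is histogrammed on the same bins, and the Population Stability Index is mapped to the conventional 0.1 / 0.25 bands and emitted as a record a SOC pipeline can ingest. The score data is constructed with a seeded generator; the bin count, thresholds, severity mapping and model name are assumptions.

```python
"""PSI drift check for an in-house scoring model, surfaced as a security signal.

Added example, not AEGIS code. Data is constructed; the bin count, the
0.1 / 0.25 thresholds and the severity mapping are assumptions (the thresholds
are the bands commonly used for PSI in model-risk practice).
"""
import bisect
import math
import random


def quantile_edges(baseline, bins=10):
    """Interior bin edges taken from the baseline's quantiles (deciles by default)."""
    s = sorted(baseline)
    n = len(s)
    return [s[(i * n) // bins] for i in range(1, bins)]


def histogram(values, edges):
    """Fraction of values per bin; bins are (-inf, e0], (e0, e1], ..., (e_last, inf)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect.bisect_left(edges, v)] += 1
    return [c / len(values) for c in counts]


def psi(baseline, current, bins=10, eps=1e-6):
    """Population Stability Index: sum over bins of (cur - base) * ln(cur / base)."""
    edges = quantile_edges(baseline, bins)
    base = histogram(baseline, edges)
    cur = histogram(current, edges)
    return sum((c - b) * math.log((c + eps) / (b + eps)) for b, c in zip(base, cur))


def drift_signal(model, baseline, current):
    """Map PSI to the conventional bands and return a record the SOC can ingest."""
    value = psi(baseline, current)
    if value < 0.10:
        band, severity = "stable", None
    elif value < 0.25:
        band, severity = "moderate", "medium"
    else:
        band, severity = "significant", "high"
    return {"model": model, "psi": round(value, 4), "band": band,
            "security_signal": severity is not None, "severity": severity}


def constructed_scores(mean, n=5000, seed=7):
    """Deterministic stand-in for a window of model scores (constructed data)."""
    rng = random.Random(seed)
    return [rng.gauss(mean, 1.0) for _ in range(n)]


BASELINE = constructed_scores(0.0, seed=1)         # the validation-time distribution
CURRENT_STABLE = constructed_scores(0.0, seed=2)   # same population, fresh sample
CURRENT_SHIFTED = constructed_scores(1.0, seed=3)  # population has moved by one sigma

if __name__ == "__main__":
    print(drift_signal("credit-risk-pd", BASELINE, CURRENT_STABLE))
    print(drift_signal("credit-risk-pd", BASELINE, CURRENT_SHIFTED))
```

Fixing the bin edges on the baseline is what makes the index comparable across runs; recomputing edges on each current window would hide a shift. The same routine applied per input feature gives the per-feature drift monitoring listed under this layer.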

08

Continuous full-stack red team

Red teaming stops being a PDF from six weeks ago. It runs every day, inside the same data plane as your detections, and it doesn't just probe the model. It attacks the whole stack that hosts your AI: agents and their kill chains, MCP servers and tools, the model supply chain, non-human identities and secrets, the vector and data plane, and the cloud infrastructure underneath. Every finding sharpens a defence; every defence invites the next attack. Attack and defence become one loop. It is the product no point tool can rebuild.

The gap today

Red teaming is a six-week-old PDF describing a system that has already changed, and it only tested the model, not the agents, identity, supply chain or cloud beneath it.

Why you need it

Automated adversarial testing runs daily in the same data plane across the whole stack; every finding tunes a detection and opens a real incident, so you can answer "did our controls actually hold this quarter?" with proof.

Capabilities

Everything in AEGIS.

AI risk isn't in one neat place. It's across your models, your agents, your supply chain and your people. Here's every gap we close, so you're not buying ten more tools to find out where you stand.

01 Discovery & workforce AI

  • Continuous inventory: models, agents, MCP servers, vector stores, prompts, datasets
  • Shadow-AI discovery via browser, OAuth, network and code scanning
  • Employee AI use across the major productivity suites & their office AI assistants
  • Data-loss detection: PII, source code, secrets, PHI/PCI into any AI surface
  • Harmful-use detection with one-click block; complements CASB/DLP
  • Live dependency graph: which app uses which model, agent and tool

02 Supply chain & provenance

  • Cryptographic signature verification at ingestion and re-verification over time
  • Model namespace-reuse / substitution detection
  • Pickle & safetensors deserialisation scanning (nullifAI class)
  • CycloneDX ML-BOM and SPDX 3.0.1 AI/Dataset profiles
  • Dataset licence verification and provenance tracing
  • Continuous re-scan against new CVEs and threat intel

03 Identity for AI

  • Non-human identity governance for models, agents and MCP servers
  • Just-in-time, short-lived scoped credentials, destroyed on session end
  • Attribute- and intent-based access control for tool invocation
  • Tamper-evident audit receipt for every action
  • Native integration with your identity, PAM and access-governance tooling

04 Telemetry & data lake

  • Open, OCSF-aligned schema for every prompt, completion and tool call
  • Agent-to-agent (A2A) and MCP transaction capture
  • RAG retrieval, embedding query and vector-store events
  • GPU / DPU-level inference event capture
  • Pipes natively into your existing SIEM and observability stack

05 Correlation & the AI kill chain

  • Prompt injection → unauthorised tool-call chains
  • Compositional exfiltration: permitted actions that add up to a breach
  • System-prompt drift and tampering detection
  • Cross-session credential reuse by an agent identity
  • Membership inference and training-data extraction detection
  • Model namespace substitution between SDK pull and provenance

06 Investigation & response

  • Full multi-turn session reconstruction
  • Lineage: output → model → training data → retrieval source
  • Hallucination, jailbreak and exfiltration triage workflows
  • One-click: revoke agent, quarantine model, roll back prompt, isolate store
  • AI-native MITRE-style ATT&CK mapping

07 Model assurance & in-house AI

  • Population stability (PSI) and per-feature drift monitoring
  • AUC / Gini performance tracking with regression alerts on new versions
  • Disparate-impact & bias on protected attributes (e.g. age, geo proxy)
  • Explainability / SHAP coverage and unexplained-decision rate
  • Regulated-model risk packs (e.g. credit-risk PD under MAS / Basel III)
  • Integrates with your experiment-tracking and ML platform tools

08 Continuous full-stack red team

  • LLM: OWASP LLM Top 10, refreshed jailbreak & injection libraries
  • Agents: kill-chain execution, confused-deputy, compositional exfiltration
  • MCP & tools: tool-poisoning and description-injection
  • Supply chain: namespace-reuse, pickle deserialisation
  • Identity & secrets: over-scoped tokens, credential abuse
  • Cloud & infra: IMDS, GPU-node and container escape attempts
  • Data & network: vector-store egress and DLP-bypass simulation
  • Purple-team: every finding opens an incident in the same console

09 Compliance & governance

  • One-click automated audits, scored with an exportable report, for:
      • ISO/IEC 42001: clauses 4 to 10, plus Annex A
      • EU AI Act: Art. 9 to 15, Annex IV, post-market & incident duties
      • NIST AI RMF: GOVERN, MAP, MEASURE, MANAGE
      • Singapore IMDA: Model AI Governance Framework, GenAI & AI Verify
      • MAS FEAT principles & OWASP LLM / Agentic Top 10
      • SEC four-day blast-radius; SOC 2, GDPR, HIPAA, PCI DSS evidence packs

10 Executive & full reporting

  • Board-grade executive summary: posture score, top risks, trend
  • Full technical report across all eight layers with evidence
  • Regulated model-risk reports (e.g. credit-risk PD, MAS / Basel III)
  • Per-incident, red-team campaign and workforce-AI DLP reports
  • Signed, exportable PDF / JSON; immutable evidence log
  • Scheduled distribution to the CISO, board and regulators

That's the whole platform, not a slide deck.

A 30-minute guided run-through of the whole platform.

Book a demo

How it works

Live in a day. Value in a week.

No agents on every box, no rip-and-replace. AEGIS reads the signals your stack already emits and adds the ones it doesn't.

01

Connect

Point AEGIS at your clouds, gateways and SIEM with read-only roles and an OpenTelemetry collector. No code changes to your apps. Typical first connection: under an hour.

02

Discover

Within the first sweep you get a live inventory of every model, agent, MCP server and vector store, including the shadow AI nobody told you about, with owners and a dependency graph.

03

Defend

Correlation and the continuous red team turn on. Detections are exercised against live attacks daily, and every finding lands as an incident in the same console your SOC already works in.

Who uses it

The teams who never agree, finally on one screen.

Security leadership

Answer the board with evidence

How many agents do we run? What can they reach? Did our controls actually hold last quarter? AEGIS gives you the audit trail behind the answer: dashboards, evidence packs mapped to the EU AI Act, NIST AI RMF and ISO 42001, and disclosure-ready blast-radius reports.

The SOC

Investigate AI incidents, not tabs

One pane: prompts, tool calls, identities, models, and data flows. AI-native ATT&CK mapping, one-click containment, and detections that are exercised live by the red-team layer, so you know they work before an attacker tells you they don't.

ML & product

Ship your models with confidence

Drift, bias, fairness and robustness checks where data scientists already work. Push-button adversarial testing before release and regression alerts on every version. Security consumes the same signals downstream. Velocity without new exposure.

Why AEGIS

The tools you've already bought don't cover this.

What you run today | With AEGIS
Prompt firewalls

See text in, text out. Blind to tool calls, identity, lineage and supply chain. Nowhere to investigate.

AEGIS

The inline gateway is one of eight layers, all feeding one engine and one investigation console.

AI-BOM scanners

A snapshot in time, disconnected from runtime. No re-verification, no response.

AEGIS

Inventory is continuous and signed, and feeds detections that catch model substitution at runtime.

Red-team firms

A report describing a system that has already changed. No link to live detections.

AEGIS

Red teaming runs continuously in the same data plane. Findings tune detections the same day.

Hyperscaler bundles

One cloud's identity, SIEM and models. Multi-cloud teams are stranded.

AEGIS

Cloud-, model- and SIEM-agnostic. Built to sit on top of what you already run.

The stakes

The exposure is already here.

  • [figure not captured] of the Fortune 500 run active AI agents (Microsoft, 2026)
  • [figure not captured] of organisations lack full visibility into AI identities (Cybersecurity Insiders, 2026)
  • [figure not captured] of CISOs are confident they could contain a compromised agent (Cybersecurity Insiders, 2026)

EU AI Act enforcement lands August 2026. SEC disclosure is four business days. Median attacker hand-off is 22 seconds. The time to see your AI is before someone else does.

Integrations

Sits on top of what you run.

We instrument where the AI runs, not where it was built, and we don't ask you to rip out your SIEM.

Models & frameworks

Every major commercial LLM provider and managed model service, the common agent and orchestration frameworks, open agent protocols, and self-hosted inference servers. Same telemetry, same controls.

SIEM, XDR & identity

The major productivity suites and their built-in AI assistants for workforce-AI DLP. Your existing SIEM, XDR and observability stack. Your identity, PAM and governance tooling. Your ITSM and incident-workflow channels.

Compliance

EU AI Act Annex IV, NIST AI RMF, ISO/IEC 42001, OWASP LLM & Agentic Top 10, SEC disclosure, SOC 2, GDPR. Singapore IMDA, CSA, MAS; FCA, ECB, OCC.

The detail

What you actually get.

The questions your security, legal and procurement teams will ask in week one, answered here, not after you've signed an NDA.

Deployment: SaaS or in-VPC

Fully managed, or deployed inside your own cloud account. The data plane can run air-gapped.

Your data: Stays in your tenant

Telemetry is processed in your region. Prompt and completion content never leaves your boundary by default.

Access: SSO · SAML · SCIM

Works with any standards-based identity provider. Role-based access, scoped API tokens, full admin audit log.

Inline latency: < 40 ms p50

The optional inline gateway adds single-digit-to-low-tens of milliseconds. Monitor-only mode adds zero.

Availability: 99.9% SLA

Multi-region, active-active. Detections fail safe; telemetry is never dropped silently.

Regions: SG · EU · US

ap-southeast-1, eu-west-1, us-east-1. Data residency pinned per tenant.

Assurance: SOC 2 Type II

ISO 27001 in progress. Penetration-tested quarterly; the platform red-teams itself continuously.

Commercial: Platform + usage

Annual platform fee plus asset- and event-based metering, so cost rolls to the AI initiative budget.

Questions

Before you ask.

Do you replace our SIEM?

No. AEGIS is built to sit on top of the SIEM you already run. We make it AI-fluent and feed it correlated incidents in OCSF.

How is this different from an AI firewall?

A prompt firewall sees text in and text out. AEGIS also sees tool calls, agent identity, model lineage and supply chain, and correlates them. The gateway is one of eight layers, not the whole product.

Does our prompt data leave our environment?

Not by default. The data plane runs in your region or your VPC. You choose what is redacted before anything is stored, and content can stay entirely in your tenant.

Can you see employee AI use across our office suites?

Yes. AEGIS watches workforce AI across the major productivity suites: their built-in office AI assistants, connected GPTs and browser LLMs. It flags data loss (PII, source code, secrets or regulated data leaving into an AI surface) and harmful use, with the user, the data class and a one-click block. It complements your CASB and DLP rather than replacing them.

What does onboarding look like?

Read-only cloud roles plus a collector. The first inventory arrives with the first sweep; correlation and the continuous red team are typically live within the first week. No app code changes.

Which models and frameworks are supported?

Every major commercial LLM provider and managed model service, the common agent and orchestration frameworks, open agent protocols, and self-hosted inference servers. Same telemetry, same controls, wherever the AI runs.

Can it audit us against ISO 42001, the EU AI Act and Singapore's frameworks?

Yes. AEGIS runs one-click, scored conformity audits for ISO/IEC 42001, the EU AI Act, NIST AI RMF, the Singapore IMDA Model AI Governance Framework (incl. GenAI & AI Verify), MAS FEAT and OWASP. Each control is mapped to live platform evidence, with findings, remediation and an exportable report. Executive board packs and full technical reports are generated from the same live data.

Is the continuous red team safe to run in production?

Yes. Attacks run with safe-execution scaffolding against production-equivalent targets. Findings open as incidents in the same console; purple-team by design.

See the platform in action.

A 30-minute guided run-through of the platform. Tell us a little about your context and we'll focus on what matters to you.