v0.1 — research preview · A Bingran You preview

Security infrastructure for the agent era.

Your agents read the open web, install tools they discover at runtime, and write to memory you can’t inspect. Aegis is the layer that watches them, verifies them, and contains them — built so trust in agents can be proven, not assumed.

  • S/1 Status: Research preview · v0.1
  • S/2 Modeled threat surfaces: 47 / agent-era
  • S/3 Frameworks covered: OpenAI · Anthropic · LangChain · CrewAI · MCP
  • S/4 Memory backends mapped: Postgres · pgvector · LanceDB · Mem0

The premise

Agents are running in production with the security model of a browser tab — and the privileges of a CTO.

Today’s app-security stack was built for code that humans ship. Agents are code that ships itself, recompiles itself, and is steered by whatever it reads on the open web in the last 200ms.

Aegis assumes the agent is the new endpoint, the new supply chain, and the new attack surface — all at once.

0 ms is the average latency between an agent reading malicious content and acting on it.

Indirect prompt injection bypasses every existing AppSec layer because the attack lives in data the agent was told to trust.

12+ agent frameworks ship to production with no runtime sandbox.

Most agents inherit the operator's full shell, browser, mailbox and credentials. The blast radius of a compromise is the user's life.

is the half-life of a poisoned memory entry.

Once an attacker writes to a vector store an agent re-reads each turn, the compromise persists across sessions, machines and even teammates.

The platform

Four layers. One contract: verifiable trust in every agent action.

Each Aegis layer ships independently and emits the same evidence format. Adopt the one that hurts most today; compose the rest as your agents earn more privilege.

Platform overview
01 / Runtime

Aegis Sentinel

A 360° guard for the agent process.

Local CLI that audits an agent's runtime: scans installed tools, isolates compromised environments, scrubs leaked credentials and sweeps the agent's working memory between tasks.

  • Tool & MCP server fingerprinting
  • Credential & token leak sweep
  • Process isolation profiles
  • Compromised-state quarantine
02 / The web

Aegis Attest

TLS, but for whether a site is safe to feed to an agent.

A signed attestation layer that classifies websites and tools by adversarial risk before your agent loads them. Block prompt-injection traps, typo-squatted tools, and content farms designed to hijack agents.

  • Adversarial-content classifier
  • Tool authorship & supply-chain checks
  • Live attestation registry
  • Browser-level enforcement plugin
03 / Memory

Aegis Cleanse

Hygiene for agent memory — long-term, episodic, vector.

Detects and removes poisoned entries inside agent memory stores. Differential checkpoints, tainted-trace recovery, and policy-as-code rules for what may persist between sessions.

  • Memory-poisoning detector
  • Tainted-trace replay
  • Differential rollback
  • Retention policy enforcement
04 / Evidence

SecureBench

An adversarial benchmark agents must pass before they ship.

Versioned suites of red-team scenarios: tool-poisoning, indirect prompt injection, exfiltration via memory, social-engineered escalation. Get a verifiable score, not a vibes-based audit.

  • 200+ adversarial scenarios
  • Deterministic test environments
  • Per-framework score cards
  • Continuous regression tracking

Architecture

Beside the agent. Between the agent and the world.

Aegis runs as an out-of-process supervisor — not as middleware inside the agent loop. The agent can’t bypass it, prompt it, or talk it into stepping aside. Every read from the web, every write to memory, every tool spawn passes through a verified control plane.

  • Observe: all inputs, tool calls, and memory reads/writes are mirrored to a tamper-evident log.
  • Verify: each event is checked against attestation, policy, and adversarial classifiers in <2 ms.
  • Contain: on signal, Aegis quarantines the agent, snapshots state, and rolls memory back to the last clean checkpoint.
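The Observe / Verify / Contain loop above, as an added illustration that is not Aegis's own code: events are mirrored into a hash-chained log, a memory write whose provenance traces back to an untrusted web read is blocked, and containment rolls memory back to the last clean checkpoint. The event shape, the taint policy and the checkpoint mechanism are assumptions made for the example; the page does not describe Aegis's real formats.

```python
import hashlib
import json
# Constructed example (not Aegis code): Observe / Verify / Contain as a hash-chained
# event log, a taint policy for memory writes, and rollback to the last clean checkpoint.
GENESIS = "0" * 64

def chain_hash(prev, event):
    # Each entry commits to the previous hash, so editing any logged event breaks the chain.
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Supervisor:
    def __init__(self):
        self.log = []          # (event, chain_hash) pairs: the tamper-evident log
        self.memory = {}       # the agent's persistent store, key -> value
        self.checkpoint = {}   # last snapshot of memory known to be clean
        self.tainted = set()   # ids of inputs that arrived from untrusted sources
        self.quarantined = False

    def _record(self, event):
        prev = self.log[-1][1] if self.log else GENESIS
        self.log.append((event, chain_hash(prev, event)))

    def verify_chain(self):
        # Recompute every link; False if any logged event was altered after the fact.
        prev = GENESIS
        for event, h in self.log:
            if chain_hash(prev, event) != h:
                return False
            prev = h
        return True

    def observe(self, event):
        # Observe: mirror the event into the log before the policy decision is made.
        self._record(event)
        kind = event["kind"]
        if kind == "web_read" and event["trust"] == "untrusted":
            self.tainted.add(event["id"])  # taint follows the content, not the session
        elif kind == "checkpoint":
            self.checkpoint = dict(self.memory)
        elif kind == "memory_write":
            # Verify: a write whose provenance includes untrusted input may not persist.
            if self.tainted & set(event.get("derived_from", [])):
                return self._contain(f"write to {event['key']} derives from untrusted input")
            self.memory[event["key"]] = event["value"]
        return "ok"

    def _contain(self, reason):
        # Contain: quarantine the agent and roll memory back to the last clean checkpoint.
        self.quarantined = True
        self.memory = dict(self.checkpoint)
        self._record({"kind": "quarantine", "reason": reason})
        return "quarantined"
```

Writes made after the last checkpoint are discarded on containment, which is the cost of a coarse rollback; a finer differential rollback would replay only untainted writes.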

Diagram · 1.0: AGENT (Planner: tools · memory · plan) ── AEGIS (Sentinel: process & runtime; Attest: web & tools; Cleanse: memory; SecureBench: evidence) ── WORLD (WEB: untrusted; TOOLS: mcp · cli · api; MEMORY: vector · sql · file; HUMAN: chat · email · cmd)

Coverage on day one

We’re building Aegis to drop into the agent stacks teams are already running.

No SDK rewrite, no proprietary runtime. Aegis attaches at the process and network boundary; existing frameworks light up immediately.

OpenAI Agents
Anthropic Claude Code
Codex CLI
LangChain
LangGraph
CrewAI
AutoGen
MCP
LlamaIndex
Inkeep
Mem0
pgvector

A short history of why we’re here

Each capability we shipped to agents was a new attack surface we forgot to guard.

  1. 2023: Tool calling. Agents could call APIs.
  2. 2024: Multi-step. Agents could plan across calls.
  3. 2025: Persistent memory. Agents remembered between sessions.
  4. 2026: Autonomous workdays. Agents operate the user's machine for hours, unsupervised.
  5. Next: Aegis. A security layer that operates beside them, not after them.

Manifesto, in five lines

  1. An agent is a privileged user. Treat it like one.
  2. If a finding can’t be reproduced, it isn’t a finding.
  3. The web is hostile by default — agents must opt in to read it.
  4. Memory is not infrastructure. It’s an attack vector.
  5. Security for agents must be invisible to the human and inevitable to the agent.


Next move

Build the agent. Aegis watches its back.

Reserve a slot in the early-access program. We pair with twelve teams in 2026 — pick one threat model, ship verifiable evidence in a week.