Open-source · MIT · v0.1.0
Every tool call — classified, gated, audited. Zero code change.
Same code either way. Watch the 90-second tour → · Compare the two paths
Describe the rule
Block USDC > $10,000 to
non-allowlisted wallets. Require 2 of finance-ops.
rule: "stablecoin-egress-2of2" when: - tool.name == "circle_usdc_transfer" - amount > 10_000_00 - wallet NOT IN treasury.allowlist require: approvers: 2 scope: "finance-ops" action: ESCALATE
Live · acme-pay · refund-agent
stripe.refund · $47.00 285 ms ALLOW coinbase_prime.deposit · 3,200 USDC 412 ms ALLOW circle_usdc.transfer · 24,500 USDC → 0x7f31…aE92 12 ms ESCALATE ↑ stablecoin-egress-2of2 · wallet not on treasury allowlist · needs 2 approvers
Merkle log · acme-pay · 14,829 events / 24h
witness.aegistraces.com Compatible with the stacks teams already ship
What you see
One dashboard surfaces every agent decision, every block, every anomaly — across every workflow you ship.
What it does
Pre-deploy scan
Point AEGIS at any agent codebase. Tree-sitter AST across Python / JS / TS finds every tool call, every framework, every credential — and proposes a starting policy before the first deploy.
Plain English → Policy
No DSL to learn. Type one sentence — "block emails to personal addresses during checkout" — and AEGIS emits a grammar-constrained policy your gateway can enforce instantly. Auditable, reversible, version-controlled.
Describe the rule
Block emails to personal addresses during checkout flow. Allow [email protected] but flag anything to gmail, outlook, or icloud.
↓ ✨ Generate
rule: "block-personal-email-in-checkout" when: - tool.name == "send_email" - context.workflow == "checkout" recipient: deny: ["@gmail.com", "@outlook.com"] allow: ["@acme.io"] action: BLOCK
Runtime block
The same gateway that serves your agents enforces every policy. Allow, escalate, block — decided before the call ever leaves your network. PII redacted, anomalies surfaced, every decision cryptographically chained.
Forensic audit
Every block lands in a Merkle-chained log. Group by policy to find the rule that's actually firing. Filter by CRITICAL / HIGH / MEDIUM / LOW. Hand the same pack to your auditor that you'd hand to an incident responder.
Agent registry
Every agent registers once and stays accountable: status, owner, scope, secret rotation, last-seen environment. One place to suspend a misbehaving agent, rotate a key, or grant a new scope.
Coverage
Pull up a per-agent coverage report at any time: which tools are policy-gated, which categories have only audit coverage, which CVE detectors are subscribed. No mystery gaps when the auditor asks "what's enforced?"
Beyond the call
Single-call inspection misses three classes of attack: tainted data resurfacing from memory hours later, undeclared agent-to-agent crossings, and sensitive values that appear in tool arguments without ever being in the user prompt. AEGIS surfaces them as a distinct layer.
5-minute integration
import openai
client = openai.OpenAI(
api_key="sk-xxxx"
)OPENAI_BASE_URL=https://gateway.aegistraces.com/openai/v1
AEGIS_API_KEY=aeg_xxx
# code unchangedvs. the category
| Capability | AEGIS | Others |
|---|---|---|
| Cryptographic audit (Merkle + witness) | RFC 6962, built-in | none |
| Sequence-aware anomaly | n-gram LM, per-agent | single-call only |
| Multi-agent collusion | burst / relay / cycle | single-agent only |
| Workflow → per-node policy | 5 frameworks | none |
| Counterfactual explainer | verified by re-validation | partial |
| AST scan rules | tree-sitter + YAML | regex only |
| GenAI OTel semconv | full | proprietary |
| SCIM + SAML + OIDC | all three | one or the other |
| Policy effectiveness scoring | P/R/F1 + retire signal | none |
| License | MIT | closed |
From the field
Assistant Professor, USC · AI Risk Audit & Control
@AEGIS is the runtime control layer the agent ecosystem has been missing. The architecture is clean, the cryptographic audit is real, and the DSL is the right primitive.
Head of AI · healthcare SaaS
HIPAA review used to take six months. With @AEGIS we got the evidence pack in two weeks and the auditor signed off without a follow-up call.
CTO · payments infra
Our refund agent shipped to production the day after we wired @AEGIS in. Two reviewers, three policies, ten minutes. The audit log alone saved us a six-week SOC 2 cycle.
CISO · neobank
We tried to write our own policy DSL twice and shipped neither. @AEGIS gave us grammar-constrained NL-to-DSL the same week we integrated. Three policies in production by Friday.
Staff Engineer · healthcare AI
The Memory & Cross-Agent layer in @AEGIS caught two undeclared crossings on day one — neither was in our threat model. We standardized on it for all agent rollouts.
Founder · agent observability · YC W26
The Merkle audit log is a real moat. Every other guard product I evaluated stores decisions in plain Postgres. @AEGIS is the only one I'd hand to an auditor.
Head of DevRel · Web3 ops
Stablecoin transfers used to require a human on every $10k+ wire. With @AEGIS the policy enforces 2-of-N approval automatically. Our ops team got their evenings back.