Every agent, every endpoint, every MCP call, visible, governed, provable.
Alyria puts a signed, user-space agent, Beacon, on every endpoint, because the endpoint is where AI agents actually run. Beacon inventories the AI layer continuously: every agent and CLI, every version, every MCP server configuration, flagged for hygiene and exposure. Policy is evaluated locally against every MCP call: monitor first, enforce when you’re ready. Every decision lands in a hash-chained, tamper-evident audit trail. Fleet data is encrypted under keys in your KMS: revoke the key, and you can watch our access die in your own CloudTrail. No kernel driver. Nothing to rip out. The read-only assessment intercepts nothing; enforcement is opt-in and monitor-first.
One request, authorized on the machine.
The hot path never touches a cloud. A request is intercepted, decided, secret-injected, and recorded locally — so enforcement keeps working with the network unplugged.
01 Agent request
MCP: An agent on the endpoint issues an MCP tool call or model request. It never leaves the machine to be authorized.
02 Beacon intercepts
Local: The signed local daemon holds the call at a local policy service — inside the same process boundary the work runs in, not out at a gateway.
03 Lyra decides
APG: Capability-brokered, information-flow-aware policy-as-code evaluates the call: which tool, which model, which data, which egress. Deterministic and sub-millisecond.
04 Umbra leases the secret
BYOK: If the call needs a credential, Umbra injects a short-lived lease under your keys. Nothing is written to disk.
05 Inference & egress
Enforced: Only an allowed call proceeds, to the model or the network, with prompt-injection defenses applied inline. Start in monitor mode to see what enforcement would do before you turn it on.
06 Spectra records
ADR: The decision, the trajectory, and the outcome are emitted as signed OpenTelemetry — to Observatory or straight into your Elastic/Kibana SIEM.
cloud hop to authorize a call
A cloud gateway adds a network round-trip to every model and tool call. In an agentic loop those seconds stack. Alyria decides in-process.
Works offline
Policy is pulled and cached locally. If the machine loses network — or the SaaS is down — enforcement, secret leasing, and detection keep running. Telemetry buffers and drains later.
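The decide and record steps of the flow above, as an added sketch that is not Alyria code: a local allow-list decision in monitor or enforce mode, with each decision appended to a hash chain that can be checked for edits. The record fields, the `GENESIS` value and the tool names are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def _digest(prev_hash, body):
    # Canonical JSON so the same body always hashes the same way.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditChain:
    def __init__(self):
        self.records = []

    def append(self, body):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"prev": prev, "body": body, "hash": _digest(prev, body)})

def verify(records):
    """Return the index of the first record that breaks the chain, or -1."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["body"]):
            return i
        prev = rec["hash"]
    return -1

def authorize(call, allowed_tools, mode, chain):
    """Decide locally and record. Monitor mode logs a deny but lets the call run."""
    verdict = "allow" if call["tool"] in allowed_tools else "deny"
    proceeds = verdict == "allow" or mode == "monitor"
    chain.append({"agent": call["agent"], "tool": call["tool"],
                  "mode": mode, "verdict": verdict, "proceeds": proceeds})
    return proceeds

if __name__ == "__main__":
    chain = AuditChain()
    allowed = {"fs.read"}                                  # constructed allow-list
    call = {"agent": "demo-agent", "tool": "shell.exec"}   # constructed call
    print(authorize(call, allowed, "monitor", chain))      # proceeds, recorded as deny
    print(authorize(call, allowed, "enforce", chain))      # blocked
    chain.records[0]["body"]["verdict"] = "allow"          # simulated tampering
    print(verify(chain.records))                           # index of the edited record
```

The sketch omits signing: unless the latest hash is signed or stored somewhere the log writer cannot reach, anyone who can rewrite the log can recompute the whole chain.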
Encrypted under keys you hold. Cut us off, verifiably.
Your audit chain and fleet data are encrypted under a key that lives in your KMS, not ours. The static blobs we store are opaque to us at rest. In every pilot we run the kill-switch drill: you revoke the key, watch our access die in your own CloudTrail, and never take our word for anything.
umbra.blob {
alg: xchacha20-poly1305
ct: 9f3a·c1e0·77b2·…
key: ∅ not present
}
Stored under a key held in your KMS. A breach of our cloud yields static blobs that are opaque to us at rest.
A cloud gateway becomes the breach target
To inspect, route, and attribute a call, a cloud control plane has to decrypt it. That makes the plane itself the highest-value target: one breach exposes every customer’s prompts, outputs, and secrets. You are forced to trust it.
Alyria holds blobs under your keys
Fleet data is encrypted under a key in your KMS. What we store is a static blob, opaque to us at rest. Run the kill-switch drill: revoke the key and watch our access die in your own CloudTrail. Verifiable, not promised.
Two planes govern. One plane sees what a gateway can’t.
Planes A and C govern inference and network at the endpoint, monitor first. Plane B adds user-space runtime observation of local agent activity a cloud proxy never sees, all feeding one tamper-evident audit trail.
Plane A — Inference control
Evaluates model and MCP calls in-process. Monitor first, then apply allow/deny, model routing, and prompt-injection defenses when you're ready to enforce.
- Per-agent capability + model policy
- Inline prompt-injection screening
- Tool and MCP-server allow-listing
Plane B — Runtime observation
Process- and config-level telemetry for agent activity, from user space. No kernel driver.
- User-space runtime observation, no hooking
- Sees shadow / local AI outside any gateway
- Signed evidence feeding the audit trail
Plane C — Network egress control
Observes where data goes at the socket and DNS layer. Egress policy runs locally: monitor first, enforce when you're ready.
- DNS + socket-level allow/deny
- Egress monitoring and destination policy
- Deterministic, offline-capable enforcement
Monitor first, enforce when ready. Under your keys.
APG and ADR are two sides of one platform: prevention and detection, on one engine and one tamper-evident audit chain.
Agent Policy Governance
Prevention: what an agent may do
- Lyra policy-as-code, brokered capabilities
- Evaluated at the endpoint by Beacon planes A and C
- Umbra leases secrets with zero standing credentials
Agent Detection & Response
Detection: what an agent did
- Beacon plane B user-space runtime observation
- Spectra correlation and trajectory analysis
- Observatory response over one signed audit log
Six modules, one platform.
Each component does one job well and shares one identity, one policy engine, and one signed audit trail. Open any of them for the detail.
Beacon: Node agent
A signed, user-space agent that inventories and governs where agents run.
Observatory: Cloud console
Alyria Cloud: signup, SSO, and fleet/tenant dashboards.
Lyra: Policy-as-code
The capability-brokered, information-flow-aware policy engine.
Constellation: Mesh + shared memory
The agent mesh and shared org memory, spoken over MCP.
Spectra: Telemetry
Collect local OTel and route it to the cloud or your SIEM.
Umbra: Agent secrets
Secrets and fleet data under your keys, moving toward keys we never hold.
Shared org memory, scoped by who’s asking.
Beacons form a Constellation — a context and knowledge plane spoken over MCP. Agents and engineers recall curated facts and ingested docs, but only what their identity permits.
- Access is scoped by division and role, resolved from your IdP groups — a CTO reads software-dev, exec, and data, never HR.
- Multi-tenant by construction: tenantId is the outermost gate, with no admin escape hatch.
- Enforced twice from one source of truth — row policy for CRUD and an identical pre-filter on vector search, so they can't drift.
- A prompt-injection content-safety layer screens every write and recall.
One ACL over curated Memory and ingested DocumentChunk corpora — non-secret facts are promotable to a global scope.
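The "enforced twice from one source of truth" rule above, as an added sketch that is not Alyria code: one predicate gates both the CRUD read and the vector-search pre-filter, so the two paths cannot disagree. The group-to-division map, row layout and function names are assumptions; only the CTO example (software-dev, exec and data, never HR) comes from the page.

```python
import math

# Assumed mapping from IdP group to readable divisions (hypothetical names).
GROUP_DIVISIONS = {
    "cto": {"software-dev", "exec", "data"},
    "hr-partner": {"hr"},
}

def can_read(principal, row):
    """The single predicate shared by CRUD reads and vector search."""
    if row["tenantId"] != principal["tenantId"]:  # outermost gate, no bypass
        return False
    allowed = set()
    for group in principal["groups"]:
        allowed |= GROUP_DIVISIONS.get(group, set())
    return row["division"] in allowed

def get_row(principal, rows, row_id):
    """CRUD read path: a row the caller may not read looks like a missing row."""
    for row in rows:
        if row["id"] == row_id and can_read(principal, row):
            return row
    return None

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def vector_search(principal, rows, query, k=3):
    """Filter before ranking, so unreadable rows never compete for the top-k
    and their existence cannot be inferred from gaps in the results."""
    visible = [r for r in rows if can_read(principal, r)]
    ranked = sorted(visible, key=lambda r: cosine(query, r["vec"]), reverse=True)
    return [r["id"] for r in ranked[:k]]

# Constructed sample corpus and principal.
ROWS = [
    {"id": "m1", "tenantId": "t1", "division": "software-dev", "vec": [1.0, 0.0]},
    {"id": "m2", "tenantId": "t1", "division": "hr", "vec": [0.9, 0.1]},
    {"id": "m3", "tenantId": "t2", "division": "exec", "vec": [1.0, 0.0]},
    {"id": "m4", "tenantId": "t1", "division": "data", "vec": [0.0, 1.0]},
]
CTO = {"tenantId": "t1", "groups": ["cto"]}
```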
Govern at the endpoint. Under your keys.
Deploy a signed, user-space Beacon read-only, inventory every agent and MCP call, and govern them under keys you hold. No kernel driver. Nothing to rip out.