The platform

Every agent, every endpoint, every MCP call, visible, governed, provable.

Alyria puts a signed, user-space agent, Beacon, on every endpoint, because the endpoint is where AI agents actually run. Beacon inventories the AI layer continuously: every agent and CLI, every version, every MCP server configuration, flagged for hygiene and exposure. Policy is evaluated locally against every MCP call: monitor first, enforce when you’re ready. Every decision lands in a hash-chained, tamper-evident audit trail. Fleet data is encrypted under keys in your KMS: revoke the key, and you can watch our access die in your own CloudTrail. No kernel driver. Nothing to rip out. The read-only assessment intercepts nothing; enforcement is opt-in and monitor-first.

The data path

One request, authorized on the machine.

The hot path never touches a cloud. A request is intercepted, decided, secret-injected, and recorded locally — so enforcement keeps working with the network unplugged.

  1. Agent request (MCP)

    An agent on the endpoint issues an MCP tool call or model request. It never leaves the machine to be authorized.

  2. Beacon intercepts (Local)

    The signed local daemon holds the call at a local policy service — inside the same process boundary the work runs in, not out at a gateway.

  3. Lyra decides (APG)

    Capability-brokered, information-flow-aware policy-as-code evaluates the call: which tool, which model, which data, which egress. Deterministic and sub-millisecond.

  4. Umbra leases the secret (BYOK)

    If the call needs a credential, Umbra injects a short-lived lease under your keys. Nothing is written to disk.

  5. Inference & egress (Enforced)

    Only an allowed call proceeds, to the model or the network, with prompt-injection defenses applied inline. Start in monitor mode to see what enforcement would do before you turn it on.

  6. Spectra records (ADR)

    The decision, the trajectory, and the outcome are emitted as signed OpenTelemetry — to Observatory or straight into your Elastic/Kibana SIEM.

0 ms cloud hop to authorize a call

A cloud gateway adds a network round-trip to every model and tool call. In an agentic loop those seconds stack. Alyria decides in-process.

Works offline

Policy is pulled and cached locally. If the machine loses network — or the SaaS is down — enforcement, secret leasing, and detection keep running. Telemetry buffers and drains later.

Trust, verifiable

Encrypted under keys you hold. Cut us off, verifiably.

Your audit chain and fleet data are encrypted under a key that lives in your KMS, not ours. The static blobs we store are opaque to us at rest. In every pilot we run the kill-switch drill: you revoke the key, watch our access die in your own CloudTrail, and never take our word for anything.

Endpoint A (plaintext): agent-svc-eu, holds the key
Alyria Cloud (ciphertext):
umbra.blob {
  alg: xchacha20-poly1305
  ct:  9f3a·c1e0·77b2·…
  key: ∅ not present
}

Stored under a key held in your KMS. A breach of our cloud yields static blobs that are opaque to us at rest.

Endpoint B (plaintext): agent-worker-us, holds the key

A cloud gateway becomes the breach target

To inspect, route, and attribute a call, a cloud control plane has to decrypt it. That makes the plane itself the highest-value target: one breach exposes every customer’s prompts, outputs, and secrets. You are forced to trust it.

Alyria holds blobs under your keys

Fleet data is encrypted under a key in your KMS. What we store is a static blob, opaque to us at rest. Run the kill-switch drill: revoke the key and watch our access die in your own CloudTrail. Verifiable, not promised.

Three planes of Beacon

Two planes govern. One plane sees what a gateway can’t.

Planes A and C govern inference and network at the endpoint, monitor first. Plane B adds user-space runtime observation of local agent activity a cloud proxy never sees, all feeding one tamper-evident audit trail.

Plane A: Inference control (APG · Enforcement)

Evaluates model and MCP calls in-process. Monitor first, then apply allow/deny, model routing, and prompt-injection defenses when you're ready to enforce.

  • Per-agent capability + model policy
  • Inline prompt-injection screening
  • Tool and MCP-server allow-listing
Plane B: Runtime observation (ADR · Detection)

Process- and config-level telemetry for agent activity, from user space. No kernel driver.

  • User-space runtime observation, no hooking
  • Sees shadow / local AI outside any gateway
  • Signed evidence feeding the audit trail
Plane C: Network egress control (APG · Enforcement)

Observes where data goes at the socket and DNS layer. Egress policy runs locally: monitor first, enforce when you're ready.

  • DNS + socket-level allow/deny
  • Egress monitoring and destination policy
  • Deterministic, offline-capable enforcement
Two pillars, one platform

Monitor first, enforce when ready. Under your keys.

APG and ADR are two sides of one platform: prevention and detection, on one engine and one tamper-evident audit chain.

APG

Agent Policy Governance

Prevention: what an agent may do

  • Lyra policy-as-code, brokered capabilities
  • Evaluated at the endpoint by Beacon planes A and C
  • Umbra leases secrets with zero standing credentials
ADR

Agent Detection & Response

Detection: what an agent did

  • Beacon plane B user-space runtime observation
  • Spectra correlation and trajectory analysis
  • Observatory response over one signed audit log
The mesh

Shared org memory, scoped by who’s asking.

Beacons form a Constellation — a context and knowledge plane spoken over MCP. Agents and engineers recall curated facts and ingested docs, but only what their identity permits.

  • Access is scoped by division and role, resolved from your IdP groups — a CTO reads software-dev, exec, and data, never HR.
  • Multi-tenant by construction: tenantId is the outermost gate, with no admin escape hatch.
  • Enforced twice from one source of truth — row policy for CRUD and an identical pre-filter on vector search, so they can't drift.
  • A prompt-injection content-safety layer screens every write and recall.
constellation · recall (MCP)
  • CTO · exec resolves to: software-dev, exec, data
  • Eng · software-dev resolves to: software-dev
  • Any role: hr is outside division

One ACL over curated Memory and ingested DocumentChunk corpora — non-secret facts are promotable to a global scope.
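
An added sketch, not Alyria's code, of the "enforced twice from one source of truth" idea above: a single predicate backs both the CRUD row check and the vector-search pre-filter, so the two paths cannot disagree. The role map, record fields, sample store, and the choice to keep the global scope inside a tenant are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role -> readable divisions; the page resolves this from IdP groups.
ROLE_DIVISIONS = {"cto": {"software-dev", "exec", "data"}, "eng": {"software-dev"}}

@dataclass(frozen=True)
class Identity:
    tenant_id: str
    role: str

@dataclass(frozen=True)
class Record:
    tenant_id: str
    division: str        # "global" marks a promoted, non-secret fact (assumed)
    text: str
    embedding: tuple

def can_read(who: Identity, rec: Record) -> bool:
    """The one access predicate shared by both read paths."""
    if rec.tenant_id != who.tenant_id:      # outermost gate, no role bypasses it
        return False
    if rec.division == "global":
        return True
    return rec.division in ROLE_DIVISIONS.get(who.role, set())

def get_record(who: Identity, store: list, idx: int) -> Record:
    """CRUD read path: row policy."""
    rec = store[idx]
    if not can_read(who, rec):
        raise PermissionError("row policy denied read")
    return rec

def vector_search(who: Identity, store: list, query: tuple, k: int = 3) -> list:
    """Vector path: filter BEFORE ranking, so denied rows never occupy top-k."""
    allowed = [r for r in store if can_read(who, r)]
    def score(r: Record) -> float:
        return sum(a * b for a, b in zip(r.embedding, query))
    return sorted(allowed, key=score, reverse=True)[:k]

# Constructed sample data.
STORE = [
    Record("t1", "software-dev", "build runbook", (1.0, 0.0)),
    Record("t1", "hr", "salary bands", (0.9, 0.1)),
    Record("t1", "exec", "board notes", (0.2, 0.8)),
    Record("t1", "global", "office wifi name", (0.5, 0.5)),
    Record("t2", "software-dev", "other tenant runbook", (1.0, 0.0)),
]

if __name__ == "__main__":
    for role in ("eng", "cto"):
        hits = vector_search(Identity("t1", role), STORE, (1.0, 0.0))
        print(role, [r.text for r in hits])
```

Filtering after ranking instead would let the HR and other-tenant rows consume top-k slots and leak through result counts; the pre-filter avoids both.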

Govern at the endpoint. Under your keys.

Deploy a signed, user-space Beacon read-only, inventory every agent and MCP call, and govern them under keys you hold. No kernel driver. Nothing to rip out.