Aegis — Kernel-Level DLP for AI Apps
Aegis
Book a Call
KERNEL-LEVEL DLP FOR AI APPS

Shadow AI is your enterprise's blind spot.

Aegis stops it at the kernel.

Your teams already paste code, keys and customer data into AI apps. Aegis intercepts every flow at the OS layer and blocks sensitive data before it leaves the device.

ENFORCED ACROSS
Claude Claude
Cursor Cursor
VS Code VS Code
GitHub Copilot Copilot
ChatGPT ChatGPT
SCROLL ↓
AN ORDINARY TUESDAY · UNMANAGED FLEET

It's already happening on your laptops.

CLAUDE DESKTOP · ENG
api_key_prod pasted for "quick help"
CURSOR · PLATFORM
payments-service repo sent for "debugging"
CHATGPT · SUPPORT
customer ticket thread pasted for a draft reply
COPILOT · ENG
auth architecture diagram uploaded
CLAUDE CODE · INFRA
prod .env attached to a prompt
CLAUDE COWORK · SUCCESS
customers_q3.csv shared in a team session
VS CODE · DATA
notebook with prod credentials sent to a chat extension
NONE OF IT WAS SEEN 47 days average time exfiltration goes undetected (Verizon DBIR)
89% of enterprises don't know who uses which AI tools (Gartner, 2026)
60% of AI IDEs route straight past the system proxy; native binaries ignore HTTPS_PROXY
$4.9M average cost of a breach (IBM, 2025) · a single leak dwarfs the cost of prevention
WHY KERNEL-LEVEL

Your proxy never saw any of it leave.

Native binaries ignore HTTPS_PROXY. CLIs open direct TLS connections. Web apps route around appliances inside the browser sandbox. If enforcement lives above the operating system, AI traffic simply goes underneath it.

EVERYTHING YOU ALREADY OWN

Four controls. Four bypasses.

01
01 · SYSTEM PROXY
ChatGPT, Claude Desktop and VS Code are native binaries. They never read HTTPS_PROXY.
BYPASSED
02 · NETWORK APPLIANCE
Claude Code and Cursor open direct TLS connections. Your appliance sees ciphertext to a CDN.
BYPASSED
03 · BROWSER CONTROLS
Claude Cowork runs in the browser sandbox. Session traffic routes around your policies.
BYPASSED
04 · ENDPOINT DLP
It watches the clipboard. LLM prompts travel in API request bodies it never inspects.
BYPASSED
SCROLL ↓ TO SEE WHAT CATCHES IT

This is what the kernel catches.

secops@fleet-mbp: ~ — aegis-ne — 120×32
secops@fleet-mbp ~ % aegis tail --enforce --follow
aegis-ne v1.4.2 · NE system extension attached · watching 6 AI-app hosts · ctrl-c to detach
[10:47:12] flow #4821 intercepted at kernel · claude-desktop → api.anthropic.com:443
[10:47:12] whitelisted AI-app host → routed to in-line inspection
[10:47:12] tls decrypted (on-device) · scanning: credit cards, api keys, secrets, custom patterns
[10:47:12] parser: json ok · grpc ok · protobuf ok
[10:47:13] pattern match · AWS access key (AKIA…) in prompt body
[10:47:13] ✗ VERDICT: BLOCK · payload never left the device
[10:47:13] user notified inline · policy: secrets/aws-access-key
[10:47:13] audit: "User A attempted to share aws_access_key in Claude Desktop" → portal · siem export ok
[10:47:15] ✓ flow #4822 chatgpt clean · passed unchanged → api.openai.com
[10:47:15] all non-AI traffic: tunneled · untouched · unread
# the employee keeps working. the data stays home.
# no vpn, no pop-ups, no behavior change — enforcement no app can route around.
secops@fleet-mbp ~ %
scroll to follow the flow ↓

The stack behind the terminal.

THREE LAYERS · NOTHING ROUTES AROUND
01 Kernel interception A Network Extension (NE) sees every TCP connection at the OS layer and whitelists only AI-app hosts. Apps can't route around it.
02 Transparent in-line inspection AI-app TLS is decrypted on-device and parsed — JSON, gRPC, protobuf — while everything else tunnels through untouched.
03 Content verdicts Credit cards, API keys, secrets and your custom patterns are blocked before transmission — and every verdict is logged.
PRIVACY & TRUST ON-DEVICE · NOTHING STORED

Inspection without surveillance.

Only whitelisted AI-app hosts are decrypted, on the device itself. Employees are informed; enforcement is policy-based. Audit logs carry verdicts, never content.

All other traffic tunnels through fully encrypted
No browsing history, email or personal apps
No prompt payloads stored anywhere
Eclipse glow
SCOPE OF DECRYPTION api.anthropic.com · api.openai.com · api2.cursor.sh · copilot endpoints Everything else: untouched, unread, unlogged.
Claude Cowork session
A B C
A pastes api_key_prod into the shared context
Aegis blocks it before it reaches the session. B and C never see it. The log knows who tried.
TEAM COLLABORATION EVERY PARTICIPANT COVERED

Shared sessions, covered.

Claude Cowork multiplies exposure: shared prompts, shared artifacts, one-click uploads, no per-user trail. Aegis enforces policy for every participant at the network layer and attributes every attempt in the audit log.

Collaboration stays productive. Data stays protected.

Why security teams pick Aegis.

PURPOSE-BUILT FOR AI TRAFFIC
Prevents, not just detects Sensitive data is blocked before it reaches the LLM, not flagged after.
Unbypassable by design Kernel-level enforcement on managed Macs; not a proxy, not an agent, and users can't disable it.
Full Claude ecosystem Desktop, Code and Cowork, plus gRPC/protobuf parsing for Cursor.
Invisible to users No VPN, no MDM, no install wizard. Developer ID native on macOS.
NE architecture proven at Bitdefender-class scale gRPC/protobuf parsing on live Cursor traffic 100+ concurrent flows · zero user friction
DEPLOYMENT ROLLOUT IN MINUTES

Runs quietly in your fleet.

Developer ID-signed installer; MDM optional for fleet-wide push
macOS today, native NE; Windows agent on the roadmap
Fail-safe by policy: AI-app traffic fails closed; everything else unaffected
Your definitions: custom patterns for internal key formats, codenames, PII
COMPLIANCE EVIDENCE, NOT PROMISES

The trail your auditors ask for.

GDPRArt. 32 technical measures; PII blocked before it leaves the device
SOXPer-user, per-app enforcement with tamper-evident logs
HIPAAPHI patterns detected and blocked across all AI apps
SIEMEvery flow is a logged, attributable verdict; exports to Splunk or Sentinel

Two weeks to full visibility.

NO IT INFRASTRUCTURE NEEDED
DAY 1 Install on a pilot group Signed installer on ten machines; no proxy config, no VPN profile.
WEEK 1 Shadow AI visibility report Who uses which AI apps, and what nearly leaked; observe-only mode.
WEEK 2 Enforcement on Blocking and audit logs across the pilot; expand to the fleet when ready.

The questions your red team will ask.

STRAIGHT ANSWERS
Can a user just uninstall it? Not without admin approval — removal requires elevated rights and alerts your security team. Users can't disable, pause or route around the extension from their session.
What does the employee see when something is blocked? An inline notice with the exact policy reason — no silent failures, no mystery errors. The rest of their session keeps working.
Does this slow the machine down? Only AI-app flows are inspected; everything else tunnels straight through. Tested at 100+ concurrent flows with no visible latency.
What about personal devices and hotspots? Aegis protects managed devices — enforcement travels with the machine, on any network, VPN or hotspot. Unmanaged personal hardware is a policy conversation, not a technical one; the pilot's visibility report shows you how much of your exposure is on managed machines today.
Are you reading our prompts? No. Inspection happens on the device and nothing is stored — audit logs carry verdicts ("blocked: aws-access-key"), never content. See Privacy & Trust.
START A PILOT DAY 1 INSTALL · WEEK 1 REPORT · WEEK 2 ENFORCEMENT
Stop the leak. At the kernel.
pilots@aegis.example Book a Call