All five layers ship with the mechanism wired at GA. Where any layer’s content is partial (no campaigns active; the IoC feed empty), the surface displays the partial state honestly — see the calm-at-GA contract.
L0 — Axis identity
Every evaluation, checkpoint, and trace row that flows through Safe House is stamped server-side with four axis-identity fingerprints:substrate_id— the AI substrate the agent ran on (<provider>:<model>at minimum; see Substrate fingerprint for the full composition).vertical_id— the customer industry vertical the agent serves (enum).pattern_fingerprint— the canonicalized hash of the detection pattern that matched (or the empty pattern, for unflagged evaluations).source_fingerprint— the canonicalized hash of the request source identity (channel + principal class + region).
integrity_checkpoints, arena_attempts, sideband_analyses) so every historical row carries axis identity as well.
L0 is the foundation of every upstream layer: the aggregator (L1) buckets by axis; the under-attack overlay (L2) elevates per-axis; the Managed Rules push (L3) targets per-axis. Without L0, none of the cross-tenant primitives have a substrate to operate on.
L1 — Cross-tenant aggregator
L1 maintains rolling stats per axis-bucket. For each(axis, bucket, window) triple — substrate × 24h, vertical × 1h, pattern × 6h, etc. — the aggregator counts detection events, computes baseline rate, and triggers state transitions when the rolling delta crosses thresholds.
The wire format readable by customers is GET /v1/network/threat-state. The endpoint returns per-axis arrays of { bucket, threat_level, updated_at } objects; the threat_level enum is calm | elevated | high | under_attack. The aggregator’s internal table schema is not part of the public surface; what is on the wire is documented in Threat state response schema.
L2 — Under-attack overlay
L2 is a composition-layer auto-elevation. When an axis-bucket transitions tohigh or under_attack, AEGIS inserts an under-attack overlay layer between Platform and Org in the card cascade — present only during the campaign, removed when the bucket falls back to calm. The overlay tightens detection thresholds and surfaces the elevation to the affected customers.
Under-attack ceiling — additive ratcheting, not override
L2 honors a customer-configured elevation ceiling. The platform may auto-ratchet protection up to the ceiling; it does not override the customer’s hard configured maximum. This matches the Cloudflare “I’m Under Attack” pattern:- Normal posture —
enforcement_modeduring calm conditions (off / observe / nudge / enforce). - Elevation ceiling — maximum AEGIS may auto-ratchet to during a campaign. Default
enforce(full headroom); customers may clamp lower.
Three honest customer scenarios
The third scenario surfaces a key insight: the under-attack overlay is not just
enforcement_mode ratcheting — it is a whole overlay layer of “what under_attack means.” Most of the integrity-side primitives (canaries planted, credential issuance frozen, full AIP proofs) kick in regardless of customer ceiling because they are not posture changes; they are integrity-side primitives the customer cannot toggle.
Honest GA disclosure. The L2 mechanism is wired at GA — the bucket transitions fire, the toggle UI is live, the audit log records every elevation. The composition-layer auto-elevation ships in Phase 4 (depends on the card composition primitive); manual operator override on the org flag covers the interim. Un-defer trigger: Phase 4 production cutover (2026-05-29).
L3 — Managed Rules push
L3 is the cross-tenant rule plane. A candidate enters the review queue with awriter_identity stamped by its auth context (arena-bypass, customer-fn-report, researcher-submission, internal-observation, or manual-admin). After review, the candidate is signed with RECIPE_PROMOTION_SIGNING_KEY and propagated to every gateway via two parallel signed envelopes:
- KV envelope — signed with
RECIPE_KV_SIGNING_KEY; the gateway’s primary read tier. - R2 envelope — signed with
RECIPE_R2_SIGNING_KEY(an independent signing chain from KV); the gateway’s secondary read tier for failover.
/trust/slos for the published commitments and Managed rule envelope schema for the wire format.
The protective invariant
A tier-1 or tier-2 Managed Rule — one that would block real production traffic — can never auto-promote without a human in the loop, regardless of how aggressive the platform’s reviewer-mode setting is. The invariant is enforced structurally by a schema CHECK constraint (promotion_quorum_met = TRUE required when status = 'active'), not procedurally. See Managed Rules for the three reviewer modes and the tier breakdown.
24-hour observe soak
Newly-promoted rules enterobserve mode for 24 hours before any mode escalation. The aggregator computes the per-recipe false-positive rate during the soak; rules above the FP threshold auto-rollback under CLPI Phase 2 trust recovery. Only rules that survive the soak escalate to their target mode.
L4 — Threat thermometer
L4 is the customer-facing read of L1. The/dashboard/threats page displays per-axis state pulled live from the aggregator — calm, elevated, high, or under_attack per axis-bucket — plus a 30-day trend line per axis.
At GA, if all axes are calm, the thermometer shows calm. There is no fabricated activity to make the page look busy; the page reflects actual operational state per the calm-at-GA contract.
L5 — IoC feed + advisories
L5 is the public transparency surface. Two endpoints:/v1/trust/iocs— STIX 2.1 bundle of Indicators of Compromise AEGIS has published to the network. See IoCs and the wire-format spec at IoC STIX mapping./trust/advisories— published per-incident summaries. See Advisories.
{ "type": "bundle", "objects": [] } — empty by design. The advisories page lists the synthetic seed post-mortem with synthetic: true. When AEGIS publishes a real advisory it will carry synthetic: false; the field is reliable.
How a signal becomes a Managed Rule
The end-to-end flow from raw signal to gateway-active enforcement:See also
- AEGIS — the overall protection-layer framing
- Managed Rules — the signed rule plane (L3)
- Substrate fingerprint — the supply-chain axis stamped at L0
- IoCs — the STIX 2.1 transparency feed (L5)
- Advisories — published post-incident summaries (L5)
- Safe House — the per-customer perimeter the Protection Network operates above
- Card Composition — the scope cascade Managed Rules compose into
- Threat state response schema — wire format for L1 read
- Managed rule envelope schema — wire format for L3 push