Skip to main content
Normative reference for GET /v1/network/threat-state — the customer-readable read of the AEGIS Protection Network L1 cross-tenant aggregator. The endpoint returns a snapshot of per-axis bucket states for the customer’s tenant view. The underlying aggregator table is internal; this spec documents what is on the wire, not the table column list. The cross-tenant aggregator composes into the cards composition primitive via the four axis dimensions.

1. Top-level response shape

2. Bucket state object

3. Per-axis bucket identifier semantics

The four axes scope cross-tenant aggregation along orthogonal dimensions: Bucket identifiers are opaque to the customer; the customer reads the threat level, not the bucket’s underlying composition. Internal aggregation thresholds and per-bucket state-transition logic are platform-level config — they are not surfaced on the wire.

4. Threat-level enum

The threat-level enum has four values, ordered by severity: The state transitions are bidirectional with hysteresis; a bucket that elevates to high does not immediately demote to calm even when the underlying signal subsides — the aggregator requires sustained low signal across the exit hysteresis window before demotion.

5. Query parameters

Auth: customer API key via X-Mnemom-Api-Key: $MNEMOM_KEY.

6. Example — calm-at-GA response

At GA, with the network calm across all axes, the response per the calm-at-GA contract:

7. Example — one bucket elevated (synthetic for documentation)

This example is documentation-only — at GA there is no real elevated bucket. The shape is what the customer sees if the substrate axis registers cross-tenant elevation:

See also