GET /v1/network/threat-state — the customer-readable read of the AEGIS Protection Network L1 cross-tenant aggregator. The endpoint returns a snapshot of per-axis bucket states for the customer’s tenant view.
The underlying aggregator table is internal; this spec documents what is on the wire, not the table column list. The cross-tenant aggregator composes into the cards composition primitive via the four axis dimensions.
1. Top-level response shape
2. Bucket state object
3. Per-axis bucket identifier semantics
The four axes scope cross-tenant aggregation along orthogonal dimensions:
Bucket identifiers are opaque to the customer; the customer reads the threat level, not the bucket’s underlying composition. Internal aggregation thresholds and per-bucket state-transition logic are platform-level config — they are not surfaced on the wire.
4. Threat-level enum
The threat-level enum has four values, ordered by severity:
The state transitions are bidirectional with hysteresis; a bucket that elevates to
high does not immediately demote to calm even when the underlying signal subsides — the aggregator requires sustained low signal across the exit hysteresis window before demotion.
5. Query parameters
Auth: customer API key via
X-Mnemom-Api-Key: $MNEMOM_KEY.
6. Example — calm-at-GA response
At GA, with the network calm across all axes, the response per the calm-at-GA contract:7. Example — one bucket elevated (synthetic for documentation)
This example is documentation-only — at GA there is no real elevated bucket. The shape is what the customer sees if the substrate axis registers cross-tenant elevation:See also
- Protection Network — the five-layer model; L1 + L4 + L2 context
- AEGIS — protection-layer framing
- Substrate fingerprint — what the
substrateaxis buckets aggregate - Managed Rules — the rule plane the under-attack overlay engages
- Managed rule envelope schema — wire format on the rule push side (L3)