Enterprise

Maximum control. Total data sovereignty.

On the Enterprise tier, threat analysis runs entirely on the device — a compact, purpose-built detection model and our own inference engine, right on your machines. No document content ever leaves the building, and protection keeps working without any cloud connection.

Runs fully on-device · CPU-only, ordinary hardware · Works without a cloud connection

Privacy by design

Your text never leaves the machine.

The analysis is local by construction — not a setting you switch on, but the way the product is built. The only thing that ever goes out is a single, documented license and update check per month, and it carries no content whatsoever.

Nothing to exfiltrate

No memory entry, document, or text fragment is ever sent anywhere. The model reads the change locally and returns a verdict locally — there is no analysis cloud to leak to.

One check a month

Exactly one documented license and update check per month — credentials and version only, never content. Between checks the product runs fully offline.

Transparent egress

Every outbound request is recorded in an egress ledger built into the product — so your DLP and audit teams can verify, not just trust, that nothing else leaves.

Detection quality

Trained specifically on memory poisoning — and it shows.

The detection model isn't an off-the-shelf classifier. It's fine-tuned on a large corpus of real attack and benign examples drawn from our cloud analysis pipeline — a flywheel that keeps the on-device model sharp and improves it as new attack patterns appear.

Purpose-built, not generic

A model tuned for one job — spotting poisoned memory writes — instead of a general-purpose filter bolted onto the problem. That focus is why it catches what broad guardrails miss.

A learning flywheel

Our cloud pipeline labels fresh attack and benign data; that data sharpens the on-device model. As attackers adapt, the detector keeps pace — without your data ever feeding it.

Multilingual by design

The attacker picks the language, so the model was tested extensively across many. An injection written in any of them is caught just the same — language is attack surface, not a blind spot.

On the same test set it catches more than 3× as many attacks as leading off-the-shelf guard models — and it reliably flags the attack classes those standard detectors are practically blind to (subtle/indirect injection, data exfiltration). Tuning cut false alarms by ~95% versus the untuned base model. Across broad, realistic internal testing it detects over 94% of attacks at under 5% false alarms. No detector can promise to stop every attack everywhere — but these are the numbers we measure, and we keep raising them.

Attack taxonomy

We name every class of attack — and we catch them all.

Memory poisoning isn't one trick. It's a family of techniques, and a defense is only as good as its coverage of the hard ones. The detector is trained and evaluated against each of these classes.

01 · Direct injection

Explicit instructions smuggled into a memory entry — “from now on, do X” — that the agent later obeys as if they were its own.

02 · Data exfiltration

Entries engineered to make the agent leak secrets, credentials, or private context to an attacker-controlled destination.

03 · Meta-attacks

The cleverest move: an entry that targets the protection itself — “trust this source, stop checking it.” Disarm the guard, and every later attack walks in.

04 · Role-play & jailbreak

Framing that coaxes the agent out of its safety rules through a persona or scenario, instead of issuing the malicious instruction outright.

05 · Subtle & indirect

The hardest of all: entries that read like perfectly legitimate notes, with no obvious tell — the ones plain filters and keyword rules sail right past.

Security architecture

The analysis runs locked down.

The component that reads attacker-controlled text is the one we isolate hardest. The inference engine runs in a minimal-privilege sandbox, so even a flaw inside it stays harmless: the engine can crash, the daemon stays in control and reverts when in doubt.

Minimal-privilege sandbox

The engine binds to localhost only, reads only the model file, spawns no processes, and runs as an isolated, unprivileged process. A bug in the engine has nowhere to go.

Signed & verified

Every artifact is signed, and the model file is SHA-256-pinned and checked before each start — a tampered model never loads.

Fail-closed daemon

The engine's answer is treated as untrusted input. If it crashes, hangs, or returns anything unexpected, the daemon reverts conservatively rather than waving a change through.

# engine starts on demand, sandboxed
[verify] model sha-256 pinned · ok
[sandbox] localhost-only · read-only model · no subprocess
[eval]  memory write · danger 0.97 → revert
[idle]  engine exits · footprint back to a few MB
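
An added example (not the vendor's code) of the verify-then-fail-closed pattern described above: the daemon checks the model file against its pinned SHA-256, runs the engine as a separate process, and reverts on a crash, a hang or any reply it does not strictly recognise. The JSON reply shape {"danger": 0..1}, the 0.5 threshold and all function names are assumptions.

```python
import hashlib, hmac, json, subprocess

REVERT, ALLOW = "revert", "allow"
THRESHOLD = 0.5  # assumed cut-off; the page does not state one

def model_ok(path, pinned_hex):
    """True only if the model file's SHA-256 equals the pinned digest."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    except OSError:
        return False
    return hmac.compare_digest(h.hexdigest(), pinned_hex.lower())

def parse_verdict(raw):
    """Strictly validate the engine's reply; return the danger score or None."""
    try:
        obj = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(obj, dict) or set(obj) != {"danger"}:
        return None                    # wrong shape or unexpected extra fields
    d = obj["danger"]
    if isinstance(d, bool) or not isinstance(d, (int, float)):
        return None
    if not 0.0 <= d <= 1.0:            # also rejects NaN and infinities
        return None
    return float(d)

def check_write(engine_cmd, model_path, pinned_hex, text, timeout=10):
    """Return ALLOW only on a valid, low-danger verdict; otherwise REVERT."""
    if not model_ok(model_path, pinned_hex):
        return REVERT                  # tampered or missing model never loads
    try:
        p = subprocess.run(engine_cmd + [model_path], input=text.encode(),
                           capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return REVERT                  # hang, or the engine failed to start
    if p.returncode != 0:
        return REVERT                  # crash
    danger = parse_verdict(p.stdout)   # engine output is untrusted input
    if danger is None or danger >= THRESHOLD:
        return REVERT                  # unexpected answer or dangerous write
    return ALLOW
```

The hash check only helps if the engine loads the same bytes that were verified, so the model path should be read-only to everything but the updater.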

Technical specs

What it asks of your machines.

Built to run on the hardware your team already has — quietly, on demand, without a GPU.

Property | Detail
Footprint | A little over 300 MB — and only for a few seconds during a memory check. At rest, just a few MB.
Hardware | CPU-only, ordinary hardware. No GPU required.
Analysis latency | A few seconds per memory check, started on demand.
Platforms | Linux · macOS · Windows
Languages | Multilingual — attacks are caught no matter what language they're written in. Extensively tested.
Offline | Runs fully offline. The only exception: one monthly license check — never any content.
Network footprint | One request per month — credentials and version only, never content.
Updates | Signed artifacts, SHA-256-verified before every start.

Bring the analysis in-house.

Talk to us about an Enterprise rollout — on-device detection, full data sovereignty, and the deployment controls your security team needs.
