The Vigil Platform · v2.1.0 shipped

One engine. Every surface.

One Rust engine. Nine deployment surfaces. Six distribution channels. Three open protocols. This is how a single codebase defends consumer, developer, and enterprise without forking. This is the architecture.

See the architecture What it does GitHub →

Rust crates

362

Tests passing

Cloud endpoints

<10ms

Policy path latency

The doctrine

One engine runs identically everywhere AI acts.

Every mode we ship, every deployment surface, every enterprise integration, every partner embed. Same Rust binary. Same detection pipeline. Same VOAF audit format. Same revocation primitives.

No forks. No lite versions. No separate consumer and enterprise codebases drifting apart. The engine you run on your laptop is the engine a Fortune 500 CISO gets behind their firewall. The difference is the admin layer above it, not the defense underneath.

This is what makes coverage the enterprise, consumer, developer, and partner at the same time structurally possible. It is also what makes every line of this platform page provable.

The architecture

Four layers. One contract.

Every piece of Vigil fits into one of four layers. The engine runs every deployment. Every deployment plugs into every channel. Every channel is bound by the same open protocols. No part of the stack can drift from the others.

Layer 0101

Defense Engine

Rust monorepo. 11 crates. Two-surface detection pipeline. Four-model ensemble. Deterministic enforcement, never LLM-based.

vigil-proxyvigil-detectvigil-policyvigil-vault

Layer 0202

Deployment Surfaces

Nine surfaces. Desktop and Browser live. Gateway, Registry, Mobile, SDK, Daemon, Sidecar, Weekly Brief shipping Q2 and Q3 2026.

Desktop · LiveBrowser · BetaGateway · Q2Mobile · Q2

Layer 0303

Distribution Channels

Consumer direct, Developer, Team, Enterprise Gateway, B2B2C partnerships, Sovereign. Six channels, one engine, one API contract.

ConsumerDeveloperEnterpriseB2B2C

Layer 0404

Protocol Moat

TAP, VARP, VOAF. Published. Filed with NIST. Adoption outside Vigil makes us the default implementation. SSL, FICO, DigiCert before us.

TAP · PublishedVARP · NISTVOAF · OpenPatents · 2 filed

Layer 01 · Defense Engine

The Rust monorepo. 11 crates. One binary.

This is the only piece of Vigil that is not optional. Every surface, every channel, every partner embed runs this exact code. Deterministic enforcement. Sub-10ms policy path. Zero LLMs in the decision loop.

vigil-proxy-api

Interception

TLS-terminating proxy. Captures every AI provider call at the network layer. No plugin, no SDK, no provider cooperation needed.

vigil-core

Orchestration

Request routing, lifecycle, config, telemetry. The spine every other crate plugs into.

vigil-decompose

Intent parsing

Request-side analysis. What is the user asking for. Agency category, scope class, sensitivity tier.

vigil-detect

Detection

Four-model ensemble. Isolation Forest, LSTM, Bayesian, Multi-Window CUSUM. Response-side security target.

vigil-policy

Enforcement

Deterministic policy engine. Block, hold, allow, log. Never LLM-based. Evaluated in under 10ms.

vigil-pipeline

Flow control

Assembles decompose, detect, policy into the two-surface pipeline. Drives the Execution Gate.

vigil-store

Persistence

Local encrypted store. Events, baselines, configs. SQLite plus append-only chain. You own the keys.

vigil-vault

Memory layer

Tamper-evident conversation and authorization history. Provider-independent. Feeds Vault Recall and Personal Model.

vigil-authority

Identity + revocation

TAP attestation, VARP revocation, dead-man switch, bilateral trust. The Kill Switch primitives live here.

vigil-verify

Audit verification

Validates VOAF packages. Third-party court and insurance use. Standalone binary. No provider lock-in.

vigil-score

Risk scoring

Composite score across agency, scope, baseline drift, cross-surface correlation. Drives Gate decisions.

vigil-cloud

Cloud endpoints

31 Axum endpoints on Fly.io. Pairing, sync, Gateway routing, threat intel feed. Cryptographically separated from user data.

Detection · four-model ensemble

No single model catches everything.

Four orthogonal detection models run inline on every AI action. Each one is blind to failure modes the others catch. Together they cover statistical anomaly, behavioral drift, prior-informed risk, and change-point events in a single pass.

Model 01

Isolation Forest

Statistical anomaly

Unsupervised. Isolates outliers in high-dimensional feature space. Catches actions that simply do not look like anything the user has done before.

Cold-start ready

Model 02

LSTM

Sequence drift

Recurrent network over action sequences. Catches slow scope creep that no single-request check can see. Warms up around 200 observations.

Baseline at 222 obs

Model 03

Bayesian

Prior-informed risk

Posterior updating on user baseline and population priors. Ships with strong priors for financial, health, legal agency categories.

Active at 222 obs

Model 04

Multi-Window CUSUM

Change-point detection

Parallel cumulative-sum windows. Flags abrupt transitions across short, medium, and long horizons. Catches attack onset in near real time.

Soak-test verified

The pipeline · patent-pending

Intent is not the target. Action is.

Most AI security reads the prompt and asks whether the user should say this. That is the wrong surface. A poisoned prompt plus a compliant action is harmless. A clean prompt plus a runaway action is catastrophic. Vigil scores both and enforces on the one that can hurt you.

Surface 01 · Request

Intent

What the user is trying to do. Used for classification and scope setting only. Never the enforcement target.

› Agency category
› Scope class
› Sensitivity tier
› Baseline lookup

→

Gate · Decision

Execution Gate

Deterministic policy engine. Composite score from all four detection models. Decides: allow, hold, block.

› Composite risk score
› Policy evaluation
› Pre-execution hold
› User approval path

→

Surface 02 · Response

Action

What the AI is actually about to do. This is the security target. Agency is always response-side action autonomy. Scope is action type, not topic.

› Outbound action analysis
› Agency score
› Post-response visibility
› VOAF sealing

Patent filedVIGIL-2026-002

Two-surface analysis pipeline. Provisional filed. Protects the architectural separation between intent parsing and action scoring, the composite-risk Gate decision, and the deterministic enforcement contract. Foundational IP that cannot be replicated by a provider who cannot sit on the outside of their own API.

Execution Gate · VIGIL-2026-001

The only place on the internet that can hold an AI action mid-flight.

Pre-submit hold on any action above the agency threshold. Mobile approval in seconds. VOAF evidence sealed either way. No provider ships this because no provider can hold their own outbound request.

The Gate is the reason Vigil works. The full breakdown lives on the Defense page.

See the Gate in action

PatentVIGIL-2026-001

Hold latency<10ms

Approval pathMobile push

EvidenceVOAF sealed

TierFortress up

Layer 02 · Deployment Surfaces

Nine surfaces. One engine underneath.

Wherever AI runs, Vigil meets it. On your laptop. In your browser. In your cloud VPS. In your mobile app. In a partner's embedded agent. The engine is the same. The surface changes.

Live

Desktop (macOS)

Menu-bar app. TLS proxy intercepts every AI provider call on the device. Chrome extension ships alongside for browser-based tools.

v2.1.0 · Signed · Notarized

Beta

Browser Extension

Chrome extension. DOM-level detection on ChatGPT, Claude.ai, and provider web consoles. Paired with Desktop for full coverage.

Programmatic injection · Manifest V3

Q2 2026

Cloud Gateway

Drop-in proxy URL for agents running on Replit, LangGraph, VPS, or any cloud runtime. Same engine, zero install on your server.

gateway.runvigil.ai/v1/{provider}

Q2 2026

Mobile Companion

iOS and Android. Execution Gate approvals. Weekly Brief. Kill Switch. The surface that receives every hold notification.

Native apps · Push approval

Q3 2026

Agent Registry

Public registry of agents with verifiable TAP attestations. On-device agent process monitoring for Claude Code, Cursor, and peers.

TAP integration · Process monitor

Q3 2026

Developer SDK

Rust, TypeScript, Python. Embed the engine directly into agent frameworks. Same crates as the desktop app, no fork.

cargo add vigil-core

Q3 2026

Daemon

Headless system service. Linux and Windows. Used in server, kiosk, and enterprise endpoint deployments where no UI is appropriate.

systemd · Windows Service

Q4 2026

Sidecar

Container sidecar for Kubernetes and enterprise agent platforms. Sits next to the agent pod, terminates outbound AI traffic.

Docker · Helm chart

Live

Weekly Brief

Longitudinal self-knowledge report. What your AI did, what patterns emerged, what drift the Vault surfaced. This is the retention surface.

Email · Dashboard · Vault

Layer 03 · Distribution Channels

Six channels. One API contract.

The same engine reaches a solo user buying Guardian on Stripe, a startup running 500 agents on Gateway, an enterprise buying a CISO-grade deployment behind SSO, and a bank bundling Vigil into its consumer app. One API contract across all of it.

Channel 01

Consumer Direct

Individual purchase via runvigil.ai. Guardian, Fortress, Citadel, Sovereign tiers. Stripe checkout. Live today.

$129 to $99/mo · 4 tiers

Channel 02

Developer

Gateway API key. 1M requests per month. Custom policy per project. For builders running cloud agents on LangGraph, Replit, VPS.

$49/mo · Self-serve

Channel 03

Team

10M requests. SSO. SIEM export. Shared policies. For engineering teams running production agents with compliance in scope.

$499/mo · Self-serve

Channel 04

Enterprise Gateway

SLA. SOC 2. Self-hosted option. WARDEN standard. SSO, SCIM, MDM, SIEM integrations. Admin console above the same engine.

$5k+/mo · Direct sale

Channel 05

B2B2C Partner

Banks, insurers, wealth platforms, healthcare apps bundle Vigil into their consumer product. Rev share or flat license. Brand-forward or white-label.

Custom · BD contract

Channel 06

Sovereign

Full WARDEN mode. Active threat hunting. Priority support. Typically family offices, principals, and high-exposure individuals.

$99/mo · Direct

Layer 04 · Protocol Moat

Three open standards. Two directions of leverage.

The protocols are open. Anyone can implement them. Adoption outside Vigil is the point. It makes the category real and makes us the default implementation. FICO, SSL, DigiCert. Publish the standard. Become the issuing authority.

Protocol 01

TAP

Trust Attestation Protocol

Verifiable, revocable identity for AI agents. Every agent gets a signed certificate binding code, config, and operator. Inspired by X.509. Designed for a world where the agent is the signer.

Published · Spec v0.9 · vigilsec.ai

Protocol 02

VARP

Vigil Agent Revocation Protocol

Instant, cryptographic revocation of agent trust and authority. One-second propagation across every provider that implements the protocol. Powers the Kill Switch Layer 3 primitive.

NIST-submitted · Reference impl in vigil-authority

Protocol 03

VOAF

Vigil Open Audit Format

Cryptographically sealed audit package. Court-admissible. Insurance-admissible. Third-party verifiable via vigil-verify with no dependency on Vigil infrastructure. Training-ready JSONL variant (VOAF-M) feeds Personal Model in 2027.

Open · github.com/vigilsec/voaf-spec

Shipping proof

Every claim has code underneath it.

This is not a deck. Every capability on this page is in production today, on device, under test, and running in v2.1.0.

362

Tests passing
Unit, integration, soak

<10ms

Policy path latency
P99, on device

Cloud endpoints
Fly.io Singapore, healthy

Crashes in soak
Multi-day, chain intact

One engine. Every surface. Your move.

Platform explains how. Defense explains what happens when AI acts. Download runs the engine on your device today.

See what Defense does Download for macOS Build with Gateway →