aegisgatesecurity/aegisgate-platform

GitHub: aegisgatesecurity/aegisgate-platform

Stars: 4 | Forks: 0

# 🛡️ AegisGate Security Platform™ — Secure Every AI Interaction

![Version](https://img.shields.io/badge/Version-v3.1.0-blue?label=Version&logo=semver) [![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE) [![Go Version](https://img.shields.io/badge/Go-1.26.3-00ADD8?logo=go)](https://golang.org/) [![Security](https://img.shields.io/badge/Security-0_CVEs-brightgreen?logo=shield)](SECURITY.md) ![Test Coverage](https://img.shields.io/badge/Coverage-97.8%25-green?logo=codecov) ![Tests](https://img.shields.io/badge/Tests-5_484_passing-brightgreen?logo=checkmarx) [![Docker](https://img.shields.io/badge/Docker-19.1MB-2496ED?logo=docker)](Dockerfile)

[🌐 Website](https://aegisgatesecurity.io) • [📊 Pricing](https://aegisgatesecurity.io/pricing/) • [📚 Docs](docs/) • [🔒 Security](SECURITY.md) • [💬 Discussions](https://github.com/aegisgatesecurity/aegisgate-platform/discussions)
## The Problem

Your AI infrastructure spans multiple attack surfaces — and most teams are only protecting one. Traditional security solutions (WAFs, API gateways) weren't designed for AI-specific threats like prompt injection, agent impersonation, or tool poisoning.

### Attack Surface Comparison

| Attack Surface | Risk | Traditional | AegisGate |
|---|---|---|---|
| **HTTP APIs** | Prompt injection, data leakage, PII exposure | ⚠️ WAFs exist (AI-agnostic) | ✅ AI-aware scanning, PII detection |
| **MCP Protocol** | Tool poisoning, session hijacking, supply-chain attacks | ❌ No native protection | ✅ Built-in protocol guard |
| **A2A Communication** | Agent impersonation, data tampering, capability escalation | ❌ No native protection | ✅ Agent-to-agent verification |
| **Agent Response** | PII leakage, secret exposure, hallucination, toxicity | ❌ No native protection | ✅ Real-time response guard |
| **ACP Protocol** | Message tampering, capability escalation, replay attacks | ❌ No native protection | ✅ HMAC-signed messages |
| **ANP Protocol** | Protocol downgrade, routing manipulation, message injection | ❌ No native protection | ✅ Message validation, routing integrity |

AegisGate fills these gaps with a single unified platform.
**AegisGate secures all six in a single 19 MB binary you deploy in 60 seconds.**

## Five Pillars of AI Security

### 🌐 HTTP API Security

Bidirectional scanning of every request and response with **144+ detection patterns**:

| Category | Patterns | Coverage |
|----------|----------|----------|
| **MITRE ATLAS** | 52 techniques | Adversarial AI tactics |
| **OWASP LLM Top 10** | 49 patterns | LLM01–LLM10 |
| **Secrets Scanning** | 44+ regex patterns | API keys, tokens, credentials |
| **PII Detection** | 12+ patterns | GDPR/CCPA compliance |

**Features:**

- Bidirectional inspection — scans both requests and responses
- Rate limiting — per-client, per-IP with token-bucket algorithm
- Circuit breaker — automatic failure recovery
- Tamper-evident audit — RFC 5424-compliant structured logging
- SIEM integration — CEF (ArcSight), LEEF (QRadar), STIX 2.1

### 🔗 MCP Protocol Protection

Session authentication, tool authorization, and **8 guardrails** for every MCP connection:

| # | Guardrail | Description |
|---|-----------|-------------|
| 1 | **Session Authentication** | Auth required for all MCP sessions |
| 2 | **Concurrent Session Limits** | Max simultaneous sessions per tier |
| 3 | **Tools per Session** | Max tools available per session |
| 4 | **STDIO Validation** | Command injection prevention |
| 5 | **Execution Timeout** | Max execution time per tool call |
| 6 | **Memory Monitoring** | Alerts at configurable threshold |
| 7 | **Per-Client RPM** | Max requests/minute per client |
| 8 | **Tool Authorization** | Risk-based tool call approval matrix |

### 🤝 A2A Agent-to-Agent Security

Zero-trust guardrails for inter-agent communication — the first purpose-built A2A security layer:

| # | Guardrail | Description |
|---|-----------|-------------|
| 1 | **mTLS Authentication** | X.509 certificate verification with agent identity |
| 2 | **HMAC-SHA256 Integrity** | Full request body validation |
| 3 | **Capability Enforcement** | Least-privilege per agent from YAML config |
| 4 | **Token-Bucket Rate Limiting** | Per-agent request quotas (default 100 req/min) |
| 5 | **Request Size Limits** | Rejects bodies > configurable limit |
| 6 | **Timeout Enforcement** | Configurable request timeouts |
| 7 | **License Validation** | ECDSA P-256 cryptographic enforcement |
| 8 | **Audit Logging** | RFC 5424 structured log per request |

### 🛡️ Agent Response Security (v3.1)

Protection for LLM outputs — the fourth pillar of AI security:

| # | Guardrail | Description |
|---|-----------|-------------|
| 1 | **PII Scanner** | Detects SSN, credit cards, emails, phones, health info |
| 2 | **Secret Detector** | Detects API keys (Stripe, GitHub, AWS, OpenAI, Slack) |
| 3 | **Hallucination Detector** | Identifies false statements, overconfidence, unverified claims |
| 4 | **Toxicity Filter** | Detects hate speech, violence, harassment |
| 5 | **Token Limiter** | Rate limiting for response token counts |
| 6 | **Response Redactor** | Intelligent redaction with multiple strategies |
| 7 | **Compliance Reports** | Auto-generates GDPR, HIPAA, PCI-DSS, SOC2 reports |
| 8 | **Response Guard Middleware** | Unified scanning for HTTP, MCP, A2A |

**Features:**

- Bidirectional inspection — scans both requests AND responses
- 12 PII categories with validation (SSN format, Luhn algorithm for CC)
- 10 secret patterns with provider detection
- Real-time hallucination detection with risk scoring
- Fail-closed security — blocked responses return sanitized versions
- Sub-5ms scanning latency (typical response scan < 1ms)

### 🔐 ACP Protocol Security (v3.1)

**Agent Communication Protocol** — The newest pillar for agent-to-agent security.
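The Agent Response Security guardrails above validate PII candidates before reporting them (SSN format rules, the Luhn checksum for card numbers) and hand back a sanitized response when a finding blocks the original. The Go program below is an added example written for this README, not code from the aegisgate-platform repository: the `Scan`, `Redact`, `luhnValid` and `ssnValid` names, the regexes and the redaction format are this example's own choices, and the sample response text is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one validated PII hit in an agent response.
type Finding struct {
	Category string // "credit_card", "ssn" or "email"
	Match    string // the exact text that matched
}

// Candidate patterns. A regex alone over-matches (any 16 digits look like
// a card number), so each candidate is validated before it is reported.
var (
	cardRe  = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`) // 13-19 digits, optional separators
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	stripRe = strings.NewReplacer(" ", "", "-", "")
)

// luhnValid reports whether a digit string passes the Luhn checksum,
// which every issued card number does and most random digit runs do not.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnValid applies the SSA format rules: area 000, 666 and 900-999 are
// never issued, and the group and serial parts may not be all zeros.
func ssnValid(s string) bool {
	area, group, serial := s[0:3], s[4:6], s[7:11]
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// Scan returns every validated PII finding in text.
func Scan(text string) []Finding {
	var out []Finding
	for _, m := range cardRe.FindAllString(text, -1) {
		if luhnValid(stripRe.Replace(m)) {
			out = append(out, Finding{"credit_card", m})
		}
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		if ssnValid(m) {
			out = append(out, Finding{"ssn", m})
		}
	}
	for _, m := range emailRe.FindAllString(text, -1) {
		out = append(out, Finding{"email", m})
	}
	return out
}

// Redact is the fail-closed path: numbers keep only their last four digits
// and emails are masked entirely, so the caller can return the sanitized
// text instead of the raw response whenever findings is non-empty.
func Redact(text string) (string, []Finding) {
	findings := Scan(text)
	out := text
	for _, f := range findings {
		repl := "[EMAIL REDACTED]"
		if f.Category != "email" {
			repl = fmt.Sprintf("[%s ****%s]", strings.ToUpper(f.Category), f.Match[len(f.Match)-4:])
		}
		out = strings.ReplaceAll(out, f.Match, repl)
	}
	return out, findings
}

func main() {
	// Constructed sample response: the first card number is a well-known
	// test number, the second 16-digit run fails Luhn and must not be flagged.
	resp := "Your card 4111 1111 1111 1111 was charged; order 1234 5678 9012 3456 " +
		"ships to the SSN holder 123-45-6789 (not 000-12-3456), contact bob@example.com"
	sanitized, findings := Redact(resp)
	for _, f := range findings {
		fmt.Printf("%-12s %s\n", f.Category, f.Match)
	}
	fmt.Println(sanitized)
}
```

Validating before reporting is what keeps a response guard usable: order numbers, tracking IDs and timestamps are full of digit runs, and a scanner that flags all of them trains operators to ignore its output.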
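Both the A2A guardrails above (HMAC-SHA256 integrity over the full request body, request size limits) and the ACP guard's HMAC verification rest on the same mechanism: the receiver recomputes a keyed hash over everything it was sent and compares it in constant time. The Go middleware below is an added example, not the platform's `pkg/acp` or A2A code: the two header names, the timestamp-in-the-MAC construction used as a replay window, the 64 KiB size limit and the `Sign`/`Verify`/`HMACMiddleware`/`Post` names are assumptions made here, and the shared secret and message bodies are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Wire format is an assumption for this example, not the project's: the
// sender puts a Unix timestamp and a hex HMAC-SHA256 in two headers.
const (
	sigHeader = "X-Agent-Signature"
	tsHeader  = "X-Agent-Timestamp"
	maxBody   = 64 << 10        // request size limit: larger bodies are rejected unread
	maxSkew   = 5 * time.Minute // replay window: older or future-dated requests are rejected
)

// mac computes HMAC-SHA256 over timestamp || 0x00 || body. Binding the
// timestamp into the MAC means a captured body cannot be replayed later
// with a fresh timestamp.
func mac(key []byte, ts string, body []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(ts))
	h.Write([]byte{0})
	h.Write(body)
	return h.Sum(nil)
}

// Sign is what a sending agent does; it returns the hex signature.
func Sign(key []byte, ts string, body []byte) string {
	return hex.EncodeToString(mac(key, ts, body))
}

// Verify checks the timestamp window, then recomputes the MAC over the
// full body and compares it in constant time with hmac.Equal.
func Verify(key []byte, ts string, body []byte, sigHex string, now time.Time) bool {
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return false
	}
	if skew := now.Sub(time.Unix(unix, 0)); skew > maxSkew || skew < -maxSkew {
		return false
	}
	want, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	return hmac.Equal(mac(key, ts, body), want)
}

// HMACMiddleware is fail-closed: only requests whose full body carries a
// valid, fresh signature reach next; everything else gets 401 or 413.
func HMACMiddleware(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(body) > maxBody {
			http.Error(w, "request too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !Verify(key, r.Header.Get(tsHeader), body, r.Header.Get(sigHeader), time.Now()) {
			http.Error(w, "invalid or stale signature", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the verified body on unchanged
		next.ServeHTTP(w, r)
	})
}

// Post sends a signed request through h in-process and returns the status code.
func Post(h http.Handler, body []byte, ts, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/a2a", bytes.NewReader(body))
	req.Header.Set(tsHeader, ts)
	req.Header.Set(sigHeader, sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("constructed-shared-secret") // per-agent secret, provisioned out of band
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	h := HMACMiddleware(key, upstream)

	body := []byte(`{"agent_id":"agent-a","action":"query"}`) // constructed A2A message
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	sig := Sign(key, ts, body)
	old := strconv.FormatInt(time.Now().Add(-time.Hour).Unix(), 10)

	fmt.Println("valid:   ", Post(h, body, ts, sig))                                                  // 200
	fmt.Println("tampered:", Post(h, []byte(`{"agent_id":"agent-a","action":"delete"}`), ts, sig)) // 401
	fmt.Println("replayed:", Post(h, body, old, Sign(key, old, body)))                              // 401
	fmt.Println("oversize:", Post(h, bytes.Repeat([]byte("A"), maxBody+1), ts, sig))               // 413
}
```

The size check runs before any cryptography so an unauthenticated peer cannot make the verifier buffer arbitrary data, and the timestamp window bounds replay to a few minutes; a per-sender nonce cache is the usual addition when even that window is unacceptable.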
The ACP guard provides comprehensive protection for agent communication:

| Feature | Description |
|---------|-------------|
| **HMAC Verification** | Full message body signature validation |
| **Rate Limiting** | Per-session token-bucket algorithm |
| **Response Scanning** | PII, secrets, toxicity, hallucination detection |
| **Capability Enforcement** | Fine-grained permission control |
| **Input Validation** | Method blocking, schema validation |

```go
package main

import (
	"net/http"

	"github.com/aegisgatesecurity/aegisgate-platform/pkg/acp"
)

// handler is your existing ACP http.Handler; the middleware wraps it.
var handler http.Handler

// ACP middleware integrates seamlessly
func main() {
	scanner := acp.NewACPResponseScanner()
	mw := acp.NewMiddleware(scanner)
	http.Handle("/acp/", mw.WrapHandler(handler))
}
```

- **Coverage:** 90.1% | **Tests:** 164 | **Metrics:** 10 Prometheus counters

## 🔐 Enterprise Authentication

Production-grade SSO and access control — not stubs:

| Feature | Tier | Details |
|---------|------|---------|
| **OIDC / OAuth 2.0** | Community+ | Full OpenID Connect with PKCE, auto-discovery |
| **SAML 2.0** | Community+ | SP-initiated login, pre-configured templates |
| **RBAC** | Community+ | Role-based access control with session-scoped permissions |
| **Tool Authorization Matrix** | Community+ | Risk-weighted tool call approval by role |
| **License Enforcement** | Community+ | ECDSA P-256 cryptographic validation |
| **API Key Fallback** | Community+ | Key-based auth for CI/CD pipelines |

## 📊 Compliance Frameworks

Maps security controls to **9 frameworks** across all tiers:

| Framework | Category | Patterns | Tier |
|-----------|----------|----------|------|
| **MITRE ATLAS** | Adversarial AI | 52 techniques | Community |
| **NIST AI RMF 1.500** | AI Risk Management | Full coverage | Community |
| **OWASP LLM Top 10** | LLM Security | 49 patterns | Community |
| **GDPR** | Data Protection | PII detection, retention | Community |
| **HIPAA** | Healthcare | PHI detection, BAA available | Professional |
| **PCI-DSS** | Payment Security | Card data detection | Professional |
| **SOC2 Type II** | Enterprise Controls | CC6.6 monitoring | Professional |
| **ISO 27001** | Information Security | Full framework | Professional |
| **ISO 42001** | AI Management | AI-specific controls | Professional |

### Threat Model

Comprehensive threat analysis with STRIDE methodology, CVSS scoring, and MITRE ATLAS mappings:

| Element | Coverage |
|---------|----------|
| **STRIDE** | 41 threats across HTTP, MCP, A2A, Response |
| **Data Flow Diagrams** | 3 DFDs with trust boundaries |
| **Attack Trees** | 4 major attack vectors |
| **CVSS 3.1** | 25+ threats scored (7 Critical, 11 High, 7 Medium) |
| **MITRE ATLAS** | Full ATLAS-MCP, ATLAS-A2A, ATLAS-LLM coverage |

## 🏗️ Architecture

```mermaid
%%{init: {'theme': 'dark', 'themeVariables': { 'primaryColor': '#00ADD8', 'primaryBorderColor': '#00ADD8', 'lineColor': '#F97583', 'secondaryColor': '#238636', 'tertiaryColor': '#1f6feb'}}}%%
flowchart TB
    subgraph "Client Layer"
        A[💻 HTTP Client]
        B[🤖 MCP Client]
        C[🤝 A2A Agent]
    end
    subgraph "AegisGate Platform v3.1.0"
        subgraph "Entry Points"
            D["🌐 HTTP Proxy\n:8080"]
            E["🔗 MCP Server\n:8081"]
            F["🤝 A2A Endpoint\n:8082"]
            G["📊 Dashboard\n:8443"]
        end
        subgraph "Security Core"
            H[🔍 Scanner — 144+ patterns]
            I[🛡️ A2A Guardrails — 8 guardrails]
            J[⚡ Rate Limiter — token-bucket]
            K[📋 Audit Logger — RFC 5424 + hash chain]
        end
        subgraph "Auth & Access"
            L["🔐 SSO — OIDC/SAML"]
            M["🛡️ RBAC Engine"]
            N["🔑 Tool Authorization Matrix"]
            O["📜 License — ECDSA P-256"]
        end
        subgraph "Compliance"
            P[ATLAS • NIST • OWASP]
            Q[HIPAA • PCI • SOC2 • ISO]
        end
        subgraph "Persistence"
            R[(💾 Data Store)]
            S["📝 Audit Logs — tamper-evident"]
            T["🔑 Cert Store — mTLS"]
        end
    end
    subgraph "Upstream"
        U[🤖 AI Services]
        V[🛠️ MCP Tools]
        W[🤝 Peer Agents]
    end
    A --> D
    B --> E
    C --> F
    D --> H & J & K
    E --> M & N & K
    F --> I & J & K
    H --> P & Q
    I --> M
    L --> M
    O --> M
    M --> R
    K --> S
    T --> D & E & F
    P & Q --> U & V & W
```

## ⚡ Performance (v3.1.0 Benchmark)

| Metric | Target | Achieved | Status |
|--------|--------|----------|--------|
| **Peak Throughput** | 10,000+ RPS | **24,806 RPS** | ✅ 2.1x exceeded |
| **Average Latency** | < 10ms | **3.2 ms** | ✅ |
| **P95 Latency** | < 50ms | **43.78 ms** | ✅ |
| **P99 Latency** | < 100ms | ~70 ms | ✅ |
| **Error Rate** | < 0.1% | **0.00%** | ✅ |
| **Binary Size** | < 50MB | **19.1 MB** | ✅ |
| **Code Coverage** | 95%+ | **97.8%** | ✅ |
| **Tests Passing** | — | **5,484** | ✅ |
| **CVEs** | 0 | **0** | ✅ |

*Full methodology in [PERFORMANCE.md](PERFORMANCE.md). k6 load testing, 60+ second scenarios, real attack vectors.*

## 🚀 Quick Start

### Docker (30 seconds)

```bash
docker run -d \
  --name aegisgate \
  -p 8080:8080 \
  -p 8081:8081 \
  -p 8443:8443 \
  -p 8082:8082 \
  -v aegisgate-data:/data \
  ghcr.io/aegisgatesecurity/aegisgate-platform:latest
```

### Kubernetes (Helm)

```bash
helm repo add aegisgate https://charts.aegisgatesecurity.io
helm install aegisgate aegisgate/aegisgate-platform \
  --set aegisgate.config.tier=community
```

Includes HPA autoscaling, NetworkPolicy, ServiceMonitor, rolling updates.

### Verify

```bash
curl http://localhost:8443/health
# {"status":"healthy","version":"v3.1.0","tier":"community",...}
```

## 🔄 Integration Examples

### OpenAI Client

```python
import openai

openai.api_base = "http://localhost:8080/v1"  # AegisGate proxy

response = openai.ChatCompletion.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Hello!"}]
)
# AegisGate scans request/response, logs to audit trail
```

### MCP Client

```python
import asyncio

from mcp.client import Client


async def main():
    client = Client(
        name="secure-agent",
        version="1.0.0",
        transport="stdio"
    )
    await client.connect()
    # All tool calls pass through 8 guardrails


asyncio.run(main())
```

### A2A Agent (mTLS)

```python
import requests

# mTLS with AegisGate: present the agent's certificate and key, and trust
# the AegisGate CA when verifying the server. requests takes the client
# certificate as a (cert, key) path tuple and the CA bundle via verify=.
response = requests.post(
    "https://aegisgate:8082/a2a",
    json={"agent_id": "my-agent", "action": "query"},
    cert=("agent.crt", "agent.key"),
    verify="aegisgate-ca.crt",
)
# mTLS + HMAC + capability enforcement + audit
```

## 🛡️ Security Hardening
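The Built-in Security table below lists a hash-chain audit trail emitted as RFC 5424 syslog. The Go program that follows is an added example of how such a chain is built, rendered and verified; it is not the platform's audit logger. The `Chain`/`Record` types, the SHA-256 linking rule, the `audit@32473` structured-data element and the sample events are all constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// RFC 5424 allows at most six fractional-second digits in TIMESTAMP.
const tsLayout = "2006-01-02T15:04:05.000000Z07:00"

// genesis is the "previous hash" of the first record.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// Record is one audit entry. Hash covers PrevHash as well as the record's
// own fields, so every record commits to the whole history before it.
type Record struct {
	Time     time.Time
	Host     string
	App      string
	Msg      string
	PrevHash string
	Hash     string
}

// digest hashes the chain link and the record fields with NUL separators,
// so moving bytes from one field to another also changes the hash.
func digest(prev string, ts time.Time, host, app, msg string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%s\x00%s\x00%s", prev, ts.UTC().Format(tsLayout), host, app, msg)
	return hex.EncodeToString(h.Sum(nil))
}

// Chain is an append-only audit log linked by SHA-256.
type Chain struct {
	Records []Record
}

// Append adds a record linked to the current head and returns it.
func (c *Chain) Append(ts time.Time, host, app, msg string) Record {
	prev := genesis
	if n := len(c.Records); n > 0 {
		prev = c.Records[n-1].Hash
	}
	r := Record{Time: ts, Host: host, App: app, Msg: msg, PrevHash: prev, Hash: digest(prev, ts, host, app, msg)}
	c.Records = append(c.Records, r)
	return r
}

// Verify re-derives every link and returns the index of the first record
// whose stored hashes do not match, or -1 when the whole chain is intact.
func (c *Chain) Verify() int {
	prev := genesis
	for i, r := range c.Records {
		if r.PrevHash != prev || digest(prev, r.Time, r.Host, r.App, r.Msg) != r.Hash {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// Syslog renders the record as an RFC 5424 message. PRI 134 is facility
// local0 (16*8) plus severity informational (6); the chain hashes travel in
// a structured-data element under enterprise number 32473, the value
// RFC 5612 reserves for documentation.
func (r Record) Syslog() string {
	return fmt.Sprintf("<134>1 %s %s %s - AUDIT [audit@32473 prev=\"%s\" hash=\"%s\"] %s",
		r.Time.UTC().Format(tsLayout), r.Host, r.App, r.PrevHash, r.Hash, r.Msg)
}

func main() {
	// Constructed events, as an audit logger might record them.
	var c Chain
	base := time.Date(2026, 1, 15, 10, 0, 0, 0, time.UTC)
	c.Append(base, "aegisgate-1", "aegisgate", "a2a agent=alpha action=query decision=allow")
	c.Append(base.Add(time.Second), "aegisgate-1", "aegisgate", "a2a agent=beta action=delete decision=block")
	c.Append(base.Add(2*time.Second), "aegisgate-1", "aegisgate", "response scan findings=1 decision=redact")
	for _, r := range c.Records {
		fmt.Println(r.Syslog())
	}
	fmt.Println("intact, first bad index:", c.Verify())

	// An after-the-fact edit to a stored message breaks the chain at that record.
	c.Records[1].Msg = strings.Replace(c.Records[1].Msg, "block", "allow", 1)
	fmt.Println("tampered, first bad index:", c.Verify())
}
```

A chain like this exposes edits, deletions and reordering inside the log, but someone who can rewrite every later record can recompute the links too; the head hash therefore has to be anchored periodically somewhere the log writer cannot alter (a remote SIEM, a signed checkpoint) so that `Verify` has a trusted value to compare its final hash against.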
### Built-in Security

| Feature | Description |
|---------|-------------|
| **Self-signed CA** | Auto-generates certificates on first run |
| **mTLS** | Mutual TLS for A2A agent communication |
| **Fail-Closed** | Unknown requests are blocked by default |
| **Tamper-Evident Logs** | Hash chain audit trail (legally admissible) |
| **RFC 5424 Syslog** | Structured logging for SIEM integration |
| **Zero CVEs** | All dependencies scanned, 0 vulnerabilities |
| **Threat Model** | Full STRIDE analysis, CVSS scoring, MITRE ATLAS mapping |

### Threat Model (v3.1 — Full STRIDE Analysis)

| Category | Coverage | Top Threat |
|----------|----------|-----------|
| **HTTP API** | 10 STRIDE threats | License bypass (CVSS 9.8) |
| **MCP Protocol** | 10 STRIDE threats | Session spoofing (CVSS 9.5) |
| **A2A Agent** | 10 STRIDE threats | Impersonation (CVSS 9.1) |
| **AI Response** | 11 STRIDE threats | PII disclosure (CVSS 9.1) |
| **ANP Protocol** | 8 STRIDE threats | Protocol downgrade (CVSS 8.2) |
| **ACP Protocol** | 9 STRIDE threats | Message tampering (CVSS 9.3) |

### SIEM Integration

```yaml
# Enable SIEM output
logging:
  format: rfc5424   # or cef, leef, json
  siem:
    endpoint: splunk.company.com:8089
    protocol: raw tcp
    facility: local0
```

Supports: **Splunk** (CEF), **IBM QRadar** (LEEF), **ArcSight** (CEF), **Elastic** (JSON), **Microsoft Sentinel** (JSON)

## ✨ Features at a Glance

| Category | Feature |
|----------|---------|
| **HTTP Security** | Bidirectional scanning · 144+ patterns · Rate limiting · Circuit breaker |
| **MCP Security** | 8 guardrails · Session isolation · Tool authorization · STDIO validation |
| **A2A Security** | mTLS · HMAC-SHA256 · Capability enforcement · Per-agent rate limiting |
| **ACP Security** | HMAC verification · Per-session rate limiting · Message validation · Response scanning |
| **Authentication** | OIDC/OAuth 2.0 + PKCE · SAML 2.0 · RBAC · API keys |
| **Compliance** | ATLAS · NIST AI RMF · OWASP · HIPAA · PCI · SOC2 · ISO 27001/42001 · GDPR |
| **Observability** | Prometheus metrics · RFC 5424 audit · Hash chain logs · Grafana dashboard |
| **Deployment** | Docker (19.1MB) · Kubernetes + Helm · HPA · NetworkPolicy · Rolling updates |
| **SIEM** | RFC 5424 · CEF (ArcSight) · LEEF (QRadar) · STIX 2.1 |

## 🎯 Tier Comparison

## 📚 Documentation

| Document | Description |
|----------|-------------|
| [PERFORMANCE.md](PERFORMANCE.md) | Sprint 10 load testing results (24,806 RPS, 3.2ms) |
| [SECURITY.md](SECURITY.md) | Security policies and vulnerability disclosure |
| [CHANGELOG.md](CHANGELOG.md) | Release history |
| [docs/METRICS.md](docs/METRICS.md) | Prometheus metrics reference |
| [docs/A2A Technical Spec](docs/a2a-guardrails-technical-spec.md) | A2A security deep dive |

## 🔒 Security Disclosure

**Email**: security@aegisgatesecurity.io

| Item | Detail |
|------|--------|
| Response Time | 48 hours |
| Resolution Target | 90 days |
| PGP Key | Available on request |

## 🙏 Acknowledgments

- [MCP Protocol](https://modelcontextprotocol.io) — Model Context Protocol
- [A2A Protocol](https://a2a-protocol.org/latest/) — Agent-to-Agent communication standard
- [ACP Protocol](https://github.com/aegisgatesecurity/aegisgate-platform/tree/main/pkg/acp) — Agent Communication Protocol security layer
- [MITRE ATLAS](https://atlas.mitre.org) — AI threat framework
- [NIST AI RMF](https://www.nist.gov/itl/ai-risk-management-framework) — AI risk management
- [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/) — LLM security
- [RFC 5424](https://datatracker.ietf.org/doc/html/rfc5424) — Syslog protocol
**AegisGate Security, LLC** — [aegisgatesecurity.io](https://aegisgatesecurity.io)

Built with 🖤 by security professionals, for security professionals.

© 2024-2026 AegisGate Security, LLC