Aegis
High-assurance TLS/mTLS for everything you run. Prefer post-quantum hybrid, fall back safely, roll back instantly — and enforce one crypto policy across your front door, your service mesh, and partner egress, without ever moving plaintext or private keys.
TLS 1.3 / QUIC · mTLS · PQ-Hybrid · Canary + Rollback · Gateway + Mesh · Telemetry & Evidence
Why Aegis
- Crypto-agility by policy. Prefer hybrid or PQ-only where peers support it; fall back safely for legacy clients. Promote by percentage, service, or partner — and enforce on success.
- No plaintext, no key movement. Aegis enforces transit security at the edge of each workload; your secrets and cleartext stay in your environment.
- Operate with confidence. Canary rollouts, dead-man rollback, drift detection, and exportable evidence bundles (handshake outcomes, latency percentiles, failure codes).
Deployment modes
Aegis meets your traffic where it is — north-south at the gateway, and east-west in your service mesh — using the same policy model for both.
Gateway Mode (north-south)
Standard Kubernetes Gateway API, Aegis data plane. Bring your own
Gateway and HTTPRoute; the Aegis controller claims its GatewayClass
and programs aegis-gateway pods to terminate TLS, enforce mTLS, strip
downgrades, and apply your crypto policy at the front door. Canary and
rollback are built in, and the telemetry/evidence you use everywhere else
applies here too.
Service Mesh (east-west)
Write one crypto/authz policy and enforce it in your mesh — Aegis translates it into your mesh's own native resources and watches for drift, re-converging automatically. Aegis supports four meshes:
| Mesh | Install | Notes |
|---|---|---|
| Istio | istioctl (ambient/sidecar) |
Most battle-tested path; mTLS floor, identity allow-lists, path rules |
| Linkerd | linkerd install |
mTLS + identity allow-lists |
| Consul | helm install consul |
mTLS + service intentions |
| Envoy Gateway | helm install envoy-gateway |
Mesh routing + rate limiting (GAMMA) |
Per-adapter coverage
Each adapter is enabled per cluster and honors what its mesh can natively enforce — and tells you up front what it can't (for example, Linkerd has no native rate limiting; Envoy Gateway's mesh mode doesn't do path-based authz). Istio is the most complete and is the default on-path; the Linkerd, Consul, and Envoy adapters are opt-in. See the adapter status matrix for the exact capability coverage per mesh.
How it fits
┌─────────────┐ one policy, many enforcers
│ Policy │ ─────────────────────────────────┐
└─────────────┘ │
north-south │ east-west │
┌──────▼───────┐ ┌───────────────────────▼────────┐
│ Gateway Mode │ │ Service Mesh (Istio / Linkerd │
│ (Gateway API)│ │ / Consul / Envoy Gateway) │
└──────────────┘ └────────────────────────────────┘
Get started
Honest by design
Aegis provides controls and audit-readiness evidence that help you meet SOC 2 / PCI / HIPAA / GDPR objectives. It is not itself a certification and does not imply any audit has been passed — see Compliance.