Skip to content

Aegis

High-assurance TLS/mTLS for everything you run. Prefer post-quantum hybrid, fall back safely, roll back instantly — and enforce one crypto policy across your front door, your service mesh, and partner egress, without ever moving plaintext or private keys.

TLS 1.3 / QUIC · mTLS · PQ-Hybrid · Canary + Rollback · Gateway + Mesh · Telemetry & Evidence

Why Aegis

  • Crypto-agility by policy. Prefer hybrid or PQ-only where peers support it; fall back safely for legacy clients. Promote by percentage, service, or partner — and enforce on success.
  • No plaintext, no key movement. Aegis enforces transit security at the edge of each workload; your secrets and cleartext stay in your environment.
  • Operate with confidence. Canary rollouts, dead-man rollback, drift detection, and exportable evidence bundles (handshake outcomes, latency percentiles, failure codes).

Deployment modes

Aegis meets your traffic where it is — north-south at the gateway, and east-west in your service mesh — using the same policy model for both.

Gateway Mode (north-south)

Standard Kubernetes Gateway API, Aegis data plane. Bring your own Gateway and HTTPRoute; the Aegis controller claims its GatewayClass and programs aegis-gateway pods to terminate TLS, enforce mTLS, strip downgrades, and apply your crypto policy at the front door. Canary and rollback are built in, and the telemetry/evidence you use everywhere else applies here too.

Gateway Mode guide

Service Mesh (east-west)

Write one crypto/authz policy and enforce it in your mesh — Aegis translates it into your mesh's own native resources and watches for drift, re-converging automatically. Aegis supports four meshes:

Mesh Install Notes
Istio istioctl (ambient/sidecar) Most battle-tested path; mTLS floor, identity allow-lists, path rules
Linkerd linkerd install mTLS + identity allow-lists
Consul helm install consul mTLS + service intentions
Envoy Gateway helm install envoy-gateway Mesh routing + rate limiting (GAMMA)

Per-adapter coverage

Each adapter is enabled per cluster and honors what its mesh can natively enforce — and tells you up front what it can't (for example, Linkerd has no native rate limiting; Envoy Gateway's mesh mode doesn't do path-based authz). Istio is the most complete and is the default on-path; the Linkerd, Consul, and Envoy adapters are opt-in. See the adapter status matrix for the exact capability coverage per mesh.

Service Mesh guide

How it fits

        ┌─────────────┐        one policy, many enforcers
        │   Policy    │  ─────────────────────────────────┐
        └─────────────┘                                    │
   north-south │                          east-west        │
        ┌──────▼───────┐            ┌───────────────────────▼────────┐
        │ Gateway Mode │            │  Service Mesh (Istio / Linkerd  │
        │ (Gateway API)│            │   / Consul / Envoy Gateway)     │
        └──────────────┘            └────────────────────────────────┘

Get started

Honest by design

Aegis provides controls and audit-readiness evidence that help you meet SOC 2 / PCI / HIPAA / GDPR objectives. It is not itself a certification and does not imply any audit has been passed — see Compliance.