
AEGIS AI Defense

AEGIS — Adaptive Endpoint Guardian with Intelligent Security

AEGIS is HookProbe’s multi-agent AI orchestrator that coordinates autonomous security operations across all product tiers.

Architecture

AEGIS uses a Blackboard + Event Bus hybrid coordination model:

  • PostgreSQL (Blackboard): Shared state, agent decisions, RAG context
  • ClickHouse (Event Bus): Real-time streaming events from XDP/HYDRA pipeline
                ┌─────────────────────────┐
                │ PostgreSQL (Blackboard) │
                │  aegis_cognition table  │
                └────────────┬────────────┘
     ┌───────────┬───────────┼───────────┬───────────┐
┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐
│ Network │ │Endpoint │ │ Threat  │ │Incident │ │ Content │
│Sentinel │ │Guardian │ │  Intel  │ │Response │ │ Scribe  │
└────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘
     └───────────┴───────────┼───────────┴───────────┘
                ┌────────────▼────────────┐
                │ ClickHouse (Event Bus)  │
                └─────────────────────────┘

Agent Roles

Network Sentinel

Real-time traffic analysis via XDP/eBPF. Generates dynamic XDP filter rules from detected threats.

Endpoint Guardian

File integrity monitoring, process monitoring, authentication anomaly detection. Computes QSecBit component scores.

Threat Intel Analyst

CVE correlation, threat feed enrichment, campaign attribution. Uses RAG search over pgvector knowledge base.

Incident Responder

Automated playbook execution — XDP blocks, firewall rules, Discord alerts. Triggers when risk score > 0.8.

Content Scribe

Transforms security events into blog posts, video scripts, and social media content. Feeds the SEO Brain pipeline.

Orchestrator

Task routing, priority assignment, resource allocation. Decides local vs cloud inference per event.
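The following is an added illustration of how the Blackboard + Event Bus model ties the agent roles together, written for this page rather than taken from HookProbe's code. An in-memory sqlite3 table stands in for the PostgreSQL aegis_cognition blackboard, a deque stands in for the ClickHouse event stream, and the table columns, the Network Sentinel's scoring heuristic, the sample events and the playbook actions are all assumptions made for the demo. The one figure taken from the page is the Incident Responder's trigger condition, risk score > 0.8, and the third sample event is deliberately scored at exactly 0.8 to show that the comparison is strict.

```python
"""Blackboard + Event Bus coordination demo (added example, not HookProbe's code)."""
import json
import sqlite3
from collections import deque

# Constructed sample events, shaped like what an XDP/HYDRA pipeline might stream.
SAMPLE_EVENTS = [
    {"id": 1, "src": "203.0.113.7", "dst_port": 22, "failed_logins": 40},
    {"id": 2, "src": "198.51.100.3", "dst_port": 443, "failed_logins": 0},
    {"id": 3, "src": "203.0.113.9", "dst_port": 3389, "failed_logins": 12},
]

RISK_THRESHOLD = 0.8  # Incident Responder fires only when risk score > 0.8 (from the page)


class Blackboard:
    """Shared state: every agent writes its decisions here and reads the others'."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # Assumed schema; the real aegis_cognition layout is not described on the page.
        self.db.execute(
            "CREATE TABLE aegis_cognition "
            "(event_id INTEGER, agent TEXT, risk REAL, decision TEXT)"
        )

    def post(self, event_id, agent, risk, decision):
        self.db.execute(
            "INSERT INTO aegis_cognition VALUES (?, ?, ?, ?)",
            (event_id, agent, risk, json.dumps(decision)),
        )

    def decisions_by(self, agent):
        rows = self.db.execute(
            "SELECT event_id, risk, decision FROM aegis_cognition WHERE agent = ?",
            (agent,),
        ).fetchall()
        return [(eid, risk, json.loads(dec)) for eid, risk, dec in rows]


def network_sentinel(event, board):
    """Scores one streamed event and posts the decision to the blackboard.
    The heuristic is a placeholder, not HookProbe's detection logic."""
    risk = min(1.0, event["failed_logins"] / 20)
    if event["dst_port"] in (22, 3389):  # remote-admin ports weigh a little more
        risk = min(1.0, risk + 0.2)
    decision = {"src": event["src"], "suggest_block": risk > 0.5}
    board.post(event["id"], "network_sentinel", round(risk, 2), decision)


def incident_responder(board):
    """Reads sentinel decisions and runs the playbook for anything above threshold."""
    actions = []
    for event_id, risk, decision in board.decisions_by("network_sentinel"):
        if risk > RISK_THRESHOLD:
            # Playbook step names are illustrative (XDP block + Discord alert).
            action = {"xdp_block": decision["src"], "alert": "discord"}
            board.post(event_id, "incident_responder", risk, action)
            actions.append((event_id, action))
    return actions


def run_pipeline(events):
    """Drains the event bus through the sentinel, then lets the responder act."""
    bus = deque(events)
    board = Blackboard()
    while bus:
        network_sentinel(bus.popleft(), board)
    return incident_responder(board)


if __name__ == "__main__":
    for event_id, action in run_pipeline(SAMPLE_EVENTS):
        print(f"event {event_id}: {action}")
```

Only event 1 reaches the responder: event 2 scores 0.0 and event 3 scores exactly 0.8, which does not satisfy the strict "> 0.8" condition. Because the responder reads decisions from the blackboard rather than from the raw stream, any other agent (Threat Intel, Content Scribe) can consume the same decisions without re-processing events.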

Inference

AEGIS uses a 3-tier progressive inference backend:

  1. Local LLM (llama.cpp) — fast classification, ~100ms
  2. Cloud LLM (OpenRouter/Gemini) — complex reasoning, ~1s
  3. Template Fallback — instant, no API key needed

Tier-Specific Variants

| Tier     | AEGIS Variant | Capabilities                           |
|----------|---------------|----------------------------------------|
| Sentinel | AEGIS-Pico    | Rule-based only, no ML/LLM             |
| Guardian | AEGIS-Lite    | L2-L7 detection, no deep training      |
| Fortress | AEGIS         | Full agents, cloud LLM                 |
| Nexus    | AEGIS-Deep    | Local GPU training, federated learning |

Configuration

# Environment variables
AEGIS_ENABLED=true
AEGIS_BACKEND=auto # auto | local | cloud | fast
AEGIS_OLLAMA_URL=http://localhost:11434
AEGIS_OLLAMA_MODEL=llama3.2:3b
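The following is an added example of the 3-tier progressive inference chain from the Inference section, driven by the AEGIS_ENABLED and AEGIS_BACKEND variables above; it also stands in for the Orchestrator's per-event local-vs-cloud decision. It is not HookProbe's code: the local and cloud "clients" are caller-supplied callables (constructed stubs are included), the template rules and labels are made up for the demo, and the per-tier latency budgets are taken from the ~100 ms / ~1 s figures on the page. The page lists the values auto, local, cloud and fast for AEGIS_BACKEND but does not define them, so the meaning given to each here is an assumption.

```python
"""Progressive inference chain with env-driven backend selection (added example)."""
import os
import time
from concurrent.futures import ThreadPoolExecutor

LABELS = ("benign", "suspicious", "malicious")
# Latency budget per tier, from the ~100 ms (local) and ~1 s (cloud) figures on the page.
TIER_BUDGET_S = {"local": 0.1, "cloud": 1.0}
# Assumed reading of AEGIS_BACKEND: which tiers to try, in order, before the template.
BACKEND_ORDER = {
    "auto": ("local", "cloud"),
    "local": ("local",),
    "cloud": ("cloud",),
    "fast": (),  # template only
}


def template_fallback(text):
    """Tier 3: keyword templates, instant, no API key needed (constructed rules)."""
    t = text.lower()
    if any(k in t for k in ("reverse shell", "credential dump")):
        return "malicious"
    if any(k in t for k in ("failed login", "port scan")):
        return "suspicious"
    return "benign"


def _call_with_budget(fn, text, budget):
    """Runs fn(text) in a worker thread and raises TimeoutError past `budget` seconds."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(fn, text).result(timeout=budget)
    finally:
        pool.shutdown(wait=False)  # do not block on a tier that is still hanging


def classify(text, local=None, cloud=None, env=None):
    """Walks the tiers selected by AEGIS_BACKEND and returns (label, tier_used).
    A tier is skipped when no client is configured, when it exceeds its latency
    budget, when it raises, or when it returns something outside LABELS; the
    template fallback always answers, so the caller never sees an exception."""
    env = os.environ if env is None else env
    if env.get("AEGIS_ENABLED", "true").lower() != "true":
        return template_fallback(text), "template"
    backend = env.get("AEGIS_BACKEND", "auto")
    clients = {"local": local, "cloud": cloud}
    for tier in BACKEND_ORDER.get(backend, BACKEND_ORDER["auto"]):
        fn = clients[tier]
        if fn is None:
            continue
        try:
            label = _call_with_budget(fn, text, TIER_BUDGET_S[tier])
        except Exception:  # covers TimeoutError, connection errors, bad replies
            continue
        if label in LABELS:
            return label, tier
    return template_fallback(text), "template"


# Constructed stand-ins for the llama.cpp and OpenRouter/Gemini clients (demo only).
def slow_local(text):
    time.sleep(0.3)  # over the 100 ms local budget, so the chain moves on to cloud
    return "benign"


def cloud_ok(text):
    return "malicious" if "reverse shell" in text.lower() else "benign"


def cloud_no_key(text):
    raise ConnectionError("no API key configured")


def demo():
    env = {"AEGIS_ENABLED": "true", "AEGIS_BACKEND": "auto"}
    return classify("outbound reverse shell from host", slow_local, cloud_ok, env)


if __name__ == "__main__":
    print(demo())  # ('malicious', 'cloud'): local timed out, cloud answered
```

With AEGIS_BACKEND=auto the local tier is tried first and abandoned once it overruns its 100 ms budget, so the cloud tier answers; with fast, or with AEGIS_ENABLED=false, no client is ever called and the template answers immediately. A tier that raises (for instance a cloud client with no API key) falls through to the next tier the same way, which is the property a responder pipeline needs: classification degrades in quality, never in availability.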