Alyria is the endpoint agent-governance platform for the AI agents your people run. It governs what every agent may do, detects what it did, and brokers secrets encrypted under keys you hold and can revoke. Six modules cooperate across two pillars: APG (Agent Policy Governance, prevention) and ADR (Agent Detection & Response, detection), on a mesh where fleet data stays encrypted under keys you hold.
The path of a request
A request from a local agent travels through the platform in order:
- Beacon — a signed daemon on every machine. It inventories installed AI tooling and CVEs, then routes the agent's inference and network calls through a local policy service. Enforcement happens at the endpoint, with no cloud hop on the hot path.
- Constellation — the mesh. Beacons check in over MCP and share org memory and ingested docs, scoped by division and role resolved from your IdP groups. The same ACL is enforced twice from one source of truth.
- Lyra — policy-as-code. One capability-brokered, information-flow-aware policy decides which tools, MCP servers, models, data, and egress each agent may touch. Authored once, enforced at the Beacon.
- Umbra — the wedge. Secrets under your keys, with agent-to-agent key exchange (roadmap: keys we never hold). Client-side crypto is open and auditable, so the cloud is never the breach target.
- Spectra — telemetry. OpenTelemetry from the whole fleet is collected and routed to Alyria Cloud or straight into your own SIEM (Elastic/Kibana).
- Observatory — the cloud console. Enterprise SSO, tenant onboarding, fleet health, CVE posture, policy decisions, and detections in one plane.
Why under your keys
A conventional cloud control plane must decrypt your traffic to inspect it, which makes it the thing worth attacking. Alyria inverts that: enforcement is local and offline, and any fleet data that reaches the cloud is encrypted under a key that lives in your KMS. Revoke the key and you can verify our access died, in your own CloudTrail. The roadmap moves further, toward client-held keys we never hold at all, under an externally audited protocol.
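One way to run the CloudTrail check described above, added here as an example and not Alyria's own code: it reads CloudTrail-shaped KMS records and reports whether a vendor account's use of your key stopped after revocation. The key ARN, account IDs, revocation time and sample records are constructed placeholders, and it assumes the vendor's calls originate from a separate AWS account.

```python
from datetime import datetime, timezone

# All identifiers below are constructed placeholders, not values from Alyria's docs.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
VENDOR_ACCOUNT = "222222222222"  # assumption: vendor calls come from its own account
REVOKED_AT = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
KEY_USE = {"Decrypt", "GenerateDataKey", "ReEncrypt"}  # calls that use key material


def make_record(time, name, account, error=None, key=KEY_ARN):
    """Build a constructed record with the CloudTrail fields this check reads."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"accountId": account}, "resources": [{"ARN": key}]}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE = [  # constructed sample, not real log data
    make_record("2025-01-10T11:58:03Z", "Decrypt", VENDOR_ACCOUNT),
    make_record("2025-01-10T12:04:41Z", "Decrypt", VENDOR_ACCOUNT, error="AccessDenied"),
    make_record("2025-01-10T12:05:10Z", "Decrypt", "111111111111"),  # your own workload
    make_record("2025-01-10T12:06:00Z", "DescribeKey", VENDOR_ACCOUNT),  # not a key use
]


def audit_revocation(records, key_arn, vendor_account, revoked_at):
    """Classify the vendor's key-use calls on key_arn made at or after revoked_at."""
    denied, succeeded = [], []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") not in KEY_USE:
            continue
        if (r.get("userIdentity") or {}).get("accountId") != vendor_account:
            continue
        if key_arn not in [x.get("ARN") for x in (r.get("resources") or [])]:
            continue
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if when < revoked_at:
            continue
        (denied if r.get("errorCode") else succeeded).append(r)
    if succeeded:
        verdict = "violation"      # key was still usable after revocation
    elif denied:
        verdict = "confirmed"      # attempts were made and all were refused
    else:
        verdict = "no-evidence"    # silence alone does not prove access ended
    return {"verdict": verdict, "denied": len(denied), "succeeded": len(succeeded)}


if __name__ == "__main__":
    print(audit_revocation(SAMPLE, KEY_ARN, VENDOR_ACCOUNT, REVOKED_AT))
```

The "no-evidence" verdict matters in practice: an empty log after revocation shows only that no attempt was recorded, so a denied call is the stronger confirmation.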
Continue to the Quickstart to deploy your first Beacon.