Start with the report.
Every engagement starts with the Agent Exposure Report, a scoped, fixed-price pilot that ends with a board-ready artifact and a live kill-switch drill. Convert, and the pilot fee credits toward your first year.
Pilot
The Agent Exposure Report engagement. Time-boxed and fixed-price: a decision artifact, not a subscription. Credited toward year one when you convert.
Get your Agent Exposure Report- 10–25 endpoints, read-only deploy
- Board-ready Agent Exposure Report
- Policy baseline in monitor mode
- Weekly posture-and-violations reporting
- BYOK kill-switch drill, run live with your team
- Concierge onboarding: we do the work with you
Platform
Continuous governance for the whole fleet, priced by fleet size and tier.
Book a demo- Continuous fleet inventory
- MCP policy: monitor first, enforce when ready
- Tamper-evident audit chain
- BYOK: fleet data under keys you hold and can revoke
- Enterprise SSO (OIDC / SAML)
- Observatory fleet views
- Weekly reporting
Enterprise
Scale and controls for regulated fleets.
Talk to us- Everything in Platform
- Spectra SIEM routing
- SSO / SCIM at scale
- Extended audit retention
- Security-guarantees tier as it ships: signed builds, attestations, CVE response SLAs
Governance at $3–10 per developer per month, on an AI investment of $20–40 per developer per month: the cheapest line item in the rollout, and the one that gets it approved.
Questions, answered.
- How does the pilot work?
- It's a scoped, fixed-price engagement on 10–25 endpoints. Beacon deploys read-only and nothing is enforced. The engagement is time-boxed and ends with the board-ready Agent Exposure Report, a policy baseline in monitor mode, weekly posture-and-violations reporting, and the BYOK kill-switch drill run live with your team. Convert to Platform, and the pilot fee credits toward your first year.
- What does “under your keys” mean for my data and my bill?
- Fleet data and the tamper-evident audit chain are encrypted under a key that lives in your KMS, not ours. During the pilot we run the kill-switch drill: you revoke that key and watch our access die in your own CloudTrail, so you never have to take our word for it. For the bill, pricing is based on fleet size and tier, never on reading or monetizing your data.
- Does Alyria read my data?
- Static blobs stored with us are opaque to us at rest, and fleet data is encrypted under a key you hold and can revoke, verifiably. Client-held keys, where we never hold the key at all, are on our roadmap pending an externally audited protocol; we describe that as future work, not a present guarantee.
- Can I self-host, or does Alyria host it?
- The platform core is source-available and can run on your own infrastructure. Most teams choose the hosted offering: Observatory hosts the console, SSO, fleet dashboards, and the secrets broker, and your data stays under your keys either way.
- What does open-core actually mean here?
- The platform core is source-available (BSL 1.1) and Umbra’s client-side crypto and SDK are fully open (Apache/MPL) so the client-side crypto stays auditable; the full licensing story lives on the security & trust page.
- How does enterprise SSO work?
- Platform includes enterprise SSO via OIDC or SAML out of the box. Enterprise adds SCIM provisioning, extended audit retention, and SIEM routing at scale for larger, regulated fleets.
- What are “security guarantees”?
- A distinct Enterprise tier, independent of license, delivered as it ships: SLA, warranty/indemnity, SOC 2 and pen-test attestations, signed/reproducible builds, and committed CVE response windows. Details on the security & trust page.
Find out what your fleet is running. This week.
A 30-minute read-only deploy. A board-ready report of every agent, tool, and MCP connection. Your keys from day one, and a kill-switch drill to prove it.