AIOStackAIOStack

AI threats move fast.
This is your unfair advantage.

AIOStack helps secure the AI agents, models, and services running in your environment - including the ones nobody told you about. It reads your kernel and your cloud, maps every app, identity, endpoint, and datasource, and watches what each one actually does. Zero code changes. Your applications will not even know we exist.

$ install · 1 cmd
curl -fsSL https://aurva.ai/install.sh | bash
Install · 10 min How it works
discoversshadow AI · agents · models · endpoints
securesidentity · data flow · egress · prompts
installcurl · helm · zero code changes
deployin-VPC · read-only · data never leaves
FIG. 01aiostack · runtime mapcluster: aurva-prod
L4 · APPLICATIONk8sL3 · IDENTITYiamL2 · DATArds·s3·vecL1 · KERNEL · eBPFsyscallA1pii-analyzerbedrock · agentA2doc-classifierlangchain · agentS1aurva-ocronnx · serviceID·1dataplane-sakube · serviceaccountID·2iam: pii-analyzeraws · role · 12 permsID·3okta-svcfederatedEP·1bedrock.invokeclaude-3-haikuEP·2openai/embedexternalDS·1rds: docspostgres · piiDS·2s3: pii/*bucket · objL1aiostack-agent · DaemonSeteBPF probes · sock_ops · kprobe · tc · uprobe+ network FSM · parses queries · maps sensitive data flowsock_opskprobetcuprobeFSMobsobsobsobsnovel destination · 3 days ago600·720 / RUNTIME · LIVE0,0
§ 02

Four observatories.
One agent. Same evidence.

AIOStack does not give you a generic dashboard. It gives you four precise inventories — every app and model running, every identity that ran them, every endpoint they called, every datasource they read — joined onto the same runtime trace.

§ 02 · 01obs/apps-models

Apps & Models

every model invocation, observed
callerinvokeBEDROCKclaude-3-haikuOPENAIembedding-3-smSELF-HOSTllama-3-70bSEEN BY · eBPF KPROBE / SOCK_OPS
namekindsignal
claude-3-haikubedrock12,408 calls · 24h
claude-3-sonnetbedrock1,820 calls · 24h
text-embedding-3-smopenai84,012 calls · 24h
llama-3-70bself-host412 calls · 24h
gemini-1.5-flashvertex0 calls · 24h
catalog12 distinct models · 4 providers
unsanctioned2 models invoked off-list
traffic98,652 invocations · last 24h
dataprompts, completions, tokens, latency
§ 02 · 02obs/identities

Identities

every identity that touched AI
01actorhuman/sched02agentk8s pod03sa→roleiam chain04resourcerds·s3·modeldrift · 1 new perm 24hJOIN · K8S API · CLOUDTRAIL · IAMPER · IDENTITY · 90D BASELINE
namekindsignal
dataplane-sak8s-sa12 perms · 3 used
iam: pii-analyzeraws-roledrift · 1 new perm 24h
okta-svcfederated2 calls · sanctioned
scheduler-cronk8s-sabedrock only · OK
ci-runneraws-rolefirst seen 2d ago
catalog47 identities · 6 service accounts
drift3 identities with new perms this week
baseline90d · least privilege computed
datasa → role → resource, per call
§ 02 · 03obs/endpoints

Endpoints

every URL the AI talks to
CLUSTERegressapi.openai.comOKbedrock.awsOK38.142.21.7NEWpinecone.ioOKSEEN BY · TC · SOCK_OPS
namekindsignal
api.openai.com/v1/embeddingsegressexternal · sanctioned
bedrock.amazonaws.comegressin-vpc · sanctioned
38.142.21.7:443egressnovel · 3d ago
pinecone.io/vectors/upsertegressexternal · sanctioned
internal: rds.docs:5432internalin-cluster
catalog147 endpoints reached in 30d
new8 endpoints first-seen this week
traffic1.2 TB egress · 24h
datadestination, payload, mTLS, identity
§ 02 · 04obs/datasources

Datasources

every byte of sensitive data, traced
agentpii-analyzereBPF · FSMparses querySELECT · cols · rowsrds: docsPIIs3: pii/*PIIpineconeVECredisKVSEEN BY · NETWORK FSM · PG · MYSQL · HTTP · GRPC
namekindsignal
rds: docs.userspostgrespii · 24,108 reads · 24h
s3://pii-vault/*objectpii · 1.8 GB read
pinecone: emb-prodvector3.4M queries · embeddings
redis: session-cachekvtokens · in-cluster
snowflake: analyticswarehouse4 columns · pii
catalog38 datasources · 11 carry pii
fsmnetwork FSMs parse pg · mysql · http · grpc
flowagent → query → row → exfil, mapped
dataqueries, columns, rows, payload size
§ 03

How it works.

One install, four signal sources, zero application changes. The agent observes from below; cloud APIs enrich from above; the runtime trace is what you see.

FIG. 02signal pipeline · 5 sources → ai reasoninglive · 0 dropped events
SOURCE · YOUR INFRAFIVE FEEDS · ALL READ-ONLYK8S APIpods · sa · svcCLOUDTRAILiam · auditeBPF · syscallsock_ops · kprobeeBPF · NET FSMpg · mysql · http · grpcBEDROCK / VERTEXmodel invokeMERGED EVENT BUS§ 01 · INSTALLcurl · helmdaemonset · 1 cmd§ 02 · OBSERVEeBPF + FSMflows · queries · payloads§ 03 · CORRELATEidentity graphsa → role → resource§ 04 · REASONAI analyzerbaseline · narrate · rankLIVE INVENTORYapps · models · ids · dsDATA-FLOW MAPwho reads what · piiRIGHT-SIZED IAMgranted vs. usedNARRATED ALERTSplain language · evidence0,01200·380 / LIVE · 0 EVENTS DROPPED
01

Install in one command.

A single curl provisions the AIOStack agent across your nodes via Helm. No SDK to import, no proxy in front of your model, no sidecar. Your applications will never know we are there.

curlhelmdaemonsetin-vpc
02

eBPF observes from below.

Probes attached to socket and syscall paths capture every flow, every identity context, every payload boundary. Including agents and models nobody told security about — shadow AI surfaces the moment it runs.

sock_opskprobetcuprobe
03

Cloud APIs draw the rest.

Read-only IAM, CloudTrail, Bedrock, and metadata APIs map ServiceAccounts → roles → policies → resources. The full identity graph behind every AI agent, generated automatically.

iamcloudtrailbedrockk8s api
04

AI reasons over the trace.

An LLM-backed analyzer baselines every identity, narrates every drift, and explains every alert in plain language with linked evidence — so triage stops being archaeology.

baselinenarrateexplainrank
§ 04

Six outcomes.
One install.

01
Inventory
Every model, agent, endpoint, identity. Live. Without you asking.
02
Trace
One actor → one model → one endpoint → one row. End-to-end, in plain language.
03
Drift
First time an identity touches a new resource. First time a model is called from a new caller. First time data leaves.
04
Blast radius
What a compromised agent can actually reach — computed from observed behavior, not granted policy.
05
Right-size
Permissions trimmed to what was actually used in the last 90 days. With evidence attached.
06
Audit
Every action — call, query, egress — attributed to an identity, packaged for review.
§ AIO · DEPLOYED AT

Security & platform teams running AIOStack.

deployself-hosted · saas · in-vpc
since2025
Yubi
finopsasia-south
Meesho
d2casia-south
slice
finasia-south
Razorpay
finasia-mixed
Nykaa
d2casia-south
Rapyuta
coreasia-east
R Systems
dataus-east
CansoAI
ml-hubus-west
Yugen AI
ml-hubus-east
Instacart
engus-west
smallest.ai
aius-west
WisdomAI
aius-east
§ END

Every AI in your stack.
Discovered. Mapped. Secured.

One curl. Ten minutes. Your AI inventory, your endpoint inventory, your identity chains — read from the kernel up. Zero friction. Zero code changes.

Install · 10 min Read architecture
RUNTIMEkernel · eBPF probes
CONTROLiam · cloudtrail · bedrock
DEPLOYself-hosted · in-vpc · read-only
COMPLIANCEsoc 2 · iso 27001