This is the line-item list of every model, scanner, feed, surface, deployment shape, integration, compliance pack, and operational deliverable included in a Safeguard engagement. Read top to bottom, or jump to the section you need to staple onto a procurement form.
Five Griffin variants for reasoning, Eagle for ranking, Lino for inline. Pick by complexity score or let the auto-router pick for you.
| Variant | Parameters | Deployment shapes | Best for | Detail |
|---|---|---|---|---|
| Griffin Lite | 8B | Shared cloud · Dedicated · VPC · Air-gapped | Inline IDE reasoning, CI gate quick passes, edge inference. | |
| Griffin S | 14B | Shared cloud · Dedicated · VPC · Air-gapped | Repo-wide sweeps with reachability ranking, PR review depth. | |
| Griffin M | 32B | Shared cloud · Dedicated · VPC | Multi-finding correlation, cross-package taint chains to seven hops. | |
| Griffin L | 70B | Dedicated · VPC · Sovereign | Exploit-hypothesis generation, sanitiser-aware patch synthesis. | |
| Griffin Zero | 671B (MoE) | Dedicated · VPC · Sovereign | The hardest reasoning: novel taint chains, audit-grade disproofs. | |
| Eagle | 13B | Shared cloud · Dedicated · VPC · Air-gapped | Reachability ranking, candidate-path retrieval, cluster dedup. | |
| Lino | 1B | On-device (CPU/GPU) · Air-gapped | Sub-100 ms inline sink, secret, and sanitiser checks. | |

CVE write-ups, exploit research, patched diffs, advisory text, taint graphs, MITRE ATT&CK procedures, labelled SAST findings. Not general web crawl, not StackOverflow without a security frame.
Sliding-window plus landmark attention with retrieval gates that pre-rank call-graph chunks before attention runs. Long context that actually holds at its advertised window.
Best-in-class scanners run in parallel; Eagle ranks and dedupes; Griffin reasons on the survivors. You see one finding per real issue, not eleven copies.
OS and language package CVE matching against curated vuln DB.
Containers, IaC, filesystems, and Git repos in one engine.
SPDX-aligned license detection with policy-grade obligations.
Secret detection across history, branches, and pre-commit hooks.
Open Source Vulnerability database matched by purl coordinates.
GitHub Security Advisory feed, ecosystem-aware version ranges.
Project health signals: maintenance, signed releases, branch protection.
Supplier and maintainer trust signal scoring at the repo level.
Code-quality and security rule packs piped into the same verdict.
Typosquats, dependency confusion, post-install hook anomalies.
Source code counter for project size, language mix, and SLOC.
Eagle collapses near-duplicate findings across scanners, with provenance preserved. One verdict per real issue, full audit trail attached.
Severity is necessary, not sufficient. Exploitability, exploited-in-the-wild status, advisory metadata, and reputation come pre-attached so you triage on real risk.
National Vulnerability Database: CVE record of truth, CVSS, CPE mapping.
Open Source Vulnerability schema, ecosystem-precise version ranges by purl.
Exploit Prediction Scoring System: 30-day probability a CVE is exploited in the wild.
CISA Known Exploited Vulnerabilities catalogue: the hard prioritisation signal.
GHSA stream with ecosystem-aware severity and patch-version metadata.
Artifact reputation and multi-engine hash verdict for binary intel.
Curated exploit intel, ransomware association, and threat actor mapping.
Two SBOM formats, plus end-to-end provenance attestation. Both are signed; both export cleanly for the regulator.
Full bill of materials with component identity, dependency relationships, license, and vuln annotations. Signed.
ISO/IEC 5962-aligned SBOM for procurement, regulator, and auditor workflows. Signed.
Provenance attestations for build steps, scan runs, and patch applications. Verifiable chain-of-custody.
Every surface reads the same policy, writes to the same audit log, and shares the same SBOMs. Pick where your team already lives.
Griffin, Eagle, Lino behind a single versioned REST API. Auto-router by complexity.
Native Mac, Windows, Linux. Local scans, CI-equivalent gate, drift watcher.
Local AI coding agent that knows your SBOM, policy, and reachability graph.
VS Code, JetBrains family, Cursor. Lino inline at sub-100 ms p95.
scan, sbom, fix, policy. Static binary or npm. Air-gappable.
Model Context Protocol with capability scoping and egress guardrails.
Web console for trend, SLA, exception, and regulator export.
Curated integrations, SBOM bundles, compliance packs, workflow library.
Typed SDKs (TypeScript, Python, Go) plus signed delivery webhooks.
The platform is the same; the trust boundary is yours to choose.
Multi-tenant inference plane, fastest onboarding. Per-tenant prompt and KV-cache isolation.
Single-tenant inference on isolated hardware. SHA-pinned weight attestation, deterministic latency.
Customer-controlled VPC, BYO-KMS. Inference plane lives inside your network boundary.
No egress, on-prem GPU, offline vuln DB bundles, signed audit-log export.
In-country residency, regulator-attested key custody, signed roadmap commitments.
Pre-mapped Safeguard capability-to-control bindings, refreshed on every framework revision. Bring your auditor; we have the spreadsheet.
First-party connectors maintained by Safeguard, not a third-party marketplace plugin. Bi-directional where it makes sense, one-way where it does not.
Not just software. The operating commitments that come stapled to the contract.
99.5% to 99.95% availability for the API, portal, and MCP surfaces, depending on tier. Credits attached.
Direct access to Safeguard engineering on the on-call rotation. No vendor support tier sits between you and the people who wrote the code.
Monthly SLA reports with raw uptime, latency, and incident timelines. Quarterly business reviews on posture and roadmap.
Append-only audit log exported in JSON plus CycloneDX evidence form. Signed and verifiable for regulator submission.
Enablement curriculum for your sales, support, and security engineering teams. Updated each model release.
Quarterly roadmap brief under NDA: upcoming variants, scanner additions, compliance packs, deployment shapes.
The artefacts your security, legal, procurement, and audit teams need. Versioned, signed, and available from the resource hub.
Per-surface technical datasheets with API contracts, limits, and integration patterns.
Per-model card: training corpus class, eval suites, intended use, known limits.
Architecture whitepapers for Aegis attention, the disproof pass, and trace distillation.
Control-by-control mapping from Safeguard capabilities to each framework's clauses.
Our own platform SBOMs in CycloneDX and SPDX, signed. Eat-our-own-dogfood transparency.
Starter OPA policy bundles and CSAF/CycloneDX VEX templates for your exception workflow.
We are single-purpose by design. Here is what a Safeguard engagement deliberately does not cover.
Models, scanners, feeds, surfaces, deployments, integrations, compliance packs, operational and documentation deliverables. All in one contract.