Everything · The complete inventory

Everything you get. On one page.

This is the line-item list of every model, scanner, feed, surface, deployment shape, integration, compliance pack, and operational deliverable included in a Safeguard engagement. Read top to bottom, or jump to the section you need to staple onto a procurement form.

Models

Scanners

Enrichment feeds

Compliance frameworks

Models · 7 variants

Models you can call.

Five Griffin variants for reasoning, Eagle for ranking, Lion for inline. Pick by complexity score or let the auto-router pick for you.

Variant	Parameters	Deployment shapes	Best for
Griffin Lite	8B	Shared cloud · Dedicated · VPC · Air-gapped	Inline IDE reasoning, CI gate quick passes, edge inference.
Griffin S	14B	Shared cloud · Dedicated · VPC · Air-gapped	Repo-wide sweeps with reachability ranking, PR review depth.
Griffin M	32B	Shared cloud · Dedicated · VPC	Multi-finding correlation, cross-package taint chains up to twelve hops.
Griffin L	70B	Dedicated · VPC · Sovereign	Exploit-hypothesis generation, sanitiser-aware patch synthesis.
Griffin Zero	671B (MoE)	Dedicated · VPC · Sovereign	The hardest reasoning: novel taint chains, audit-grade disproofs.
Eagle	13B	Shared cloud · Dedicated · VPC · Air-gapped	Reachability ranking, candidate-path retrieval, cluster dedup.
Lion	1B	On-device (CPU/GPU) · Air-gapped	Sub-100 ms inline sink, secret, and sanitiser checks.

All models share the security-only corpus

CVE write-ups, exploit research, patched diffs, advisory text, taint graphs, MITRE ATT&CK procedures, labelled SAST findings. Not general web crawl, not StackOverflow without a security frame.

Aegis attention powers every Griffin variant

Sliding-window plus landmark attention with retrieval gates that pre-rank call-graph chunks before attention runs. Long context that actually holds at its advertised window.

Scanners · 11 engines, one verdict

Eleven scanners, deduped into one verdict.

Best-in-class scanners run in parallel; Eagle ranks and dedupes; Griffin reasons on the survivors. You see one finding per real issue, not eleven copies.

Grype

OS and language package CVE matching against curated vuln DB.

Trivy

Containers, IaC, filesystems, and Git repos in one engine.

License scanner

SPDX-aligned license detection with policy-grade obligations.

Gitleaks

Secret detection across history, branches, and pre-commit hooks.

OSV scanner

Open Source Vulnerability database matched by purl coordinates.

GHSA

GitHub Security Advisory feed, ecosystem-aware version ranges.

OpenSSF Scorecard

Project health signals: maintenance, signed releases, branch protection.

Hipcheck

Supplier and maintainer trust signal scoring at the repo level.

SonarQube integration

Code-quality and security rule packs piped into the same verdict.

Malicious-package detection

Typosquats, dependency confusion, post-install hook anomalies.

SCC

Source code counter for project size, language mix, and SLOC.

+ Cross-scanner dedup

Eagle collapses near-duplicate findings across scanners, with provenance preserved. One verdict per real issue, full audit trail attached.

Enrichment feeds · 7 sources

Every finding, enriched in line.

Severity is necessary, not sufficient. Exploitability, exploited-in-the-wild status, advisory metadata, and reputation come pre-attached so you triage on real risk.

NVD

National Vulnerability Database: CVE record of truth, CVSS, CPE mapping.

OSV

Open Source Vulnerability schema, ecosystem-precise version ranges by purl.

EPSS

Exploit Prediction Scoring System: 30-day probability a CVE is exploited in the wild.

KEV

CISA Known Exploited Vulnerabilities catalogue: the hard prioritisation signal.

GitHub Advisory

GHSA stream with ecosystem-aware severity and patch-version metadata.

VirusTotal

Artifact reputation and multi-engine hash verdict for binary intel.

VulnCheck

Curated exploit intel, ransomware association, and threat actor mapping.

SBOM + provenance

Bill of materials, cryptographically signed.

Two SBOM formats, plus end-to-end provenance attestation. Both are signed; both export cleanly for the regulator.

CycloneDX 1.6 export

Full bill of materials with component identity, dependency relationships, license, and vuln annotations. Signed.

SPDX 2.3 export

ISO/IEC 5962-aligned SBOM for procurement, regulator, and auditor workflows. Signed.

in-toto + sigstore

Provenance attestations for build steps, scan runs, and patch applications. Verifiable chain-of-custody.

Surfaces · 9 entry points

Nine ways to touch the platform.

Every surface reads the same policy, writes to the same audit log, and shares the same SBOMs. Pick where your team already lives.

Models-as-a-Service

Griffin, Eagle, Lion behind a single versioned REST API. Auto-router by complexity.

Desktop App

Native Mac, Windows, Linux. Local scans, CI-equivalent gate, drift watcher.

Safeguard Code

Local AI coding agent that knows your SBOM, policy, and reachability graph.

IDE Extension

VS Code, JetBrains family, Cursor. Lion inline at sub-100 ms p95.

CLI

scan, sbom, fix, policy. Static binary or npm. Air-gappable.

MCP Server

Model Context Protocol with capability scoping and egress guardrails.

Portal & Dashboard

Web console for trend, SLA, exception, and regulator export.

Marketplace

Curated integrations, SBOM bundles, compliance packs, workflow library.

Webhooks & SDK

Typed SDKs (TypeScript, Python, Go) plus signed delivery webhooks.

Deployment shapes · 5 options

Run it at every isolation level.

The platform is the same; the trust boundary is yours to choose.

Shared cloud

Multi-tenant inference plane, fastest onboarding. Per-tenant prompt and KV-cache isolation.

Dedicated cluster

Single-tenant inference on isolated hardware. SHA-pinned weight attestation, deterministic latency.

VPC-isolated

Customer-controlled VPC, BYO-KMS. Inference plane lives inside your network boundary.

Air-gapped

No egress, on-prem GPU, offline vuln DB bundles, signed audit-log export.

Sovereign

In-country residency, regulator-attested key custody, signed roadmap commitments.

Compliance packs · pre-mapped

Control mappings, already done.

Pre-mapped Safeguard capability-to-control bindings, refreshed on every framework revision. Bring your auditor; we have the spreadsheet.

SOC 2 Type II (audit in progress)

ISO/IEC 27001:2022

FedRAMP HIGH-ready

CMMC L2/L3

NIST SP 800-161

NIST SP 800-218 (SSDF)

EO 14028

NIS2

DORA

DPDP Act

GDPR

HIPAA

STQC-ready

Customer-specific framework on request

Integrations · 6 categories

Wired into the tools you already run.

First-party connectors maintained by Safeguard, not a third-party marketplace plugin. Bi-directional where it makes sense, one-way where it does not.

Source / SCM

GitHub
GitLab
Bitbucket
Azure DevOps
Gerrit

CI / CD

GitHub Actions
GitLab CI
Jenkins
CircleCI
Buildkite
Tekton
Argo CD

Issue trackers + comms

Jira
ServiceNow
Linear
Slack
Microsoft Teams
PagerDuty
Opsgenie

Observability / SIEM

Splunk
Datadog
Elastic
Grafana
Sumo Logic
Sentry

Identity

Okta
Azure AD / Entra
Google Workspace
Ping
OneLogin
SAML / OIDC + SCIM

Cloud / Runtime

AWS
Azure
GCP
Kubernetes
Docker
OPA admission controllers

Operational deliverables

What we operate for you.

Not just software. The operating commitments that come stapled to the contract.

Application-layer SLA

99.5% to 99.95% availability for the API, portal, and MCP surfaces, depending on tier. Credits attached.

L2 / L3 support

Direct access to Safeguard engineering on the on-call rotation. No vendor support tier sits between you and the people who wrote the code.

SLA reports + QBRs

Monthly SLA reports with raw uptime, latency, and incident timelines. Quarterly business reviews on posture and roadmap.

Signed audit-log export

Append-only audit log exported in JSON plus CycloneDX evidence form. Signed and verifiable for regulator submission.

Training programmes

Enablement curriculum for your sales, support, and security engineering teams. Updated each model release.

Roadmap visibility under NDA

Quarterly roadmap brief under NDA: upcoming variants, scanner additions, compliance packs, deployment shapes.

Documentation deliverables

Paper for everyone who asks.

The artefacts your security, legal, procurement, and audit teams need. Versioned, signed, and available from the resource hub.

Datasheets

Per-surface technical datasheets with API contracts, limits, and integration patterns.

Model cards

Per-model card: training corpus class, eval suites, intended use, known limits.

Whitepapers

Architecture whitepapers for Aegis attention, the disproof pass, and trace distillation.

Compliance attestation mappings

Control-by-control mapping from Safeguard capabilities to each framework's clauses.

Signed Safeguard SBOMs

Our own platform SBOMs in CycloneDX and SPDX, signed. Eat-our-own-dogfood transparency.

Policy + VEX templates

Starter OPA policy bundles and CSAF/CycloneDX VEX templates for your exception workflow.

What's not included

Honest about what we are not.

We are single-purpose by design. Here is what a Safeguard engagement deliberately does not cover.

Out of scope, on purpose

General-purpose code generation outside a security context. Safeguard Code reasons about supply chain; it will not write a marketing site or a Pokédex.
Image, video, voice, or chat-companion generation. The platform is single-purpose by design.
End-user customer support chat. We ship to your security and engineering teams, not your customer service desk.
MDM / EDR endpoint posture. We sit upstream of those tools and federate findings to them, but we are not their replacement.

Everything above. One engagement.

Models, scanners, feeds, surfaces, deployments, integrations, compliance packs, operational and documentation deliverables. All in one contract. Book a walk-through.