Three models. One brain. Trained only on what attackers actually do.
A single general-purpose model is the wrong tradeoff curve for security work — latency, precision and cost pull in different directions, and one set of weights can't sit at all three optima. The lineup splits the work: Lion runs inline at sub-100 ms, Eagle sweeps the repo and ranks candidates, Griffin spends a real reasoning budget proving and disproving each one.
One curve doesn't fit precision, latency, and cost.
Each model occupies a different point on the security tradeoff curve. You don't pay for reasoning you don't need and you don't wait for latency you can't spend.
Sub-100 ms or it's not inline
A model that takes two seconds to think is a model the developer disables. Lion is sized to answer before the editor finishes redrawing — every other choice flows from that constraint.
Wide angles need ranking, not reasoning
Sweeping a repo for taint candidates is a clustering problem, not a chain-of-thought problem. Eagle's head is fine-tuned for ranking dataflow tokens — fast, batched, and cheap enough to run across every package on every commit.
Precision requires reasoning budget
Hypothesising an exploit chain and trying to refute it under sanitiser constraints is genuinely hard. Griffin gets the parameter count, the context window, and the chain-of-thought depth to earn its verdict.
Griffin · Eagle · Lion — one corpus, three speeds.
Griffin
01Deep reasoning · the hypothesis engine.
- ~70B mixture-of-experts head
- Security-augmented tokeniser (CWE-IDs, CVE-IDs, taint-source tags, dataflow operators)
- 128k context window for multi-hop call graphs
- Multi-step chain-of-thought with adversarial disproof pass
- Distillation source for both Eagle and Lion
- Curated CVE bodies and accompanying patch diffs
- Exploit write-ups and public proof-of-concept code
- Vulnerability disclosure threads and security advisory text
- Malware behavioural traces and reverse-engineering notes
- IDA / Ghidra disassembly excerpts with annotations
- Cross-package taint graphs extracted from open-source repos
- MITRE ATT&CK mappings, security RFCs, package registry metadata
Griffin scales smoothly from an 8B distilled head to a 671B-parameter mixture-of-experts. Customers pick the variant whose latency budget and reasoning depth match the workflow — and Safeguard can route between variants automatically based on finding complexity.
| Variant | Parameters | Context window | Latency p95 | Deployment shape | Typical use |
|---|---|---|---|---|---|
| Griffin Lite | 8B | 32k | ~1.2s | IDE-side cloud burst / CLI deep-scan | Fast remediation suggestions on a single finding. |
| Griffin S | 14B | 64k | ~2.8s | Cloud | Mid-depth call-graph reasoning, PR-level reviews. |
| Griffin M | 32B | 128k | ~5.5s | Cloud | Repo-wide reasoning, transitive taint chains. |
| Griffin L | 70B | 128k | ~8s | Dedicated GPU | Multi-hop cross-package exploit hypothesis. Default Safeguard production tier. |
| Griffin Zero | 671B-MoE (sparse, ~37B active) | 256k | ~12s | Multi-GPU cluster / sovereign | Deepest reasoning, supply-chain-scale audits, agentic disclosure workflows. |
Latencies are p95 on representative single-finding workloads. Context windows are usable, not theoretical maxima.
Eagle
02Wide-angle triage · the surface scanner.
- ~13B dense transformer, distilled from Griffin
- Ranking + clustering head fine-tuned for taint-path prioritisation
- Attention biased toward dataflow tokens (sources, sinks, sanitiser ops)
- Batched inference optimised for full-repo sweeps
- Same security-augmented tokeniser as Griffin
- Taint graphs and call-graph slices labelled for reachability
- SAST findings with ground-truth exploitability labels
- Fuzzing corpora and crash-derived input grammars
- Sanitiser configurations from real-world projects
- Package registry metadata with version-pinned advisories
- CWE-class labelled patch sets
Lion
03Inline · the commit-time gut check.
- ~1B parameters, distilled from Griffin via security-task distillation
- INT8 quantised weights, runs locally with no network egress
- Optimised for sub-100 ms inline latency on a developer laptop
- Same security-augmented tokeniser; pruned to inline-relevant vocab
- Ships in the IDE extension, CLI, and pre-commit hook
- Distillation traces from Griffin on common sink + sanitiser pairs
- Hand-labelled inline patterns for unsafe deserialisation, command injection, SSRF, path traversal, prompt injection
- Sanitiser-aware negative examples to suppress noise
- Public-only training; no customer code, ever
Complexity picks the parameter count.
Every finding gets a complexity score; the score chooses the Griffin variant. You do not pay for 671B reasoning on a one-hop sink, and you do not waste a 70B verdict on a multi-hop chain you actually need to prove.
Eagle assigns each candidate a complexity score from the call graph: depth, sanitiser ambiguity, cross-package edges, sink severity.
Cheap, in-package candidates route to Griffin Lite. Mid-depth PR work routes to S or M. Multi-hop cross-package paths route to L. Sovereign or classified workloads get Zero.
The chosen variant runs the hypothesise → cite → disprove → patch trace. The trace ships with the finding so reviewers can audit which variant produced what.
Cheap candidates go to Lite. Multi-hop cross-package paths route to M or L. Sovereign and classified deployments with the longest budget reach Zero.
Architecture details, not marketing copy.
Mixture-of-experts routing in Zero
Zero uses 8 experts with top-2 routing per token, activating roughly 5.5% of the 671B parameter count per forward pass. Routing is learned, security-task-aware, and biased toward sink-handling experts when the input embedding looks like a taint sink.
Security-augmented tokeniser
Around 28k extra tokens cover CWE / CVE identifiers, taint operators, package coordinates, and attack-pattern shorthand. Names like preg_replace, ObjectInputStream and pkg:npm/lodash do not shatter into byte-pair noise — their embedding-space neighbours are other vulnerable patterns.
Long context, retrieval-augmented
Sliding-window attention plus landmark tokens gives a 256k usable window on Zero. The call-graph chunker retrieves the slice of the program that matters for a given finding and pages it in around the hypothesis, so context is full but coherent.
Structured reasoning trace
Every Griffin call emits a four-stage trace: hypothesise the exploit, cite the path in the call graph, propose a disproof, propose a patch. The trace is the finding — reviewers see the chain, not a single label, and can reject at any stage.
Security-domain RLHF
Preference data is labelled by senior offensive-security engineers, not generic annotation vendors. The reward model penalises plausible-sounding hallucinations on CWE classification and treats unverified reachability claims as failures.
Distillation source for the lineup
Griffin (any size) is the teacher for Eagle and Lion. Their behaviour stays consistent with Griffin's reasoning on the same finding — they are smaller, faster heads of the same brain, not a different model trained to imitate.
Where each tier actually runs.
The lineup is the same brain at four isolation levels. Pick the shape that matches your data-residency and trust boundary; the variants stay consistent.
Shared cloud
Multi-tenant inference, fastest onboarding, per-tenant isolation at the prompt and KV cache layer. Best for teams trialling the lineup.
Dedicated cluster
Single-tenant inference on isolated VPC hardware. No cross-tenant traffic, deterministic latency, full SHA-pinned weight attestation.
VPC-isolated
Customer-controlled VPC, bring-your-own-key encryption, no cross-tenant traffic. Inference plane sits inside your network perimeter.
Sovereign / air-gapped
STQC-ready, no internet egress, on-prem GPU, full audit-log export. Suits regulated, classified, and sovereign deployments.
Commit to queue, one pipeline.
Inline sink + sanitiser check on the developer's machine.
Cross-package taint paths ranked across the codebase.
Deep reasoning posits an exploit chain + CWE class.
Second pass tries to refute; survivors land in your queue.
Every survivor lands in your queue with the taint path, hypothesised trigger, disproof attempt log, and a ranked evidence bundle.
Why the corpus matters more than the parameter count.
Refusal rates drop when the corpus knows you're a defender.
General-purpose models are trained to flinch at the word 'exploit'. Ours are weighted on disclosures, write-ups, and patch diffs — the literature of defenders — so a question about a deserialisation gadget gets answered, not refused.
The tokeniser speaks security.
CWE-IDs, CVE-IDs, taint-source tags, and dataflow operators are first-class tokens, not stochastic fragments. Sink names like preg_replace and ObjectInputStream don't shatter into byte-pair noise. Embedding-space neighbours are other vulnerable patterns, not unrelated English.
No contamination from marketing copy or unframed code.
General code corpora are dense with patterns that look secure to a model trained on README files and tutorials but ship CVEs in production. We deliberately exclude product copywriting, StackOverflow snippets without a security frame, and any code lifted without disclosure context.
RLHF rubric written by security engineers.
Reward modelling is graded against a rubric that penalises plausible-sounding hallucinations on CWE classification, rewards explicit reachability reasoning, and treats unverified claims as failures. The rubric is owned by the security team, not a generic annotation vendor.
Closing the loop with the engine.
Every finding the deterministic taint engine surfaces becomes a structured brief the model sees in inference. The model doesn't have to guess at reachability — it inherits it. That hybrid is what keeps the false-positive rate honest.
What's NOT in the corpus
The exclusion list is contractual, not aspirational. Every item below is audited at ingest.
- No customer code — ever, at any tier.
- No general web crawl or social media text.
- No PII, secrets, or scraped credentials.
- No closed-source proprietary disassembly.
- No LLM-generated synthetic security text.
- No product copywriting or vendor marketing.
- No StackOverflow snippets without a security frame.
What IS in the corpus
Defender-frame data, deduplicated and labelled. The ingest manifest is reviewable under NDA.
- CVE descriptions plus patches with linked diffs.
- Exploit write-ups and POCs, curated and deduplicated.
- Vendor advisory texts (CERT, MITRE, vendor PSIRT).
- Static-analysis findings with ground-truth labels.
- Taint graphs extracted from open-source repos.
- MITRE ATT&CK technique descriptions and procedure examples.
- Fuzzing corpora and crash triage notes.
- Package-registry metadata and malware behavioural traces.
- IDA / Ghidra disassembly excerpts, security-tagged.
- Vulnerability disclosure threads, with consent.
- Security RFCs and standards (NIST, ENISA, OWASP).
Guarantees in writing.
Tenant-level commitments
- Customer code never enters training — contractual, audited, and per-tenant attested.
- Per-tenant inference isolation; no cross-tenant prompt or KV cache reuse.
- Full model + dataset attestation available under NDA, including SHA-pinned weights.
- Opt-out for any analytics signal contributing to evaluation telemetry.
- Export-controlled deployments available for federal customers (FedRAMP HIGH / IL5 path).
- Coordinated disclosure with upstream maintainers stays opt-in per finding.
Numbers next to the alternatives.
Same internal eval suite, run against a leading general-purpose model and a representative pure-LLM bug hunter. Lower is better for FPR, latency, and refusal; higher is better for resistance and recall.
| Stack | False positive rate | Adversarial prompt resistance | Cross-package taint path recall | Latency p95 (inline) | Refusal rate on security Q&A |
|---|---|---|---|---|---|
| General-purpose LLM (zero-shot) | 62% | 41% | 18% | 1.8 s | 34% |
| Pure-LLM bug hunter (Mythos-class) | 54% | 63% | 37% | 2.4 s | 11% |
| Safeguard Griffin Lite (8B) | 19% | 91% | 78% | 1.2 s | 3% |
| Safeguard Lineup (Lion + Eagle + Griffin) | 6% | 98% | 94% | 80 ms | <1% |
| Safeguard Griffin L (70B) | 4% | 98% | 96% | 8.0 s | <1% |
| Safeguard Griffin Zero (671B-MoE) | 2% | 99% | 98% | 12.0 s | <0.5% |
Run the lineup against your code.
Lion at your commit, Eagle across your repo, Griffin proving the survivors. See the candidates your scanner never surfaced.