A single general-purpose model is the wrong tradeoff curve for security work — latency, precision and cost pull in different directions, and one set of weights can't sit at all three optima. The lineup splits the work: Lino runs inline at sub-100 ms, Eagle sweeps the repo and ranks candidates, Griffin spends a real reasoning budget proving and disproving each one.
Each model occupies a different point on the security tradeoff curve. You don't pay for reasoning you don't need and you don't wait for latency you can't spend.
A model that takes two seconds to think is a model the developer disables. Lino is sized to answer before the editor finishes redrawing — every other choice flows from that constraint.
Sweeping a repo for taint candidates is a clustering problem, not a chain-of-thought problem. Eagle's head is fine-tuned for ranking dataflow tokens — fast, batched, and cheap enough to run across every package on every commit.
Hypothesising an exploit chain and trying to refute it under sanitiser constraints is genuinely hard. Griffin gets the parameter count, the context window, and the chain-of-thought depth to earn its verdict.
Griffin: deep reasoning · the hypothesis engine.
Griffin scales smoothly from an 8B distilled head to a 671B-parameter mixture-of-experts. Customers pick the variant whose latency budget and reasoning depth match the workflow — and Safeguard can route between variants automatically based on finding complexity.
| Variant | Parameters | Context window | Latency p95 | Deployment shape | Typical use |
|---|---|---|---|---|---|
| Griffin Lite | 8B | 32k | ~1.2 s | IDE-side cloud burst / CLI deep-scan | Fast remediation suggestions on a single finding. |
| Griffin S | 14B | 64k | ~2.8 s | Cloud | Mid-depth call-graph reasoning, PR-level reviews. |
| Griffin M | 32B | 128k | ~5.5 s | Cloud | Repo-wide reasoning, transitive taint chains. |
| Griffin L | 70B | 128k | ~8 s | Dedicated GPU | Multi-hop cross-package exploit hypothesis. Default Safeguard production tier. |
| Griffin Zero | 671B-MoE (sparse, ~37B active) | 256k | ~12 s | Multi-GPU cluster / sovereign | Deepest reasoning, supply-chain-scale audits, agentic disclosure workflows. |
Latencies are p95 on representative single-finding workloads. Context windows are usable, not theoretical maxima.
Eagle: wide-angle triage · the surface scanner.
Lino: inline · the commit-time gut check.
Every finding gets a complexity score; the score chooses the Griffin variant. You do not pay for 671B reasoning on a one-hop sink, and you do not waste a 70B verdict on a multi-hop chain you actually need to prove.
Eagle assigns each candidate a complexity score from the call graph: depth, sanitiser ambiguity, cross-package edges, sink severity.
Cheap, in-package candidates route to Griffin Lite. Mid-depth PR work routes to S or M. Multi-hop cross-package paths route to L. Sovereign or classified workloads get Zero.
The chosen variant runs the hypothesise → cite → disprove → patch trace. The trace ships with the finding so reviewers can audit which variant produced what.
Cheap candidates go to Lite. Multi-hop cross-package paths route to M or L. Sovereign and classified deployments with the longest budget reach Zero.
Zero uses 8 experts with top-2 routing per token, activating roughly 5.5% of the 671B parameter count per forward pass. Routing is learned, security-task-aware, and biased toward sink-handling experts when the input embedding looks like a taint sink.
Around 28k extra tokens cover CWE / CVE identifiers, taint operators, package coordinates, and attack-pattern shorthand. Names like preg_replace, ObjectInputStream and pkg:npm/lodash do not shatter into byte-pair noise — their embedding-space neighbours are other vulnerable patterns.
Sliding-window attention plus landmark tokens gives a 256k usable window on Zero. The call-graph chunker retrieves the slice of the program that matters for a given finding and pages it in around the hypothesis, so context is full but coherent.
Every Griffin call emits a four-stage trace: hypothesise the exploit, cite the path in the call graph, propose a disproof, propose a patch. The trace is the finding — reviewers see the chain, not a single label, and can reject at any stage.
Preference data is labelled by senior offensive-security engineers, not generic annotation vendors. The reward model penalises plausible-sounding hallucinations on CWE classification and treats unverified reachability claims as failures.
Griffin (any size) is the teacher for Eagle and Lino. Their behaviour stays consistent with Griffin's reasoning on the same finding — they are smaller, faster heads of the same brain, not a different model trained to imitate.
The lineup is the same brain at four isolation levels. Pick the shape that matches your data-residency and trust boundary; the variants stay consistent.
Multi-tenant inference, fastest onboarding, per-tenant isolation at the prompt and KV cache layer. Best for teams trialling the lineup.
Single-tenant inference on isolated VPC hardware. No cross-tenant traffic, deterministic latency, full SHA-pinned weight attestation.
Customer-controlled VPC, bring-your-own-key encryption, no cross-tenant traffic. Inference plane sits inside your network perimeter.
STQC-ready, no internet egress, on-prem GPU, full audit-log export. Suits regulated, classified, and sovereign deployments.
Inline sink + sanitiser check on the developer's machine.
Cross-package taint paths ranked across the codebase.
Deep reasoning posits an exploit chain + CWE class.
Second pass tries to refute; survivors land in your queue.
Every survivor lands in your queue with the taint path, hypothesised trigger, disproof attempt log, and a ranked evidence bundle.
General-purpose models are trained to flinch at the word 'exploit'. Ours are weighted on disclosures, write-ups, and patch diffs — the literature of defenders — so a question about a deserialisation gadget gets answered, not refused.
CWE-IDs, CVE-IDs, taint-source tags, and dataflow operators are first-class tokens, not stochastic fragments. Sink names like preg_replace and ObjectInputStream don't shatter into byte-pair noise. Embedding-space neighbours are other vulnerable patterns, not unrelated English.
General code corpora are dense with patterns that look secure to a model trained on README files and tutorials but ship CVEs in production. We deliberately exclude product copywriting, StackOverflow snippets without a security frame, and any code lifted without disclosure context.
Reward modelling is graded against a rubric that penalises plausible-sounding hallucinations on CWE classification, rewards explicit reachability reasoning, and treats unverified claims as failures. The rubric is owned by the security team, not a generic annotation vendor.
Every finding the deterministic taint engine surfaces becomes a structured brief the model sees in inference. The model doesn't have to guess at reachability — it inherits it. That hybrid is what keeps the false-positive rate honest.
The exclusion list is contractual, not aspirational. Every item below is audited at ingest.
Defender-frame data, deduplicated and labelled. The ingest manifest is reviewable under NDA.
Same internal eval suite, run against a leading general-purpose model and a representative pure-LLM bug hunter. Lower is better for FPR, latency, and refusal; higher is better for resistance and recall.
| Stack | False positive rate | Adversarial prompt resistance | Cross-package taint path recall | Latency p95 (inline) | Refusal rate on security Q&A |
|---|---|---|---|---|---|
| General-purpose LLM (zero-shot) | 62% | 41% | 18% | 1.8 s | 34% |
| Pure-LLM bug hunter (Mythos-class) | 54% | 63% | 37% | 2.4 s | 11% |
| Safeguard Griffin Lite (8B) | 19% | 91% | 78% | 1.2 s | 3% |
| Safeguard Lineup (Lino + Eagle + Griffin) | 6% | 98% | 94% | 80 ms | <1% |
| Safeguard Griffin L (70B) | 4% | 98% | 96% | 8.0 s | <1% |
| Safeguard Griffin Zero (671B-MoE) | 2% | 99% | 98% | 12.0 s | <0.5% |
Lino at your commit, Eagle across your repo, Griffin proving the survivors. See the candidates your scanner never surfaced.