VaultGuardian Documentation
Documentation for VaultGuardian — Observer (AI log security) and VaultDEC-1 (hardware egress control)
VaultGuardian builds two complementary security products. Observer watches your logs and catches intrusions before they spread. VaultDEC-1 physically severs the network connection when data tries to leave.
Two products. One mission.
Observer
AI-powered log security. Detects attacks in container logs and host events, captures HTTP response evidence, and verifies whether attacks actually succeeded. Single Go binary, AGPL-3.0.
VaultDEC-1
Deterministic Egress Controller. An inline Layer 2 bridge that detects and severs data exfiltration in milliseconds. Hardware appliance, no cloud, no decryption, just physics.
How they work together

| Product | Layer | Job | State |
|---|---|---|---|
| Observer | Software | Catch the intrusion that precedes exfiltration | Private beta, approaching v1.0 |
| VaultDEC-1 | Hardware | Stop the exfiltration if Observer misses it | Firmware v1 shipping, v2 in development |

Most tools tell you something probably happened, a week late. VaultGuardian's philosophy is the opposite: deterministic response first, AI only where determinism can't reach, evidence before escalation.
Start here
Install Observer
One command on any Linux server — bare metal, Docker, or Docker Swarm.
Observer Pipeline
The 5-layer classification pipeline: Policy → Seeds → Pattern Store → LLM → Evidence.
VaultDEC-1 Setup
Hardware installation and initial configuration of the Layer 2 bridge.
What Observer Catches
Policy engine events, seed patterns, and LLM-classified novel attacks.