The Evidence Engine
One scan. 12 frameworks. 45 signed, machine-readable report formats. Traffic-light pass / warn / fail readiness against FedRAMP, DORA, ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST CSF, and CMMC — from your own code, on your own machine.
npx @raknor/aegis scan ./your-project
AEGIS_PRODUCT_KEY=your-key npx @raknor/aegis scan ./your-project --all
Autonomous Cyber Reasoning
Most security tools find vulnerabilities. AEGIS finds them, proves they're exploitable, generates the patch, verifies the patch preserves behavior, and produces signed evidence at every step. Seven governed agent stages, one command, full provenance chain.
Governance
AEGIS doesn’t run as one process; it runs as seven, each operating under its own consequence-tier authorization. A T3 exploit-proof attempt cannot execute without sandbox containment. A T4 deployment cannot proceed without human approval. The system cannot escalate its own authority — every tier transition produces a hash-chained provenance entry that auditors can independently verify.
Free Compliance Diagnostic
The free npx scan runs the full Rust engine — tree-sitter AST parsing, cross-file taint analysis, call graph construction — and produces a readiness indicator for nine compliance frameworks. Pass / warn / fail status, percentage toward each baseline, and the gap that's blocking it. Capped at 50 findings.
The free scan covers nine frameworks at the traffic-light level. A product key unlocks the full 12-framework unified mapping, including FedRAMP 20x, DoD SRG, SEC/FINRA, and EU AI Act — plus unlimited findings and the full 45 report format set (OSCAL packages, DORA pillar mapping, FedRAMP ConMon, SBOM, evidence bundles).
Language Support
Not regex. Not heuristics. Full abstract syntax tree parsing via tree-sitter, with inter-procedural call graph construction and cross-file taint analysis.
Scanning Capabilities
Every scanner produces findings in a normalized format. SARIF 2.1.0 output is standard. Cross-file taint analysis traces data flow across module boundaries. 43 analysis modules across the six scanner types, with six graph modules providing call-graph and taint reachability.
What's Right, Not Just What's Wrong
Every SAST tool on the market tells you what’s broken. FedRAMP, SOC 2, and ISO 27001 also require evidence of what’s implemented — what controls are present, what policies are enforced, what security architecture is in place. That evidence doesn’t exist in a vulnerability report.
AEGIS detects implemented security controls directly from your codebase. 68 detection patterns across 12 NIST 800-53 control families. Each detection produces an OSCAL control implementation statement — the exact artifact auditors and 3PAOs consume.
| Control Family | What AEGIS Detects |
|---|---|
| Access Control (AC) | RBAC decorators, auth middleware, session management, MFA |
| Audit & Accountability (AU) | Logging frameworks, audit trail writes, CloudTrail integration |
| Configuration Management (CM) | IaC, config validation, change tracking, version pinning |
| Identification & Auth (IA) | Password hashing (bcrypt/argon2), token validation, MFA flows |
| System & Comms Protection (SC) | TLS configuration, AES-256, input sanitization, CORS |
| System & Info Integrity (SI) | Input validation, malware detection, patch management |
Plus 6 additional families: Security Assessment (CA), Incident Response (IR), Media Protection (MP), Planning (PL), Risk Assessment (RA), and System Acquisition (SA).
Code scans cover technical controls. Organizational controls — access policies, incident response procedures, training requirements — live in ISMS documents. AEGIS ingests your ISMS markdown and maps 19 policy sections to 101 NIST controls, producing OSCAL statements for procedural evidence that code analysis can’t reach.
The merge logic prefers code evidence (automated, verifiable) and supplements with ISMS evidence for procedural controls. Controls covered by both sources receive a “defense-in-depth” designation — stronger evidence for auditors.
A Veracode scan tells you about 47 vulnerabilities. It says nothing about whether you have RBAC, whether your audit logging works, or whether your encryption meets NIST standards. You still need a human to manually inventory implemented controls for every FedRAMP assessment. AEGIS produces both reports in one pass. What’s broken and what’s working. The vulnerability findings feed remediation. The capability findings feed compliance evidence. Together they feed Arena certification.
Compliance Mapping
Every finding maps to controls across all twelve frameworks simultaneously. Context-aware risk adjustment factors reachability, exposure, and compensating controls into the final score.
Reachability is computed by the call graph and taint analysis, not assumed. A finding in dead code carries a 0.3x multiplier; a finding in vendor dependencies carries 0.0x. The customer sees severity scored against what’s actually reachable in their topology, not against worst-case configuration.
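As an added illustration (not AEGIS code), the two multipliers the page gives can be applied once reachability has been computed from a call graph rather than assumed. The call graph, entry points and base scores are constructed for this example; only the 0.3x and 0.0x factors come from the page, and the exposure and compensating-control factors it mentions are not modeled.

```python
from collections import deque

# Multipliers are the ones stated on the page; the call graph, entry points and
# base scores below are constructed for this example, not AEGIS output.
DEAD_CODE_MULTIPLIER = 0.3
VENDOR_MULTIPLIER = 0.0

def reachable_from(call_graph: dict, entry_points: set) -> set:
    """Breadth-first walk over caller -> callees edges from the entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def adjusted_score(finding: dict, reachable: set) -> float:
    """Scale the base severity by where the finding actually sits."""
    if finding["vendor"]:
        return round(finding["base"] * VENDOR_MULTIPLIER, 1)
    if finding["function"] not in reachable:
        return round(finding["base"] * DEAD_CODE_MULTIPLIER, 1)
    return finding["base"]

def score_findings(call_graph: dict, entry_points: set, findings: list) -> dict:
    reachable = reachable_from(call_graph, entry_points)
    return {f["id"]: adjusted_score(f, reachable) for f in findings}

# Constructed sample: http_handler -> parse_input -> run_cmd is live code;
# legacy_export also calls run_cmd, but nothing calls legacy_export.
SAMPLE_GRAPH = {
    "http_handler": ["parse_input", "render"],
    "parse_input": ["run_cmd"],
    "legacy_export": ["run_cmd", "write_csv"],
    "vendor.lib.deserialize": [],
}
SAMPLE_FINDINGS = [
    {"id": "F1", "function": "run_cmd", "base": 9.8, "vendor": False},
    {"id": "F2", "function": "legacy_export", "base": 9.8, "vendor": False},
    {"id": "F3", "function": "vendor.lib.deserialize", "base": 9.0, "vendor": True},
]
```

Running `score_findings(SAMPLE_GRAPH, {"http_handler"}, SAMPLE_FINDINGS)` keeps F1 at 9.8, drops F2 to 2.9 because its function is never called from the entry point, and zeroes F3 as vendor code.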
Output Formats
No other scanning tool produces OSCAL, DORA pillar mapping, VEX, and CycloneDX SBOM from a single pass over the same provenance chain. Every report is signed, timestamped, and independently verifiable. Group them by who reads them:
Cryptographic Trust
Not just a scan report. A verifiable evidence chain. Every pipeline action produces a hash-chained provenance entry with algorithm-agile cryptography. SLSA-compatible export.
Licensing Tiers
The Rust engine — AST parsing, taint analysis, call graph, the seven-stage pipeline — is the same in every tier. Higher tiers unlock additional output formats, framework coverage, and operational features. Not a more capable analyzer.
| Capability | Community | Pro | Premium | Enterprise |
|---|---|---|---|---|
| Full Rust engine (AST, taint, call graph) | ✓ | ✓ | ✓ | ✓ |
| Seven-stage architecture (T1–T2 active; T3–T4 at Pro+) | ✓ | ✓ | ✓ | ✓ |
| Consequence-tier gating + provenance | ✓ | ✓ | ✓ | ✓ |
| SARIF 2.1.0 + HTML + JSON output | ✓ | ✓ | ✓ | ✓ |
| Framework readiness traffic lights (9) | ✓ | ✓ | ✓ | ✓ |
| Finding cap | 50 | Unlimited | Unlimited | Unlimited |
| Pro | ||||
| Auto-fix (14 CWEs) + patch suggestions | — | ✓ | ✓ | ✓ |
| Trend analysis (before/after comparison) | — | ✓ | ✓ | ✓ |
| Tech debt, bounded context, env divergence | — | ✓ | ✓ | ✓ |
| STRIDE threat model, WAF rules (3 formats) | — | ✓ | ✓ | ✓ |
| DAST probes, canary injection, resource leaks | — | ✓ | ✓ | ✓ |
| Premium | ||||
| M&A due diligence report | — | — | ✓ | ✓ |
| White-label / partner branding | — | — | ✓ | ✓ |
| FedRAMP Continuous Monitoring packages | — | — | ✓ | ✓ |
| Governed code transformation engine | — | — | ✓ | ✓ |
| Enterprise | ||||
| OSCAL 1.1.2 (SSP, AR, POA&M, component def) | — | — | — | ✓ |
| DORA Pillar I–V, ISO 27001, NIST CSF 2.0 | — | — | — | ✓ |
| VEX, SBOM (CycloneDX + SPDX), scoring | — | — | — | ✓ |
| 12-framework compliance mapping + gap analysis | — | — | — | ✓ |
| Evidence bundle + Arena submission | — | — | — | ✓ |
| Infrastructure discovery, ShieldWatch | — | — | — | ✓ |
The engine is constant. The gate is on output. A product key unlocks formats, coverage, and operational features — it does not enable a different scanner.
How It Works
AEGIS is the entry point. Stage 0 is free and runs locally. Stages 1 and 2 unlock when you need audit-grade evidence or third-party certification.
npx @raknor/aegis scan ./your-project — full Rust engine (AST, taint, call graph), severity histogram, first 50 findings, and traffic-light readiness against 9 frameworks. Same binary as Pro and Enterprise. Runs locally. No signup. No upload.
For Channel Partners
AEGIS rebrands. Partners deploy the same engine under their own company name, logo, colors, and product name. Your prospects never need to know what AEGIS is — they see your brand and get a diagnostic from their own code.
When a prospect runs a white-labeled scan, the structured output (framework percentages, severity counts, missing capabilities) is exportable to the partner's CRM as structured fields. This is not a PDF attachment — it is lead qualification data that pre-scopes the engagement.
Under the Hood — for engineers
1.5M LOC in 40 seconds for a full analysis pass. File scanning throughput peaks at 6.7M LOC in 5 seconds. Delta scans (--changed-only) complete in under one second. The Rust engine runs entirely locally — no source code leaves the machine, no LLM is invoked in the analysis pipeline. The engine is deterministic: same input produces the same output, byte-for-byte, including provenance hashes.
Every stage runs under consequence-tier gating (T1 reversible read → T4 external side effect). Each action produces a hash-chained provenance entry. The chain is append-only and independently verifiable.
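The hash-chained, tier-gated provenance described in the Governance, Cryptographic Trust and Under the Hood sections can be checked independently by an auditor. The verifier below is an added example, not AEGIS's own format or code: the entry fields, the SHA-256 canonical-JSON hashing and the sample run are all assumptions constructed for this illustration. It checks the chain links, each entry's content hash, and the two gating rules the page states (T3 needs sandbox containment, T4 needs human approval).

```python
import hashlib
import json
# Entry layout is hypothetical, constructed for this example; it is not AEGIS's real format.
GENESIS = "0" * 64

def entry_hash(entry: dict) -> str:
    """Hash every field except the stored hash, in a canonical JSON encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def append_entry(chain: list, stage: int, tier: str, action: str, **attrs) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS  # link to previous entry or genesis
    entry = {"stage": stage, "tier": tier, "action": action, "prev_hash": prev, **attrs}
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> list:
    """Return the problems found; an empty list means the chain verifies."""
    problems = []
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: prev_hash does not link to entry {i - 1}")
        if e["hash"] != entry_hash(e):
            problems.append(f"entry {i}: content hash mismatch")
        # Gating invariants the page states: T3 needs sandbox containment, T4 a human approval.
        if e["tier"] == "T3" and not e.get("sandbox"):
            problems.append(f"entry {i}: T3 action without sandbox containment")
        if e["tier"] == "T4" and not e.get("approved_by"):
            problems.append(f"entry {i}: T4 action without human approval")
        expected_prev = e["hash"]
    return problems

def build_chain() -> list:
    chain = []  # constructed sample run: T1 read, sandboxed T3 proof, approved T4 deploy
    append_entry(chain, 0, "T1", "scan:read-source-tree")
    append_entry(chain, 3, "T3", "exploit-proof", sandbox="sandbox-A")
    append_entry(chain, 6, "T4", "deploy-patch", approved_by="reviewer@example.test")
    return chain

def demo() -> tuple:
    chain = build_chain()
    clean = verify_chain(chain)
    # Rewrite entry 1 to drop the sandbox record and recompute its hash; entry 2's
    # prev_hash still exposes the edit, so the chain cannot be silently rewritten.
    del chain[1]["sandbox"]
    chain[1]["hash"] = entry_hash(chain[1])
    return clean, verify_chain(chain)
```

Because the hashing is deterministic, two runs of `build_chain()` produce identical hashes, which is what lets a third party recompute and compare the chain rather than trust it.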
Validated
Not hypothetical capabilities. Measured results against industry-standard test suites and production codebases.
| Test | Scope | Result |
|---|---|---|
| NIST Juliet Test Suite | 105K test files · 12.6M LOC · 119 CWE categories | Zero categories missed |
| OSCAL schema validation | NIST v1.1.2 — SSP, Assessment Results, POA&M | All 3 pass |
| Cross-framework consistency | Same findings across 12 framework mappings | Verified |
| Production codebase scan | 921 files, all evidence packages generated | 28 findings |
| Round-trip invariant test | Generated invariants fed back into security review | New CWE-78 found |
Cybersecurity Certification Failures
AEGIS findings feed directly into the Raknor certification decision. The following cybersecurity conditions result in certification denial regardless of governance score:
Cybersecurity findings are deterministic. A system with a reachable critical vulnerability cannot be Raknor certified, regardless of its governance behavior score.
Full Rust engine. AST, taint analysis, call graph. 50-finding cap. Traffic-light readiness against 9 frameworks.
Runs locally. Nothing leaves your machine. A product key unlocks unlimited findings + 45 report formats.