Twelve applications. One spine.
STACK Vault is the unified portal for the whole suite — identity, data pipelines, agents, compliance, deception, and forensics — sharing one identity, one policy plane, one telemetry stream across cloud, on-prem, and air-gapped.
Four planes every app shares
Suites become tangles when apps integrate point-to-point. STACK Vault forces every app onto a common backbone.
Identity Plane
One IdP (Keycloak or WorkOS) issues tokens to humans, services, agents, and CI. Every app verifies the same signature.
Event Plane
NATS JetStream / Redpanda carries every security signal between apps. Beacon publishes; Triage, Forensics, and Compli subscribe.
Policy Plane
OPA / Cedar evaluates every authorization decision in one service. Versioned, diffable, auditable.
Telemetry Plane
OpenTelemetry from every app lands in STACK Beacon — we run STACK Vault on STACK Vault.
The always-on services that other apps build on
Six foundational services. Every other app reads from them or writes to them.
STACK Vault
Identity & access for humans, services, and agents. Just-in-time secrets, zero standing privilege.
STACK Triage
Alert-noise reduction and SOC enrichment. Cross-source correlation, SLO-driven escalation.
STACK Insight
Data governance and DLP for prompts, embeddings, training corpora, and agent memory.
STACK Mesh
Multi-provider LLM gateway. Cost-aware, sensitivity-aware routing. On-prem GPU endpoints first-class.
STACK Verify
Continuous RAG evaluation: retrieval precision, citation faithfulness, drift detection.
STACK Guardrail
Output safety in version-controlled YAML. PII redaction, topic boundaries, code-output controls.
Targeted applications for specific threats
Six standalone products. Buy one or all — each works alone, and they multiply on the shared spine.
STACK Shield
Runtime prompt-injection defense for production LLMs. 99.7% block rate, 22ms overhead.
STACK Beacon
Security data pipeline. Route, normalize, optimize logs across SIEMs and lakes. You own the data layer.
STACK Conductor
Agent governance for hosted & on-prem agents. Capability boundaries, loop detection, tool-call audit.
STACK Forensics
LLM output verification and hallucination root-cause. Citation validation, claim grounding, drift clustering.
STACK Compli
Continuous compliance: NIST AI RMF, ISO 42001, EU AI Act, SOC 2, HIPAA mapped to live evidence.
STACK Compass
Identity, policy, and risk navigation across your AI stack. Operator view for who can do what, where, and why.
STACK Decoy
Decoy agents, trap embeddings, honey credentials, document bait. High-confidence threat intel.
When you want a senior hand on the wheel
Software does the work; a senior driver makes sure the work gets done. STACK Pilot is the contact-sales vCISO engagement that runs your compliance program inside Compli + Compass — from scoping call to signed attestation — then hands back a program that runs itself.
STACK Pilot — vCISO
Fixed-scope vCISO engagement. Named senior security leader plus Compli + Compass, scoped to your company size, target framework, and timeline. SOC 2, ISO 27001, ISO 42001, EU AI Act, FedRAMP, HIPAA, PCI, NIST AI RMF, DORA, HITRUST.
What ships
Framework scoping, gap-to-target roadmap in Compass, controls catalog and evidence wired in Compli, weekly cadence, audit prep, assessor liaison, and a handoff that holds. Optional fractional retainer after attestation.
How it's priced
Fixed fee against a defined SOW — no hourly meters. Three scoping axes: company size, framework(s) in scope, timeline pressure. Platform fees included for the duration; locked subscription pricing if you continue.
Three deployment tiers, one codebase
Same containers. Same APIs. Same evidence. Just different control planes.
Cloud VPC
BYOC into AWS, Azure, GCP, OCI. Your VPC, your storage. We run the control plane next door over PrivateLink.
On-Prem
K3s or Docker Compose footprint. Runs on a single 32-core box for SMB, or HA clusters for the bank. No outbound required.
Air-Gapped
SCIF-ready bundle on offline media. Reconciles policy and pulls signed updates over a one-way diode. FedRAMP High path.
Eight more apps under design
Each driven by a measurable gap competitors don't credibly cover. Click for the proof-of-value brief.
STACK Anchor — Immutable Backup Posture
Cryptographically attested, air-gapped snapshot streams with restore-time integrity proofs. POV: survives the backup-chain attack that 76% of ransomware groups now run first.
Q3 2026STACK Pulse — Real-Time Perimeter Delta
Continuous diff of exposed VPC surface. Port opens, route changes, peering, ACL drifts — replay any prior state. POV: CSPM scans every 6h; perimeter changes every 6 minutes.
Q3 2026STACK Sentry — Blast-Radius Simulator
Daily adversary simulation: given every IAM role, pod, and key, what does an attacker actually reach today? POV: the stolen Jenkins token reaches prod RDS in 2 hops — you didn't know yesterday.
Q4 2026STACK Cipher — Egress Context Engine
Distinguish “Salesforce API” from “AI agent calling unknown SaaS” at the egress hop. POV: catches the 14 silent egress channels your DLP misses because they're encrypted SNI.
Q4 2026STACK Replay — Investigation Time-Travel
Backfill and replay any pipeline window into a sandbox SIEM without rehydration. POV: 8-minute breach reconstruction vs. 8-day rehydration cycle.
Q1 2027STACK Lattice — Workload Identity Attestation
Sigstore + in-toto + eBPF cryptographic proof that each running pod matches its signed SBOM. POV: tamper detected at kernel layer, not at next scan window.
Q1 2027STACK Lineage — Training Data Provenance
Auditable chain from raw log to feature to model weight. EU AI Act Annex IV generated on demand. POV: auditor signs in 1 day; old workflow took 8 weeks.
Q2 2027STACK Whisper — IDE/AI Insider Telemetry
Source-IDE and AI-coding-assistant activity tied to identity. POV: “your devs' AI tools read 12,000 lines from the restricted-data repo last month.”
Q2 2027