Defense-Grade Security: Building AI Infrastructure for Contested Environments
"We use TLS and encrypt data at rest."
That's the security story for most AI platforms. It's also the security story of plenty of organizations that have since been breached. TLS protects data in transit. Disk encryption protects data at rest. Neither protects you from an adversary who is already inside your network, holding a valid credential or a foothold on a host that is allowed to read the data.
Defense-grade security isn't about checking compliance boxes. It's about assuming adversaries are present and building infrastructure that detects, contains, and survives their activity. It's about operating in environments where the network itself is hostile — DDIL (denied, degraded, intermittent, limited) conditions where you can't assume connectivity, can't trust the network path, and can't call home for help.
This is the security model Aethyr was built for.
Envelope Encryption With HashiCorp Vault
Every secret in the Aethyr stack — API keys, database credentials, agent private keys, session tokens — is protected by envelope encryption managed by HashiCorp Vault.
How Envelope Encryption Works
- A unique Data Encryption Key (DEK) encrypts the secret
- A Key Encryption Key (KEK) in Vault encrypts the DEK
- The encrypted secret and encrypted DEK are stored together
- The KEK never leaves Vault; in the Transit secrets engine it is not exportable unless the key was deliberately created that way, and Vault only ever performs encrypt, decrypt and rewrap operations with it
To read a secret, the application sends the wrapped DEK to Vault's transit decrypt endpoint, receives the plaintext DEK, uses it to decrypt the secret locally, then discards the DEK from memory. The secret's own ciphertext never goes to Vault, so Vault sees a stream of small unwrap requests rather than the data itself.
Why This Matters
Key compromise is contained. If an attacker extracts an encrypted secret from storage, they have ciphertext and a wrapped DEK. Without a Vault token whose policy allows decrypt on that key (and Vault enforces its own authentication, its own access policies and its own audit trail), the secret is unrecoverable. The exposure that remains is the process holding an unwrapped DEK or a live Vault token in memory, which is why the DEK is discarded right after use and tokens are kept short-lived.
Key rotation is cheap. Rotating the KEK in Vault creates a new key version; existing wrapped DEKs still decrypt under the older version until they are rewrapped, and a rewrap touches only the small wrapper, never the encrypted secret. A rotation that would mean re-encrypting every payload with direct encryption becomes one rewrap call per secret. The caveat: rotating the KEK does nothing for a DEK that has already leaked. Each DEK protects one secret, and that secret has to be re-encrypted under a fresh DEK.
Audit is complete. Every unwrap goes through Vault, and with an audit device enabled Vault logs every request: which entity, using which auth method, from which remote address, touched which key and when. When the security team asks "who unwrapped the production database credential in the last 30 days," the answer is a query against the Vault audit log, not a forensic investigation. What Vault cannot see is what the application did with the DEK afterwards; that is a job for host monitoring.
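The wrap, unwrap and rewrap cycle described above, as an added example that is not Aethyr's code. It uses only Go's standard library: the Transit type is a stand-in for Vault's transit secrets engine (same "vault:v<N>:<base64>" wrapper format, same rule that older key versions still decrypt), and Seal/Open are the application side. Everything runs in one process, so there is no Vault server, token or audit device here; the names Transit, Seal, Open, Rewrap and Envelope are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// randBytes reads n bytes from the OS CSPRNG; a failure there is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// gcmSeal encrypts pt; the random nonce is prefixed to the ciphertext.
func gcmSeal(key, pt []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, nil)
}

// gcmOpen reverses gcmSeal and fails closed on any modification.
func gcmOpen(key, ct []byte) ([]byte, error) {
	aead := gcm(key)
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// Transit stands in for Vault's transit engine: it keeps every KEK version and
// exposes only Wrap, Unwrap and Rewrap. KEK bytes never leave it.
type Transit struct{ versions [][]byte } // versions[0] is key version 1

func NewTransit() *Transit { t := &Transit{}; t.Rotate(); return t }

// Rotate adds a KEK version; older versions stay usable for Unwrap, which is
// why rotating never forces re-encryption of stored secrets.
func (t *Transit) Rotate() { t.versions = append(t.versions, randBytes(32)) }

// Wrap encrypts a DEK under the latest KEK in Vault's "vault:v<N>:<base64>" form.
func (t *Transit) Wrap(dek []byte) string {
	v := len(t.versions)
	ct := gcmSeal(t.versions[v-1], dek)
	return fmt.Sprintf("vault:v%d:%s", v, base64.StdEncoding.EncodeToString(ct))
}

// Unwrap decrypts a wrapped DEK with the KEK version named in its prefix.
func (t *Transit) Unwrap(wrapped string) ([]byte, error) {
	var v, b64 = 0, ""
	if _, err := fmt.Sscanf(wrapped, "vault:v%d:%s", &v, &b64); err != nil || v < 1 || v > len(t.versions) {
		return nil, errors.New("malformed wrapped key or unknown KEK version")
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return gcmOpen(t.versions[v-1], ct)
}

// Rewrap moves a wrapped DEK onto the latest KEK; the DEK and the secret it
// protects are untouched, only the small wrapper changes.
func (t *Transit) Rewrap(wrapped string) (string, error) {
	dek, err := t.Unwrap(wrapped)
	if err != nil {
		return "", err
	}
	return t.Wrap(dek), nil
}

// Envelope is what lands in storage: ciphertext plus the wrapped DEK.
type Envelope struct {
	Ciphertext []byte
	WrappedDEK string
}

// Seal makes a fresh DEK for this one secret, encrypts locally, and sends only
// the DEK to Transit for wrapping; the plaintext DEK is then dropped.
func Seal(t *Transit, secret []byte) Envelope {
	dek := randBytes(32)
	return Envelope{Ciphertext: gcmSeal(dek, secret), WrappedDEK: t.Wrap(dek)}
}

// Open has Transit unwrap the DEK, decrypts locally, then drops the DEK.
func Open(t *Transit, env Envelope) ([]byte, error) {
	dek, err := t.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext)
}
```

The rotation behaviour is the point: after Rotate, an envelope wrapped under v1 still opens, Rewrap moves only the wrapper to v2, and the secret's ciphertext is byte-for-byte unchanged. Against a real Vault the same three calls are transit/encrypt, transit/decrypt and transit/rewrap, and raising min_decryption_version on the key is what eventually retires v1.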
The Blue Team Stack
Aethyr ships an optional security monitoring stack designed for environments where adversary presence is assumed. This is the same toolchain that security operations centers use to defend production networks — adapted for AI infrastructure.
Suricata IDS — Intrusion Detection
Suricata monitors network traffic for known attack signatures and anomalous behavior. It can run passively off a mirror port or tap in IDS mode, inspecting a copy of every packet that enters or exits the AI infrastructure, or inline in IPS mode, where it can also drop matching traffic. Which mode a segment gets is a deployment choice, because inline placement puts the sensor on the failure path of the network.
What it catches:
- Known exploit payloads targeting AI APIs, wherever a signature for the payload exists
- Command-and-control (C2) beaconing from compromised agents
- Data exfiltration patterns: large outbound transfers, DNS tunneling, connections to known-bad destinations
- Protocol violations: malformed requests that indicate fuzzing or exploitation attempts
Suricata runs the Emerging Threats ruleset plus custom rules for AI-specific attack patterns. Rules are refreshed with suricata-update whenever a path to the rule source exists; with no path, detection runs on the last ruleset that was loaded.
Wazuh EDR — Endpoint Detection and Response
Wazuh monitors every host in the deployment — the machines running agents, the servers hosting LLMs, the nodes in the mesh network.
What it monitors:
- File integrity — unauthorized changes to agent binaries, configuration files, model weights
- Process behavior — unexpected child processes, privilege escalation attempts, unusual system calls
- Log analysis — correlation across application logs, system logs, and authentication logs
- Vulnerability detection — known CVEs in installed packages, missing patches
- Compliance — CIS benchmarks, PCI DSS, HIPAA technical controls
Wazuh agents run on every node. The management server correlates events across the deployment and triggers alerts when patterns indicate compromise.
Zeek Protocol Analysis
Zeek (formerly Bro) performs deep protocol analysis on network traffic. Where Suricata matches signatures, Zeek understands conversations.
What it provides:
- Complete connection logs — every TCP/UDP session with metadata
- Protocol-specific analysis — HTTP transactions, DNS queries, TLS handshakes, SSH sessions
- File extraction — carves files from network traffic for analysis
- Custom scripting — Zeek's scripting language enables detection logic tailored to AI infrastructure patterns
Zeek is particularly valuable for AI systems because its logs can be stitched into the full lifecycle of an agent interaction: the API call, the LLM inference request, the tool invocation, the response, correlated as one logical session by a custom script. Anomaly detection then operates on that session-level view, not just on individual packets. The caveat: Zeek sees application content only where the traffic is in plaintext at the sensor. On TLS segments it still records connection metadata and handshake details (server name, certificate, cipher) but not request bodies, so the sensor has to sit behind the TLS terminator or the mesh's own decryption point for the session view to include content.
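What the session-level view buys you, as an added example rather than Aethyr's code or a Zeek script: the C2 beaconing check that the Suricata section lists and that Zeek's connection logs are the natural input for. The logic would normally live in a Zeek script or in a post-processor over Zeek's logs; here it is written in Go over a constructed conn.log excerpt so it runs stand-alone. It groups connections by originator, responder and port, measures the spacing between successive connections, and flags tuples whose spacing is too regular. The sample rows, the thresholds and the names Tuple, ParseConnLog, Beacon and FindBeacons are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Constructed conn.log excerpt in Zeek's TSV layout; "|" stands in for the tab
// Zeek writes so the sample survives copy and paste. 10.0.4.12 contacts
// 203.0.113.7:443 every ~60 s with small jitter (a beacon), while its traffic
// to 10.0.1.5:8000 is bursty and irregular (an ordinary client).
var sampleConnLog = strings.ReplaceAll(`#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|proto|service
1700000000.000|C1|10.0.4.12|51001|203.0.113.7|443|tcp|ssl
1700000060.420|C2|10.0.4.12|51002|203.0.113.7|443|tcp|ssl
1700000119.870|C3|10.0.4.12|51003|203.0.113.7|443|tcp|ssl
1700000180.310|C4|10.0.4.12|51004|203.0.113.7|443|tcp|ssl
1700000240.050|C5|10.0.4.12|51005|203.0.113.7|443|tcp|ssl
1700000299.690|C6|10.0.4.12|51006|203.0.113.7|443|tcp|ssl
1700000360.120|C7|10.0.4.12|51007|203.0.113.7|443|tcp|ssl
1700000003.000|C8|10.0.4.12|51101|10.0.1.5|8000|tcp|http
1700000011.000|C9|10.0.4.12|51102|10.0.1.5|8000|tcp|http
1700000140.000|C10|10.0.4.12|51103|10.0.1.5|8000|tcp|http
1700000145.500|C11|10.0.4.12|51104|10.0.1.5|8000|tcp|http
1700000321.000|C12|10.0.4.12|51105|10.0.1.5|8000|tcp|http
1700000330.000|C13|10.0.4.12|51106|10.0.1.5|8000|tcp|http
`, "|", "\t")

// Tuple identifies one talker pair: originator, responder, responder port.
type Tuple struct{ OrigH, RespH, RespP string }

// ParseConnLog reads Zeek TSV, taking column positions from the #fields header
// rather than a fixed layout, and returns connection start times per Tuple.
func ParseConnLog(log string) (map[Tuple][]float64, error) {
	var cols map[string]int
	out := map[Tuple][]float64{}
	for _, line := range strings.Split(log, "\n") {
		if strings.HasPrefix(line, "#fields\t") {
			cols = map[string]int{}
			for i, name := range strings.Split(line, "\t")[1:] {
				cols[name] = i
			}
			continue
		}
		if line == "" || line[0] == '#' {
			continue
		}
		if cols == nil {
			return nil, fmt.Errorf("data row before #fields header: %q", line)
		}
		f := strings.Split(line, "\t")
		if len(f) < len(cols) {
			return nil, fmt.Errorf("short row: %q", line)
		}
		ts, err := strconv.ParseFloat(f[cols["ts"]], 64)
		if err != nil {
			return nil, fmt.Errorf("bad ts in %q: %v", line, err)
		}
		k := Tuple{f[cols["id.orig_h"]], f[cols["id.resp_h"]], f[cols["id.resp_p"]]}
		out[k] = append(out[k], ts)
	}
	return out, nil
}

// Beacon is a Tuple whose connection spacing is too regular for a human or an
// ordinary client.
type Beacon struct {
	Tuple
	Count     int
	PeriodSec float64 // median gap between successive connections
	Jitter    float64 // median absolute deviation of the gaps / PeriodSec
}

func median(v []float64) float64 {
	s := append([]float64(nil), v...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// FindBeacons flags tuples with at least minCount connections whose gap
// jitter is at or below maxJitter (0.1 means gaps mostly within 10% of the period).
func FindBeacons(groups map[Tuple][]float64, minCount int, maxJitter float64) []Beacon {
	var out []Beacon
	for k, ts := range groups {
		if len(ts) < minCount || len(ts) < 3 {
			continue
		}
		sort.Float64s(ts)
		gaps := make([]float64, len(ts)-1)
		for i := range gaps {
			gaps[i] = ts[i+1] - ts[i]
		}
		period := median(gaps)
		for i, g := range gaps {
			gaps[i] = math.Abs(g - period) // reuse the slice for deviations
		}
		if j := median(gaps) / period; period > 0 && j <= maxJitter {
			out = append(out, Beacon{k, len(ts), period, j})
		}
	}
	return out
}
```

FindBeacons(groups, 6, 0.1) flags the 203.0.113.7:443 tuple (period about 60 s, jitter under 1%) and not the bursty 10.0.1.5:8000 one, even though both have enough connections to be evaluated. Real implants add jitter on purpose, so tune maxJitter against your own baseline, and hand a flagged tuple to Suricata and Arkime for payload and packet context.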
Arkime Full Packet Capture
Arkime (formerly Moloch) captures and indexes every packet on the network. Full PCAP. Searchable. Replayable.
Why full packet capture matters:
- Forensics. When an incident occurs, you don't reconstruct what happened from logs alone. You replay the actual network traffic: every byte, every header, every payload. Encrypted payloads stay encrypted in the capture, so the packet-level value is highest where the sensor sees plaintext; elsewhere it lies in the metadata, sizes and timing.
- Threat hunting. Security analysts can search historical traffic for indicators of compromise discovered after the fact. "Did any host contact this IP in the last 90 days?" is a query, not a project.
- Compliance evidence. Full packet capture shows what data moved where. For data residency questions this is about as definitive as evidence gets, provided the capture files themselves are integrity-protected (hashed and stored write-once) so nobody can argue they were altered after the fact.
Arkime indexes packet metadata for fast search while storing full PCAPs for deep inspection. Storage requirements are significant — this is an optional component sized to the deployment's retention requirements.
MISP Threat Intelligence
MISP (Malware Information Sharing Platform) is the threat intelligence hub that feeds indicators of compromise (IOCs) to every other component in the stack.
What it provides:
- Curated threat feeds — known malicious IPs, domains, file hashes, attack patterns
- Community intelligence — shared indicators from trusted security communities
- Custom indicators — organization-specific threat data from your own investigations
- Automated distribution: new indicators propagate to the detection tools. MISP exports attributes natively as Suricata rules and in the format Zeek's intelligence framework reads, and Wazuh can query MISP's API to check indicators it observes on hosts.
MISP turns isolated detections into coordinated defense. When a new threat actor targets AI infrastructure, the indicators flow from MISP to every detection tool simultaneously.
How the Stack Works Together
These tools aren't independent. They form a detection-to-response pipeline:
Network Traffic
↓
Suricata (signature detection) → Alert
Zeek (protocol analysis) → Behavioral anomaly
Arkime (packet capture) → Forensic evidence
↓
Wazuh (host correlation) → Incident context
↓
MISP (threat enrichment) → Attribution, related indicators
↓
Response: isolate host, revoke credentials, alert SOC
An alert from Suricata triggers a Wazuh investigation of the affected host. Zeek provides the protocol-level context. Arkime provides the packet-level evidence. MISP enriches the indicators with threat intelligence.
The security team gets a complete picture: what happened, on which host, via which network path, matching which known threat, with full packet evidence.
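The pipeline above rendered as code, as an added example and not Aethyr's implementation: one constructed Suricata EVE alert, two MISP attributes in the tr immed shape MISP's API returns, and one Wazuh agent inventory entry. SuricataRule does for ip-dst, ip-src and domain attributes what MISP's own Suricata export does, so indicators become detection without manual rule writing; Enrich joins an alert to the matching indicator and to the host behind the source address, then picks the response the diagram ends with. The EVE and MISP field names are real; the signature text, sid, addresses, event id and agent are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// EveAlert is the subset of a Suricata EVE "alert" record used here.
type EveAlert struct {
	Timestamp string `json:"timestamp"`
	EventType string `json:"event_type"`
	SrcIP     string `json:"src_ip"`
	DestIP    string `json:"dest_ip"`
	DestPort  int    `json:"dest_port"`
	Alert     struct {
		Signature   string `json:"signature"`
		SignatureID int    `json:"signature_id"`
		Severity    int    `json:"severity"`
	} `json:"alert"`
}

// MISPAttribute is one indicator as MISP's API returns it, trimmed to what we use.
type MISPAttribute struct {
	EventID string `json:"event_id"`
	Type    string `json:"type"` // ip-dst, ip-src, domain, sha256, ...
	Value   string `json:"value"`
	Comment string `json:"comment"`
}

// WazuhAgent maps an address back to the monitored host behind it.
type WazuhAgent struct{ ID, Name, IP string }

// Constructed inputs: one EVE alert line, two MISP attributes, one Wazuh agent.
const sampleEve = `{"timestamp":"2024-03-01T12:00:05.123456+0000","event_type":"alert","src_ip":"10.0.4.12","dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","alert":{"signature":"LOCAL MISP ip-dst match event 42","signature_id":1000001,"severity":1}}`

var sampleMISP = []MISPAttribute{
	{EventID: "42", Type: "ip-dst", Value: "203.0.113.7", Comment: "constructed C2 address"},
	{EventID: "42", Type: "domain", Value: "c2.example.invalid", Comment: "constructed C2 domain"},
}

var sampleAgents = []WazuhAgent{{ID: "001", Name: "agent-node-03", IP: "10.0.4.12"}}

// SuricataRule renders one MISP attribute as a Suricata rule. sid must come
// from the local range (1000000-1999999) so it never collides with ET rules.
func SuricataRule(a MISPAttribute, sid int) (string, bool) {
	msg := fmt.Sprintf("MISP event %s %s %s", a.EventID, a.Type, a.Value)
	switch a.Type {
	case "ip-dst":
		return fmt.Sprintf(`alert ip $HOME_NET any -> %s any (msg:"%s"; sid:%d; rev:1;)`, a.Value, msg, sid), true
	case "ip-src":
		return fmt.Sprintf(`alert ip %s any -> $HOME_NET any (msg:"%s"; sid:%d; rev:1;)`, a.Value, msg, sid), true
	case "domain":
		return fmt.Sprintf(`alert dns $HOME_NET any -> any any (msg:"%s"; dns.query; content:"%s"; nocase; sid:%d; rev:1;)`, msg, a.Value, sid), true
	}
	return "", false // hashes and similar need file or TLS context, not a plain network rule
}

// Incident is the correlated picture handed to the responder.
type Incident struct {
	Host      *WazuhAgent    // who: from Wazuh's inventory
	IOC       *MISPAttribute // which known threat: from MISP
	Signature string         // what fired: from Suricata
	Actions   []string
}

// Enrich joins a Suricata alert with MISP indicators and the Wazuh agent
// inventory, then decides the response.
func Enrich(eveLine string, attrs []MISPAttribute, agents []WazuhAgent) (Incident, error) {
	var ev EveAlert
	if err := json.Unmarshal([]byte(eveLine), &ev); err != nil {
		return Incident{}, err
	}
	if ev.EventType != "alert" {
		return Incident{}, fmt.Errorf("not an alert record: %q", ev.EventType)
	}
	inc := Incident{Signature: ev.Alert.Signature}
	for i := range attrs {
		a := &attrs[i]
		if (a.Type == "ip-dst" && a.Value == ev.DestIP) || (a.Type == "ip-src" && a.Value == ev.SrcIP) {
			inc.IOC = a
			break
		}
	}
	for i := range agents {
		if agents[i].IP == ev.SrcIP {
			inc.Host = &agents[i]
			break
		}
	}
	switch {
	case inc.IOC != nil && inc.Host != nil:
		inc.Actions = []string{
			"isolate host " + inc.Host.Name,
			"revoke credentials issued to " + inc.Host.Name,
			"alert SOC: " + strings.Join([]string{ev.Timestamp, inc.Signature, "MISP event " + inc.IOC.EventID}, " | "),
		}
	case inc.IOC != nil:
		inc.Actions = []string{"alert SOC: IOC hit from unmanaged source " + ev.SrcIP}
	default:
		inc.Actions = []string{"queue for analyst review"}
	}
	return inc, nil
}
```

The two branches at the end are where the host correlation earns its place: an IOC hit from an address Wazuh knows about is an isolate-and-revoke decision, while the same hit from an address with no agent is a visibility gap that goes to a human first. In production the EVE line comes from Suricata's eve.json, the attributes from MISP's REST API or a cached feed, and the agent list from Wazuh's manager API.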
DDIL Readiness
DDIL — Denied, Degraded, Intermittent, Limited — describes network conditions in contested environments. Forward-deployed military units. Remote industrial sites. Underground facilities. Maritime vessels.
Aethyr's security stack operates in DDIL because:
No cloud dependency. Every security tool runs locally. Suricata doesn't need to reach a rule server to function; it runs on the ruleset loaded at the last update. Wazuh operates without phoning home. Threat intelligence from MISP caches locally and operates from the last sync. The trade-off is that detection coverage freezes at that last sync, so a disconnected deployment needs a deliberate path for rules and indicators to catch up, whether a courier-delivered update bundle or a scheduled sync window when a link is available.
Signed, offline-verifiable credentials. In a DDIL environment you can't rotate keys on demand and can't revoke certificates in real time, because neither the issuer nor a revocation endpoint is reachable. Aethyr therefore issues credentials that verify with nothing but the issuer's public key: a credential issued before the deployment went dark remains valid and unforgeable for its whole validity period. Post-quantum signature algorithms matter here because those credentials, and the traffic they authenticate, may be captured now and attacked later. The flip side of having no revocation is that the validity window is the only thing that ends a credential's life, so windows should be short and re-issuance part of every reconnection.
Mesh self-healing. When nodes drop off the network (DDIL "denied"), the Mesh Intelligence protocol detects the absence and redistributes work. Security monitoring continues on surviving nodes. When connectivity resumes, logs and alerts synchronize.
Offline credential verification. Agents verify each other's identity without contacting any external service. The verification library runs locally, using the issuer's public key bundled in the deployment. No DNS. No OCSP. No CRL distribution point, and so no revocation check either; the validity period does that job.
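Offline verification as an added example, not Aethyr's verification library. Ed25519 from Go's standard library stands in for the post-quantum signature scheme, since the verification shape is the same: a bundled issuer public key, a signed payload, a validity window, and no network call. The struct fields, the issuer name and the privilege strings are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Credential is the signed claim: who the agent is, which issuer vouches for
// it, when it is valid, and which privileges it carries.
type Credential struct {
	Subject    string   `json:"subject"`
	Issuer     string   `json:"issuer"`
	NotBefore  int64    `json:"not_before"` // Unix seconds, inclusive
	NotAfter   int64    `json:"not_after"`  // Unix seconds, exclusive
	Privileges []string `json:"privileges"`
}

// SignedCredential travels with the agent: the exact signed bytes plus the
// signature, so verification never depends on re-serializing the struct.
type SignedCredential struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewIssuer generates an issuer key pair. Ed25519 stands in for whatever
// post-quantum signature scheme the deployment uses; the verification
// logic below does not change with the algorithm.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs a credential. This runs at the issuer before the deployment
// goes dark; nothing in the field ever needs the private key.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks a credential using only the issuer public key bundled with the
// deployment and the clock the caller supplies: no DNS, OCSP or CRL fetch. That
// also means no revocation, so the validity window is the only thing that ends
// a credential's life, and the clock passed in has to be one worth trusting.
func Verify(issuerPub ed25519.PublicKey, issuerName string, sc SignedCredential, now time.Time) (*Credential, error) {
	if len(issuerPub) != ed25519.PublicKeySize {
		return nil, errors.New("malformed issuer key")
	}
	if !ed25519.Verify(issuerPub, sc.Payload, sc.Signature) {
		return nil, errors.New("signature does not verify under the bundled issuer key")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuerName {
		return nil, errors.New("credential names a different issuer")
	}
	t := now.Unix()
	if t < c.NotBefore {
		return nil, errors.New("credential not yet valid")
	}
	if t >= c.NotAfter {
		return nil, errors.New("credential expired; with no revocation path this is the only expiry")
	}
	return &c, nil
}

// HasPrivilege is the privilege check layered on an already verified credential.
func (c *Credential) HasPrivilege(p string) bool {
	for _, have := range c.Privileges {
		if have == p {
			return true
		}
	}
	return false
}
```

The now parameter is deliberate. With no OCSP or CRL the clock is the only revocation mechanism, so a node whose clock can be pushed backwards accepts expired credentials; in DDIL deployments that argues for a monotonic or attested time source and for validity windows measured in hours, not months.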
Who Needs This
Not everyone does. A startup building a customer service chatbot doesn't need full packet capture and intrusion detection.
But some organizations operate in environments where:
- Adversaries are assumed present (defense, intelligence, critical infrastructure)
- Data exfiltration has national security implications
- Compliance requires demonstrable security controls, not just TLS
- Network connectivity is unreliable or hostile
- Incident response requires packet-level forensic evidence
For these organizations, "we use TLS and encrypt data at rest" is the beginning of the security conversation, not the end. The Blue Team stack is the rest of the conversation.
Optional, Not Required
The Blue Team stack is an optional deployment configuration. The base Aethyr platform includes:
- HashiCorp Vault envelope encryption (always on)
- Post-quantum cryptography for all agent identity and communication
- 137-privilege PBAC access control
- Signed audit trails for every operation
The Blue Team stack (Suricata, Wazuh, Zeek, Arkime, MISP) adds network and host monitoring for environments that require it. It deploys alongside the core platform via the same infrastructure-as-code pipeline.
Security should scale to the threat model rather than come one-size-fits-all.
Aethyr Research — Salt Lake City, UT