Active research · 2026

Toward AI systems that are secure, frugal, and governable as they evolve.

Vigilio is an independent AI research lab. We study the control plane of agentic systems — and turn that research into specialised software organisations can deploy: secure agent infrastructure, on-premise LLM governance, adversarial evaluation, and cost-bounded memory. The work we take on is the work a general-purpose model can't do on its own.

Experience
20 years · security, systems & ML
Track record
Acquired by Proofpoint · 2 U.S. patents
Deployment
Self-hosted · data stays in your perimeter
Focus
Agentic security · evaluation · governance
Research Areas

Three threads of work, one underlying question:
how do we keep increasingly autonomous AI systems safe, efficient, and answerable?

RA · 01

Agentic AI Security Control

Threat Modeling · Adversarial ML · Tool-use Containment

Today's agentic systems combine LLM reasoning, tool use, persistent memory, and multi-agent delegation — a surface area that traditional AppSec was never designed to cover. Our work formalises control objectives for agent runtimes: blast-radius bounds for tool-calls, integrity guarantees on memory, and attestation across agent-to-agent hand-offs.

Current investigations include defenses against prompt-injection chains delivered through RAG, model inversion against fine-tuned domain models, data poisoning in continual-learning pipelines, and evasion attacks against model-serving stacks (vLLM, Hugging Face) and Slurm-scheduled jobs.

RA · 02

Experience-Driven Token Economy

Memory Architectures · Inference Cost · Continual Learning

LLM cost today scales with context length; intelligence does not. We study how to replace recomputation with accumulated experience: structured episodic memory, distilled procedural skills, and verifiable retrieval that lets an agent answer a recurring class of questions without re-paying for the reasoning each time.

The goal is a measurable reduction in tokens-per-decision on production workloads, without sacrificing factuality — a prerequisite for any agentic system that must run continuously inside an enterprise budget.

RA · 03

Meta-Control of AI System Evolution

Governance · Self-Modifying Systems · Alignment

Modern AI stacks rewrite themselves: weights are updated, prompts are rewritten by other prompts, agents spawn agents. Single-layer policy is insufficient. We are developing a meta-control approach that treats the AI system itself as the object of governance — explicit invariants on the trajectory of change, with audit trails that survive across model swaps and platform migrations.

The framing draws on classical control theory, software supply-chain integrity, and threat modeling adapted for systems whose own behaviour is the deployment artefact.

Capabilities

The work a general-purpose model can't do alone.

Frontier models are extraordinary — and generic. The problems organisations pay to solve are specific: data that can't leave the building, latency budgets measured in microseconds, and safety claims that have to be proven by someone with no incentive to inflate them. We build the specialised systems that close that gap, and we own them end to end.

CAP · 01

Secure Agentic Infrastructure

Inline Gateway · Tool-use Containment · C++20 · Envoy

A control plane that sits in the data path of your agents — bounding blast radius on tool-calls, holding integrity guarantees on memory, and attesting agent-to-agent hand-offs. Engineered as an inline gateway, not a prompt wrapper.
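The three control objectives named in RA · 01 and again here (a blast-radius bound on tool calls, integrity on agent memory, attested agent-to-agent hand-offs) can be sketched in a few dozen lines. The block below is an added example, written for this page; it is not Vigilio's gateway and not the C++20/Envoy implementation described above. The policy schema, the tool names (`write_file`, `http_get`), and the shared HMAC secret are assumptions standing in for a real policy language and key-management root.

```python
"""Illustrative tool-call containment gate (added example; not Vigilio's code).

Assumptions not taken from the page: every tool call, memory write and
delegation passes through this one chokepoint; policy is a plain dataclass;
a shared HMAC secret stands in for a real key-management / attestation root.
"""
import hashlib
import hmac
import json
import posixpath
from dataclasses import dataclass, field

SECRET = b"example-shared-secret"  # assumption: a real deployment uses managed keys


@dataclass
class Policy:
    tools: set          # tools the agent is granted
    fs_roots: tuple     # filesystem prefixes write_file may touch
    hosts: set          # hosts http_get may reach
    max_calls: int      # per-session call budget (a blast-radius bound)


@dataclass
class Session:
    agent: str
    policy: Policy
    calls: int = 0
    memory: list = field(default_factory=list)  # [(entry_json, mac), ...]


def _mac(*parts: str) -> str:
    return hmac.new(SECRET, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()


def _under(path: str, root: str) -> bool:
    """True if the normalised path stays inside root (defeats ../ escapes)."""
    p = posixpath.normpath(path)
    return p == root or p.startswith(root.rstrip("/") + "/")


def authorize(sess: Session, tool: str, args: dict) -> tuple:
    """Deterministic allow/deny for one tool call; returns (allowed, reason)."""
    pol = sess.policy
    if sess.calls >= pol.max_calls:
        return False, "call budget exhausted"
    if tool not in pol.tools:
        return False, f"tool {tool!r} not granted to {sess.agent}"
    if tool == "write_file" and not any(_under(args["path"], r) for r in pol.fs_roots):
        return False, f"path {args['path']!r} outside permitted roots"
    if tool == "http_get" and args["host"] not in pol.hosts:
        return False, f"host {args['host']!r} not on allowlist"
    sess.calls += 1
    return True, "ok"


def memory_write(sess: Session, entry: dict) -> None:
    """Append an entry MACed over (agent, position, content) so it cannot be
    edited, reordered or replayed into another agent's memory unnoticed."""
    body = json.dumps(entry, sort_keys=True)
    sess.memory.append((body, _mac(sess.agent, str(len(sess.memory)), body)))


def memory_read(sess: Session) -> list:
    """Return all entries, refusing the whole store if any MAC fails."""
    out = []
    for i, (body, mac) in enumerate(sess.memory):
        if not hmac.compare_digest(mac, _mac(sess.agent, str(i), body)):
            raise ValueError(f"memory entry {i} failed integrity check")
        out.append(json.loads(body))
    return out


def delegate(parent: Session, child: str, tools: set, max_calls: int) -> dict:
    """Issue an attested hand-off token; a child can only get a subset of the
    parent's tools and budget, so delegation can never escalate."""
    if not tools <= parent.policy.tools:
        raise PermissionError("delegation would grant tools the parent lacks")
    if max_calls > parent.policy.max_calls - parent.calls:
        raise PermissionError("delegation exceeds the parent's remaining budget")
    claims = {"parent": parent.agent, "child": child,
              "tools": sorted(tools), "max_calls": max_calls}
    return {"claims": claims, "mac": _mac("handoff", json.dumps(claims, sort_keys=True))}


def accept_handoff(token: dict, parent_policy: Policy) -> Session:
    """Verify the token before the receiving runtime instantiates the child."""
    expected = _mac("handoff", json.dumps(token["claims"], sort_keys=True))
    if not hmac.compare_digest(token["mac"], expected):
        raise PermissionError("hand-off token failed attestation")
    c = token["claims"]
    return Session(c["child"], Policy(set(c["tools"]), parent_policy.fs_roots,
                                      parent_policy.hosts, c["max_calls"]))
```

Two design points carry over to a real gateway regardless of language. First, the decision in `authorize` depends only on the session state and the policy, never on model output, which is what makes it deterministic and sub-millisecond. Second, `delegate` checks the child's grant against the parent's remaining grant at issue time and `accept_handoff` re-verifies the token at the receiving end, so a compromised intermediary can neither widen the tool set nor mint a token the receiver will trust.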

Why not off-the-shelf

Enforcement has to be deterministic, sub-millisecond, and live inside your perimeter. A model API can advise on policy; it can't guarantee what an agent is permitted to touch.

CAP · 02

On-Premise LLM Governance & DLP

Data Residency · Policy → Rules · Audit · Rollback

Translate AI threat models into enforceable, auditable policy across distributed inference nodes — natural-language authoring, one-operation multi-node deployment, immutable audit logs, and per-node rollback. Data never crosses your boundary.

Why not off-the-shelf

When compliance forbids sending data to an external API at all, a hosted model is a non-starter. Governance has to run where the data already lives.

CAP · 03

Adversarial Evaluation & Assurance

Red-teaming · Multi-turn Attacks · Provenance

Independent, reproducible adversarial testing of frontier and self-hosted models — prompt-injection chains, multi-turn jailbreaks, model inversion, and distillation provenance — delivered with methodology you can audit and rerun.

Why not off-the-shelf

A model can't certify its own safety. Assurance needs an adversary on the outside, running the tests a vendor has no incentive to run on itself.

CAP · 04

Cost-Bounded Memory Systems

Episodic Memory · Verifiable Retrieval · Tokens-per-Decision

Engineered memory that lets an agent answer a recurring class of questions without re-paying for the reasoning each time — structured episodic memory, distilled procedural skills, and retrieval whose results you can verify.

Why not off-the-shelf

A longer context window recomputes everything and bills you for it. Continuous operation inside a fixed budget needs memory that is built, not rented.

Every engagement ends in a defined deliverable: a running system, its documentation, and an audit trail you can hand to a reviewer.
Lab

From theory to
operational control.

On-premise LLM security governance, from policy authoring to multi-node deployment — built for enterprises where data never leaves the perimeter.

The Vigilio DLP Policy Studio is Capability 02, shipped: our first public reference implementation. It translates AI threat models into enforceable, auditable rules across distributed inference nodes without requiring data to touch an external API.

Policy Authoring

Natural-language rule input with structured YAML output. Conflict detection before deployment.

Multi-Node Deploy

Push governance rules to distributed proxy nodes in one operation. Per-node rollback with full git-style history.

Audit & Compliance

Immutable audit log with prompt hashes, user attribution, and node-level action records. Export-ready for ISMS review.

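Two of the properties listed above, conflict detection before deployment and an immutable audit log keyed by prompt hash, are concrete enough to show in code. The block below is an added example written for this page, not the Policy Studio's implementation. Its rule schema (an `id`, a `match` dict of attribute conditions that must all hold, an `action` of `allow` or `block`, an optional `priority`) and its audit-entry layout are assumptions; the Studio's YAML format is not shown on the page.

```python
"""Illustrative pre-deploy conflict check and hash-chained audit log
(added example; not the Policy Studio's implementation).

Assumptions not taken from the page: a rule is a dict with an 'id', a 'match'
dict of attribute=value conditions (all must hold), an 'action' of 'allow' or
'block', and an optional integer 'priority'; audit entries record a SHA-256 of
the prompt rather than the prompt itself.
"""
import hashlib
import json
from itertools import combinations

GENESIS = "0" * 64


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def compatible(m1: dict, m2: dict) -> bool:
    """Two match dicts can fire on the same prompt unless they demand
    different values for a shared attribute."""
    return all(m1[k] == m2[k] for k in m1.keys() & m2.keys())


def find_conflicts(rules: list) -> list:
    """Pairs of rules that can both match one prompt, disagree on the action,
    and carry no priority to break the tie. Run before any deploy."""
    out = []
    for a, b in combinations(rules, 2):
        if (a["action"] != b["action"] and compatible(a["match"], b["match"])
                and a.get("priority") == b.get("priority")):
            out.append((a["id"], b["id"]))
    return out


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, node: str, rule_id: str, action: str,
               prompt: str, ts: int) -> str:
        """Append one node-level action record; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        e = {"seq": len(self.entries), "ts": ts, "user": user, "node": node,
             "rule": rule_id, "action": action,
             "prompt_sha256": _sha256(prompt), "prev": prev}
        e["hash"] = _sha256(json.dumps(e, sort_keys=True))
        self.entries.append(e)
        return e["hash"]

    def head(self) -> str:
        """Hash to anchor externally (signed checkpoint, WORM store); without
        that anchor, silently truncating the tail is undetectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple:
        """(True, n) if all n entries chain correctly, else (False, first bad seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if (e["seq"] != i or e["prev"] != prev
                    or _sha256(json.dumps(body, sort_keys=True)) != e["hash"]):
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def export_for_review(log: AuditLog) -> str:
    """JSON-lines export for an ISMS reviewer; carries hashes, never prompt text."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log.entries)
```

The conflict check deliberately treats two rules with no shared attributes (say, one keyed on data class and one keyed on node) as able to collide, because a single prompt can satisfy both; that is exactly the pair a per-rule review misses. On the log side, hash chaining makes in-place edits and reordering detectable, but "immutable" also needs the head hash anchored somewhere the operator cannot rewrite, since a chain that has simply lost its last entries still verifies.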
GitHub repo: releasing soon.
Approach

Research practice over product roadmap.

We work in the gap between security research and ML systems engineering, a place where empirical evidence is rare and deadlines are hostile to rigour. Three commitments govern how we work.

P · 01

Threat models before tooling.

Every artefact begins with an explicit, falsifiable threat model, and we do not endorse a defense we have not first tried to break ourselves.

P · 02

Independence over scale.

Findings are published without vendor pressure. When work touches a specific platform, we say so.

P · 03

Every layer, end to end.

Architecture matters because attackers compose primitives across layers. Our reviews follow data, models, and identity from training corpus to inference response.

Track Record

Shipped systems, disclosures, and prior art.

The Lab

Heritage you can verify — not a list of credentials.

Vigilio's work is grounded in two decades spanning security architecture, low-latency systems engineering, and applied machine learning — the same combination behind HackAlert™, the first cloud malware-detection SaaS, which was taken to market across three continents and ended in an acquisition by Proofpoint. That lineage is also visible in foundational patents on malware detection and source-code security analysis, and in research ties to UC Berkeley EECS and the founding of OWASP Taiwan.

We keep the lab small and senior on purpose: the people who design a system are the people who build it, break it, and ship it. Because the work is engineered rather than prompted, it survives a model swap or a platform migration intact.

The thesis is simple. General-purpose models are becoming a commodity; the durable advantage sits in the specialised systems built around them — the ones that respect a data boundary, hold a latency budget, and can be audited. That is the work we take on.

Provenance & Standards
Armorize → Proofpoint (acquisition)
U.S. Patents ×2 — malware & source-code security
UC Berkeley EECS — Visiting Scholar
Founding Vice Chair, OWASP Taiwan
First cloud malware-detection SaaS (HackAlert™)
Contact

Bring us the problem a generic model can't solve.

For custom system builds, enterprise engagements, technical reviews, adversarial evaluation, advisory work, or responsible-disclosure conversations — reach out. We take on only what we can ship, and we'll tell you quickly whether a project is a fit.