The honest answers.

Vigil is the AI defense platform for humans. It sits between you and every AI provider you use, intercepting actions before they execute, recording every interaction to a tamper-evident audit chain, and giving you a single button to revoke every AI agent across every provider when something goes wrong.

It is not observability. It is not a wrapper. It is independent defense infrastructure that no AI provider can offer because they cannot audit themselves.

Three things providers structurally cannot do. First, see across providers. Your financial AI on one provider speaks to your health AI on another. Only an independent layer sees the full exchange. Second, hold actions before execution. Providers optimize for autonomy and engagement. A defense layer that pauses high-risk actions for approval works against their business model. Third, revoke trust. Once a provider issues a token or context, they cannot atomically pull it back across an entire ecosystem. Vigil can.

Sub-10 millisecond p99 on the policy path. Detection runs in parallel with the provider call, not sequentially. Streaming responses pass through at provider-native latency. The only time you see hold-time is when the Execution Gate intercepts a Tier 2 or Tier 3 action for your approval. Everything else is invisible.

macOS today. Browser extension in beta. iOS approval app for Repair tier and above shipping in Q2 2026. Windows in beta. Mobile and SDK surfaces follow in Q2 and Q3 2026. The same Rust engine runs across all of them so coverage is consistent.

Download the Mac app, sign in, install the certificate when prompted. The certificate is what allows Vigil to inspect TLS traffic locally. The whole flow takes under three minutes. No browser configuration, no manual proxy setup.

No. Vigil runs underneath. You keep using ChatGPT, Claude, Gemini, your IDE assistant, and any agent you have built the same way you do today. Vigil is invisible until something happens. When something does, you see it.

Shield. Prevent and audit. Every interaction intercepted, decomposed, risk-scored, logged. Policy violations blocked before execution.

Repair. Correct and rollback. Execution Gate holds high-risk actions for approval. Automated rollback where providers allow. Court-admissible evidence packages via VOAF.

Sentinel. Defend and deter. 24/7 behavioral monitoring. Adversary fingerprinting in reverse. Honeypot endpoints.

Warden. Hunt and reclaim. Cross-user threat intelligence. When one user is attacked, the network is pre-defended. Available read-only on Sentinel tier, full access on Sovereign.

Three-layer emergency revocation. Layer 1: instant local lockdown, sub-second. Layer 2: OAuth and API key cascade across every connected provider in parallel. Layer 3: network trust revocation with 1-hour cert expiry and dead-man switch if Vigil goes offline. Included on every tier from Shield up.

The pre-execution hold for high-risk actions. When your AI is about to execute something material, sending money, signing a contract, deleting data, the Execution Gate intercepts the downstream API call and holds it for 30 to 300 seconds. You get a push notification. You approve or reject. Vigil enforces the decision. Pre-execution snapshots make rollback deterministic where the provider supports it. Available on Repair tier and above.

Yes. That is the structural moat. Vigil sits in a position no single provider can replicate. OpenAI, Anthropic, Google Gemini, Groq are supported at launch. Any provider with an OpenAI-compatible API works immediately. Cross-provider event correlation is core to detection.

The detection ensemble runs locally on your Mac. Four models on the inline path: Isolation Forest, LSTM behavioral, Bayesian, Multi-Window CUSUM. They evaluate intent and risk, not content. The decision is made on-device in under 10 milliseconds. The risk score, action type, and policy outcome are logged. Content is never extracted or sent anywhere outside your local Vault.

Vigil Open Audit Format. A hash-chained, cryptographically sealed audit record format that survives forensic review. Every AI action generates a VOAF entry. Each entry is linked to the previous via SHA-256, so tampering is detectable. VOAF is filed with NIST as an open standard. The vigil-verify CLI for validating VOAF records is open source. Court-admissible evidence packages export from VOAF.

Locally. The Vault lives on your Mac, encrypted with a key tied to your device. Vigil’s cloud holds only the metadata required to run the service: account info, license state, anonymized telemetry on system health. Conversations, prompts, audit content, behavioral patterns, never leave your device. This is not a marketing promise. It is the architecture.

The local Vigil engine inspects requests and responses to run detection. That is unavoidable for an inline defense layer. The point is what happens next. The content is processed in memory, scored, sealed into your local Vault, and discarded. Nothing is sent to Vigil’s cloud. Nothing is used for training. Nothing is shared with providers beyond the original intended call.

Prompts and responses stay on your device. The Vault is encrypted at rest with a key only you hold. If we get subpoenaed, we cannot produce your conversation history because we do not have it. Enterprise tier supports self-hosted deployment for organizations that need this guarantee in writing.

The company can be subpoenaed for the records we hold. We hold account and billing information. We do not hold your conversation history, your prompts, your AI responses, or your behavioral baseline. Those live in your local Vault, encrypted with keys we do not have access to. A subpoena gets your account record. It does not get your AI history.

Trigger the Kill Switch from any other device. Layer 1 is local and depends on the device itself, but Layers 2 and 3 fire from your Vigil account: cascading OAuth revocation across every provider, network trust revocation with cert expiry. Your AI agents stop executing. The Vault on the stolen machine is encrypted at rest with a key tied to your account password and hardware key (Sentinel and above), so a thief cannot read its contents without your credentials.

No. Not by Vigil, not by anyone Vigil contracts with. The architectural reason this is true: your data does not leave your device, so there is nothing to train on. The exception is the Warden network on Sentinel and Sovereign tiers, where anonymized attack signatures are contributed to a collective intelligence feed. Attack signatures are derived patterns, not your content. You can opt out.

A local, encrypted, tamper-evident archive of every AI conversation, decision, and authorization on your device. Built on VOAF. Searchable from day one with text search. Vector search and semantic recall ship in Q2 2026 on Sentinel and above.

AES-256 at rest. Keys derived from your account password and, on Sentinel and above, optionally bound to a hardware key like a YubiKey. Nothing in the Vault is readable without your credentials. We do not hold a backup key. We cannot recover Vault contents if you lose your password.

A model trained on your own AI history, running on your device. QLoRA fine-tune on a 7B base via Apple MLX. It writes in your voice, reasons in your style, and knows your context without sending it anywhere. Triggered after roughly six months of accumulated Vault data. Available in early access on Sentinel tier. The doctrine: Claude knows the world, the Personal Model knows you.

This actually happens. When Claude revoked a customer’s context recently, every conversation, every preference, every decision the AI had learned was gone in a keystroke. The Vault makes that impossible. Your history is yours. No provider can delete it. Even if OpenAI deprecates a model or Anthropic revokes access, your Personal Model and your Vault still work.

A compromised AI agent can move real money, send real messages, delete real data. The cost of one Tier 3 incident exceeds the lifetime price of Sovereign. Feature-list pricing would anchor against software SaaS at $10 to $30 per month. That anchor is wrong. Vigil is priced against what it protects.

Yes. Shield $15, Repair $27, Sentinel $45 per month. Sovereign is monthly-only at $99. Annual gets you the same coverage at 17 to 28 percent off depending on tier.

Shield at $15 per month or $129 per year is the entry point. A limited free tier is on the roadmap for distribution reach, but we are deliberately keeping the baseline paid. Free security tools teach users that security is worth nothing. We are not doing that.

Upgrade instantly with prorated billing. Downgrade at the end of the current billing period. No refunds on annual plans. Developer plan changes are prorated daily.

30-day money-back guarantee on first purchase, monthly or annual. After that, monthly plans cancel at the end of the cycle without refund. Annual plans do not refund the unused portion. If something has gone wrong on our end, email us. We solve it.

All major cards via Stripe. Wire transfer for Enterprise contracts. Cryptocurrency on request for Sovereign and Enterprise tiers.

50 percent off Shield and Repair for verified students and registered non-profits. Email us with proof of status.

Consumer plans cover AI on your devices. Developer plans cover AI in the cloud. Agents you deploy on Replit, LangGraph, your own VPS, or any cloud platform get the same engine via a one-line URL change. baseURL: "https://gateway.runvigil.ai/v1/openai" with your Vigil key, and your agents are protected.

OpenAI, Anthropic, Google Gemini, Groq at launch. Any provider with an OpenAI-compatible API works immediately. Enterprise contracts can request additional provider support, typical lead time two weeks.

Under 40 milliseconds p95 for standard requests. Detection runs in parallel with the provider call, not sequentially. Gate-triggered holds add the approval wait time only for Tier 2 or Tier 3 actions. Everything else streams through at provider-native latency.

Yes. The Developer plan is an inline cloud proxy and has to inspect requests and responses to run detection. Content is processed in memory, sealed into your project’s audit log via VOAF, and not retained otherwise. Not used for training. Not shared with providers beyond the original intended upstream call. Enterprise tier supports self-hosted Developer deployment where traffic never leaves your VPC.

Circuit breaker mode. On outage, configured projects can pass through to the provider directly. You lose defense on those requests. You do not lose availability. Outage events are VOAF-logged with a flag so your audit trail remains honest about coverage gaps.

They are observability layers. They log, cache, and rate-limit. Vigil is a defense layer. It detects, enforces, and revokes. The two are complementary. You can use Cloudflare for caching and Vigil for defense without conflict.

The protocol specifications, TAP, VARP, VOAF, are open. The vigil-verify CLI that validates VOAF audit records is open source. The Developer plan proxy itself is a hosted service. Enterprise tier includes the self-hosted deployment option with source-available licensing.

The product is designed to require no SDK. One URL change to use the Vigil-prefixed endpoint and you are protected. SDKs for TypeScript, Python, and Rust are in development for advanced workflows like custom policy injection and richer dashboard integration.

Yes, on Enterprise tier. The Vigil engine deploys inside your VPC. Source-available licensing. Traffic never leaves your perimeter. Updates pulled on your schedule.

SOC 2 Type II audit in progress. Type I report available now. Enterprise contracts include the SOC 2 scope as part of the agreement. The architecture itself, local-first, hash-chained audit, deterministic enforcement, was designed against SOC 2 controls from the start.

Yes on Team and Enterprise tiers. Okta, Azure AD, Google Workspace via SAML 2.0. SCIM provisioning for user lifecycle automation.

Splunk, Datadog, Sumo Logic, generic Syslog and webhook export on Team tier. Enterprise contracts include custom SIEM integrations on request. VOAF records export in your SIEM’s native format with full chain integrity preserved.

99.9 percent uptime on Team. 99.95 percent with custom incident response terms on Enterprise. Status page at status.runvigil.ai with real-time component health.

Yes. Enterprise contracts cover custom volume tiers, custom SLA terms, dedicated success manager, vertical-specific policy libraries (financial services, healthcare, legal), and B2B2C licensing for embedding Vigil in your own product. Email enterprise@vigilsec.ai.

Forty-plus AI threat vectors mapped on the Threats page. Categories: financial drain, identity cascade, relationship and reputation harm, health manipulation, legal traps, privacy harvesting, slow behavioral manipulation, and structural model failures. Each vector has detection logic in the Rust engine.

Three things in parallel. The Execution Gate holds any related downstream actions. A push notification fires to your phone. A pre-execution snapshot captures the state for forensic review. You decide: approve, reject, or trigger Kill Switch. Vigil enforces. The whole chain is sealed in the Vault as a VOAF evidence package.

Three formats. VOAF JSON for machine processing and SIEM ingestion. VOAF-M for ML training pipelines. Markdown for human-readable conversation reconstruction. Hash-chain integrity preserved across all formats. Independent verification via the open-source vigil-verify CLI.

VOAF is designed to be. Hash-chained sealing produces a tamper-evident record. The chain is independently verifiable without trusting Vigil. The format is filed with NIST as an open standard. Whether a specific log is admitted in a specific jurisdiction depends on the court and the case, but the technical foundation is built for it.

Our taxonomy of forty-plus AI threat vectors organized by category, severity, and detection mechanism. Available on the Threats page. Mendeleev left gaps in his periodic table for elements not yet discovered. Ours leaves space for vectors not yet catalogued.

Vigil AI Security, Inc. Delaware C-Corp with operations in Singapore. Founded 2026. Founder and CEO Dipendra Jain (previously built Pivotal AI, acquired). Co-founders Marek Dawidowicz (CMO, formerly APAC Marketing Director at YouTube/Google) and Tobias Berger (Head of BD, formerly Google and Expedia). Engineering team in Singapore.

Four structural reasons. Cross-provider AI traffic has no observer. Providers cannot self-audit without harming engagement. Inspection at the model layer kills benchmark performance. The pre-2008 banking system showed what happens when the audited entity is also the auditor. Defense must come from outside.

Three open standards. TAP (Trusted Agent Protocol) for verifiable agent identity and behavioral fingerprinting. VARP (Vigil Agent Revocation Protocol) for the three-layer Kill Switch. VOAF (Vigil Open Audit Format) for hash-chained audit records. All three filed with NIST. Adoption outside Vigil makes us the default implementation. Precedents: SSL, FICO, DigiCert.

Yes. NIST RFI submission filed March 2026, docket NIST-2025-0035, tracking number mmk-190r-hvap. Vigil’s architecture proposed as reference implementation. Regulatory positioning locked before EU AI Act enforcement. Active discussions with Singapore EDB and IMDA.

Two provisional patents filed. VIGIL-2026-001 covers the Execution Gate. VIGIL-2026-002 covers the two-surface detection pipeline. Foundational IP protecting architecture providers cannot replicate.

Glasswing is a coalition. AWS, Apple, Google, Microsoft, NVIDIA, JPMorgan, Palo Alto, CrowdStrike. $100 million in credits. It validates that AI defense is a civilization-scale category. Vigil is the independent layer none of those participants can structurally provide. We are complementary to Glasswing, not competitive. The threat intelligence Vigil generates from cross-provider visibility is the kind of data Glasswing participants cannot collect themselves.