Hexagonal Architecture · 12 Modules · Zero Trust

The Complete AI Security Platform

ASTRA BASTION unifies identity, gateway security, trust scoring, agent operations, compliance, risk quantification, resilience testing, and data governance into one modular, enterprise-grade platform.

Request a DemoExplore AI Gateway

234

API Endpoints

12

Security Modules

33

AI Providers

38+

Integrations

132

Dashboard Pages

Modular Architecture

12 Purpose-Built Security Modules

Each module is a bounded context with its own database schema, domain events, and REST API. Deploy all twelve or pick the ones you need.

IAM

Identity & Access Management

Enterprise-grade identity with multi-factor authentication, SSO federation, and non-human identity management for service accounts and API keys.

  • Multi-factor authentication (TOTP, WebAuthn, SMS)
  • SSO federation (SAML 2.0, OIDC, OAuth 2.0)
  • Non-Human Identity (NHI) lifecycle management
  • RBAC + ABAC fine-grained permissions
  • Session management with refresh token rotation

AI Gateway

Secure AI Traffic Control

14-step security pipeline inspecting every LLM request and response. Supports 18+ AI providers with prompt injection detection, PII redaction, and kill switch.

  • 14-step security pipeline (pre + post processing)
  • 18+ AI provider adapters (OpenAI, Anthropic, etc.)
  • 9 prompt injection detection techniques
  • 38 tool call injection pattern signatures
  • Kill switch with scope hierarchy
Learn more

Trust Engine

Continuous Trust Scoring

5-pillar trust scoring from A+ to F, aggregating security posture, compliance adherence, risk exposure, resilience readiness, and AI governance maturity.

  • 5-pillar scoring (Security, Compliance, Risk, Resilience, AI Gov)
  • A+ to F grading with real-time recalculation
  • 6 ACL data adapters for cross-module aggregation
  • Score decay models (linear, exponential, sigmoid, step)
  • Event-driven recalculation with 30s debounce
Learn more

AEGIS

AI Agent Security Operations

Complete agent lifecycle security: MCP Firewall for tool call validation, behavioral monitoring with anomaly detection, inter-agent HMAC authentication, and emergency kill switch.

  • Agent kill switch (instant termination)
  • MCP Firewall with tool name + injection regex
  • Inter-agent HMAC-SHA256 authentication
  • Behavioral monitoring (z-score + IQR anomaly)
  • Memory poisoning detection engine
Learn more

Compliance

Regulatory Framework Management

Automated compliance assessments against EU AI Act, NIST AI RMF, ISO 42001, SOC 2, GDPR, and HIPAA with cross-framework control mapping and evidence collection.

  • EU AI Act assessor (Art. 5-53, 350+ rules)
  • NIST AI RMF (24 subcategories)
  • Cross-framework control mapping (24 mappings)
  • ISO 42001, SOC 2, GDPR, HIPAA support
  • Evidence collection and audit trail
Learn more

Risk

AI Risk Quantification

Quantitative risk analysis using FAIR methodology and Monte Carlo simulations with 10,000 iterations. PERT distributions, VaR/CVaR calculations, and portfolio-level aggregation.

  • FAIR quantitative risk calculator
  • Monte Carlo simulation (10K iterations)
  • PERT distribution modeling
  • VaR and CVaR at 95th/99th percentile
  • Threat modeling with convergence detection

Resilience

Breach & Attack Simulation

Scenario-based resilience testing with blast radius analysis using BFS graph traversal. Chaos engineering injection, RTO/RPO measurement, and automated recovery validation.

  • Breach & attack scenario execution
  • Blast radius analysis (BFS graph traversal)
  • RTO/RPO measurement and tracking
  • Chaos engineering injection service
  • Automated recovery procedure validation

BASTION AI

Intelligent Security Assistant

Built-in AI assistant with streaming chat, RAG pipeline for contextual security intelligence, model routing with failover, and production-grade OpenAI/Anthropic integration.

  • Streaming chat with token-by-token output
  • RAG pipeline (chunking, reranking, assembly)
  • Multi-provider routing with failover
  • Production-grade OpenAI adapter (221 lines)
  • Contextual security intelligence queries

Platform Services

Event Processing & Workflows

OCSF v1.4.0 event normalization across 22 event types into 7 classes. Multi-channel notification dispatch, workflow engine with loop detection, and report generation.

  • OCSF v1.4.0 normalization (22 event types)
  • Multi-channel notifications (email, Slack, webhook)
  • Workflow engine with loop detection
  • Report generation and scheduling
  • Exponential backoff retry with dead-letter queue

Administration

System Health & Configuration

Centralized admin console with real-time health monitoring, tenant onboarding wizard, license management, and system configuration with audit logging.

  • Real-time system health monitoring
  • Guided tenant onboarding wizard
  • License and subscription management
  • System configuration with versioning
  • Complete administrative audit trail

CyberTwins

Digital Twin Topology

Digital twin modeling of your AI infrastructure with graph-based topology visualization, attack path analysis, and continuous security posture assessment.

  • Infrastructure digital twin modeling
  • Graph-based topology visualization
  • Attack path and blast radius analysis
  • Asset discovery and classification
  • Continuous posture assessment

Data Governance

ML-Powered Data Protection

Machine learning data classification detecting 18 sensitive data types (PII, PHI, PCI, credentials). DSAR processing across 7 jurisdictions with full data lineage tracking.

  • ML classification (18 data types: PII, PHI, PCI)
  • DSAR processing (7 jurisdictions incl. India)
  • Data lineage with graph traversal
  • Retention policy enforcement
  • Aadhaar, PAN, and credential detection

Under the Hood

Hexagonal Architecture

Clean separation of domain logic from infrastructure. Ports and adapters ensure every module is testable, replaceable, and independently deployable.

DomainPure Business LogicEntities · Value Objects · EventsInbound PortsUse CasesOutbound PortsRepositoriesREST AdaptersFastAPI ControllersDB AdaptersPostgreSQL + RedisEvent Bus · Redis Streams · CloudEvents v1.0 · 137 Domain Events

Presentation

Next.js 15, React 19, 132 dashboard pages

API Layer

FastAPI, 234 REST endpoints, RFC 7807 errors

Application

CQRS commands/queries, Result<T> monad

Domain

DDD entities, value objects, 137 domain events

Infrastructure

PostgreSQL 17, Redis 7, Neo4j, Elasticsearch

Domain-Driven Design

12 bounded contexts with aggregate roots, entities, and value objects. Clean domain events for cross-module communication.

CQRS Pattern

Selective command-query separation for Gateway, Trust Engine, and CyberTwins. Optimized read and write paths.

Result Monad

Result<T, DomainError> throughout. No exceptions for business logic. RFC 7807 Problem Details at the API boundary.

Row-Level Security

PostgreSQL RLS on every table. Tenant isolation enforced at the database layer, not just application code.

Enterprise Integrations

38+ Integrations

Connect ASTRA BASTION to your existing security stack. Native integrations across SIEM, SOAR, cloud security, identity, DevOps, communications, and observability platforms.

SIEM

8 integrations

SplunkMicrosoft SentinelIBM QRadarElastic SIEMGoogle ChronicleSumo LogicLogRhythmExabeam

SOAR

5 integrations

Palo Alto XSOARSplunk SOARIBM ResilientSwimlaneTines

Cloud Security

5 integrations

AWS Security HubAzure DefenderGoogle SCCPrisma CloudWiz

Identity Providers

8 integrations

OktaAzure AD / Entra IDAuth0Ping IdentityOneLoginCyberArkHashiCorp VaultAWS IAM

DevOps

5 integrations

GitHubGitLabJiraServiceNowPagerDuty

Communications

4 integrations

SlackMicrosoft TeamsEmail (SMTP)Webhook

Observability

3 integrations

DatadogGrafanaNew Relic

33

AI Provider Types

US, China, APAC, self-hosted

38+

Enterprise Connectors

SIEM, SOAR, cloud, identity

OCSF

Event Formats

v1.4.0, 22 event types

4

Notification Channels

Slack, Teams, email, webhook

Universal AI Coverage

33 AI Providers Supported

From OpenAI and Anthropic to DeepSeek, Qwen, and self-hosted models. Every request routed through the 14-step security pipeline.

US / Western

12

OpenAI

Anthropic

Google Gemini

Meta Llama

Mistral

Cohere

AI21 Labs

Perplexity

xAI Grok

Inflection

Stability AI

Hugging Face

China / APAC

10

DeepSeek

Qwen (Alibaba)

Baidu ERNIE

Zhipu GLM

Moonshot (Kimi)

01.AI (Yi)

Baichuan

SenseTime

iFlytek Spark

Minimax

Cloud Platforms

3

AWS Bedrock

Azure OpenAI

Google Vertex AI

Self-Hosted

5

Ollama

vLLM

TGI

LM Studio

Custom (OpenAI-compatible)

Defense in Depth

Security at Every Layer

Prompt Injection Detection

9 heuristic techniques including Unicode normalization, emoji stripping, RTL override detection, homoglyph analysis, Base64 decoding, and nested encoding detection.

PII / PHI Redaction

ML-powered classification detects 18 sensitive data types including Aadhaar, PAN, SSN, credit cards, and medical identifiers before they reach AI models.

Tool Call Validation

38 injection pattern signatures covering SSRF, command injection, path traversal, SQL injection, and template injection in MCP tool parameters.

Rate Limiting

Redis sliding-window rate limiter with per-tenant, per-user, and per-provider quotas. Burst allowance with automatic recovery.

Kill Switch

Hierarchical scope control: global, tenant, provider, model, or individual agent. Instant shutdown with audit trail and automatic notification.

Full Audit Trail

Every request and response logged with OCSF normalization. Complete chain of custody from ingress to model response and back.

Regulatory Coverage

Built for Compliance

EU AI Act

Art. 5-53

NIST AI RMF

24 subcats

ISO 42001

AI Management

SOC 2

Assessment ready

GDPR

Gap analysis

HIPAA

PHI controls

Start Securing Your AI

12 modules. 234 API endpoints. 38+ integrations. One platform. Deploy on-premise or in the cloud with full tenant isolation and zero-trust security from day one.

Start Securing Your AIView Pricing
Enterprise-Grade SecurityMulti-Tenant IsolationOn-Premise AvailableZero Trust Architecture6 Compliance Frameworks