Ascend gives you an AI operations department that lives in your tools — which means security can't be an afterthought. Every agent runs sealed in its own hardened container, behind encrypted tunnels, with every action on the record. You get the power without having to be a security engineer.
Hardened by default · Canadian data residency · your credentials never leave your container
Proactive hardening
Hardened before the first attack.
We don't wait for a breach to take security seriously. Every Ascend agent ships with defense-in-depth layered on from day zero — container isolation, input shields, encrypted tunnels, and a full audit trail. The security is already done before your first message.
0containers ever breached
100%per-customer isolation
6kernel security layers
24/7input shield active
DIY RAG Build vs Ascend Agents
Built on the best tools. Hardened by Ascend.
Building an AI agent from open-source components gives you full control — and full responsibility for locking things down. Ascend runs the same powerful stack already hardened out of the box. The isolation, the encryption, the locked-down access: it's already built in. You own your data; the security is done.
Building it yourself DIY RAG
Ascend Agents
Your data stays in your environment
Yes
Yes
You approve what agents can access
Yes
Yes
Hardened Docker isolation on every instance
✗ You harden it yourself
cap-drop ALL, no-new-privileges, non-root
Nothing exposed to the internet
✗ You manage networking
Gateway polling, no inbound ports
Input shield — prompt injection blocked
✗ Build or buy separately
Built-in, block mode, regex + LLM
Canadian data residency (BC regulated)
✗ Figure it out yourself
Bedrock ca-central-1, data stays in Canada
Secrets stripped from all responses
✗ Manual sanitization
Token proxy isolates API keys
Nightly security maintenance
✗ Build a cron system
Dream cycle audits knowledge nightly
Hardened for you, by default
✗ No
Yes — every instance, every time
Defense in depth
Every layer, hardened.
Real security isn't one wall — it's many. Here's what's protecting your agents at every level. Each card has the plain-English version up top and the technical detail underneath — so you and your IT person both get what you need.
Every instance is sealed in its own box
7-layer container isolation
Your agents run in a locked-down Docker container that can't see, touch, or talk to anyone else's. If one instance ever had a problem, it stays its problem.
Under the hood
cap-drop=ALL, no-new-privileges, non-root user (UID 10000)
PID limits + memory / CPU caps per container
Isolated Docker network, ICC disabled — containers cannot see each other
Read-only root filesystem, tmpfs only for temporary data
Nothing is exposed to the internet
Zero-trust networking
There's no public door to your agents. No open ports, no inbound connections. Your agent polls the Ascend gateway for messages — it reaches out, the outside world can't reach in.
Under the hood
Gateway polling mode — agent initiates all connections outbound
UFW firewall: default deny, only ports 22/80/443 open
iptables DOCKER-USER chain blocks Docker from publishing externally
Prompt injection blocked before it reaches the agent
Input shield + clawvisor
Before any message reaches your agent, it passes through two layers of defense: regex-based pattern detection that blocks known injection attacks, and an output filter that catches anything that slips through.
Under the hood
INPUT_SHIELD_MODE=block — injection patterns rejected before LLM call
For regulated professionals in BC — mortgage brokers, realtors, property managers — your data runs on AWS Bedrock in ca-central-1. Not routed through US servers, not processed offshore. BC-compliant by design.
Under the hood
Bedrock ca-central-1 with DeepSeek V3.2 for regulated verticals
BCFSA / RECBC / PIPA data residency requirements met
No data transits outside Canadian borders during processing
Per-customer isolated storage — no shared databases
API keys never touch the agent container
Token proxy + vault
Your API keys and credentials live in the credential vault, completely outside the agent's container. The agent talks to a local token proxy that handles authentication. The agent never sees a key — it couldn't leak one if it tried.
Under the hood
Token proxy (localhost:9800) isolates API authentication from the agent
HMAC key derivation per customer — auto-generated, unique per instance
Bot tokens, API keys, signing secrets auto-stripped from agent responses
Vault runs outside the container — agent has zero filesystem access to credentials
The agent can't write to its own filesystem
Read-only rootfs
Even if an attacker gained control of the agent, there's nothing to write to. The filesystem is mounted read-only at the kernel level. Configuration files, personality (SOUL.md), and skills are all mounted :ro — immutable.
tmpfs mounts for /tmp, sessions, logs — noexec, nosuid
Even if the agent runs arbitrary code, it cannot alter its own configuration
Your knowledge base audits itself every night
Autonomous dream cycle
While you sleep, your agent runs a nightly audit cycle: contradiction detection, freshness checks, memory consolidation. It catches stale information, flags contradictions, and keeps itself sharp — automatically.
Under the hood
Nightly dream cycle at 3:50 AM — contradiction detection + freshness audit
ChromaDB health checks — detects embedding drift and stale chunks
No human maintenance required — the agent maintains its own knowledge base
Every action is on the record
Full audit logging
Anything that changes state gets logged — who did it, what they touched, whether it worked. Nothing happens in the dark. Your dashboard shows every conversation, every action, every outcome.
Under the hood
Every agent action logged: user, action, resource, success/fail
Dashboard-visible — no CLI or log diving required
90-day retention, queryable for review and incident response
Immutable audit log — cannot be modified by the agent
You're always in the loop.
Agents move fast, but you stay in control of the moments that matter. Sensitive actions wait for your sign-off, you approve which tools each agent can use, and everything that happens is written down.
Approvals on the risky stuffSensitive actions pause for your approval. Nothing ships without your say-so.
️
54+ skills, you approve which are activeDecide exactly which tools and integrations each agent can use. Slack yes, Stripe with approval only.
A full audit trailEvery action logged with who, what, when, and the result. Visible in your dashboard. 90-day retention.
Straight talk on what keeps agents in check
No one can promise an AI agent will never be confused by a strange question. So we don't rely on hope. Agents are boxed in by what they're actually allowed to do: tool permissions, read-only filesystems, input shields, approval gates, and isolated containers. If something does go sideways, it's contained, logged, and visible — not loose on your systems.
Secure by default.
Every instance is hardened, isolated, and locked down before you send your first message. You just build.