SOC 2 Type II · ISO 27001 · GDPR Compliant · HIPAA Ready · FedRAMP In Progress
Identity-Aware Permission Intelligence

Permission management that actually scales.

Aegis is the enterprise-grade access control platform built for teams that can't afford to get permissions wrong. Octal precision. Symbolic flexibility. Recursive enforcement. Zero compromise.

Enterprise-hardened · SOC 2 certified · Sub-ms latency
aegis — policy engine
$ aegis -v 755 deploy.sh
mode of 'deploy.sh' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
$ aegis -R -c u+x ./scripts/
mode of './scripts/build.sh' changed from 0644 (rw-r--r--) to 0744 (rwxr--r--)
mode of './scripts/test.sh' changed from 0644 (rw-r--r--) to 0744 (rwxr--r--)
mode of './scripts/deploy.sh' changed from 0644 (rw-r--r--) to 0744 (rwxr--r--)
$ aegis --reference=deploy.sh config.yaml
mode of 'config.yaml' changed from 0600 (rw-------) to 0755 (rwxr-xr-x)
2.4B+ Permission policies enforced daily
99.999% Enforcement uptime SLA
<0.3ms Average policy resolution
4,200+ Enterprise deployments worldwide

Capabilities

Every permission primitive you need.
Nothing you don't.

Aegis ships with a complete permission management toolkit — from surgical single-file policies to recursive org-wide enforcement. Every feature is production-hardened and audit-ready.

Octal Precision Engine™

Define exact permission states with our three-digit octal policy notation. 755, 644, 600 — every combination maps to a deterministic, auditable access state. No ambiguity. No drift.

aegis 755 deploy.sh

Symbolic Policy Language™

Express permission changes in human-readable symbolic syntax. Grant, revoke, or set policies for users, groups, and others with intuitive operators. u+x, g-w, o=r — readable by humans, executable by machines.

aegis u+x,g-w,o=r app.conf

Recursive Enforcement™

Apply permission policies across entire directory hierarchies in a single atomic operation. Our recursive engine traverses your filesystem topology and applies consistent policy at every node.

aegis -R 755 ./project/

Root Shield™

Enterprise-grade root protection prevents catastrophic recursive permission changes at the filesystem root. Enabled with a single flag, Root Shield is the last line of defence between your team and a career-ending incident.

aegis --preserve-root -R 777 /

Audit Trail™

Full diagnostic output for every permission change across your infrastructure. Verbose mode surfaces every file touched, every mode transition, every policy application — complete observability for your compliance team.

aegis -v 644 *.conf

Delta Reports™

Noise-free change detection. Only surfaces files where permissions actually changed — filtering out the signal from the noise at scale. Zero-delta operations produce zero output. Clean, actionable intelligence.

aegis -c g+w ./shared/

Policy Cloning™

Mirror permission policies from a reference file to any target. No manual mode specification. No human error. Just point Aegis at your golden reference and let it propagate — deterministic policy replication at scale.

aegis --reference=golden.sh target.sh

Elevation Control™

Manage setuid, setgid, and sticky bit policies with first-class support. Special permission bits are the most dangerous primitives in access control — Aegis gives you surgical control over 4000, 2000, and 1000 modes.

aegis u+s,g+s /usr/local/bin/app
Workflow

From intent to enforcement in four steps.

01 Define Policy

Express your access control intent using octal notation or symbolic syntax. Aegis accepts both — choose the abstraction that fits your mental model.

02 Select Scope

Target a single file, an entire directory tree with recursive enforcement, or clone policies from a reference file. Aegis handles the topology.

03 Execute

Aegis applies your permission policy atomically. Root Shield guards against catastrophic ops. Silent mode suppresses noise; verbose mode surfaces everything.

04 Audit & Verify

Every change is logged with before/after mode transitions. Delta Reports surface only what changed. Full audit trail for compliance, observability, and peace of mind.

Comparison

Why teams switch to Aegis.

We benchmarked Aegis against the most common permission management approaches. The results speak for themselves.

Capability Aegis Competitor A Competitor B Manual Scripts
Octal Policy Notation Full 0-7777 Basic Error-prone
Symbolic Policy Language ugoa±rwxXst Limited Basic
Recursive Enforcement Atomic Non-atomic Depth-limited Fragile
Root Protection Built-in
Setuid/Setgid/Sticky First-class Partial Risky
Reference-Based Cloning Custom
Verbose Audit Trail Per-file Summary only
Silent / Suppressed Mode
SOC 2 / ISO 27001 Certified In progress
Case Study

"Aegis eliminated our permission drift problem entirely."

NovaCast Media runs a content distribution platform serving 40M monthly active users across 12 data centres. Their engineering team of 180 developers deploys code 47 times per day, each deployment touching hundreds of config files, scripts, and binary artefacts. Before Aegis, permission drift was their single largest source of production incidents — files deployed with wrong modes, scripts missing execute bits, config files left world-readable.

After adopting Aegis, NovaCast standardised on Policy Cloning to propagate golden reference permissions across their entire deployment pipeline. Recursive Enforcement handles their nested project structures atomically, while Delta Reports feed directly into their SIEM for real-time compliance monitoring. Root Shield was mandatory for their SRE team from day one — a non-negotiable guardrail for recursive operations in production.

"We went from 23 permission-related incidents per quarter to zero. Aegis isn't just a tool — it's the permission layer our entire deployment pipeline depends on. The audit trail alone justified the investment." — Priya Venkatesh, VP of Platform Engineering, NovaCast Media

NovaCast now processes over 1.2M permission policy applications per day through Aegis. Their mean time to remediate permission misconfigurations dropped from 47 minutes to under 200 milliseconds. The platform engineering team calls Aegis "the invisible guardrail" — the infrastructure that keeps everything running correctly without anyone needing to think about it.

Pricing

Permission management at every scale.

Start free. Scale to millions of policy enforcements. No hidden fees.

Starter
$0/month

For individual developers and side projects.

  • Octal mode only (3-digit)
  • 100 policy applications/day
  • Single-file targeting
  • Basic verbose output
  • Symbolic Policy Language
  • Recursive Enforcement
  • Special bits (setuid/setgid)
  • Policy Cloning
Team
$79/seat/month

For platform teams managing shared infrastructure.

  • Everything in Pro
  • Policy Cloning (--reference)
  • Elevation Control (setuid/setgid/sticky)
  • Symlink traversal modes (-H, -L, -P)
  • Team audit logs
  • SSO / SAML
  • Slack & webhook integrations
  • Priority support
Enterprise
Custom

For organisations where permission control is mission-critical.

  • Everything in Team
  • Dedicated infrastructure
  • Custom SLA (99.999%+)
  • SIEM & compliance integrations
  • On-prem / air-gapped deployment
  • BAA for HIPAA
  • Dedicated CSM
  • Annual security review
What Teams Say

Trusted by the teams that can't afford downtime.

★★★★★

"We were managing permissions with a tangle of shell scripts and tribal knowledge. Aegis gave us a single, auditable, deterministic layer. Our compliance team actually smiles now."

Raj Krishnamurthy
VP of Infrastructure, ScaleForge
★★★★★

"Policy Cloning changed our deployment pipeline. We have a golden reference and every artefact gets the exact same permissions. Zero drift. Zero incidents. It's the kind of tool you set up once and forget exists — because it just works."

Suki Morales
SRE Lead, Cloudvane
★★★★★

"The recursive enforcement is absurdly fast. We apply permissions across 200K+ files and it just handles it. The verbose audit output feeds directly into Splunk — gives us full observability on every mode transition."

Noah Holloway
CTO, NorthGrid Systems
★★★★★

"I'm a solo dev and I can't believe this is free at the starter tier. Octal mode is all I need for my projects. The verbose output catches permission mistakes before they become production bugs."

Sophie Kim
Independent Developer
★★★★★

"Root Shield is a non-negotiable for us. We had a junior engineer run a recursive permission change on / in staging. With Root Shield enabled, Aegis caught it before any damage. Worth the entire subscription."

Eren Okonkwo
Head of Security, MedStack Health
FAQ

Questions we get asked.

Octal mode uses numeric notation (e.g., 755, 644) to set exact permission states in a single declaration. Symbolic mode uses human-readable operators (e.g., u+x, g-w, o=r) to add, remove, or set specific permissions relative to the current state. Both are production-grade — octal is favoured for deterministic deployments, symbolic for incremental adjustments.
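
The difference between an absolute octal state and a relative symbolic change, as an added example (not Aegis code). It assumes the symbolic notation follows POSIX/GNU chmod semantics, and it goes beyond the three clauses above by also covering X, s and t. The names apply_symbolic, recursive_result and TREE are hypothetical, and the sample tree is constructed.

```python
import re

# Bits each "who" letter may touch: its rwx triplet plus its special bit
# (setuid for u, setgid for g, sticky for o), as in POSIX/GNU chmod.
WHO = {"u": 0o4700, "g": 0o2070, "o": 0o1007}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111, "s": 0o6000, "t": 0o1000}
# Assumption: every clause names its classes explicitly (no umask handling).
CLAUSE = re.compile(r"([ugoa]+)([+\-=])([rwxXst]*)")


def apply_symbolic(mode, spec, is_dir=False):
    """Apply a symbolic spec such as 'u+x,g-w,o=r' to an existing mode."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        who, op, perms = m.groups()
        affected = 0
        for w in who.replace("a", "ugo"):
            affected |= WHO[w]
        value = 0
        for p in perms:
            if p == "X":
                # Execute only for directories or files already executable.
                if is_dir or mode & 0o111:
                    value |= 0o111
            else:
                value |= PERM[p]
        value &= affected
        if op == "+":
            mode |= value
        elif op == "-":
            mode &= ~value
        else:  # "=" replaces everything the named classes control
            mode = (mode & ~affected) | value
    return mode & 0o7777


def recursive_result(tree, spec):
    """Map each (path, mode, is_dir) entry to its mode after applying spec."""
    return {path: apply_symbolic(mode, spec, is_dir) for path, mode, is_dir in tree}


# Constructed sample tree: a directory, a script and a secrets file.
TREE = [("proj", 0o700, True), ("proj/run.sh", 0o744, False),
        ("proj/secrets.env", 0o600, False)]
```

Run over the sample tree, a+x marks secrets.env executable while a+X leaves it at 0600, which is why X is the safer choice for recursive changes.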

Aegis is SOC 2 Type II certified, ISO 27001 compliant, and GDPR-ready. We operate on a zero-trust architecture. Permission policy data is encrypted at rest and in transit. Enterprise customers can deploy on-prem or in air-gapped environments. We undergo annual third-party penetration testing and publish the results.

Absolutely. Aegis's core policy engine runs entirely locally with zero network dependency. Permission enforcement, recursive traversal, and audit logging all execute on your infrastructure. Cloud sync for team audit dashboards is optional and can be disabled entirely for air-gapped deployments.

Root Shield is specifically designed to prevent catastrophic recursive permission changes at the filesystem root. Enable --preserve-root to block any recursive operation targeting /. For non-root directories, we recommend using Delta Reports (-c) to preview changes and verbose mode (-v) for full audit trails. Your compliance team will thank you.

Elevation Control provides first-class support for setuid (4000), setgid (2000), and sticky bit (1000) management. These special permission bits are accessible via both octal notation (e.g., 4755) and symbolic syntax (u+s, g+s, o+t). Aegis automatically handles the security considerations — set-group-ID bits are cleared when the file's group ID doesn't match the effective user's group, following best security practices.

Backed by mandō