Government & Defense
Deployment Results & Procurement
Compliance alignment and procurement information for federal program offices and technical evaluation boards.
Deployed Results
Proven in DoD Production Environments
Five production applications in DoD healthcare assessed through end-to-end agentic remediation pipelines. All CAT I, CAT II, and CAT III findings resolved to zero across all applications.
| Application | CAT I | CAT II | CAT III | CAT IV | Total |
|---|---|---|---|---|---|
| DHA Application 1 | 0 | 0 | 0 | 0 | 0 |
| DHA Application 2 | 0 | 0 | 0 | 0 | 0 |
| DHA Application 3 | 0 | 0 | 0 | 0 | 0 |
| DHA Application 4 | 0 | 0 | 0 | 1 | 1 |
| DHA Application 5 | 0 | 0 | 0 | 7 | 7 |
All applications assessed on Iron Bank RHEL 9 base images. Results validated through end-to-end pipeline runs with rebuild and runtime verification.
Methodology adopted by DHA Cyber Command (Defense Health Agency) for rollout across all programs under DHA direction.
SAST Posture
93.2 Composite Score on Production Codebase
Composite score derived from weighted coverage across NIST SP 800-53, OWASP Top 10, CWE/SANS Top 25, and DISA STIG rule sets. Scoring methodology accounts for severity distribution and false-positive suppression rates.
Validated across 20+ full pipeline runs with 14-tool input including Semgrep, SonarQube, Checkmarx, and Fortify rule equivalents.
AMI Hardening
STIG Compliance Up to 99.5% Automated
Automated AMI hardening against DISA STIGs across 6 OS platforms: Amazon Linux 2/2023, RHEL 8/9, and Windows Server 2019/2022. PowerSTIG + DSC for Windows, OpenSCAP + deterministic remediation for Linux. All via SSM.
| Platform | STIG compliance | Note |
|---|---|---|
| Windows Server 2022 | 99.5% | PowerSTIG + DSC |
| Windows Server 2019 | 99.5% | PowerSTIG + DSC |
| Amazon Linux 2 | 84% | DISA STIG profile |
| Amazon Linux 2023 | 85% | CAT I 91% |
| RHEL 8 | 81% | DISA STIG profile |
| RHEL 9 | 74% | DISA STIG profile |
Windows Server 2022 + 2019: 99.5% via PowerSTIG + DSC. Amazon Linux 2: 84%. Amazon Linux 2023: 85%. RHEL 8: 81%. RHEL 9: 74%. Produces hardened AMI, compliance reports, DISA STIG Viewer checklists (.ckl), and immutable audit trail. All instance access via SSM Session Manager — no SSH or RDP required.
FedRAMP High / IL4-IL5 Milestone
Validated on Llama 4 Maverick — AWS Bedrock GovCloud
The full 9-agent AMI hardening pipeline runs end-to-end on Bedrock/Llama 4 Maverick in 882 seconds with zero agent failures and all 15 required artifacts (including the verification report, STIG checklist, hardening log, CVE scan diffs, hardened AMI ID, and compliance report). No Sonnet fallback. No provider-specific workarounds.
Every scanning, remediation, and reporting step is a deterministic tool_sequence backed by native Python helpers — OpenAI, Claude, Gemini, and Bedrock/Maverick produce byte-identical artifacts on the deterministic steps. Provider choice is a cost + latency decision, not a capability decision.
SSP Generator
Deterministic FedRAMP SSP Generation
System Security Plan generation with zero LLM inference in compliance documents. All content deterministic — sourced from the Compliance Data Layer.
- 5: agent pipeline (end-to-end SSP generation)
- 3: FedRAMP baselines (Low / Moderate / High)
- 0: LLM inference in compliance documents
5-Agent Pipeline
Compliance Builder, SSP Generator, Appendix Generator, SSP Reviewer, and Artifact Compiler. NIST 800-53 control mappings, CSP control inheritance, and FedRAMP baseline alignment (Low/Moderate/High).
Compliance Data Layer
Single source of truth (compliance-state.json) ensures cross-document consistency. All document content is deterministic — LLM is used only for gap review, never for compliance document generation.
Compliance
Framework Alignment
Architectural design targets — not independent certifications.
NIST SP 800-53
Audit and accountability controls (AU family). Hash-chained JSONL logging, immutable artifact bundles, and multi-channel human-in-the-loop escalation (CLI, dashboard, email, Slack, SMS, Teams) with channel attribution tracking provide traceability for every AI action and human decision.
NIST SP 800-190
Application container security. Image provenance, vulnerability scanning, runtime isolation, and registry hardening aligned with container-specific guidance.
DoD Container Hardening Guide v1.2
Iron Bank STIG base images from registry1.dso.mil, non-root execution, isolated Python venv, read-only root filesystem, no-new-privileges, and layer optimization. Glyphon's own containers are hardened using its CVE resolution pipeline.
DISA STIGs (AMI + Container)
Automated STIG compliance scanning and remediation across 6 OS platforms. Windows Server 2022/2019: 99.5% via PowerSTIG + DSC. Amazon Linux 2: 84%. Amazon Linux 2023: 85%. RHEL 8: 81%. RHEL 9: 74%. All via SSM — no SSH or RDP.
DoD Image Creation Guide v2.6 + DISA Container Platform SRG
Image build pipeline compliance with Dockerfile best practices, multi-stage builds, and vulnerability-free base layers. Container platform alignment including network policies, secrets management, and resource constraints.
DoD CNCF Kubernetes Reference Design
Architecture alignment with DoD reference design for cloud-native deployments, including service mesh, observability, and policy enforcement.
IV&V Readiness + CUI Marking (DoDI 5200.48)
Every Glyphon source file carries an explicit CUI (Controlled Unclassified Information) marker per DoD Instruction 5200.48 and 32 CFR Part 2002. Idempotent marking applier + central policy doc keep 157+ files traceable. Requirements Traceability Matrix (RTM) maps every shipped capability from requirement → design decision → implementation → test case → E2E validation evidence for independent verification. Seven CI gates enforce code quality on every PR — Python (ruff + mypy + bandit + pytest) and TypeScript (eslint + tsc + vitest) — across both the orchestration engine and the web dashboard frontend.
Deployment
Cloud to Edge: Run Anywhere
Cloud (IL2)
OpenAI, Anthropic, Google, AWS Bedrock. Full provider selection with lowest per-run cost. Ideal for unclassified development and CI/CD integration.
Containerized
Three container tiers: local HTTPS, production slim, and Iron Bank STIG-hardened (UBI9, non-root, read-only rootfs). Web dashboard, visual editor, and template gallery. CDK stack for AWS Fargate.
GovCloud (IL4)
AWS Bedrock GovCloud with Llama 4 Maverick — FedRAMP High authorized managed inference, validated end-to-end on the full AMI hardening pipeline. Same playbooks and agents, classified infrastructure. Grafana Federal Cloud for observability.
Air-Gapped (IL5)
Data never leaves the enclave. Run local models via self-hosted Bedrock endpoints or on-prem inference. Open Telemetry traces to Grafana (FedRAMP High + DoD IL5). Deterministic tool_sequence pipelines produce identical artifacts whether the model is SaaS or on-prem — no external SaaS dependency.
Edge / Tactical
Run on NVIDIA DGX Spark, RTX GPUs, or AMD AI Max at the tactical edge. Same playbooks, disconnected operations. Designed for forward-deployed and DDIL environments.
Workstation
Develop and test playbooks on any workstation — macOS, Linux, or Windows. Rapid iteration with the same CLI used in production. No special hardware required.
Deterministic agents (scanners, parsers, validators) run as native Python — no LLM calls, no token cost.
All deployment models use FIPS-capable Iron Bank base images with identical playbook definitions.
Engineering
Built to Be Audited
Every pipeline run produces a complete artifact bundle: hash-chained audit log, agent conversation transcripts, scan results (before and after), file diffs, cost accounting, and a structured summary report. All artifacts are self-contained — no external service dependencies for post-run analysis.
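An added illustration (not Glyphon's code) of the hash-chained JSONL audit-log pattern named above and under NIST SP 800-53 AU controls: each record carries the previous record's hash, so any later edit, reordering, or deletion is caught by re-walking the chain. The record fields, the genesis value, and the sample events are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record (constructed convention)


def _canonical(obj) -> str:
    # Sorted keys and no whitespace so the digest is reproducible across writers
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _digest(seq: int, prev_hash: str, body: dict) -> str:
    # The hash covers the position, the link to the previous record, and the event body
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "body": body}).encode()).hexdigest()


def append_record(lines: list, body: dict) -> str:
    """Append one JSONL record chained to the last one; return its hash."""
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    seq = len(lines)
    record = {"seq": seq, "prev_hash": prev_hash, "body": body, "hash": _digest(seq, prev_hash, body)}
    lines.append(_canonical(record))
    return record["hash"]


def verify_chain(lines: list):
    """Return (True, None) if intact, else (False, seq of the first bad record)."""
    prev_hash = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return False, i
        if rec.get("seq") != i or rec.get("prev_hash") != prev_hash:
            return False, i  # reordered, deleted, or spliced record
        if rec.get("hash") != _digest(i, prev_hash, rec.get("body")):
            return False, i  # body edited after the fact
        prev_hash = rec["hash"]
    return True, None


def build_sample_log() -> list:
    # Constructed events of the kind an agentic remediation run would record
    lines = []
    append_record(lines, {"actor": "ai", "agent": "trivy_verifier", "action": "scan", "result": "12 CVEs"})
    append_record(lines, {"actor": "ai", "agent": "resolver_critical_high", "action": "patch", "files": 3})
    append_record(lines, {"actor": "human", "channel": "slack", "decision": "approve", "user": "reviewer-1"})
    return lines


def simulate_edit(lines: list, seq: int, new_body: dict) -> None:
    """Overwrite one record's body in place, leaving its stored hash untouched (for testing the verifier)."""
    rec = json.loads(lines[seq])
    rec["body"] = new_body
    lines[seq] = _canonical(rec)
```

In a real bundle the final hash would be recorded in the signed summary report so the whole file, not just its internal links, can be anchored.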
Glyphon's own deployment containers are built on STIG-hardened Iron Bank base images from registry1.dso.mil — then further vulnerability-scanned and hardened using Glyphon's CVE resolution pipeline. The platform secures itself.
The Visual Playbook Editor enables rapid pipeline development without writing YAML by hand — drag agents from a palette, connect them to define execution order, configure settings, and deploy. Program offices can adapt existing templates or build custom pipelines for their specific compliance requirements.
Visual Playbook Editor — design DAG pipelines with fan-out parallelism, configure edge conditions, and export runnable playbooks. Agents shown in the editor palette: Trivy Verifier (trivy_verifier), Dockerfile Reviewer (dockerfile_reviewer), Base Image Upgrader (base_image_upgrader), Dependency Mapper (dependency_mapper), and Resolver Critical-High (resolver_critical_high).
Observability
Trace Every AI Action
Open Telemetry + Grafana
Purpose-built for government and air-gap deployments. Pipeline traces flow through the Open Telemetry Collector to Grafana Tempo, with metrics in Prometheus and visualization in Grafana. Self-hosted — no data leaves the enclave.
Langfuse
SaaS or self-hosted LLM observability platform. Semantic trace hierarchy with typed observations — agents, tools, LLM generations, verification gates. Auto-scored pipeline metrics: CVE resolution rate, agent efficiency, and per-run cost tracking.
Every pipeline run produces a complete trace: agent spans with tool call events, LLM request metrics, verification gate results, and pipeline-level scores. Zero overhead when disabled — the NoOp backend adds no imports, no I/O, no latency.
Full Pipeline Observability
Every agent run, tool call, and LLM request traced end-to-end. Auto-scored pipeline metrics surface cost, efficiency, and resolution rate.
Langfuse trace view — per-agent cost breakdown, prompt cache savings, turn efficiency, and verification gates
Procurement
Past performance references available upon request.
Schedule a Briefing
Glyphon™ is available for capability briefings, technical demonstrations, and pilot programs.