Talos Is Designed For Enterprise Security

Enterprise-grade private model inference with verifiable security controls, flexible isolation tiers, and specialized AI agents orchestrated to defend, monitor, and operate enterprise systems

One Endpoint Interface

Talos connects to inference you control through a secure endpoint defined by a URL and credentials. Whether reasoning runs on local models on your own hardware or through your own approved cloud, the platform experience and integrations remain unchanged. Daedalus never hosts your inference.

  • Point Talos at local models or your own cloud — no code changes
  • Switch or migrate endpoints without disrupting active workflows
  • Maintain consistent security, auditability, and operational behavior

[Diagram: Talos Platform connected to Inference You Control, with three options: Local Models (Your Hardware); Your Cloud (Bedrock / Vertex / Azure); Direct Provider API]

Verifiable Audit Logging

All model access, execution activity, and administrative actions are recorded in tamper-resistant audit logs designed for enterprise security review. Logs provide visibility into when processing occurred, which identities were involved, and how environments were accessed—without storing sensitive prompt or response content beyond required operational boundaries.

Immutable Logging

System, user, and administrative events

Customer-Scoped Visibility

Aligned to deployment isolation

Exportable Records

Compliance, forensics, and internal review

Every Action Has a Name Behind It

Attribution and governance are not bolted on. They are how Talos starts every session and signs every delivery — the controls SOC 2, SOX, and FedRAMP auditors ask for first.

Identity bound to every action

Every event names the human responsible by corporate email, or the service account by ID. Sessions require an authenticated identity from your IdP — no anonymous activity, no “system” placeholder.

Revocation in minutes, not weeks

When an employee is disabled in your identity provider, they cannot start new sessions and lose in-flight access within five minutes. Termination propagates without waiting on a manual offboarding queue.

Bot identity separate from the developer

Delivery happens through dedicated bot identities, distinct from a developer’s personal credentials. The developer triggers, the bot signs and pushes, the reviewer approves — three identities, three audit entries for clean segregation of duties.

Admin policy as a hard floor

Isolation, network, approval, and audit requirements are set once by your security team and delivered as signed, versioned policy. Developers cannot weaken them from the command line or local config.

Containment You Can Attest To

Talos models runtime safety on two independent axes, and your organization policy — carried in the encrypted license bundle, not set by individual developers — decides which combinations a user is permitted. Every option runs locally on your own machine; there is no third-party cloud sandbox.

Axis 1 — Containment: where commands run

Isolated sandbox container

  • Only the project workspace is mounted — SSH keys, cloud credentials, and secrets are never visible to the agent.
  • Network egress is forced through an allowlisted proxy, or cut off entirely.
  • Ending the session discards the container with no remnants — a real kill-switch.
  • The blast radius is the container, not the host, which is what makes autonomous mode safe to offer.

Per-command kernel confinement

  • For work that runs directly on the host, every shell command is confined at the kernel level.
  • Enforced by default on macOS, Linux, and Windows.
  • Read-only by default; workspace-write or full access only when policy allows.
  • Strictness is set by license policy at the corporate level — never by the developer.

Axis 2 — Autonomy: when a human is interrupted

  • Interactive · approval at every step
  • Supervised · approval on destructive actions
  • Autonomous · policy-bounded, fully logged

Encrypted End-to-End

Talos encrypts every category of data it handles — at rest on every device that touches it, and in flight across every network hop. There is no “we’ll encrypt that next quarter” surface area.

At rest

  • Audit records (AES-256): AES-256 with per-page integrity — covering the main store, write-ahead log, and temp files, with no plaintext leakage path.
  • Codebase understanding (AES-256): The structured understanding Talos builds of your codebase, encrypted in its local cache on every developer machine.
  • Session state & history (AES-256): Local session and conversation state encrypted on the developer machine.
  • License & policy bundles (AES-256): Admin policy, credentials, signing keys, and allowlists sealed in a bundle whose key is derived from your passphrase — Daedalus cannot decrypt it.
  • Stored secrets (Keychain / HSM): API keys and tokens held in the OS keychain, or HSM-backed for production signing keys.

In flight

  • Developer ↔ Portal: Auth, license refresh, and audit sync over TLS 1.2+, with certificate pinning available for high-assurance deployments.
  • Portal ↔ identity provider: SSO / SAML / OIDC over TLS 1.2+ using standard IdP protocols.
  • Portal ↔ SIEM export: Audit forwarding over TLS 1.2+, with signed-URL delivery for batch exports.
  • Frontier egress: TLS 1.2+ to the destination your policy approved, with Talos Shield governing the payload.
  • Bot identity ↔ git forge: SSH or HTTPS over TLS 1.2+, with commits signed by GPG / SSH / HSM-backed keys.
  • Air-gapped deployments: No outbound connectivity required — license, policy, and updates arrive by encrypted bundle.

What “Air-Gapped” Actually Means

The question an auditor really asks isn’t “does any traffic leave?” — it’s “does any traffic leave to a destination outside our authorization boundary?” Air-gap is a spectrum of isolation postures, and your admin policy sets which point applies across your organization.

True air-gap (Frontier disabled)

Zero external connectivity — no route off the network at all. Local models run on your own hardware; license, policy, and knowledge-base updates arrive through a scheduled offline channel.

Sovereign / trusted-endpoint (Approved-egress)

No untrusted connectivity, but a tightly allowlisted path to frontier endpoints you already hold authorization for — your own Bedrock, Vertex AI, or Azure OpenAI. A call to your own cloud is inside your compliance perimeter, not a third party.

Direct provider (Outside the boundary)

Code reaches Anthropic, OpenAI, or Google directly. This sits outside the authorization boundary and is typically disabled for regulated work — enabled only where policy permits.

Air-gapped means no untrusted external connections. And in every isolated posture, the Daedalus Knowledge Base supplies the version-current engineering authority a frozen, training-cutoff model can’t — so isolation is no longer a productivity penalty.

Security Resources & Trust Center

Security Controls

Review the technical, operational, and administrative safeguards that protect code, data, and infrastructure.

Compliance Documentation

Access policies, attestations, and supporting materials aligned to regulated enterprise requirements.

Audit & Reports

Obtain independent assessments, architecture artifacts, and validation evidence prepared for security review.

Security FAQ

Explore common security, isolation, and compliance questions from enterprise teams.
