Distributed Exfiltration Detection
A secret can leave a model in innocent-looking pieces spread across many AI agents. No single message reveals it — the sum does. DED catches the leak that a per-message tool is blind to.
The leak no single message reveals
Data-loss tools inspect one message at a time: does this message contain a secret? That works when a leak happens in one place. It fails completely when a secret is taken a crumb at a time — one agent reveals one piece, another agent a different piece, each buried in ordinary chatter and individually harmless.
A per-message filter waves them all through, because none is suspicious on its own. Yet the aggregate of the whole swarm, across agents and over time, reconstructs the secret piece by piece. This is not a per-message problem — it is a swarm-graph problem, and it needs a system that reasons over the whole swarm.
How DED sees it
Coverage accumulator
Each protected document is chopped into spans. Every outgoing message marks which spans it touches — even reworded — and DED keeps a running map across all agents and over time. The alarm fires when the union of all conversations has revealed enough of one document. The evidence is in the sum, not the fragment.
The graph signature
Not only how much, but who and how coordinated. The tell-tale of a scattered attack: many different agents each revealing a different, non-overlapping piece of the same document — the pieces assemble like a puzzle. Natural leakage is redundant and random; a systematic attack partitions the secret.
Common-cause control
Many people legitimately asking about the same topic also accumulate coverage. DED separates coverage driven by user prompts (benign) from coverage that emerges on its own (suspicious), and counts only distinctive spans — never boilerplate. That is what keeps a busy, honest swarm from tripping a false alarm.
Per-message data-loss prevention is a crowded, commoditised market. "Detect a secret leaving fragmented across a swarm of agents, where no single conversation would ever reveal it" is not — and only a system that reasons over the swarm graph can do it. That is DED.
Proven on ourselves first
We are DED's first client — we have secrets worth protecting, so we calibrated it on our own real traffic against our own real secrets, on the live system. The result:
In plain words
Imagine a confidential document cut into pieces. One AI agent leaks one piece, another agent a different piece, each hidden inside a normal-looking message. Any ordinary leak-detector lets them all through, because no single message looks wrong. DED instead keeps a running tally of how much of the whole secret the entire fleet of agents has given away, and raises the alarm when many agents are each handing over a different piece of the same document — a puzzle assembling itself. And it does not cry wolf when people are simply discussing a subject: it only reacts when the actual secret is being rebuilt.