Aeon AI Risk Management

One week of security research, from finding to responsible disclosure.

A static evidence record for security teams, customers, procurement reviewers, and trusted-access programs evaluating Aeon's authorization-first, human-verified defensive research capability.

Questions this page answers

What period does the CyberGuard evidence snapshot cover?
The snapshot covers July 6-12, 2026 and was frozen on July 12. Its counts will not roll forward into later weeks.
What is the difference between 101 findings and 34 disclosure records?
The 101 figure is the validated research-sprint output. The 34 figure counts records submitted or advanced through disclosure channels during the frozen reporting window. They are different denominators.
Can a reviewer verify any outcome independently?
Yes. GHSA-vg83-hcp4-5qcc is a public GitHub advisory for an MCP authorization boundary, with a fix released in DOMShell 2.0.8 and no known CVE at the freeze date.
How does Aeon control advanced cybersecurity capability?
Aeon uses owned labs, public source code, or written Rules of Engagement; human verification; prior-art and scope gates; minimal proof; code-level remediation; stop conditions; and coordinated disclosure.
Are private findings named?
No. Unpatched vendors, private advisory identifiers, exploit details, and embargoed CVEs remain excluded until an authoritative disclosure source publishes them.

Frozen reporting window

The snapshot covers July 6-12, 2026 and was frozen on July 12. Counts will not absorb later findings, status changes, advisories, or CVE assignments.

Validated research output

The research sprint produced 101 human-verified findings across 60 projects, including 4 Critical, 32 High, and 92 access-control findings.

Disclosure activity

Thirty-four records across 33 projects were submitted or advanced through disclosure channels: 25 awaiting triage, 5 confirmed, accepted, or public outcomes, and 4 closed by duplicate or program-scope controls.

Independently verifiable advisory

GHSA-vg83-hcp4-5qcc documents an MCP authorization boundary, was published July 8, 2026, and was fixed in DOMShell 2.0.8. GitHub listed no known CVE at the freeze date.

Trusted-access controls

Research is limited to owned labs, public source code, or written Rules of Engagement, with human verification, prior-art review, minimal proof, stop conditions, code-level fixes, and coordinated publication.

Defensive-use statement

Aeon requests advanced capability only for defensive source review, owned-lab validation, authorized client testing, remediation, and coordinated disclosure, not unrestricted offensive access.

Private evidence boundary

Unpatched vendors, private advisory identifiers, exploit detail, and embargoed CVEs remain excluded until an authoritative source publishes them.

Reviewer contact

Aeon AI Risk Management Corporation can provide a private walkthrough at info@airiskmanagement.ca.