Three products. One security-first DNA.
AEGIBIT is a platform, not a feature list. Each product solves a specific operational problem (multi-branch expense capture, AI-infrastructure security, desktop voice control), but they all inherit the same hardened substrate. The configuration files are listed below.
The products
Two shipped. One free download. All today.
PayMint
Multi-branch expense capture.
30-second voucher capture (photo + geo-tag + timestamp at the branch). Same-day visibility across every branch; HQ used to wait 5–9 days for it. Tally-ready exports. DPDP-ready.
Visit PayMint
MCP Shield
Security for the Model Context Protocol.
Open-source scanner + runtime for MCP servers. Catches tool poisoning, prompt injection, hidden-Unicode steganography, secret exposure, unsafe stdio launches.
Visit MCP Shield
Aira
Voice control for your desktop.
Wakes by voice, opens apps, drafts messages, schedules reminders, acts on your tools. Hindi, Bengali, English, four more Indian languages. Voice biometric. Local-first.
Visit Aira
Shared substrate
Five primitives every AEGIBIT product inherits.
Cybersecurity-first means each product launches with the same hardened defaults instead of bolting them on quarterly. The proof for each item is a file you can read.
Hardened response headers
Explicit Content Security Policy, HSTS + includeSubDomains, Permissions-Policy denying camera/mic/geo/payment/sensors, COOP same-origin-allow-popups, applied to every request from every AEGIBIT product.
↳ proof: next.config.ts
Per-IP rate limiting
Upstash Redis-backed limiter with in-memory fallback. Counters survive serverless cold-start scatter. Fail-open posture so a vendor outage never locks out legitimate visitors.
↳ proof: src/lib/rate-limiter.ts
Cookie-only admin auth
Iron-session encrypted httpOnly cookies. scrypt-hashed admin credentials with explicit memory bounds. No bearer tokens leak into client bundles, ever.
↳ proof: src/lib/auth.ts
Append-only audit trail
Every automation action lands in an insert-only Postgres table with full payload and identity. No UPDATE or DELETE path in application code. Designed for the auditor before the auditor was hired.
↳ proof: supabase/schema.sql agent_actions
Visitor data minimization (DPDP-aware)
Lead-capture forms store only what's necessary. Behavior score and UTM cohort are segment-level, never per-user fingerprinted. EU visitors get data export / deletion via contact@aegibit.com.
↳ proof: src/lib/validators.ts · src/lib/cohorts.ts
The complete security posture, including responsible disclosure and compliance status, lives on /security.
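A way to check the "Hardened response headers" defaults against an actual response, as an added example that is not AEGIBIT's own code. The names auditHeaders, HeaderMap and DENIED and both sample header sets are constructed here; the sensor feature names and the default-src requirement are assumptions about what "sensors" and "explicit" mean.

```typescript
type HeaderMap = Record<string, string>;

// Features the page says are denied. The three sensor names are an assumption
// about what "sensors" covers.
const DENIED = ["camera", "microphone", "geolocation", "payment",
  "accelerometer", "gyroscope", "magnetometer"];

function auditHeaders(raw: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const k of Object.keys(raw)) h[k.toLowerCase()] = raw[k].trim();
  const findings: string[] = [];

  // CSP: treated as explicit only if it sets a default-src fallback (assumption).
  const csp = h["content-security-policy"] || "";
  if (!/(^|;)\s*default-src\s/i.test(csp)) findings.push("csp: missing default-src");

  // HSTS: needs a non-zero max-age plus includeSubDomains.
  const hsts = h["strict-transport-security"] || "";
  const age = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
  if (!age || Number(age[1]) === 0) findings.push("hsts: missing or zero max-age");
  if (!/(^|;)\s*includeSubDomains\s*(;|$)/i.test(hsts)) findings.push("hsts: no includeSubDomains");

  // Permissions-Policy: a feature is denied only when its allowlist is empty, e.g. camera=().
  const allow: HeaderMap = {};
  for (const part of (h["permissions-policy"] || "").split(",")) {
    const eq = part.indexOf("=");
    if (eq > 0) allow[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  for (const f of DENIED) if (allow[f] !== "()") findings.push("permissions-policy: " + f + " not denied");

  // COOP: the page names same-origin-allow-popups.
  const coop = (h["cross-origin-opener-policy"] || "").toLowerCase();
  if (coop !== "same-origin-allow-popups") findings.push("coop: expected same-origin-allow-popups");
  return findings;
}

// Constructed sample header sets, not captured from any AEGIBIT site.
const hardened: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; object-src 'none'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Permissions-Policy": DENIED.map((f) => f + "=()").join(", "),
  "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
};
const weak: HeaderMap = {
  "Strict-Transport-Security": "max-age=0",
  "Permissions-Policy": "camera=(self), microphone=()",
  "Cross-Origin-Opener-Policy": "unsafe-none",
};
console.log(auditHeaders(hardened), auditHeaders(weak));
```

An empty findings list means the response matches the listed defaults; presence of a header alone is not enough, since camera=(self) and max-age=0 both appear in well-formed headers that do not deny or enforce anything.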
What we are not yet
No certification badges we have not earned.
AEGIBIT does not currently hold SOC 2 Type II certification (in progress), ISO 27001, HIPAA, RBI Cybersecurity Framework, or SEBI CSCRF. We will not display a badge before the auditor issues the report.
We do not have pre-built integrations with Slack, Jira, ServiceNow, Splunk, PagerDuty, or GitHub. When a specific integration becomes important to a buyer, it ships as a focused engineering slice, not a marketing claim.
For a roadmap discussion (what AEGIBIT is building next and which buyers shape the priority queue), the AEGIBIT team responds at contact@aegibit.com.
See the platform live.
Book a 12-minute PayMint demo. We walk the architecture and the product together, configuration files open, no slideware.