What I'm building into AEGIS this year

Roadmap update from the founder. What shipped (autonomous agent, dark-web exposure, send-on-your-behalf), what got cut (GRC), and what's next for the rest of 2026.

Ritchy Joseph
April 2026 · 6 min read

I wrote a version of this post a few months ago. The roadmap I committed to then was wrong in interesting ways. Here’s what actually shipped, what got cut, and what’s on deck for the rest of 2026. For the people in the private beta who keep asking “what’s next?” — and for anyone deciding whether AEGIS is what they thought it was.

Solo founder. Pre-revenue. Two-person team at Axivum. Shipping weekly.

Honest warning: these are my intentions, not promises. I’ve missed my own ship dates before. I’ll miss them again. I’m publishing this anyway because being coy about the roadmap is worse.

What changed since the last roadmap post

The biggest thing: I dropped GRC entirely. Risk register, policy library, evidence vault, compliance frameworks — all of it. The work was real and I’m proud of what I built, but it didn’t earn its scope. Compliance theater isn’t where the leverage is. Removing it sharpened what’s left and let me ship the things below faster.

The second thing: AEGIS stopped being “an analyst workspace” and became an autonomous security agent. The product is the agent now, not a dashboard the agent lives in the corner of. That’s a positioning change, but more importantly it changed what I build.

What I said I’d ship and did

From the previous roadmap, four things actually shipped:

  • SIGMA + YARA rule generation. The detection-rules-that-actually-deploy promise. Generator works for the straightforward techniques. Behavioral / correlation-based rules still need work, but the round trip from gap to deployable rule is real.
  • EPSS + curated OSINT. CISA KEV, MITRE ATT&CK v16.1, EPSS, SANS ISC, plus five RSS press feeds (CISA, BleepingComputer, Hacker News, Krebs, Dark Reading), refreshed every 10 minutes.
  • Report templates. White-label PDF + PPTX. Per-client templates, mix-and-match sections.
  • Threat-actor catalog. Live MITRE ATT&CK Groups, ~150 actors, refreshed from the upstream STIX bundle.

What I shipped that wasn’t on the original roadmap

This is the more interesting part. Three big things showed up because the work pulled me there:

Dark-web exposure tracking. HIBP, BreachDirectory, GitHub Code Search across the open web, plus Hudson Rock infostealer / botnet feeds on the Business tier. The agent watches your domain and your stack’s exposure in parallel. New CVE drops — here are the credentials already leaked. New stealer log batch — here’s the one that includes a session token from your VP of finance.

The autonomous tier (T2-AUTO). Five autonomous actions running on a daily cron without asking permission first — drafting incident records from sector-relevant signals, updating threat priorities based on what AEGIS observed, sending weekly digests, the rest. Every action lands in an audit log with a confidence score, every action is reversible. You can pause the whole thing per-tenant with one switch.

Send-on-your-behalf (T3). AEGIS can now actually email a drafted briefing for you. Not “here’s the text, you copy-paste it.” Hard-confirm card with recipient + subject + body preview, then a 5-second undo window after you click Send. The countdown lives on the client — cancel during it and zero network requests fire. This is the line between an advisory tool and an actual operator.
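A minimal sketch of the client-side undo window described above, added here as an illustration and not AEGIS's own code. Every name in it (`PendingSend`, `transport`, the injectable `timers`) is hypothetical; it shows that cancelling during the countdown means the network call is never made, and that the message is frozen at confirm time so what goes out is what the preview showed.

```javascript
// Added illustration; every name here is hypothetical, not AEGIS's code.
class PendingSend {
  // transport: function(message) that performs the only network call.
  // timers: injectable {set, clear} so the countdown can be driven in tests.
  constructor(transport, delayMs = 5000, timers = {
    set: (fn, ms) => setTimeout(fn, ms),
    clear: (handle) => clearTimeout(handle),
  }) {
    this.transport = transport;
    this.delayMs = delayMs;
    this.timers = timers;
    this.state = "idle"; // idle -> counting -> sent | cancelled
    this.message = null;
    this.handle = null;
  }

  // Called when the user clicks Send on the confirm card. The fields are
  // copied and frozen so later edits to the draft cannot change what is
  // sent after the user approved the preview.
  confirm(draft) {
    if (this.state !== "idle") throw new Error("already " + this.state);
    for (const field of ["recipient", "subject", "body"]) {
      if (typeof draft[field] !== "string" || draft[field] === "") {
        throw new Error("missing " + field);
      }
    }
    this.message = Object.freeze({
      recipient: draft.recipient, subject: draft.subject, body: draft.body,
    });
    this.state = "counting";
    this.handle = this.timers.set(() => this.fire(), this.delayMs);
  }

  // Undo: clear the timer before anything has touched the network.
  cancel() {
    if (this.state !== "counting") return false; // too late or never started
    this.timers.clear(this.handle);
    this.state = "cancelled";
    return true;
  }

  // Runs when the countdown expires. The state check stops a late timer
  // callback from sending after a cancel, and from sending twice.
  fire() {
    if (this.state !== "counting") return;
    this.state = "sent";
    this.transport(this.message);
  }
}
```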

What I cut after starting

Read-only client portal. Last roadmap promised this. Beta users told me — in nicer words — that they’d rather AEGIS get sharper at the agent work than build a second consumer surface. Cut.

Direct vendor advisory feed integrations. Postponed. The curated OSINT plus the threat-actor catalog covers the same ground for the kind of customer AEGIS serves today.

What’s on deck for the rest of 2026

Three things, in order:

1. More T2-AUTO + T3 actions. The autonomous tier is small — 5 actions today. The next batch: auto-bulk-import tools from a CSV, auto-generate exec briefings on a sector-news trigger, auto-export evidence for vendor reviews. Each one is a workflow that beta users have actually asked for, not a guess.

2. The notifications stream gets richer. Three kinds today: KEV hits, coverage drop, sector-relevant campaigns. Adding: peer-benchmark drift, scheduled-report bounce / undeliverable, and an “AEGIS noticed something weird” bucket for the long tail. The dashboard chat surfaces them as “while you were away” bubbles, no extra UI to learn.

3. A small REST API. Still on the list. Read-only. Coverage + KEV + risk-score endpoints. Key auth, no OAuth. Narrow on purpose — if it gets used I’ll expand, if it doesn’t I’ll delete it.

What I’m deliberately not building (still)

AEGIS is not a SIEM. Not an EDR. Not a SOAR. Not an alert-triage tool. Every time I’m tempted to add a log ingestion pipeline or an endpoint agent, I remind myself I’m one person and those are entire companies. AEGIS’s leverage is the work around the SOC — the intelligence, the exposure tracking, the briefing-and-sending — not work inside it.

Also still not building a free tier. 10 paying customers with questions is a great day; 100 free users with questions is a bad one. Better to keep beta access free for a focused cohort than open it up to everyone and dilute attention.

How to try this stuff

Private beta, free, no card. ~50 spots open this month. If you run an SMB security team, you’re a mid-market CISO, or you run an MSSP managing multiple client orgs, request beta access. I read every request personally and reply within a business day. If it’s not a fit yet, I’ll tell you plainly.

If you just want to hear more about how it works (or how it’s built) — support@axivum.io goes straight to me. Always happy to talk shop.


Written while building AEGIS. Reply to the next newsletter or email me directly.
