eBPF kernel enforcement and hardware-anchored identity are the foundation. Natural language is the interface. Three products serve three different buyers — and feed each other.
AI agent governance with cryptographic proof. Behavioral attestation chains, kernel-level policy enforcement, one-click compliance exports your auditor can verify with openssl.
See who's watching you. Real-time surveillance graph, tracker blocking, corporate ownership chains, exposure scoring, and the Dark Mirror — a dossier of what they know about you.
Distributed shadow BGP dataset. Prefix hijack detection, jurisdiction mapping, route path history — cryptographically signed by hardware-anchored nodes across the network.
Every Personal user is a sensor node. Their anonymized data feeds the Intelligence dataset. The dataset makes Enterprise more valuable. The flywheel compounds.
The internet was built on trusted declarations: "I am who I say I am." "My traffic goes where I say it goes." Every one of those assumptions is broken. TunnelMind replaces declarations with cryptographic proof — at the layer below the OS, before anything can lie.
The MCP server is the control plane for all three products. Bound exclusively to the WireGuard interface — only reachable from inside the authenticated tunnel. A local LLM (Ollama + Mistral 7B) runs on-node. No data ever leaves for inference. Air-gapped intelligence.
You don't write eBPF rules. You don't edit YAML. You don't query BPF maps. You talk.
eBPF policy_map updated — 847 prefixes enforced. Effective immediately.
11 MCP tools expose every capability across all three products: tunnelmind_status, tunnelmind_block, tunnelmind_allow, tunnelmind_policy_set, tunnelmind_attest, tunnelmind_graph_query, tunnelmind_agent_audit, tunnelmind_node_list, tunnelmind_bgp_query, tunnelmind_identity_verify, tunnelmind_cost_of_me. The LLM decides which tools to call. You just ask.
AI agents are ungoverned endpoints. They make autonomous network requests, can be hijacked via prompt injection mid-session, and leave no auditable trace. A certificate proves who started — it proves nothing about who's driving at mile 3.
TunnelMind Enterprise doesn't certify agents. It attests their behavior.
A CISO asks: "Show me every packet my AI agents sent to a Chinese-controlled ASN in the last 30 days, prove cryptographically that none contained PII, and generate a signed report for my auditor."
TunnelMind answers in under 10 seconds with hardware-anchored proof. That capability does not exist anywhere in the market.
One click → signed ZIP verifiable with openssl and jq. No TunnelMind software required.
| File | Contents |
|---|---|
| events.json | All events in range (NDJSON, machine-readable) |
| violations.json | VIOLATION and CRITICAL events only |
| verify.sh | Hash integrity, Ed25519 sigs, chain linkage — self-contained |
| signing_key.pem | Ed25519 public key for verification |
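An added example, not TunnelMind's own code, of how an event log with the three properties verify.sh checks (hash integrity, Ed25519 signatures, chain linkage) can be built and then replayed with nothing but the public key. The field names, the canonical body and signing over the body hash are assumptions, since the page does not publish the event schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is an ASSUMED record shape; the page names no fields, only NDJSON + Ed25519 + chain linkage.
type Event struct {
	Rule     string `json:"rule"`
	Verdict  string `json:"verdict"`
	PrevHash string `json:"prev_hash"` // Hash of the preceding event; Genesis for the first
	Hash     string `json:"hash"`      // SHA-256 over the canonical body (rule, verdict, prev_hash)
	Sig      string `json:"sig"`       // Ed25519 signature over Hash
}
var Genesis = hex.EncodeToString(make([]byte, 32)) // all-zero predecessor hash anchoring event 0
// digest hashes the canonical body; map keys marshal sorted, so the encoding is deterministic.
func digest(e Event) []byte {
	b, _ := json.Marshal(map[string]string{"rule": e.Rule, "verdict": e.Verdict, "prev_hash": e.PrevHash})
	h := sha256.Sum256(b)
	return h[:]
}
// Append builds the next event, links it to prevHash and signs it with the node's private key.
func Append(priv ed25519.PrivateKey, prevHash, rule, verdict string) Event {
	e := Event{Rule: rule, Verdict: verdict, PrevHash: prevHash}
	h := digest(e)
	e.Hash, e.Sig = hex.EncodeToString(h), hex.EncodeToString(ed25519.Sign(priv, h))
	return e
}
// Verify replays the chain with only the public key: edited, reordered or deleted events all fail.
func Verify(pub ed25519.PublicKey, chain []Event) error {
	prev := Genesis
	for i, e := range chain {
		h := digest(e)
		if e.PrevHash != prev {
			return fmt.Errorf("event %d: chain linkage broken", i)
		}
		if hex.EncodeToString(h) != e.Hash {
			return fmt.Errorf("event %d: body hash mismatch", i)
		}
		if sig, _ := hex.DecodeString(e.Sig); !ed25519.Verify(pub, h, sig) {
			return fmt.Errorf("event %d: invalid Ed25519 signature", i)
		}
		prev = e.Hash
	}
	return nil
}
```

Note that silently dropping events from the tail of the chain is not detectable by this replay alone; an auditor also needs the expected head hash or event count from a source outside the ZIP.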
| Rule | Verdict | Trigger |
|---|---|---|
| CRED-CRITICAL | BLOCK | Credentials → suspicious destination |
| AGENT-GOV-BLOCK | BLOCK | Agent → government-attributed infra |
| EU-PII-BLOCK | BLOCK | PII to data broker — GDPR Art. 5 |
| CN-PII-BLOCK | BLOCK | PII/financial → China jurisdiction |
| AGENT-SOURCECODE-AUDIT | AUDIT | Agent source code → external |
| SURVEILLANCE-WARN | WARN | Traffic to surveillance actor |
| DEFAULT-ALLOW | ALLOW | No rule matched |
Every tracker, data broker, and fingerprinting script is identified, attributed to its corporate parent, mapped to its jurisdiction, and assigned a dollar value. You see everything. Then you block what you want — in plain English.
Your complete surveillance dossier — exactly as an advertiser sees you. Estimated age, income bracket, health indicators, political leanings, purchase intent. Generated from your telemetry and LLM inference. Shareable. The viral hook: "I sent my data to 847 companies last month."
Every node — Enterprise or Personal — passively observes BGP routing from its vantage point. Observations are signed by hardware identity and aggregated into a dataset that answers questions no commercial dataset can. The dataset compounds with every deployed node. It cannot be replicated without the sensor network. This is the long-term moat.
The internet is splitting. China's Great Firewall, Russia's RuNet, the EU's data sovereignty mandates, emerging regulations in India and Brazil — the assumption of a single global internet is already dead. What remains is a set of incompatible regulatory zones with conflicting rules about where data can go, who can see it, and what happens when those rules are violated.
Every multinational is going to need jurisdiction-aware routing. Not as a feature. As infrastructure. Traffic to an EU customer can't touch a US server that falls under FISA 702. Traffic from a Chinese subsidiary can't transit an ASN controlled by a sanctioned entity. A packet's path through the internet is now a compliance question — and today, nobody can answer it with proof.
The problem is getting worse, not better. BGP doesn't know about jurisdictions. IP addresses don't carry citizenship. Routers don't read regulations. The gap between what the law demands and what the network can prove is widening every year. The fines are measured in tens of millions. The reputational damage is immeasurable.
TunnelMind is building the infrastructure to navigate this. All three products converge on this problem:
A multinational's DPO asks: "Prove that no EU citizen PII transited a non-adequate jurisdiction in the last quarter. Sign the proof cryptographically. Generate a report my regulator will accept."
The Shadow BGP dataset maps every prefix to a jurisdiction. The eBPF enforcement layer ensures packets obey the jurisdiction graph. The attestation chain proves it happened. The compliance export packages the proof. The LLM translates the question into the query.
That's not three products. That's one answer assembled from three products that each do their job.
The moat compounds on two axes: The Shadow BGP dataset gets more accurate with every deployed node. The jurisdiction policy graph gets smarter with every regulatory change the LLM ingests. Both improve automatically over time. A competitor starting today would need years of deployed sensors and accumulated routing intelligence to match what TunnelMind's network has already observed.
| Exclusion | Rationale |
|---|---|
| Agent identity certificates | Can't prove what happens after prompt injection. Behavior attestation scales. Identity doesn't. |
| Profile poisoning | Contradicts observation-only thesis. Degrades telemetry. Legal exposure. |
| BGP route injection | Read-only observer. Never modifies routes. Trust and legal boundary. |
| Cloud LLM inference | Local only (Ollama + Mistral). No data leaves the node. Air-gapped. |
| Standard | Application |
|---|---|
| IEEE 802.1AR-2018 | LDevID certificate structure. 24hr TTL. Hardware-anchored identity. |
| TCG TPM 2.0 §18.4 | TPM2_Quote for PCR attestation. |
| GSMA SGP.02 | eUICC/iSIM EID — Tier 0 on-die identity. |
| NIST SP 800-207 | Zero Trust Architecture enforcement. |
| RFC 4271 / 8210 | BGP-4 observation. RPKI validation via RTR. |
| NIST FIPS 186-5 | Ed25519 signatures on attestation events. |
| NIST PQC ML-KEM | Post-quantum key exchange readiness. |
| GDPR Art. 5, 9, Ch. V | Cross-border data enforcement. |