Deniability infrastructure
for AI agents.
When your agent gets prompt-injected and surrenders its context, what leaks is a decoy. Per-tenant key isolation, shape-correct decoys across forty credential types, hash-chained audit log with RFC 3161 timestamps. Built for engineering teams shipping AI agents that hold many users' secrets.
One ciphertext. Two truths. The bytes don't betray which one is real.
Your agent will be prompt-injected. Plan for what leaks.
Behind every consumer-facing AI agent sits a vault of OAuth tokens, API keys, refresh tokens, and credentials for thousands of customers. One well-aimed prompt injection and the agent surrenders whatever sat in memory. Standard secret managers (AWS KMS, HashiCorp Vault, 1Password, Doppler) protect the bytes from outsiders. They have no answer for an authenticated agent that has been talked into reading its own context aloud. deny.sh does, and it sits on top of the secrets manager you already run.
The agent only sees the decoy
Each tenant gets a unique decoy bundle: OpenAI keys, AWS credentials, Stripe secrets, JWTs, recovery phrases, Postgres URIs. Shape-correct, validator-gated, structurally indistinguishable. The real keys live behind a control key the agent was never handed.
One breach, one tenant
Per-tenant key derivation, per-tenant audit log, per-tenant rate limits. A compromised agent leaks one customer's decoys, not the whole fleet. The blast radius matches the threat model.
Hash-chained, RFC 3161 timestamped
Every encrypt, decrypt, and key access lands in a tamper-evident chain with independent TSA receipts. After an incident you prove what actually happened. Your regulator verifies the receipts without trusting us.
Decoy bundles double as silent tripwires. Hash any bundle in the browser, arm it once, and the moment an attacker reads those bytes you get paged through Datadog, PagerDuty, or Slack within roughly five seconds. See the loop.
$999/mo, hands-on onboarding, named SLA. Smaller workload? Agents Starter at $299/mo is the self-serve infrastructure rung. Free SDK below.
Standard encryption only has one answer.
When someone has the bytes (a stolen backup, a seized device, a prompt-injected agent), there's only one plaintext to recover. If they have the right key, it's game over.
deny.sh changes that. The same ciphertext decrypts to different content depending on which key you use. One key gives the real plaintext. Another gives a plausible decoy. No forensic tool can tell which is which because mathematically there's nothing to tell. Both decryptions are valid. The bytes don't betray you. This is the primitive the Agents Infrastructure runs on; it also works fine for a single seed phrase in a browser.
How it works.
Three steps. One ciphertext. Two truths.
You set two passwords once. They never change. Encryption uses both to derive the key and produces a control file alongside the ciphertext. Change the control file (with the same two passwords), change what the ciphertext decrypts to.
Write your own (a low-balance wallet, old notes, anything plausible) or let the realism engine generate one. deny.sh computes a second control file that opens the same ciphertext to the decoy. You hide the real one. The decoy goes somewhere findable.
The encrypted file never changes. If the bytes leak, the first control file an attacker finds is the decoy. They decrypt, they see something plausible, they walk away. No hidden partition. No second header. The mechanical tells (file size, decoy checksums) are closed by construction.
Decoys you couldn't write yourself.
A static decoy pool is a fingerprint. Generate the same fake bitcoin wallet twice and the second one is recognisable. The realism engine generates shape-correct decoys across 40 credential types on demand, runs each candidate through a deterministic validator, and returns only what passes. Different bytes every time.
sk-proj-1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t…
include error famous fantasy parade mountain spatial void stumble loyal shop segment
FR47 3915 7204 8629 1048 57
postgres://admin:x7kQ9mP2rL4vW8nJ@db-prod-01.acme-internal.net:5432/maindb
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzQ1NiIsImlhdCI6MTcxNTAwMDAwMH0…
4532 1872 3456 7891
All six examples are real engine output. Validator-gated. Read the architecture.
You'll know the moment a decoy is touched.
Realistic decoys protect the real data. Tripwires tell you when someone reaches for the decoy. Hash a fake credential locally, register the 32-byte fingerprint with us, and the moment that byte string shows up at a decrypt endpoint anywhere in your tenant we fire a critical audit-chain event and page you through Datadog, PagerDuty, or Slack within ~5 seconds. Only the hash crosses the network; the decoy bytes stay yours.
Fires before the attacker reads anything.
You hash a decoy controlData file (the deniable-encryption fingerprint). We check it before the decrypt runs. Wrong password? Still fires. Right password? Still fires. The match happens on the hash alone, so the alert is independent of whether the attacker has the right key.
Drop the decoy controlData in a README, an internal wiki, an over-privileged S3 prefix, the customer-support inbox. The first time anyone runs /api/decrypt against it, you're paged.
Fires the moment the bytes are recovered.
You hash a decoy plaintext (a fake API key, a fake seed phrase). We check it after a successful decrypt against the recovered plaintext. If the attacker has both passwords, decrypts the ciphertext, and the result hashes to a fingerprint you armed: you're paged inside the 5-second envelope.
Pair it with the realism engine. Generate a sample agent bundle, click Arm This Bundle on /agents, register every fake credential as a plaintext tripwire in one round-trip. Zero infra to wire up.
# hash the decoy plaintext locally; only the hash crosses the network
HASH=$(printf '%s' "$DECOY_VALUE" | sha256sum | cut -d' ' -f1)
curl -X POST https://deny.sh/v1/decoy-tripwires \
-H "Authorization: Bearer $DENY_CONSUMER_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"tripwire_hash\":\"$HASH\",\"tripwire_kind\":\"plaintext\",\"label\":\"stripe-prod decoy\"}"Tripwires start on Pro ($199/mo, 10k cap); bulk-arm at customer-DB scale on Agents Infrastructure ($999/mo, 1M cap). Full spec on the Agents Infrastructure pillar; bulk recipe at /agents/arm-at-scale; dashboard at /dashboard/decoy-alerts.
Six questions your security team will ask.
Every encryption tool sells the maths. The conversation a procurement team actually has is about audit evidence, inheritance, billing safety, key control, integration time, and verifiable posture. We have an answer that's live for each one.
01 · live
Prove what happened, without trusting us.
Tamper-evident hash chain over every operation. RFC 3161 timestamps from an independent TSA. Your regulator verifies the receipts. We cannot fake them after the fact.
02 · live
Pass encrypted assets to a nominee.
Custodian-grade flow: verification, escalation, release. Built for crypto custody, family-office handover, and high-net-worth estate planning. Every transition writes into the audit chain.
03 · live
No surprise bills, no silently burned keys.
Per-tier daily caps. Email alerts at 80, 95, and 100 percent. Quota events join the audit chain. You see the spend before it lands.
04 · live
Hold the keys in your own AWS account.
Server-stored ciphertext wrapped under your AWS KMS CMK. Revoke us and your data goes dark. We literally cannot decrypt it.
05 · live
Wire into your stack in an afternoon.
Copy-paste adapters for eight agent frameworks (Vercel AI SDK, LangChain, OpenAI Responses, CrewAI, LlamaIndex, AutoGen, Pydantic AI, n8n) plus native MCP. SAML SSO and signed webhooks for Datadog, PagerDuty, Slack. Arm decoys as tripwires from the dashboard.
06 · live
Procurement-ready evidence on day one.
Public SOC 2 and ISO 27001 controls map. Live status page. Honest roadmap blog. Every claim links to verifiable evidence.
Every answer above is live in production. See the Trust Center or the controls map for the full evidence pack.
Install once. Five surfaces.
One primitive. One wire format. One threat model. Pick the surface that fits the workload.
# ~3 KB minified · one runtime dep (hash-wasm) · types included
Same wire format across all five. Same threat model. Encrypt in the browser, decrypt from the CLI. Encrypt from an agent via MCP, decrypt from your phone via Telegram. The bytes don't care which surface produced them.
Prefer an app to an SDK? See the deny.sh toolkit: Encrypt Anything, Seed Phrase Protector, Vault, Secret Photos →
Shipping into Vercel AI SDK, LangChain, OpenAI Responses, CrewAI, LlamaIndex, AutoGen, Pydantic AI, or n8n? Clone deny-integrations: runnable adapter repo, every example typechecked in CI. Browse the integration pages →
One ciphertext. Two plaintexts. In your browser.
No account, no install. Encrypt a real message with a real password and a decoy, decrypt both, see for yourself.
A primitive, not a product line.
Deniability isn't a feature. It's a category of infrastructure: a cryptographic primitive, an operational runtime, and a verifiable trust posture. We build all three.
Plausible by construction
One ciphertext, two passwords, two truths. SDK in TypeScript, Rust, Go, and Python. Apache 2.0. Free for any use, proprietary or open. The wedge.
Audit before you trust
Hosted API with per-tenant key isolation, hash-chained audit log with RFC 3161 trusted timestamps (365-day retention), MCP server, and named SLA. The pillar AI agent platforms and custody products run on. Paid.
Ship it five ways
Published threat model, formal construction proof, reproducible builds, signed releases, RFC 9116 disclosure pipeline. Independent audit on the roadmap.
Who this is for.
Same wire format, same threat model, same construction. The surface you reach for depends on who you are.
-
01 / hobbyist
Protecting your own bytes.
Your seed phrase. A document. A photo. A backup that might end up on a stolen laptop or a breached cloud drive. Open /encrypt, set two passwords, write a decoy message, done. You get one ciphertext and two control files (one real, one decoy). Free, browser-based, no account.
-
02 / builder
Shipping it inside your product.
Adding deniable storage to something you're building. SDK in TypeScript, Rust, Go, and Python. Apache 2.0, zero copyleft, drop-in. Pick a language,
npm install deny-sh, ship. -
03 / platform operator
Running an AI agent platform.
Serving paying customers who store secrets in agents that get prompt-injected. Per-tenant key isolation, per-tenant audit log, MCP server, named SLA. Agents Infrastructure tier, $999/mo. Agent docs.
-
04 / enterprise
On the balance sheet.
Regulated organisation, custody platform, or security product where deniability needs to land in your audit trail. Self-host or private deployment, bring your own KMS, structured audit events for SOC 2 / ISO 27001. From $25K/year.
Every tool below encrypts well. Only one can lie about what's encrypted.
| deny.sh | VeraCrypt | PGP | BitLocker | |
|---|---|---|---|---|
| Plausible deniability | ✓ | Partial | ✗ | ✗ |
| Cryptographic deniability | ✓ | ✗ | ✗ | ✗ |
| Multiple decoys from one file | ✓ | ✗ | ✗ | ✗ |
| AI-generated decoys (shape-correct, validator-gated) | ✓ | ✗ | ✗ | ✗ |
| Decoy tripwires (alerts on decoy decrypt) | ✓ | ✗ | ✗ | ✗ |
| No hidden partition needed | ✓ | ✗ | ✓ | ✓ |
| Works on single files | ✓ | Volumes | ✓ | Drives |
| API / SDK | ✓ | ✗ | CLI | ✗ |
| Tamper-evident audit trail (RFC 3161) | ✓ | ✗ | ✗ | ✗ |
| Inheritance / dead man's switch | ✓ | ✗ | ✗ | ✗ |
| Customer-controlled BYOK (AWS KMS) | ✓ | ✗ | ✗ | ✗ |
Hidden volumes are detectable by disk usage analysis. deny.sh has no volumes, no partitions, no structural tell. Full comparison.
Four trust anchors. All published. All checkable.
AES-256-CTR, Argon2id, and XOR composition. Standard primitives, open construction, no magic. A deniability product gets held to a higher bar, so we publish all four layers.
What we defend against.
What we partially defend against. What we do not defend against at all. Plain English, no equivocation.
Read /threat-model →Five-step algorithm.
Named primitives at every step (SHA-256, Argon2id, AES-256-CTR, XOR). Deniability proof sketch. KAT byte-compat across four SDKs.
Read /security →48h acknowledgement.
Coordinated disclosure. GPG key on keys.openpgp.org. RFC 9116 signed security.txt. Safe harbor for good-faith research.
Signed everything.
Signed git tags. npm / crates / PyPI / Go-module integrity. SRI on every served asset, with a machine-readable manifest at /.well-known/integrity.json.
UK operator. Cyber Essentials Certified (IASME, May 2026). Trust Center · Controls map · Status · How to verify deny.sh.
Built for teams that protect data at rest.
Custody platforms, exchanges, and security products. The same primitive that protects an individual key protects an institution's vault.
Apache 2.0 SDK, commercial app layer
Embed the SDK in any product, proprietary or open, with no copyleft surface. Application-layer (vault, dispatcher, dashboard) is dual-licensed AGPL or commercial.
On-prem or VPC, full audit trail
Run deny.sh inside your own infrastructure. Customer-controlled BYOK encryption under your AWS KMS CMK. Tamper-evident audit chain with RFC 3161 signed receipts. SAML SSO for workforce identity. Every claim mapped to SOC 2 + ISO 27001 in the public controls map.
Dedicated SLA, named escalation
99.9% uptime SLA, 30-min P1 response, named security and engineering escalation paths. UK / EU / US business-hours coverage with on-call escalation.
Agents Infrastructure at the top. Self-serve below.
One ladder. Engineering teams shipping AI agents at the top. Individual developers and consumer tools underneath. CLI and browser tools free forever.
For engineering teams shipping AI agents with secrets in context.
The hosted runtime that puts decoys in front of every prompt-injected leak. Per-tenant key isolation, scoped audit log, signed webhooks, BYOK under your AWS KMS CMK. Same construction as the free SDK; multi-tenant operational discipline on top.
- 1M API calls / month
- Per-tenant key isolation
- Per-tenant audit log
- RFC 3161 timestamps
- SAML SSO, signed webhooks
- BYOK (AWS KMS)
- MCP server (7 hosted tools)
- Named SLA + escalation
Self-serve API tiers
- 500 API calls/month
- Full encrypt, decrypt, deny
- Realism engine: 10 decoys/day
- Vault storage (25 items)
- Dead man's switch (1)
- Community support
- 10,000 API calls/month
- Full encrypt, decrypt, deny
- Realism engine: 100 decoys/day
- Vault storage (1,000 items)
- Dead man's switch (5)
- Audit log + email support
- 100,000 API calls/month
- Full encrypt, decrypt, deny
- Realism engine: 1,000 decoys/day
- Vault storage (10,000 items)
- Dead man's switch (20)
- Priority support + SLA
Between Pro and Agents Infrastructure.
250K API calls, 25K decoys/day, 365-day audit retention, Inheritance Family bundled. Self-serve via Stripe, email support. No hands-on onboarding, no named SLA. For one or two agents in production before you need the $999/mo tier.
Full pricing details · Enterprise licensing · Crypto inheritance
Plan for the agent leak, not after it.
Engineering team shipping AI agents? Get hands-on onboarding for the Agents Infrastructure plan. Building something smaller? Try the free SDK, no account needed.
What leaks is the decoy.