Inspiration

All of us volunteer with small nonprofits, for example the NJ food bank and AYLUS. We kept noticing the same problem: these organizations handle sensitive data (donor records, member contact info, financial details) with almost no privacy or security defenses in place. There is no IT staff, no budget, and little cybersecurity literacy. Meanwhile, attackers are increasingly using AI to scale phishing and reconnaissance against exactly these soft targets. We wanted to put that same AI power in defenders' hands and explain it in plain English, so the organizations we care about could actually protect the people who trust them.

What it does

Any staff member can scan their organization's domain to:

  • Find exposed emails, usernames, passwords, and phone numbers in live breach databases
  • Audit DNS email-spoofing protections (SPF/DKIM/DMARC)
  • Grade HTTPS and security headers, and check threat-intelligence blocklists

They then get a thorough, AI-generated action plan tailored to both the severity of the risks and their cybersecurity literacy. Aegis also includes a phishing-message classifier, an incident triage recovery guide, a security education hub, and a cryptographically signed, verifiable security badge organizations can share publicly.
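As an added example, not code from the Aegis project: an offline version of the SPF and DMARC part of the email-spoofing audit. It grades the raw TXT strings a DNS lookup would return for the apex domain (SPF) and for _dmarc.<domain> (DMARC). The grade scale, finding texts, function names and the records in SAMPLE_RECORDS are this example's own assumptions, and the sample records are constructed, not real DNS data.

```typescript
// Added example, not Aegis code: grading SPF and DMARC TXT records offline.
// Inputs are the raw TXT strings a DNS lookup would return for the apex
// (SPF) and for _dmarc.<domain> (DMARC). Names below are the example's own.

export type Finding = { severity: "high" | "medium" | "low"; message: string };
export type Audit = { grade: "A" | "B" | "C" | "F"; findings: Finding[] };

// Terms that each cost one of the 10 DNS lookups SPF permits (RFC 7208, 4.6.4).
const LOOKUP_TERM = /^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:)|^redirect=/i;

// Lowest of two grades; order is A > B > C > F.
function worst(a: Audit["grade"], b: Audit["grade"]): Audit["grade"] {
  const order = ["A", "B", "C", "F"] as const;
  return order[Math.max(order.indexOf(a), order.indexOf(b))];
}

export function auditSpf(apexTxt: string[]): Audit {
  const findings: Finding[] = [];
  const spf = apexTxt.map(r => r.trim()).filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) {
    return { grade: "F", findings: [{ severity: "high", message: "no SPF record: any host may send mail as this domain" }] };
  }
  let grade: Audit["grade"] = "A";
  if (spf.length > 1) {
    // Receivers treat duplicate records as a permanent error and skip SPF entirely.
    findings.push({ severity: "high", message: "multiple SPF records: receivers ignore SPF (permerror)" });
    grade = "F";
  }
  const terms = spf[0].split(/\s+/).slice(1);
  const allTerm = terms.find(t => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) {
    findings.push({ severity: "medium", message: "no 'all' mechanism: unlisted senders get an implicit neutral result" });
    grade = worst(grade, "C");
  } else {
    const qualifier = allTerm.length === 4 ? allTerm[0] : "+"; // a bare "all" means "+all"
    if (qualifier === "+") { findings.push({ severity: "high", message: "'+all' authorizes every sender on the internet" }); grade = "F"; }
    else if (qualifier === "?") { findings.push({ severity: "medium", message: "'?all' (neutral) gives receivers no guidance" }); grade = worst(grade, "C"); }
    else if (qualifier === "~") { findings.push({ severity: "low", message: "'~all' (softfail): move to '-all' once DMARC is at p=reject" }); grade = worst(grade, "B"); }
  }
  const lookups = terms.filter(t => LOOKUP_TERM.test(t)).length;
  if (lookups > 10) {
    findings.push({ severity: "high", message: `${lookups} lookup terms exceed the limit of 10 (permerror)` });
    grade = "F";
  }
  return { grade, findings };
}

export function auditDmarc(dmarcTxt: string[]): Audit {
  const findings: Finding[] = [];
  const recs = dmarcTxt.map(r => r.trim()).filter(r => /^v=DMARC1\b/i.test(r));
  if (recs.length === 0) {
    return { grade: "F", findings: [{ severity: "high", message: "no DMARC record: SPF/DKIM failures are never enforced" }] };
  }
  // Parse "tag=value; tag=value" pairs; values may themselves contain "=".
  const tags = new Map<string, string>();
  for (const part of recs[0].split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags.set(part.slice(0, i).trim().toLowerCase(), part.slice(i + 1).trim());
  }
  const p = (tags.get("p") ?? "").toLowerCase();
  const pct = Number(tags.get("pct") ?? "100");
  let grade: Audit["grade"];
  if (p === "reject") grade = "A";
  else if (p === "quarantine") { grade = "B"; findings.push({ severity: "low", message: "p=quarantine: spoofed mail lands in spam rather than being rejected" }); }
  else if (p === "none") { grade = "C"; findings.push({ severity: "medium", message: "p=none: monitoring only, spoofed mail is still delivered" }); }
  else { grade = "F"; findings.push({ severity: "high", message: "missing or invalid p= tag: the record is not applied" }); }
  if (pct < 100 && (p === "reject" || p === "quarantine")) {
    findings.push({ severity: "medium", message: `pct=${pct}: policy applies to only ${pct}% of failing mail` });
    grade = worst(grade, "B");
  }
  if (!tags.has("rua")) findings.push({ severity: "low", message: "no rua= address: nobody receives aggregate reports" });
  return { grade, findings };
}

// Constructed sample records for two hypothetical domains (not real DNS data).
export const SAMPLE_RECORDS = {
  "good.example": { apex: ["v=spf1 include:_spf.mail.example -all"], dmarc: ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"] },
  "weak.example": { apex: ["v=spf1 a mx +all", "some-site-verification=abc123"], dmarc: ["v=DMARC1; p=none"] },
};
```

A real scanner would feed these functions the output of a DNS TXT query for the apex and for the _dmarc label; keeping the grading pure makes it testable without network access and keeps "no record" distinct from "lookup failed".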

How we built it

React + TypeScript + Tailwind on the front end, Node.js/Express on the back end, and Claude AI (Opus 4.8) for risk synthesis and action plans. Breach data comes from live public APIs (LeakCheck), with deterministic fallbacks so every feature works even without an API key. The Express proxy handles domain crawling, breach lookups, and structured AI outputs.

Challenges we ran into

  • Rate limits: breach APIs aggressively IP-throttled us with 429s that early code misread as "clean." We rebuilt the lookup layer to record errors honestly, add backoff, and switch providers when needed.
  • Plain-language AI: getting Claude to scale its explanations to the user's literacy level without dumbing down the actual security guidance.
  • Reliability: making every check degrade gracefully so a demo never breaks on a missing key or slow API.
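The rate-limit lesson, as an added example rather than the project's own lookup code: the naive classification that turns a 429 into "clean" sits beside a version that only reports clean on a successful response, retries throttling and 5xx with exponential backoff, stops on non-retryable 4xx, falls over to the next provider, and otherwise returns "unknown". Providers here are scripted stand-ins for HTTP calls; provider names, status sequences, the query address and the option names are constructed for the example.

```typescript
// Added example, not Aegis code: a breach-lookup layer that never reports
// "clean" for a request that was throttled or failed. Providers are scripted
// stand-ins for HTTP calls; names, status codes and delays are constructed.

export type Verdict =
  | { status: "found"; count: number; provider: string }
  | { status: "clean"; provider: string }
  | { status: "unknown"; reason: string; attempts: number };

export type ProviderResponse = { status: number; body?: { found: number } };
export type Provider = { name: string; query: (q: string) => ProviderResponse };

// The bug described above: anything that is not a hit, including HTTP 429, reads as "clean".
export function naiveVerdict(r: ProviderResponse): "found" | "clean" {
  return r.status === 200 && r.body && r.body.found > 0 ? "found" : "clean";
}

// Fixed classification: only a 200 with a body may say clean; 429/5xx are retried; other 4xx stop.
export function classify(name: string, r: ProviderResponse): Verdict | "retry" | "stop" {
  if (r.status === 200 && r.body) {
    return r.body.found > 0 ? { status: "found", count: r.body.found, provider: name } : { status: "clean", provider: name };
  }
  if (r.status === 429 || r.status >= 500) return "retry";
  return "stop"; // e.g. 401/403: bad key or plan limit, retrying would not help
}

export type LookupOptions = { maxAttempts: number; baseDelayMs: number; sleep: (ms: number) => void };

export function lookup(query: string, providers: Provider[], opts: LookupOptions): Verdict {
  const reasons: string[] = [];
  let attempts = 0;
  for (const p of providers) {
    for (let i = 0; i < opts.maxAttempts; i++) {
      attempts++;
      const r = p.query(query);
      const v = classify(p.name, r);
      if (v === "stop") { reasons.push(`${p.name}: HTTP ${r.status}, not retryable`); break; }
      if (v !== "retry") return v;
      reasons.push(`${p.name}: HTTP ${r.status} on attempt ${i + 1}`);
      if (i + 1 < opts.maxAttempts) opts.sleep(opts.baseDelayMs * Math.pow(2, i)); // exponential backoff
    }
  }
  // Surfaced as unknown so the report says "could not check", never "no exposure found".
  return { status: "unknown", reason: reasons.join("; "), attempts };
}

// Scripted provider: replays the given responses in order, repeating the last one.
export function scripted(name: string, responses: ProviderResponse[]): Provider {
  let i = 0;
  return { name, query: () => responses[Math.min(i++, responses.length - 1)] };
}

// Demo with constructed providers: the first is throttled throughout, the second answers.
// The injected sleep records the backoff delays instead of waiting.
export function demo(): { verdict: Verdict; delays: number[] } {
  const delays: number[] = [];
  const providers = [
    scripted("provider-a", [{ status: 429 }, { status: 429 }, { status: 429 }]),
    scripted("provider-b", [{ status: 200, body: { found: 2 } }]),
  ];
  const verdict = lookup("alice@nonprofit.example", providers, { maxAttempts: 3, baseDelayMs: 500, sleep: ms => delays.push(ms) });
  return { verdict, delays };
}
```

In production the sleep would be an awaited timer and the query an HTTP call, but the decision logic stays the same: the three-way verdict is what lets the report distinguish "checked, nothing found" from "could not check", and the reason string is what gets logged when a provider is throttling.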

Accomplishments that we're proud of

We created an end-to-end, working product. It includes AI-personalized action plans, phishing detection, incident triage, an education hub, and a verifiable cryptographic badge, all running without requiring any paid keys.
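The signed badge, shown as an added example rather than Aegis's own implementation: an issuer signs a canonicalized JSON payload with Ed25519 using Node's built-in crypto, and a verifier checks the key id, the signature and the expiry. The payload fields, the key-id derivation, the expiry rule and the demo domain and dates are this example's assumptions.

```typescript
// Added example, not Aegis code: issuing and verifying an Ed25519-signed
// security badge with Node's built-in crypto. Payload fields, key id and
// expiry rule are this example's assumptions.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export type BadgePayload = { domain: string; grade: string; issuedAt: string; expiresAt: string };
export type SignedBadge = { payload: BadgePayload; keyId: string; signature: string };

// Canonical JSON (sorted keys) so issuer and verifier sign exactly the same bytes.
function canonical(payload: BadgePayload): Buffer {
  const sorted: Record<string, string> = {};
  for (const k of Object.keys(payload).sort()) sorted[k] = (payload as Record<string, string>)[k];
  return Buffer.from(JSON.stringify(sorted));
}

// Short fingerprint of the public key, so a verifier with several trusted keys picks the right one.
export function keyId(publicKey: KeyObject): string {
  const der = publicKey.export({ type: "spki", format: "der" }) as Buffer;
  return createHash("sha256").update(der).digest("hex").slice(0, 16);
}

export function issueBadge(payload: BadgePayload, privateKey: KeyObject, publicKey: KeyObject): SignedBadge {
  // Ed25519 takes no digest algorithm, hence the null first argument.
  const signature = sign(null, canonical(payload), privateKey).toString("base64");
  return { payload, keyId: keyId(publicKey), signature };
}

export function verifyBadge(badge: SignedBadge, publicKey: KeyObject, now: Date): { ok: boolean; reason: string } {
  if (badge.keyId !== keyId(publicKey)) return { ok: false, reason: "badge signed by a different key" };
  const sig = Buffer.from(badge.signature, "base64");
  if (!verify(null, canonical(badge.payload), publicKey, sig)) return { ok: false, reason: "signature does not match payload" };
  if (now >= new Date(badge.payload.expiresAt)) return { ok: false, reason: "badge expired" };
  return { ok: true, reason: "valid" };
}

// Demo with a fresh keypair and a constructed payload for a hypothetical domain.
export const demoKeys = generateKeyPairSync("ed25519");
export function demo() {
  const payload: BadgePayload = { domain: "good.example", grade: "A", issuedAt: "2025-01-01T00:00:00Z", expiresAt: "2025-04-01T00:00:00Z" };
  const badge = issueBadge(payload, demoKeys.privateKey, demoKeys.publicKey);
  // A shared badge whose grade someone edited after the fact.
  const tampered: SignedBadge = { ...badge, payload: { ...badge.payload, grade: "A+" } };
  const at = new Date("2025-02-01T00:00:00Z");
  return {
    badge,
    genuine: verifyBadge(badge, demoKeys.publicKey, at),
    tampered: verifyBadge(tampered, demoKeys.publicKey, at),
    expired: verifyBadge(badge, demoKeys.publicKey, new Date("2025-05-01T00:00:00Z")),
  };
}
```

The public key (and its id) is what a verification page publishes; the private key stays on the issuing server. Because the grade is inside the signed payload, a badge copied to another site or edited to claim a better grade fails verification, and the expiry forces organizations to re-scan rather than display a stale result indefinitely.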

What we learned

How to design AI prompts that adapt to the reader, how fragile third-party security APIs are and how to fail safely around them, and how much of "cybersecurity" is really a communication problem. The data exists, but non-technical teams have no way to act on it.

What's next for Aegis

Continuous monitoring with alerts on new breaches, scheduled re-scans, deeper integrations (Google Workspace/Microsoft 365), multi-domain support for larger orgs, and partnerships with nonprofit networks to onboard the organizations that need it most.

Built With

  • css
  • dkim
  • dmarc
  • hsts
  • html
  • javascript
  • …mx), https/tls certificate checks, http security header analysis (csp, …