Aether AI
Your surface

Monitoring tiers

The status set that decides how closely Aether AI watches each asset, from passive change monitoring to active exploitability validation.

Every asset Aether AI discovers carries a status. That status is not a label for its own sake. It decides how much work Aether AI does on the asset, how closely it watches, and what it costs. Moving an asset up the set turns on deeper analysis; moving it back down stops that work again. This is how you point attention (and spend) at the surface that matters, rather than treating everything the same.

The status set

An asset is always in exactly one of five statuses. This is a closed set. Aether AI does not use any status outside it.

  • Discovered: Aether AI has found the asset from your seeds but has not confirmed it as yours to watch. It sits in the queue for a decision.
  • Confirmed: the asset is acknowledged as part of your surface. It is tracked, but no active or passive analysis runs against it yet.
  • Monitor: passive monitoring is on. Aether AI keeps an eye on the asset and alerts you when it changes, without touching it in any intrusive way.
  • Monitor Plus: everything Monitor does, plus active exploitability validation on top. This is where Aether AI starts checking what a commodity attacker could actually reach.
  • Ignored: the asset is set aside. Aether AI keeps a record of it but does no ongoing work against it.

The two statuses that drive real analysis are Monitor and Monitor Plus. They are also the two that meter cost, because they are the two where Aether AI is spending effort on the asset.

Monitor: passive monitoring

At the Monitor tier, Aether AI watches an asset passively. It does not try to exploit anything. It builds and maintains a factual picture of the asset and tells you when that picture moves.

Two forms of passive enrichment run here:

  • Port Analysis takes an open-ports inventory of the asset via a port sweep, so you know what is listening.
  • Technology Detection fingerprints the technologies and versions the asset is running.

Both of these alert on change. If a new port opens, or a technology or version shifts, that is a signal worth seeing, and Aether AI surfaces it. Both also feed the validation layer above, so the deeper work in Monitor Plus starts from an accurate, current view of the asset rather than a stale one.

Monitor Plus: active exploitability validation

Monitor Plus is Monitor with the Conventional Attack Surface capability layered on top. Passive monitoring keeps running underneath; on top of it, Aether AI continuously and non-destructively validates what a commodity adversary using generally available tooling could exploit on the asset.

This is validation, not exploitation. It checks; it does not brute force, change state, or exfiltrate data. Findings from this work split into two bands: things that are directly exploitable, and weaknesses that would ease an attack without being exploitable on their own. When a re-validation no longer observes a finding, Aether AI auto-resolves it, so the picture stays honest over time.

Monitor Plus is the commodity baseline for an asset. It is deliberately not the ceiling: the frontier-level work, where autonomous offensive agents chain weaknesses and defeat authentication, is a separate capability that runs against explicitly authorised scope, not something a tier switch turns on.

Monitor vs Monitor Plus in one line

Monitor answers "what is this asset, and has it changed?" through passive port and technology analysis with change alerts. Monitor Plus answers, on top of that, "what could a commodity attacker actually reach here?" through continuous, non-destructive exploitability validation. Monitor Plus is the more expensive tier because it does the deeper work.

Monitoring an identity

Not every asset is a host. People are part of your attack surface too, because an attacker who cannot break your infrastructure will often go after the humans attached to it. A person asset has no ports and no running software, so Monitor and Monitor Plus mean something different for an identity than they do for a host. The tiers keep their spirit, watch versus go deeper, but the substance is intelligence about the person rather than a scan of a machine.

Monitor watches what an adversary already holds about the person. This is exposure that exists whether or not the person did anything wrong, because it was leaked, traded or dumped somewhere else. Aether AI watches for compromised credentials tied to the identity, recovered from infostealer and stealer-log intelligence, and for the person turning up in breach data and on dark-web forums. When any of it surfaces it becomes a finding on that identity, the same way a host finding attaches to a host.

Monitor Plus assesses what an adversary could weaponise about the person. This is the deeper layer that looks past what has already leaked to the exposure an attacker would build an attack from. It covers supply-chain risk tied to the person, high-risk developer practices such as secrets committed to public repositories or careless handling of code and dependencies, and high-risk information exposed on the person's public online accounts, the kind of detail an adversary uses for targeting, impersonation and social engineering.

The split mirrors the host model. Monitor answers "what does an attacker already know about this person?" Monitor Plus answers, on top of that, "what could an attacker do with this person?" And as with hosts, the deeper tier is the more expensive one, because it does the deeper work.

Identities are watched, never scanned

Aether AI never points a scanner or an exploit check at a person. Identity monitoring is entirely intelligence-driven: it watches what already exists about the person in the wider world and assesses how an adversary could use it. The active, exploit-oriented validation stays on hosts.

Downgrading, and what it costs

Because the tiers meter cost per asset, the status you set is a direct decision about spend. Monitor and Monitor Plus are the priced tiers; Discovered, Confirmed and Ignored do no ongoing analysis and so carry none of that per-asset cost.

Downgrading an asset stops the deeper work immediately. Drop an asset from Monitor Plus to Monitor and the active exploitability validation stops while passive monitoring continues. Drop it further and the passive work stops too. There is no penalty to reaching for a higher tier on the assets that warrant it and staying passive, or set aside, on the ones that do not. That is the point of the tiers: you decide where the effort goes.

What you do with it

In practice you promote the assets you care about and leave the rest. A newly discovered asset that is genuinely yours moves to Confirmed, then to Monitor once you want change alerts on it, then to Monitor Plus when you want to know what a commodity attacker could reach. Anything that is noise, or out of scope, goes to Ignored and stops consuming attention. Because tiers meter cost, this is also how you keep spend aligned with the surface that actually matters to you.

On this page