Architecture previewPipeline visualizer

Watch your data move through the pipeline.

Pick a scenario. Each stage shows the request as the next layer sees it. By the end, the AI has done its work — and never met the customer.
This demo runs synthetic sample data through the same pipeline shape we ship to pilots.

Sandbox · synthetic data6 stages · 4 isolated networksReal Lucairn pipeline shape

This is an architecture simulation, not a product sign-up path. Lucairn is not a self-serve SaaS — real engagements start with an Assessment. The current launch vertical is ITSM / ServiceNow.

Scenario

Sandbox A ↔ Sandbox B: blocked at the network layerVerified by: Kubernetes NetworkPolicy + iptables rules

Gateway · API key authentication

dsa-edgeedge

Verifies the tenant API key, applies rate limits, and routes the request. The Gateway does not parse request bodies.

Input

reporter: Julia Bergmann

email: [email protected]

device: ThinkPad X1 Carbon (s/n PF3K7N2)

location: Berlin HQ, Floor 3

issue: VPN connection drops after 10 minutes of inactivity. Started since last week's update.

Output

tenant: cust_acme

tier: verified

rate_limit: ok

What this layer saw: API key only. Request body forwarded but not inspected.

latency12ms

networkdsa-edge

Sandbox A · Identity vault

dsa-identityisolated

Stores identity-bearing fields. Returns matched-entity hints to help downstream sanitizer detect fuzzy variants. Never sees AI context or inference results.

Stored

identity_fields: 3 fields

retention: 90d

Returns

known_entities: 3 hints to sanitizer

What this layer saw: identity fields only. Never sees AI context, prompts, or model responses.

latency38ms

networkdsa-identity

ID Bridge · Token service

dsa-bridgebridge

Maps the tenant's customer_id to a purpose-scoped, opaque token. The token has no mathematical relationship to the original ID. Re-linkage requires a separate authorization.

Input

customer_id: cust_acme_004821

purpose: itsm_routing

Output

(generated on run)

What this layer saw: customer_id only. No request content, no identity fields, no AI context.

latency24ms

networkdsa-bridge

PII Sanitizer · 3-layer detection

dsa-identityidentity

Runs NER + phonetics + LLM-ensemble over free-text fields. Replaces direct identifiers with placeholders and emits a redaction manifest.

Input

reporter: Julia Bergmann

email: [email protected]

device: ThinkPad X1 Carbon (s/n PF3K7N2)

location: Berlin HQ, Floor 3

issue: VPN connection drops after 10 minutes of inactivity. Started since last week's update.

Output (sanitized)

(generated on run)

What this layer saw: context field values only. No customer_id, no token, no AI response.

latency184ms

networkdsa-identity

Sandbox B · AI processing

dsa-aiisolated

Renders a prompt from (token + sanitized context), calls the model, returns a structured result tagged to the token. The model never sees identity.

Input

(generated on run)

Model output (preview)

category: network · vpn-stability

priority: P3

confidence: 0.91

resolution: restart-vpn-client + check-firmware

What this layer saw: opaque token + sanitized context. Never sees identity. Cannot reach Sandbox A.

latency612ms

networkdsa-ai

Gateway · DLP outbound scan

dsa-edgeedge

Scans the AI response for leaked PII patterns before it leaves the perimeter. If anything slipped through the sanitizer, it gets caught here.

Input

ai_response: structured JSON, 184 bytes

Output

dlp_status: clean

patterns_checked: 42 regex + 3 NER

redacted: 0 spans

What this layer saw: AI response text only. Pattern-detection on the way out — last line of defense.

latency42ms

networkdsa-edge

Want to see the pipeline on your data?

Real engagements start with an Assessment — we walk through your stack, your data, and the audit obligations you actually face. No self-serve sign-up.

Talk to sales Read how it works