
Aelix CoreLink · Infrastructure and API gateway
Modernize your core without ripping it out.
Aelix CoreLink wraps your mainframe, connects six instant-payment rails and four Open Banking regimes, and puts a secure, observable API edge in front of it all. Engineered to a sub-50ms p95 latency budget that the build itself enforces.
Aelix Agents · Agentic AI · Now in active build
An agentic layer over the wrap.
CoreLink now includes an agentic layer. Autonomous, tool-using agents that act through CoreLink's governed APIs, handle the routine operations work, and escalate the judgment calls to a human. Every agent is human-in-the-loop by default, runs inside your perimeter, and writes each step to the same immutable audit trail as the rest of the gateway.
Reconciliation Agent.
Investigates breaks and drift between the ledger and source systems, proposes the matching entries, and flags true exceptions for an operator to confirm.
Payment Exception Agent.
Triages failed or held payments, gathers the rail response, and recommends retry, reroute, or refund.
Incident & Failover Agent.
Watches rail and connector health and drafts the failover runbook for an operator to approve.
Agents act only through permissioned, least-privilege APIs. They never post a financial correction, a settlement, or a failover without approval. The reasoning model is a swappable component: run a local model on-prem for full data residency, or a hosted model where policy allows.
Now in active build. The first agents ship as configurable, versioned workflows.
The problem
Your core works. That is exactly why replacing it is the riskiest project on your roadmap.
Your core banking system works. It has worked for decades. That is exactly why replacing it is the riskiest project on your roadmap. A multi-year, all-or-nothing migration where a single bad cutover can take down the ledger that runs the bank.
Meanwhile the world has moved to real time. Customers expect instant payments across every rail in every market. Regulators expect Open Banking access on demand. Partners expect clean, secure APIs. Not batch files and overnight windows.
Most modernization platforms force a false choice: freeze innovation while you migrate, or bolt on fragile point integrations that quietly accumulate into the next legacy problem. CoreLink takes a different path. It wraps what you have, exposes it through a modern gateway, and lets you move workloads outward at your own pace. With no flag day and no rewrite of the system of record.
Available today
Shipped, running code. Evaluate it before a single contract is signed.
Everything in this section is shipped, running code. By default CoreLink runs end to end with zero external credentials, using deterministic simulators and sandboxes in place of live bank networks. So you can evaluate the full product before a single contract is signed.
Wrap, don't replace: mainframe modernization that fails safe
CoreLink ships credential-pluggable connectors for the four protocols that actually carry mainframe traffic.
- IBM MQ. Request/reply queues paired per workflow over Spring JMS.
- CICS Transaction Gateway. Synchronous COBOL transaction invocation via the JCA driver.
- DB2 change data capture. Debezium DB2 to Kafka for near-real-time replication off the core.
- SFTP plus COBOL copybook. Spring Integration polls a drop folder. Copybooks are parsed into structured events.
Every connector runs against a built-in simulator by default and reports its own posture (simulator vs live) through the operator console. Flip an adapter to live by setting its endpoint and credentials in config. No code changes. Critically, a connector marked live but not yet bound to a vendor SDK fails closed. It throws, rather than fabricating a result. You never ship a fake settlement.
Six instant-payment rails, one ISO 20022 model
CoreLink implements adapters for FedNow, TCH RTP, SEPA Instant (RT1/TIPS), Pay.UK FPS, NPCI UPI, and BCB PIX. Each with the right currency, per-payment ceiling, and clearing profile baked in. Every rail builds on a shared ISO 20022 pacs.008 message model, so you get one canonical payment representation across markets instead of six bespoke integrations. Each rail validates amount and currency, generates a network reference, and exercises the same dispatch path live or sandboxed.
Four Open Banking regimes, served to spec
CoreLink exposes third-party-provider endpoints shaped to each regulator's canonical path and payload.
- UK OBIE (AISP accounts and balances, v3.1)
- PSD2 Berlin Group (accounts and balances)
- India Account Aggregator (FIP discovery)
- US CFPB 1033 / FDX v6 (accounts)
Every request resolves an active consent, enforces jurisdiction and scope membership, and returns regulator-shaped data. Consent is checked on the way in, not assumed.
A secure, FAPI-ready API edge
- mTLS partner vhost. Client-certificate verification (ssl_verify_client on) and TLS 1.2/1.3, terminating FAPI-grade partner traffic before it reaches the application.
- RBAC. Role and authority enforcement across operator actions.
- MFA and OIDC/OAuth2 sign-in. For the operator console, alongside password and refresh-token flows.
- Immutable audit trail. Every privileged action is written append-only with actor, email, IP, request ID, and full before/after state, queryable from the console.
Reconciliation and drift detection
CoreLink runs reconciliation passes that compare records and surface every mismatch as a tracked drift record, with run history and per-run drift detail. So divergence between systems is caught and triaged, not discovered in a month-end surprise.
Full observability, out of the box
The infrastructure stack ships Prometheus, Grafana, Loki, and Tempo. Metrics, dashboards, logs, and distributed traces. The API exposes http_server_requests percentiles at /actuator/prometheus, so the latency numbers in your dashboard are the same numbers the gateway actually served.
Talk to us, for real
The new Request a Demo flow is a working lead-capture surface end to end. A public form on the console, server-side validation and rate limiting, persistence to Postgres, and an audit record on every submission. No dead 'Explore' links.
How it works
A wrap layer between your modern channels and your system of record.
CoreLink sits as a wrap layer between your modern channels and your system of record. Inbound API and partner traffic terminate at a hardened gateway. mTLS for FAPI partners, JWT and RBAC for operators. Requests fan out to the right connector: a payment rail adapter that builds an ISO 20022 message and dispatches it, an Open Banking endpoint that enforces consent, or a mainframe adapter that speaks MQ, CICS, DB2 CDC, or SFTP to your core.
Because every connector is credential-pluggable, the same build runs in evaluation (simulators and sandboxes), in staging, and in production. The only difference is configuration. Change-data-capture and an event spine let you progressively move read traffic off the mainframe without touching the ledger underneath. You modernize outward, workload by workload, while the core keeps doing its job.
Proof
Mechanisms you can verify. Numbers framed with conditions.
Sub-50ms p95 latency. An engineered, continuously measured budget.
CoreLink ships a benchmark harness that drives the real hot-path endpoints, records p50/p95/p99 and throughput, and fails the build if p95 exceeds 50ms. It is a budget the pipeline enforces, not a number on a slide. Absolute results depend on your deployment, and the harness records the conditions alongside them.
Throughput, measured not asserted.
The same harness reports sustained requests-per-second so capacity is evidenced under stated conditions rather than claimed.
Server-side and client-side numbers agree.
The harness scrapes the same Prometheus percentiles your Grafana dashboards plot, so the report and the dashboard tell one story.
Zero-credential evaluation.
The full product runs end to end on simulators and sandboxes. You can benchmark and trial it before provisioning a single live network.
On the roadmap
Designed, configured, and waiting on the credentials that only a live engagement can provide.
These capabilities are designed, configured, and waiting on the credentials, deployments, or audits that only a live engagement can provide. The code is production-ready and fails closed until they land.
Live payment-rail certification.
Network membership and conformance with FRB (FedNow), TCH, EBA Clearing, Pay.UK, NPCI, and BCB. The live dispatch override-point and per-rail config are already in place.
Live mainframe sessions.
Binding MQ, CICS TG, DB2 CDC, and SFTP to your queue managers, regions, and keypairs. The live extension points and env-driven config are shipped. They activate with your endpoints.
Published 99.99% availability SLA.
CoreLink is designed for 99.99% availability. A measured uptime record requires a live deployment plus an external monitor over time. Today's status figure is explicitly flagged as process-uptime-only, never an SLA guarantee.
SOC 2 Type II and ISO 27001.
The controls (RBAC, MFA, immutable audit, consent, data-subject handling) are in place. Formal certification is in progress and depends on an external auditor and observation window.
Security and compliance
SOC 2-aligned and GDPR-ready from the ground up.
CoreLink is built SOC 2-aligned and GDPR-ready from the ground up.
Encryption in transit.
TLS 1.2/1.3 and mTLS client-certificate verification on the partner edge.
Identity and access.
RBAC, MFA, and OIDC/OAuth2 single sign-on.
Immutable, append-only audit.
Of every privileged action with full before/after capture.
Consent-enforced data access.
Across all four Open Banking regimes, with jurisdiction and scope checks on every request.
Fail-closed connectors.
That refuse to fabricate results when a live integration is not fully bound.
GDPR-readiness is defensible by design today. SOC 2 Type II and ISO 27001 certifications are in progress (see the roadmap). We describe our posture as SOC 2-aligned until the audit completes, and we will not claim otherwise.
See it for yourself
Request your enterprise demo.
See CoreLink wrap a simulated core, dispatch across six rails, serve four Open Banking regimes, and hold its sub-50ms p95 budget. Live, on your call.
Frequently asked
Questions teams ask in the second meeting.
Do we have to replace our core banking system?
No. CoreLink is explicitly a wrap-don't-replace layer. It sits in front of your existing core and speaks to it over IBM MQ, CICS Transaction Gateway, DB2 change data capture, or SFTP/copybook. Your system of record stays the system of record. You modernize outward at your own pace, with no flag-day cutover.
The simulators are great for evaluation. How do live connections actually work?
Every rail and mainframe connector is credential-pluggable. You set the endpoint and credentials in config (or mount a prod YAML / env vars), enable the connector, and it switches from sandbox/simulator to live with no code changes. Live network certification and live mainframe sessions are the parts that require your network memberships and bank credentials. Those are clearly scoped as roadmap items, and the connectors fail closed until they are bound, so nothing is ever faked in production.
Is the sub-50ms latency a real number or marketing?
It is an engineered budget the build enforces. CoreLink ships a benchmark harness that exercises the real hot-path endpoints and fails the pipeline if p95 crosses 50ms, and it captures the same Prometheus percentiles your Grafana dashboards show. Absolute figures depend on your deployment and load, and the harness records those conditions alongside the results. We do not quote a latency number without the conditions attached.
Are you SOC 2 and ISO 27001 certified?
We are SOC 2-aligned and GDPR-ready today. RBAC, MFA, immutable audit, consent enforcement, and data-subject handling are all in place. Formal SOC 2 Type II and ISO 27001 certification is in progress and depends on an external auditor and observation window. We will not claim a certificate we do not yet hold.
How do we observe and operate CoreLink in production?
The platform ships a full observability stack. Prometheus, Grafana, Loki, and Tempo for metrics, dashboards, logs, and traces. The operator console surfaces real connector posture (which rails and mainframe protocols are live vs simulated), gateway health, reconciliation runs and drift, and the full audit trail. You always know exactly what is live and what is not.
Need this tailored to your environment?
Every Aelix product can be configured, extended, or built bespoke for your industry, data sources, and compliance constraints. Talk to our engineers about what would change.
Configurable workflows
Adapt rules, thresholds, and approval flows to match your operational policies.
Custom data integrations
Connect to your specific ERP, MES, SCADA, CRM, or proprietary systems.
Bespoke modules
Build product extensions tailored to your industry, region, or compliance needs.