AI agent runtime security platform providing runtime protection for autonomous AI agents, MCP workflows, and coding assistants across enterprise environments.
| Component | Description |
|---|---|
| Agent Protector | Runtime observability and threat detection for AI agent loops and LLM interactions |
| Endpoint Protector | Enterprise AI registry, shadow AI discovery, and reputation scoring for desktop endpoints |
| CodeInjectionGuard | Runtime scanning of packages, shell commands, and file operations initiated by coding agents |
| Policy Engine | Centralized policy definition and enforcement across all protection layers |
| Telemetry Pipeline | Real-time event streaming, logging, and alerting for security teams |
| Threat Category | OWASP Top 10 for LLM Applications (2025) Reference | Protection Layer |
|---|---|---|
| Prompt injection | LLM01 Prompt Injection | Agent Protector |
| Sensitive information disclosure | LLM02 Sensitive Information Disclosure | Data exfiltration defense, auto-redaction |
| Supply chain vulnerabilities | LLM03 Supply Chain | CodeInjectionGuard package scanning |
| Excessive agency | LLM06 Excessive Agency | Agent loop tracing, policy enforcement |
| Unauthorized code execution | LLM05 Improper Output Handling (model output executed as shell commands) | CodeInjectionGuard shell monitoring |
| Data exfiltration via tool use | LLM06 Excessive Agency, LLM02 Sensitive Information Disclosure | PII/PCI/PHI policy enforcement |
| Shadow AI usage | N/A | Endpoint Protector discovery |
| MCP server compromise | N/A | MCP registry and reputation scoring |
```bash
# MDM/JAMF managed deployment for macOS endpoints
# Distributed via MDM profile with configuration payload
# Supports macOS 13+ (Ventura and later)

# Verify agent status after MDM deployment
operant-agent status

# Check that endpoint protection is active
operant-agent health-check
```

```powershell
# Group Policy or Intune managed deployment
# MSI installer for enterprise distribution
# Supports Windows 10/11 with WSL2 environments

# Verify agent status (PowerShell)
operant-agent.exe status

# Check protection status
operant-agent.exe health-check
```

```bash
# Package-based installation for Linux workstations and servers
# Supports Ubuntu 22.04+, RHEL 9+, Debian 12+

# Verify agent status
operant-agent status

# View current configuration
operant-agent config show
```
| Feature | Description |
|---|---|
| Pre-install scanning | Analyzes packages before installation by coding agents |
| Known vulnerability matching | Cross-references against CVE databases in real time |
| Typosquatting detection | Identifies packages with names similar to popular libraries |
| Dependency chain analysis | Evaluates transitive dependencies for hidden risks |
| Reputation scoring | Assigns risk scores based on package age, maintainer history, and download patterns |
| Policy-based blocking | Blocks packages that violate configured security policies |
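The following is an added worked example, not Operant's own code, showing how the typosquatting, reputation-threshold, CVE and blocked-package checks in the table above combine into a single pre-install decision. The popular-package list, the reputation feed and the policy values are constructed for illustration; the policy keys mirror the `package_scanning` block of the policy example later on this page. Note that an unscored package gets a reputation of 0 and is therefore blocked: the check fails closed.

```python
import re

# Constructed sample data: a short list of well-known package names and a toy
# reputation feed (name -> (score 0..100, known CVE count)). Not real registry data.
POPULAR = {"requests", "numpy", "urllib3", "cryptography", "pyyaml", "boto3"}
REPUTATION = {
    "requests": (95, 0),
    "reqeusts": (12, 0),            # transposition of "requests"
    "crypt0graphy": (8, 0),         # digit-for-letter substitution
    "urllib4": (30, 1),             # near miss with a known CVE
    "malicious-pkg-example": (5, 0),
    "leftpad-utils": (60, 0),       # unknown-ish package below the score floor
}

# Hypothetical policy mirroring the page's package_scanning keys.
POLICY = {
    "block_on_cve": True,
    "min_reputation_score": 70,
    "blocked_packages": {"malicious-pkg-example"},
}

# Digit look-alikes commonly used in squatted names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalize(name):
    """Canonical form for similarity: lowercase, separators removed, look-alike digits mapped."""
    return re.sub(r"[-_.]", "", name.lower()).translate(HOMOGLYPHS)


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_target(name, popular=POPULAR):
    """Return the popular package `name` imitates, or None.

    Only names that are close to but not equal to a known package are suspicious;
    very short names are skipped because one-character distance is meaningless there.
    """
    n = normalize(name)
    for p in sorted(popular):
        pn = normalize(p)
        if n == pn and name.lower() != p.lower():
            return p                          # differs only by separators / homoglyphs
        if n != pn and len(pn) >= 4 and damerau_levenshtein(n, pn) <= 1:
            return p
    return None


def assess(name, policy=POLICY, feed=REPUTATION):
    """Decide allow/block for a package an agent is about to install: (verdict, reasons)."""
    reasons = []
    score, cves = feed.get(name, (0, 0))      # unknown package => score 0 => fail closed
    if name in policy["blocked_packages"]:
        reasons.append("explicitly blocked by policy")
    if policy["block_on_cve"] and cves:
        reasons.append(f"{cves} known CVE(s)")
    if score < policy["min_reputation_score"]:
        reasons.append(f"reputation {score} below floor {policy['min_reputation_score']}")
    target = typosquat_target(name)
    if target:
        reasons.append(f"possible typosquat of '{target}'")
    return ("block" if reasons else "allow"), reasons
```

The distance threshold is deliberately tight (one edit after normalisation); loosening it to two edits catches more squats but starts flagging legitimate forks, so in practice the threshold is paired with the reputation score rather than used alone.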
| Feature | Description |
|---|---|
| Command interception | Monitors shell commands initiated by AI coding agents |
| Dangerous pattern detection | Flags commands involving `rm -rf`, `curl ... \| bash`, `chmod 777`, etc. |
| Network call tracking | Logs outbound connections initiated by agent-spawned processes |
| Process tree tracing | Maps parent-child relationships for agent-initiated processes |
| Sandboxed execution | Optionally runs agent commands in isolated environments |
| Allowlist/blocklist rules | Configurable rules for permitted and denied command patterns |
| Feature | Description |
|---|---|
| Sensitive file access monitoring | Detects reads of .env, credentials, SSH keys, and config files |
| Path-based policy enforcement | Restricts file access to defined project directories |
| Content inspection | Scans file contents for secrets before allowing agent access |
| Audit logging | Records all file access events with timestamps and context |
| Feature | Description |
|---|---|
| Full loop visibility | Traces each iteration of an AI agent’s reasoning and action loop |
| Tool call monitoring | Records every tool invocation with inputs and outputs |
| Token usage tracking | Monitors token consumption per agent session |
| Latency profiling | Measures time spent in each phase of the agent loop |
| Loop depth limits | Configurable maximum iterations to prevent runaway agents |
| Decision point logging | Captures branching decisions and reasoning chains |
| Detection Category | Description |
|---|---|
| Prompt injection attempts | Identifies injected instructions in user inputs and retrieved content |
| Goal hijacking | Detects when agent behavior deviates from stated objectives |
| Privilege escalation | Flags attempts to access resources beyond granted permissions |
| Data exfiltration patterns | Recognizes unauthorized data transfer via tool calls |
| Excessive tool usage | Alerts on abnormal frequency or volume of tool invocations |
| Hallucination-driven actions | Identifies actions based on fabricated information |
| Recursive self-modification | Detects agents attempting to modify their own instructions |
| OWASP Category (Top 10 for LLM Applications, 2023 edition) | Operant Detection |
|---|---|
| LLM01 Prompt Injection | Input/output scanning, instruction boundary enforcement |
| LLM02 Insecure Output Handling | Output validation before downstream consumption |
| LLM03 Training Data Poisoning | Runtime behavior anomaly detection |
| LLM04 Model Denial of Service | Rate limiting, resource consumption monitoring |
| LLM05 Supply Chain Vulnerabilities | Package and dependency scanning |
| LLM06 Sensitive Info Disclosure | PII/secret detection in agent outputs |
| LLM07 Insecure Plugin Design | MCP server vetting and runtime monitoring |
| LLM08 Excessive Agency | Loop tracing, action scope enforcement |
| LLM09 Overreliance | Confidence scoring and human-in-the-loop triggers |
| LLM10 Model Theft | Access control and session integrity checks |
| Feature | Description |
|---|---|
| MCP server catalog | Centralized registry of approved MCP servers and tools |
| Version management | Tracks and enforces approved versions of MCP servers |
| Configuration baselines | Defines standard configurations for registered tools |
| Access control | Role-based permissions for MCP server usage |
| Audit trail | Logs all MCP server interactions across the organization |
| Feature | Description |
|---|---|
| Endpoint scanning | Discovers unauthorized AI tools running on managed endpoints |
| Network traffic analysis | Identifies connections to known AI service APIs |
| Process monitoring | Detects AI-related processes and browser extensions |
| Usage reporting | Generates reports on shadow AI adoption across the organization |
| Risk classification | Categorizes discovered tools by security risk level |
| Feature | Description |
|---|---|
| Multi-factor scoring | Evaluates tools based on security posture, data handling, and compliance |
| Community signals | Incorporates community trust indicators and vulnerability history |
| Continuous reassessment | Scores update dynamically as new intelligence becomes available |
| Threshold-based enforcement | Blocks tools that fall below configured reputation thresholds |
| Policy Type | Scope |
|---|---|
| PII detection | Names, emails, phone numbers, addresses, SSNs in agent I/O |
| PCI compliance | Credit card numbers, CVVs, expiration dates in data flows |
| PHI protection | Medical records, health identifiers, insurance IDs |
| Custom patterns | Organization-defined sensitive data patterns via regex |
| Contextual classification | Understands data sensitivity based on surrounding context |
| Feature | Description |
|---|---|
| Inline redaction | Replaces sensitive data with tokens before agent processing |
| Reversible tokenization | Authorized users can recover original values when needed |
| Format-preserving masking | Maintains data structure while obscuring sensitive values |
| Selective redaction | Policies determine which fields to redact per use case |
| Audit logging | Records all redaction events for compliance reporting |
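The following is an added example (not Operant's code) of the detection and redaction features in the two tables above: regex detectors for email, SSN and card numbers plus a custom `PROJ-` pattern, a Luhn check so arbitrary digit runs are not redacted as cards, format-preserving masking for card numbers, HMAC-derived reversible tokens for everything else, and an audit log that records tokens rather than raw values. The detectors, the sample text and the fixed demo key are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed detectors: deliberately narrow illustrations, not a complete PII
# catalogue. The custom pattern mirrors the PROJ-XXXXXXXX example on this page.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, separators allowed
    "custom:internal-project-id": re.compile(r"\bPROJ-[A-Z0-9]{8}\b"),
}


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Redactor:
    """Inline redaction applied before text reaches the agent.

    Card numbers get format-preserving masking (structure kept, last four digits
    visible, not reversible). Everything else is replaced by an HMAC-derived token:
    the same value always maps to the same token within a session, so the agent can
    still correlate records, while the originals sit in a vault that only an
    authorized caller may read back.
    """

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.vault = {}          # token -> original value

    def _token(self, kind, value):
        tag = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
        return f"<{kind.upper()}:{tag}>"

    def redact(self, text):
        events = []              # audit entries carry the token, never the raw value
        for kind, rx in DETECTORS.items():
            def repl(m, kind=kind):
                value = m.group(0)
                if kind == "card":
                    if not luhn_ok(re.sub(r"\D", "", value)):
                        return value            # digit run that is not a card number
                    out = re.sub(r"\d", "*", value[:-4]) + value[-4:]
                else:
                    out = self._token(kind, value)
                    self.vault[out] = value
                events.append((kind, out))
                return out
            text = rx.sub(repl, text)
        return text, events

    def restore(self, text, authorized):
        """Reversible tokenization: only an authorized principal gets originals back."""
        if not authorized:
            raise PermissionError("token reversal requires an authorized principal")
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text


# Constructed sample input (fictional values; 4111... is a well-known test card number).
SAMPLE = ("Ticket PROJ-AB12CD34: customer alice@example.com, SSN 219-09-9999, "
          "card 4111 1111 1111 1111, order ref 1234 5678 9012 3456")


def redact_sample():
    r = Redactor(key=b"constructed-demo-key")   # fixed key only so the demo is deterministic
    out, events = r.redact(SAMPLE)
    return r, out, events
```

Keying the token on an HMAC rather than a plain hash matters: with a public hash an attacker who sees tokens can confirm guesses of the underlying value offline, whereas the HMAC key stays with the redaction service.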
```yaml
# Example policy configuration structure
policy:
  name: "production-agent-security"
  version: "1.0"
  scope:
    environments: ["production", "staging"]
    agent_types: ["coding-assistant", "data-analyst"]
  code_injection_guard:
    package_scanning:
      enabled: true
      block_on_cve: true
      min_reputation_score: 70
      blocked_packages: ["malicious-pkg-example"]
    shell_monitoring:
      enabled: true
      # Patterns use regular-expression syntax (note the ".*"), so the pipe must be
      # escaped: an unescaped "curl.*|.*bash" is an alternation that matches any
      # command containing "curl" or "bash", not a download piped into a shell.
      blocked_patterns:
        - 'curl.*\|.*bash'
        - 'rm -rf /'
        - 'chmod 777'
      allow_network_calls: false
  data_protection:
    pii_detection: true
    pci_detection: true
    phi_detection: true
    auto_redaction: true
    custom_patterns:
      - name: "internal-project-id"
        regex: "PROJ-[A-Z0-9]{8}"
        action: "redact"
  agent_limits:
    max_loop_iterations: 50
    max_tool_calls_per_session: 200
    max_tokens_per_session: 100000
    require_human_approval:
      - "file_delete"
      - "network_request"
      - "database_write"
```
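The following is an added example (not Operant's code) of how the `agent_limits` and `require_human_approval` settings above, together with the loop depth limits and tool call monitoring described earlier on this page, can be enforced around an agent loop. Budgets are checked before any side effect, so a runaway agent is halted rather than executed and then logged. The `allowed_tools` key, the approval callback signature and the scripted agent are assumptions of the example.

```python
from dataclasses import dataclass, field

# Limits copied from the agent_limits block of the policy above. `allowed_tools`
# and the approval callback shape are assumptions of this example, not part of
# the page's policy schema.
POLICY = {
    "max_loop_iterations": 50,
    "max_tool_calls_per_session": 200,
    "max_tokens_per_session": 100_000,
    "require_human_approval": {"file_delete", "network_request", "database_write"},
    "allowed_tools": {"file_read", "file_write", "file_delete", "network_request",
                      "database_read", "database_write", "search"},
}


@dataclass
class Session:
    iterations: int = 0
    tool_calls: int = 0
    tokens: int = 0
    trace: list = field(default_factory=list)   # decision-point log


def guarded_run(next_action, approve, policy=POLICY):
    """Drive an agent loop under the policy.

    next_action(session) returns the agent's proposed step as
    {"tool": name, "args": {...}, "tokens": n}, or None when it reports completion.
    approve(tool, args) is the human-in-the-loop hook. Returns (status, session).
    """
    s = Session()
    while True:
        if s.iterations >= policy["max_loop_iterations"]:
            s.trace.append(("halt", "max_loop_iterations"))
            return "halted", s
        s.iterations += 1
        action = next_action(s)
        if action is None:
            return "completed", s
        # Tokens are charged even for steps that end up denied: the model did
        # produce them, and a budget that ignores denied steps can be gamed.
        s.tokens += action.get("tokens", 0)
        if s.tokens > policy["max_tokens_per_session"]:
            s.trace.append(("halt", "max_tokens_per_session"))
            return "halted", s
        tool, args = action["tool"], action.get("args", {})
        if tool not in policy["allowed_tools"]:
            s.trace.append(("denied", tool, "not_allowlisted"))
            continue                      # denial becomes the agent's next observation
        if s.tool_calls >= policy["max_tool_calls_per_session"]:
            s.trace.append(("halt", "max_tool_calls_per_session"))
            return "halted", s
        if tool in policy["require_human_approval"] and not approve(tool, args):
            s.trace.append(("denied", tool, "approval_rejected"))
            continue
        s.tool_calls += 1
        s.trace.append(("executed", tool))
        # A real enforcer dispatches the tool here and feeds the result back.


def scripted_agent(actions):
    """Constructed stand-in for a real agent: replays a fixed plan."""
    it = iter(actions)
    return lambda session: next(it, None)


# Constructed plan exercising allowlisting and approval gating.
PLAN = [
    {"tool": "file_read", "args": {"path": "src/app.py"}, "tokens": 1200},
    {"tool": "shell_exec", "args": {"cmd": "ls"}, "tokens": 300},                       # not allowlisted
    {"tool": "network_request", "args": {"url": "https://example.invalid"}, "tokens": 400},  # needs approval
    {"tool": "file_delete", "args": {"path": "/tmp/old.log"}, "tokens": 200},           # needs approval
    {"tool": "file_write", "args": {"path": "src/app.py"}, "tokens": 2500},
]


def approve_only_tmp_deletes(tool, args):
    """Example approval hook: the reviewer allows only deletes under /tmp."""
    return tool == "file_delete" and args.get("path", "").startswith("/tmp/")


def demo():
    return guarded_run(scripted_agent(PLAN), approve_only_tmp_deletes)


def runaway_demo():
    """Agent that never signals completion: the loop depth limit must stop it."""
    step = lambda s: {"tool": "search", "args": {"q": "again"}, "tokens": 10}
    return guarded_run(step, lambda t, a: True, dict(POLICY, max_loop_iterations=5))
```

Note that denied actions still consume an iteration and their tokens; an agent that keeps proposing disallowed tools therefore runs into the loop limit instead of looping forever.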
| Operation | Description |
|---|---|
| Policy creation | Define security policies via YAML configuration or management console |
| Policy assignment | Assign policies to teams, projects, or individual endpoints |
| Policy versioning | Track policy changes with version history and rollback capability |
| Policy inheritance | Child policies inherit and can override parent policy settings |
| Policy simulation | Test policy impact in dry-run mode before enforcement |
| Conflict resolution | Automatic resolution when multiple policies apply to the same scope |
| Integration | Description |
|---|---|
| SSO providers | SAML 2.0 and OIDC integration for enterprise identity providers |
| RBAC enforcement | Role-based access control for agent capabilities and data access |
| ABAC support | Attribute-based policies for fine-grained access decisions |
| Service identity | Machine identity verification for agent-to-service communication |
| Session management | Secure session handling with configurable timeout and renewal |
| MFA enforcement | Multi-factor authentication for sensitive agent operations |
| Feature | Description |
|---|---|
| User-scoped policies | Different security policies based on user role and clearance |
| Team-based controls | Apply policies at the team or department level |
| Temporal access | Time-bound permissions for agent capabilities |
| Contextual authorization | Access decisions based on location, device, and risk score |
| Event Category | Examples |
|---|---|
| Security events | Injection attempts, policy violations, blocked actions |
| Agent activity | Loop iterations, tool calls, token consumption |
| Endpoint events | Shadow AI discovery, reputation changes, agent installations |
| Data events | PII detections, redaction actions, exfiltration attempts |
| System events | Agent health, configuration changes, policy updates |
| Target | Description |
|---|---|
| SIEM platforms | Stream events to Splunk, Sentinel, Chronicle, and other SIEMs |
| SOAR workflows | Trigger automated response playbooks on critical detections |
| Webhook endpoints | Real-time notifications to custom endpoints |
| Dashboard | Built-in visualization for security posture and agent activity |
| API access | REST API for programmatic access to telemetry data |
```yaml
# Example alerting configuration
alerts:
  - name: "critical-injection-detected"
    condition: "event.type == 'prompt_injection' AND event.severity >= 'high'"
    channels: ["slack", "pagerduty"]
    throttle: "5m"
  - name: "data-exfiltration-attempt"
    condition: "event.type == 'data_exfiltration' AND event.blocked == true"
    channels: ["siem", "email"]
    throttle: "1m"
  - name: "shadow-ai-discovered"
    condition: "event.type == 'shadow_ai_discovery'"
    channels: ["slack"]
    throttle: "1h"
```
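The following is an added example (not Operant's code) of an alert router that evaluates the three rules above against a constructed event stream and applies the throttle windows. Two details worth seeing in code: `severity >= 'high'` is evaluated as an ordered rank rather than a string comparison, and throttling is keyed per rule and per endpoint, so one noisy host cannot silence alerts from another; suppressed events are still written to the audit log and counted on the next delivered notification. The predicate functions stand in for the page's condition syntax and are an assumption of the example.

```python
import time

SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Rules mirror the three alert definitions above; predicates stand in for the
# page's condition expressions, throttle windows are in seconds.
RULES = [
    {"name": "critical-injection-detected",
     "match": lambda e: e["type"] == "prompt_injection"
                        and SEVERITY[e["severity"]] >= SEVERITY["high"],
     "channels": ["slack", "pagerduty"], "throttle": 300},
    {"name": "data-exfiltration-attempt",
     "match": lambda e: e["type"] == "data_exfiltration" and e.get("blocked") is True,
     "channels": ["siem", "email"], "throttle": 60},
    {"name": "shadow-ai-discovered",
     "match": lambda e: e["type"] == "shadow_ai_discovery",
     "channels": ["slack"], "throttle": 3600},
]


class AlertRouter:
    """Matches events to rules and throttles per (rule, endpoint).

    Throttled events are counted and reported on the next delivered notification,
    and every match is appended to the audit list, so throttling reduces paging
    noise without losing evidence.
    """

    def __init__(self, rules=RULES, clock=time.monotonic):
        self.rules = rules
        self.clock = clock
        self.last_sent = {}     # (rule, endpoint) -> timestamp of last delivery
        self.suppressed = {}    # (rule, endpoint) -> events throttled since then
        self.audit = []         # every matched event, delivered or not

    def ingest(self, event):
        now = self.clock()
        delivered = []
        for rule in self.rules:
            if not rule["match"](event):
                continue
            key = (rule["name"], event.get("endpoint", "*"))
            self.audit.append((rule["name"], event))
            last = self.last_sent.get(key)
            if last is not None and now - last < rule["throttle"]:
                self.suppressed[key] = self.suppressed.get(key, 0) + 1
                continue
            delivered.append({"rule": rule["name"], "channels": rule["channels"],
                              "event": event,
                              "suppressed_since_last": self.suppressed.pop(key, 0)})
            self.last_sent[key] = now
        return delivered


def replay():
    """Replay a constructed event stream through a fake clock (seconds)."""
    now = [0.0]
    router = AlertRouter(clock=lambda: now[0])
    stream = [
        (0,   {"type": "prompt_injection", "severity": "high", "endpoint": "dev-01"}),
        (30,  {"type": "prompt_injection", "severity": "critical", "endpoint": "dev-01"}),  # throttled
        (45,  {"type": "prompt_injection", "severity": "low", "endpoint": "dev-01"}),       # below threshold
        (60,  {"type": "prompt_injection", "severity": "high", "endpoint": "dev-02"}),      # different key
        (100, {"type": "data_exfiltration", "blocked": False, "endpoint": "dev-01"}),       # not blocked
        (120, {"type": "data_exfiltration", "blocked": True, "endpoint": "dev-01"}),
        (400, {"type": "prompt_injection", "severity": "high", "endpoint": "dev-01"}),      # window expired
    ]
    delivered = []
    for ts, ev in stream:
        now[0] = float(ts)
        delivered.extend(router.ingest(ev))
    return router, delivered
```

If the throttle key were the rule name alone, the `dev-02` injection at t=60 would have been swallowed by the `dev-01` window; keying by endpoint is the difference between noise reduction and a blind spot.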
| Integration | Description |
|---|---|
| MCP server monitoring | Runtime visibility into MCP server tool calls and data flows |
| Coding agent support | Protection for Claude Code, Cursor, Windsurf, and similar agents |
| IDE extensions | Integration with VS Code, JetBrains, and other development environments |
| CI/CD pipelines | Security scanning within automated build and deployment workflows |
| API gateways | Inspection of AI agent traffic at the API gateway layer |
| Control | Description |
|---|---|
| Tool allowlisting | Restrict which MCP tools agents can invoke |
| Input validation | Validate tool inputs against defined schemas before execution |
| Output inspection | Scan tool outputs for sensitive data before returning to agents |
| Rate limiting | Enforce per-tool and per-session rate limits |
| Approval workflows | Require human approval for high-risk tool invocations |
| Audit logging | Complete record of all MCP interactions for compliance |
| Practice | Description |
|---|---|
| Start with monitoring mode | Deploy in observe-only mode before enabling enforcement |
| Layer defense policies | Combine CodeInjectionGuard, Agent Protector, and data policies |
| Integrate with existing SIEM | Route all security events to your central logging platform |
| Review shadow AI reports weekly | Stay ahead of unauthorized AI tool adoption |
| Update reputation databases | Keep MCP and package reputation data current |
| Test policies in simulation | Use dry-run mode to validate policy changes before production |
| Define escalation paths | Map detection severity levels to response procedures |
| Maintain tool allowlists | Regularly review and update approved MCP servers and tools |