Runtime Security for Autonomous AI Agents

Transparent inline security layer — intercept, scan, and enforce policy on every LLM call, MCP tool call, A2A interaction, and RAG query. No agent code changes.

Deploy Now Explore Architecture
25+
Threat Categories
4
Security Layers
~0ms
Base Latency
0
Cloud Data Sent
100%
Self-Hosted
The Problem
New Attack Surface,
Old Security Tools

Autonomous agents with broad capabilities create threats traditional tools cannot address.

Prompt Injection

  • Direct instruction override in user messages
  • Hidden payloads in documents & emails
  • Multi-turn distributed sequences

Jailbreaks

  • DAN / developer mode / unrestricted mode
  • Character roleplay to bypass safety
  • "Educational purposes" framing

Data Exfiltration

  • System prompt extraction requests
  • Cross-session data leakage
  • Training data & PII extraction

Tool Abuse

  • SSRF via cloud metadata endpoints
  • Path traversal & command injection
  • SQL injection in database tools

Supply Chain

  • Poisoned MCP tool descriptions
  • Compromised Agent Cards (A2A)
  • Typosquatted package references

Indirect Injection

  • Poisoned web pages & search results
  • Injected RAG document chunks
  • Malicious API response payloads
Architecture
4-Layer Sequential Runtime

All four layers must pass. A block at any layer stops the request immediately.

01Layer
Regex + Normalizer
~0 ms

NFKC Unicode normalization, zero-width character strip, confusable substitution (Cyrillic/Greek → ASCII), HTML entity decode, recursive Base64 sub-scanning. Catches known attack variants at near-zero latency.

02Layer
Semantic Judge
~800 ms · Opt-in

LLM-powered second opinion for ambiguous Layer 1 findings. Reduces false positives on legitimate content (security docs, research) and catches novel evasion. Configurable LLM endpoint, purely additive.

03Layer
Policy Engine
~1 ms

Per-tool, per-agent allow/deny/escalate rules. Constitution-compiled rules from plain-English policy. Deny-by-default toggle for strict allowlist mode.

04Layer
Structural Invariants
HARDCODED

Always blocks: SSH keys, AWS creds, .env files, /etc/passwd, cloud metadata (169.254.169.254, GCP/Azure IMDS), audit log deletion. No config, rule, or operator can disable this layer.

Protection Surface
Protocol-Level Interception

Transparent proxies wrap each protocol's unique attack surface. Zero agent code changes.

MCP Proxy — stdio

Local process wrapping
  • Scans tool listings for injection in descriptions
  • Scans all tool call arguments before forwarding
  • Scans tool results before returning to agent
  • Returns MCP-protocol-compliant errors on block
  • Per-app identity via GRVATA_APP_ID

MCP Proxy — HTTP

Remote Streamable HTTP transport
  • Listens on local port, forwards to upstream
  • Centralized team deployment (single proxy)
  • Configurable connection pooling & keep-alive
  • HTTP 403 with JSON threat details on block
  • Upstream max sockets for high throughput

A2A Agent Proxy

Agent-to-Agent protocol
  • Scans Agent Cards for poisoned skill descriptions
  • Detects task redirect to attacker-controlled URLs
  • Blocks orchestrator impersonation attempts
  • Prevents SSRF via agent URL fields
  • Returns JSON-RPC error on block

LLM API Gateway

OpenAI-compatible proxy
  • Change one base_url — full 4-layer scanning
  • Input: all messages scanned before forwarding
  • Output: responses scanned before returning
  • Streaming: tokens scanned, fail-fast on threat
  • Session tracking via X-Grvata-Session-Id

RAG Shield

Vector store retrieval
  • Scans every document chunk before context injection
  • Catches indirect injection through knowledge bases
  • Works with any vector store or retrieval pipeline

CodeGuard

AI-generated code
  • Scans code before execution, commit, or delivery
  • Detects malicious patterns in generated code
  • Prevents backdoor and payload insertion
Features
Complete Security Toolkit
All Features Detection Protection Analysis Control

Semantic Judge

LLM-powered analysis for ambiguous findings. Reduces false positives.

Policy Engine

Per-tool allow/deny rules.

Escalation Queue

Human review for findings.

Session Tracking

Cross-message analysis.

Context Window

Full conversation analysis.

Streaming Scan

Real-time token scanning.

Data Redaction

Strips PII/secrets.

Admission Control

Pre-flight validation.

Red Team Suite

Simulate attacks & validate defenses before deployment.

Agent Sandbox

Isolated testing env.

NOVA Rules DSL

Custom detection rules.

Tool Sequences

Chain analysis.

Spotlighting

Content boundaries.

Kill Switch

Terminate rogue agents.

MAD Taxonomy

Behavior classification.

Deny-by-Default

Strict allowlist mode.

Fail-Open

Never false block.

Provider-Agnostic

Any OpenAI-compatible API.

Defense in Depth

4 complementary layers.

Bypass-Resistant

Unicode normalization.

AI Red Teaming
Test Before They Test You

Built-in red team capabilities to proactively find weaknesses in your AI agents before adversaries do.

Method 01

Automated Attack Generation

Generates prompt injection payloads tailored to your agent's system prompt and tool set.

Prompt Injection Jailbreak Encoding
Method 02

Multi-Turn Simulation

Chains attacks across multiple conversation turns to test cross-message detection.

Context Attacks Trust Building
Method 03

Tool Abuse Testing

Probes each MCP tool with malicious argument combinations and dangerous chains.

SSRF Injection Traversal
Method 04

Evasion & Bypass

Applies Unicode homoglyphs, zero-width insertions, and obfuscation techniques.

Unicode Base64 Normalization

ATLAS-Mapped Results

Every attack maps to MITRE ATLAS techniques with coverage matrix.

Gap Analysis

Identifies gaps between policy config and attack surface exposed.

Sandbox Isolation

Safe execution environment — no real tools or data accessed.

Regression Testing

Save scenarios as test suites and verify defenses post-changes.

Rule Validation

Automatically validates custom NOVA rules against payloads.

Safe Execution

Run against production-configured agents with zero risk.

Attack Vectors Tested
Prompt Injection Jailbreak Indirect Injection Tool Injection Goal Hijacking Exfiltration SSRF Path Traversal Cmd Injection SQL Injection Card Poisoning Unicode Bypass Multi-Turn Base64 Payload

Secure Your AI Agents
Before Production

Self-hosted. No code changes. No data leaves your network.

Get Started Full Documentation