|
| 1 | +--- |
| 2 | +title: Agent Security Tooling Landscape — April 2026 |
| 3 | +description: A neutral overview of the agent security, policy enforcement, and governance space as of April 2026. |
| 4 | +--- |
| 5 | + |
| 6 | +_Published 2026-04-16_ |
| 7 | + |
| 8 | +We've been mapping the agent security space since March 26, 2026, while building Agent Receipts. This post is our working view of the landscape as of April 2026 — the tools, the architectural approaches, the primitives that are converging, and the gaps that remain. |
| 9 | + |
| 10 | +## Executive Summary |
| 11 | + |
| 12 | +The agent security space has rapidly matured. Every major architectural approach — MCP proxying, egress firewalling, kernel-level enforcement, application-level policy engines, and enterprise gateways — now has at least one serious implementation. Microsoft's entry (Agent Governance Toolkit, April 2026) is the most comprehensive single project, covering policy, identity, compliance, and SRE across five language SDKs. |
| 13 | + |
| 14 | +The space segments into four layers: |
| 15 | + |
| 16 | +| Layer | What it does | Key players | |
| 17 | +|---|---|---| |
| 18 | +| **MCP Gateways** (commercial) | Managed proxy for MCP traffic with auth, audit, rate limiting | MintMCP, Peta, TrueFoundry, Lasso, Gravitee, Traefik Hub | |
| 19 | +| **Agent Firewalls** (open-source) | Intercept + scan agent traffic (MCP and/or HTTP) | Pipelock, mcp-firewall (ressl), Agent Wall, mcp-firewall (dzervas) | |
| 20 | +| **Kernel-Level Enforcement** | OS-level syscall interception, sandboxing | agentsh / Canyon Road, Anthropic sandbox-runtime | |
| 21 | +| **Governance Frameworks** | Application-level policy engine, identity, compliance | Microsoft AGT, GitHub Agentic Workflows | |
| 22 | + |
| 23 | +```mermaid |
| 24 | +graph TD |
| 25 | + K[Kernel enforcement — agentsh] |
| 26 | + E[Egress proxy — Pipelock] |
| 27 | + G[MCP gateway — MintMCP / Peta] |
| 28 | + F[Governance framework — Microsoft AGT] |
| 29 | + AR["Agent Receipts — independent audit layer (spans all channels)"] |
| 30 | + K & E & G & F --> AR |
| 31 | +``` |
| 32 | + |
| 33 | +--- |
| 34 | + |
| 35 | +## Detailed Comparison: Open-Source Agent Security Tools |
| 36 | + |
| 37 | +These are the tools most relevant to an individual builder or small team entering the space. |
| 38 | + |
| 39 | +| | **Microsoft AGT** | **Pipelock** | **mcp-firewall (ressl)** | **agentsh (Canyon Road)** | **Agent Wall** | **mcp-firewall (dzervas)** | |
| 40 | +|---|---|---|---|---|---|---| |
| 41 | +| **Released** | Apr 2026 | Jan 2026 | Feb 2026 | 2025–2026 | Feb 2026 | 2026 | |
| 42 | +| **Language** | Python (primary), TS, .NET, Rust, Go SDKs | Go | Python | Go + system-level | Node.js | Rust | |
| 43 | +| **License** | MIT | Apache 2.0 | AGPL-3.0 (commercial available) | Source-available (commercial) | MIT | MIT | |
| 44 | +| **Approach** | Application middleware | Egress proxy + MCP proxy | MCP stdio proxy + SDK library | Kernel enforcement (Landlock, FUSE, ptrace, seccomp) | MCP stdio proxy | Claude Code pre-tool-use hook | |
| 45 | +| **MCP proxy** | No (framework adapters) | Yes (stdio) | Yes (stdio) | No (syscall-level) | Yes (stdio) | No (hook-based) | |
| 46 | +| **HTTP/egress proxy** | No | Yes (7-layer scanner) | No | Yes (network proxy) | No | No | |
| 47 | +| **Shell/command control** | No | No | No | Yes (shell shim, ptrace) | No | No | |
| 48 | +| **File I/O control** | No | Integrity monitoring | No | Yes (FUSE, Landlock) | No | No | |
| 49 | +| **Policy engine** | YAML + OPA/Rego + Cedar | YAML config | YAML + OPA/Rego | YAML policy | YAML config | Jsonnet | |
| 50 | +| **DLP / secret scanning** | No | Yes (regex, entropy, env leak) | Yes (response scanning) | Yes (output redaction) | Yes | No | |
| 51 | +| **Prompt injection detection** | MCP scanner module | Yes (response scanning) | Yes (8 inbound checks) | No | Yes | No | |
| 52 | +| **Cryptographic identity** | Ed25519 DIDs + ML-DSA-65 | Ed25519 signing | Ed25519 audit chain | No | No | No | |
| 53 | +| **Audit logging** | Structured + OTEL | JSON + Prometheus | JSON + signed hash chain | Structured + OTEL | JSON | No | |
| 54 | +| **Compliance reporting** | EU AI Act, NIST, HIPAA, SOC 2, OWASP | OWASP mapping | DORA, FINMA, SOC 2 | No | No | No | |
| 55 | +| **Dashboard** | No | Prometheus/stats endpoint | Yes (web UI) | Via Watchtower (commercial) | Yes (web UI) | No | |
| 56 | +| **Framework integrations** | 12+ (LangChain, CrewAI, AutoGen, etc.) | Claude Code, Cursor | Claude Desktop, Cursor, any MCP client | Vercel, E2B, Daytona, Cloudflare, etc. | Any MCP client | Claude Code, Copilot CLI | |
| 57 | +| **Trust model** | Same-process middleware | Capability separation (proxy has no secrets) | Same-process proxy | Kernel-enforced isolation | Same-process proxy | Hook-based | |
| 58 | + |
| 59 | +--- |
| 60 | + |
| 61 | +## Detailed Comparison: Commercial MCP Gateways |
| 62 | + |
| 63 | +| | **MintMCP** | **Peta (Agent Vault)** | **TrueFoundry** | **Lasso Security** | **Gravitee** | **Traefik Hub** | |
| 64 | +|---|---|---|---|---|---|---| |
| 65 | +| **Type** | Managed SaaS | Credential vault + gateway | AI platform + gateway | Security platform + OSS gateway | API gateway + MCP | Reverse proxy + MCP middleware | |
| 66 | +| **OSS component** | LLM Proxy (partial) | No | No | Yes (mcp-gateway, Apache 2.0) | No | No | |
| 67 | +| **Key differentiator** | One-click deploy, pre-built connectors | Zero-trust vault, agents never see raw keys | Low latency (3–4ms), 350+ rps | Plugin-based guardrails, PII detection (Presidio) | Protocol-aware, method-level governance | Extends existing Traefik deployments | |
| 68 | +| **Auth model** | OAuth 2.0 | Scoped time-limited tokens | OAuth 2.0 OBO | API key + plugins | Standard API gateway auth | Standard Traefik auth | |
| 69 | +| **Human-in-the-loop** | No | Yes (approval workflows) | No | No | No | No | |
| 70 | +| **Compliance** | SOC 2 | SOC 2 | Varies | Gartner Cool Vendor 2024 | Enterprise certifications | Enterprise certifications | |
| 71 | +| **Best for** | Fast deployment, non-security-specialist teams | Regulated industries, credential management | High-throughput, perf-sensitive deployments | Security-first orgs wanting OSS flexibility | Orgs already on Gravitee | Orgs already on Traefik | |
| 72 | + |
| 73 | +--- |
| 74 | + |
| 75 | +## Platform-Native Solutions |
| 76 | + |
| 77 | +| | **GitHub Agentic Workflows** | **Cloudflare Enterprise MCP** | **GitHub Copilot Agent Firewall** | |
| 78 | +|---|---|---|---| |
| 79 | +| **Scope** | Full defense-in-depth for GH Actions agents | WAF + AI Gateway for MCP servers | Domain allowlist for Copilot cloud agent | |
| 80 | +| **Architecture** | Kernel isolation + MCP gateway + integrity filtering | WAF in front of MCP, portal pattern (N servers → 2 tools) | iptables-based egress filtering | |
| 81 | +| **Policy model** | Declarative YAML (network, integrity levels) | WAF rules + AI Gateway config | Domain allowlist (org or repo level) | |
| 82 | +| **Limitations** | GitHub Actions only | Cloudflare stack only | Only covers agent-started processes, not MCP servers; bypassable | |
| 83 | +| **Notable** | Trust-scored content filtering (merged/approved/unapproved) | Published April 15, 2026 — their own internal deployment | Honest about limitations in their own docs | |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## Architectural Approaches Compared |
| 88 | + |
| 89 | +| Approach | Enforcement guarantee | Bypass risk | Setup complexity | Coverage scope | |
| 90 | +|---|---|---|---|---| |
| 91 | +| **Kernel-level** (agentsh) | Strongest — syscall interception | Very low (requires kernel exploit) | High (kernel 6.7+, FUSE, capabilities) | Shell, filesystem, network, processes | |
| 92 | +| **Egress proxy** (Pipelock) | Strong for network — capability separation | Medium (agent could use alternative channels) | Low (single binary) | Network egress, MCP responses | |
| 93 | +| **MCP stdio proxy** (mcp-firewall, Agent Wall) | Moderate — protocol-level interception | Medium (only covers MCP channel) | Low (wrap command) | MCP tool calls and responses only | |
| 94 | +| **Application middleware** (Microsoft AGT) | Weakest — same trust boundary as agent | High (agent can bypass if compromised) | Low (pip install) | Whatever the framework exposes | |
| 95 | +| **Hook-based** (dzervas/mcp-firewall) | Moderate — pre-execution check | Medium (depends on client enforcement) | Very low | Tool calls in supported clients | |
| 96 | + |
| 97 | +--- |
| 98 | + |
| 99 | +## Key Primitives Convergence |
| 100 | + |
| 101 | +Multiple projects have independently converged on the same cryptographic and protocol primitives: |
| 102 | + |
| 103 | +| Primitive | Used by | |
| 104 | +|---|---| |
| 105 | +| **Ed25519 signing** | Microsoft AGT, Pipelock, mcp-firewall (ressl), Agent Receipts | |
| 106 | +| **SHA-256 hash chaining** | mcp-firewall (ressl), Agent Receipts | |
| 107 | +| **DIDs (Decentralized Identifiers)** | Microsoft AGT, Agent Receipts | |
| 108 | +| **OPA/Rego policies** | Microsoft AGT, mcp-firewall (ressl) | |
| 109 | +| **Cedar policies** | Microsoft AGT | |
| 110 | +| **W3C Verifiable Credentials** | Agent Receipts (unique in this space) | |
| 111 | +| **OWASP Agentic AI Top 10** | Microsoft AGT, Pipelock, mcp-firewall (ressl) | |
| 112 | +| **YAML policy config** | All projects | |
| 113 | + |
| 114 | +Agent Receipts (this project) sits outside the enforcement tools in the table above — it is an audit trail, not a policy engine. Its trust model: signing keys live in a separate `agent-receipts-daemon` process (not in the agent, proxy, or SDK), so the audit trail is independent of the component being audited. |
| 115 | + |
| 116 | +--- |
| 117 | + |
| 118 | +## Gap Analysis |
| 119 | + |
| 120 | +Areas that remain underserved despite the crowded landscape: |
| 121 | + |
| 122 | +| Gap | Description | Who's closest | |
| 123 | +|---|---|---| |
| 124 | +| **Unified cross-channel audit** | Correlating MCP calls + REST calls + shell commands + browser actions into one timeline per agent session | Canyon Road (Watchtower) — but commercial/closed | |
| 125 | +| **CISO-ready reporting** | PDF/HTML reports a security team can review to approve agentic AI adoption | mcp-firewall (ressl) has compliance reports; Microsoft AGT has framework mappings; neither produces turnkey CISO artifacts | |
| 126 | +| **HTTP/OpenAPI interception** | Policy-enforced proxy for agent REST API calls (not just MCP) | Pipelock (egress proxy); agentsh (network proxy) — but neither is OpenAPI-schema-aware | |
| 127 | +| **Browser automation governance** | Intercepting Puppeteer/Playwright/CDP actions with policy enforcement | Nobody (GitHub Copilot firewall explicitly doesn't cover this) | |
| 128 | +| **Policy portability standard** | A way to express agent policies that works across tools | Microsoft AGT supports 3 languages but no cross-tool standard exists | |
| 129 | +| **Agent identity federation** | Verifying agent identity across organizational boundaries | Microsoft AGT (SPIFFE/SVID) is closest; still early | |
| 130 | + |
| 131 | +--- |
| 132 | + |
0 commit comments