Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions site/astro.config.mjs
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,10 @@ export default defineConfig({
label: "Blog",
items: [
{ label: "All Posts", slug: "blog" },
{
label: "Agent Security Tooling Landscape — April 2026",
slug: "blog/agent-security-tooling-landscape-april-2026",
},
{
label: "OpenClaw Plugin: How It Works",
slug: "blog/openclaw-plugin-deep-dive",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
---
title: Agent Security Tooling Landscape — April 2026
description: A neutral overview of the agent security, policy enforcement, and governance space as of April 2026.
---

_Published 2026-04-16_

We've been mapping the agent security space since March 26, 2026, while building Agent Receipts. This post is our working view of the landscape as of April 2026 — the tools, the architectural approaches, the primitives that are converging, and the gaps that remain.

## Executive Summary

The agent security space has rapidly matured. Every major architectural approach — MCP proxying, egress firewalling, kernel-level enforcement, application-level policy engines, and enterprise gateways — now has at least one serious implementation. Microsoft's entry (Agent Governance Toolkit, April 2026) is the most comprehensive single project, covering policy, identity, compliance, and SRE across five language SDKs.

The space segments into four layers:

| Layer | What it does | Key players |
|---|---|---|
| **MCP Gateways** (commercial) | Managed proxy for MCP traffic with auth, audit, rate limiting | MintMCP, Peta, TrueFoundry, Lasso, Gravitee, Traefik Hub |
| **Agent Firewalls** (open-source) | Intercept + scan agent traffic (MCP and/or HTTP) | Pipelock, mcp-firewall (ressl), Agent Wall, mcp-firewall (dzervas) |
| **Kernel-Level Enforcement** | OS-level syscall interception, sandboxing | agentsh / Canyon Road, Anthropic sandbox-runtime |
| **Governance Frameworks** | Application-level policy engine, identity, compliance | Microsoft AGT, GitHub Agentic Workflows |

```mermaid
graph TD
K[Kernel enforcement — agentsh]
E[Egress proxy — Pipelock]
G[MCP gateway — MintMCP / Peta]
F[Governance framework — Microsoft AGT]
AR["Agent Receipts — independent audit layer (spans all channels)"]
K & E & G & F --> AR
```

---

## Detailed Comparison: Open-Source Agent Security Tools

These are the tools most relevant to an individual builder or small team entering the space.

| | **Microsoft AGT** | **Pipelock** | **mcp-firewall (ressl)** | **agentsh (Canyon Road)** | **Agent Wall** | **mcp-firewall (dzervas)** |
|---|---|---|---|---|---|---|
| **Released** | Apr 2026 | Jan 2026 | Feb 2026 | 2025–2026 | Feb 2026 | 2026 |
| **Language** | Python (primary), TS, .NET, Rust, Go SDKs | Go | Python | Go + system-level | Node.js | Rust |
| **License** | MIT | Apache 2.0 | AGPL-3.0 (commercial available) | Source-available (commercial) | MIT | MIT |
| **Approach** | Application middleware | Egress proxy + MCP proxy | MCP stdio proxy + SDK library | Kernel enforcement (Landlock, FUSE, ptrace, seccomp) | MCP stdio proxy | Claude Code pre-tool-use hook |
| **MCP proxy** | No (framework adapters) | Yes (stdio) | Yes (stdio) | No (syscall-level) | Yes (stdio) | No (hook-based) |
| **HTTP/egress proxy** | No | Yes (7-layer scanner) | No | Yes (network proxy) | No | No |
| **Shell/command control** | No | No | No | Yes (shell shim, ptrace) | No | No |
| **File I/O control** | No | Integrity monitoring | No | Yes (FUSE, Landlock) | No | No |
| **Policy engine** | YAML + OPA/Rego + Cedar | YAML config | YAML + OPA/Rego | YAML policy | YAML config | Jsonnet |
| **DLP / secret scanning** | No | Yes (regex, entropy, env leak) | Yes (response scanning) | Yes (output redaction) | Yes | No |
| **Prompt injection detection** | MCP scanner module | Yes (response scanning) | Yes (8 inbound checks) | No | Yes | No |
| **Cryptographic identity** | Ed25519 DIDs + ML-DSA-65 | Ed25519 signing | Ed25519 audit chain | No | No | No |
| **Audit logging** | Structured + OTEL | JSON + Prometheus | JSON + signed hash chain | Structured + OTEL | JSON | No |
| **Compliance reporting** | EU AI Act, NIST, HIPAA, SOC 2, OWASP | OWASP mapping | DORA, FINMA, SOC 2 | No | No | No |
| **Dashboard** | No | Prometheus/stats endpoint | Yes (web UI) | Via Watchtower (commercial) | Yes (web UI) | No |
| **Framework integrations** | 12+ (LangChain, CrewAI, AutoGen, etc.) | Claude Code, Cursor | Claude Desktop, Cursor, any MCP client | Vercel, E2B, Daytona, Cloudflare, etc. | Any MCP client | Claude Code, Copilot CLI |
| **Trust model** | Same-process middleware | Capability separation (proxy has no secrets) | Same-process proxy | Kernel-enforced isolation | Same-process proxy | Hook-based |

---

## Detailed Comparison: Commercial MCP Gateways

| | **MintMCP** | **Peta (Agent Vault)** | **TrueFoundry** | **Lasso Security** | **Gravitee** | **Traefik Hub** |
|---|---|---|---|---|---|---|
| **Type** | Managed SaaS | Credential vault + gateway | AI platform + gateway | Security platform + OSS gateway | API gateway + MCP | Reverse proxy + MCP middleware |
| **OSS component** | LLM Proxy (partial) | No | No | Yes (mcp-gateway, Apache 2.0) | No | No |
| **Key differentiator** | One-click deploy, pre-built connectors | Zero-trust vault, agents never see raw keys | Low latency (3–4ms), 350+ rps | Plugin-based guardrails, PII detection (Presidio) | Protocol-aware, method-level governance | Extends existing Traefik deployments |
| **Auth model** | OAuth 2.0 | Scoped time-limited tokens | OAuth 2.0 OBO | API key + plugins | Standard API gateway auth | Standard Traefik auth |
| **Human-in-the-loop** | No | Yes (approval workflows) | No | No | No | No |
| **Compliance** | SOC 2 | SOC 2 | Varies | Gartner Cool Vendor 2024 | Enterprise certifications | Enterprise certifications |
| **Best for** | Fast deployment, non-security-specialist teams | Regulated industries, credential management | High-throughput, perf-sensitive deployments | Security-first orgs wanting OSS flexibility | Orgs already on Gravitee | Orgs already on Traefik |

---

## Platform-Native Solutions

| | **GitHub Agentic Workflows** | **Cloudflare Enterprise MCP** | **GitHub Copilot Agent Firewall** |
|---|---|---|---|
| **Scope** | Full defense-in-depth for GH Actions agents | WAF + AI Gateway for MCP servers | Domain allowlist for Copilot cloud agent |
| **Architecture** | Kernel isolation + MCP gateway + integrity filtering | WAF in front of MCP, portal pattern (N servers → 2 tools) | iptables-based egress filtering |
| **Policy model** | Declarative YAML (network, integrity levels) | WAF rules + AI Gateway config | Domain allowlist (org or repo level) |
| **Limitations** | GitHub Actions only | Cloudflare stack only | Only covers agent-started processes, not MCP servers; bypassable |
| **Notable** | Trust-scored content filtering (merged/approved/unapproved) | Published April 15, 2026 — their own internal deployment | Honest about limitations in their own docs |

---

## Architectural Approaches Compared

| Approach | Enforcement guarantee | Bypass risk | Setup complexity | Coverage scope |
|---|---|---|---|---|
| **Kernel-level** (agentsh) | Strongest — syscall interception | Very low (requires kernel exploit) | High (kernel 6.7+, FUSE, capabilities) | Shell, filesystem, network, processes |
| **Egress proxy** (Pipelock) | Strong for network — capability separation | Medium (agent could use alternative channels) | Low (single binary) | Network egress, MCP responses |
| **MCP stdio proxy** (mcp-firewall, Agent Wall) | Moderate — protocol-level interception | Medium (only covers MCP channel) | Low (wrap command) | MCP tool calls and responses only |
| **Application middleware** (Microsoft AGT) | Weakest — same trust boundary as agent | High (agent can bypass if compromised) | Low (pip install) | Whatever the framework exposes |
| **Hook-based** (dzervas/mcp-firewall) | Moderate — pre-execution check | Medium (depends on client enforcement) | Very low | Tool calls in supported clients |

---

## Key Primitives Convergence

Multiple projects have independently converged on the same cryptographic and protocol primitives:

| Primitive | Used by |
|---|---|
| **Ed25519 signing** | Microsoft AGT, Pipelock, mcp-firewall (ressl), Agent Receipts |
| **SHA-256 hash chaining** | mcp-firewall (ressl), Agent Receipts |
| **DIDs (Decentralized Identifiers)** | Microsoft AGT, Agent Receipts |
| **OPA/Rego policies** | Microsoft AGT, mcp-firewall (ressl) |
| **Cedar policies** | Microsoft AGT |
| **W3C Verifiable Credentials** | Agent Receipts (unique in this space) |
| **OWASP Agentic AI Top 10** | Microsoft AGT, Pipelock, mcp-firewall (ressl) |
| **YAML policy config** | All projects |

Agent Receipts (this project) sits outside the enforcement tools in the table above — it is an audit trail, not a policy engine. Its trust model: signing keys live in a separate `agent-receipts-daemon` process (not in the agent, proxy, or SDK), so the audit trail is independent of the component being audited.

---

## Gap Analysis

Areas that remain underserved despite the crowded landscape:

| Gap | Description | Who's closest |
|---|---|---|
| **Unified cross-channel audit** | Correlating MCP calls + REST calls + shell commands + browser actions into one timeline per agent session | Canyon Road (Watchtower) — but commercial/closed |
| **CISO-ready reporting** | PDF/HTML reports a security team can review to approve agentic AI adoption | mcp-firewall (ressl) has compliance reports; Microsoft AGT has framework mappings; neither produces turnkey CISO artifacts |
| **HTTP/OpenAPI interception** | Policy-enforced proxy for agent REST API calls (not just MCP) | Pipelock (egress proxy); agentsh (network proxy) — but neither is OpenAPI-schema-aware |
| **Browser automation governance** | Intercepting Puppeteer/Playwright/CDP actions with policy enforcement | Nobody (GitHub Copilot firewall explicitly doesn't cover this) |
| **Policy portability standard** | A way to express agent policies that works across tools | Microsoft AGT supports 3 languages but no cross-tool standard exists |
| **Agent identity federation** | Verifying agent identity across organizational boundaries | Microsoft AGT (SPIFFE/SVID) is closest; still early |

---

1 change: 1 addition & 0 deletions site/src/content/docs/blog/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,4 @@ Updates, deep dives, and field notes from building the Agent Receipt Protocol.

- **2026-05-17** — [The audit boundary belongs outside the agent](/blog/daemon-process-separation/) — The architectural problem with in-process receipt signing, and how daemon process separation restores the audit property.
- **2026-04-27** — [OpenClaw Plugin: How It Works](/blog/openclaw-plugin-deep-dive/) — Plugin architecture, receipt anatomy, self-verification, and how the OpenClaw integration differs from the MCP Proxy.
- **2026-04-16** — [Agent Security Tooling Landscape — April 2026](/blog/agent-security-tooling-landscape-april-2026/) — MCP gateways, agent firewalls, kernel enforcement, governance frameworks, and the convergence of primitives like Ed25519, SHA-256 chaining, and DIDs.
Loading