AgentGuard - security for AI agents and MCP servers.
AI-assisted development widens the external exposure surface. AgentGuard reviews the instructions, tools, permissions, and prompt-injection paths that let agents touch code, tickets, shells, browsers, and MCP servers.
Coverage with an explainable detection technique.
MCP servers and tool manifests
AgentGuard inventories MCP server configuration, tool exposure, allowed commands, network reachability, and risky server defaults. It flags permission creep with deterministic rules, semantic review, and multi-LLM validation.
Agent configuration files
CLAUDE.md, AGENTS.md, .cursorrules, project prompts, and tool-specific policy files are reviewed for unsafe instructions, secrets in context, implicit trust in external content, and missing security constraints.
Prompt-injection paths
The module maps where untrusted web content, tickets, code comments, package metadata, and documentation can enter an agent workflow, then links those paths to the tools the agent can call.
Tool-call audit evidence
Tool calls, redaction behavior, approval prompts, repository write paths, shell boundaries, and outbound web requests are normalized into an evidence pack that security reviewers can reason about without replaying every session.
A finding built for remediation, not screenshots.
Each module produces a structured evidence pack with severity, business impact, and a runbook excerpt that can be routed to Slack, Jira, Linear, ServiceNow, GitHub, webhook, or SIEM depending on tier.
PDF FINDING PREVIEW
MCP filesystem tool can read deployment secrets from agent workspace
Evidence pack
- MCP server exposes recursive filesystem read without path allowlist.
- Agent instructions tell the model to inspect all dotfiles when debugging deployment failures.
- Workspace contains .env.production and cloud CLI config material in reachable paths.
- Prompt-injection route exists through issue comments that the agent summarizes before tool use.
Business impact
A malicious issue comment can steer the agent toward reading sensitive workspace files and leaking summaries into a ticket or chat thread. This is an agentic exfiltration path, not a traditional web vulnerability.
Remediation runbook
1. Restrict filesystem MCP roots to repository-safe paths.
2. Remove secrets from agent workspaces.
3. Add explicit prompt-injection handling to AGENTS.md.
4. Require approval before reading dotfiles.
5. Enable audit review on all filesystem tool calls.
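The runbook steps above describe controls that a filesystem MCP tool can enforce at the call boundary. The following is an added example written for this page, not AgentGuard's code or the code of any MCP server: it canonicalizes each requested path (so `..` segments and symlinks cannot escape the allowlisted repository root), denies secret-bearing files and cloud CLI config directories outright, gates other dotfiles behind an explicit approval flag, and records an audit entry for every call. The workspace it builds (a repo root, an `.env.production` file, an `.aws/config` file, and a symlink that points outside the root) is constructed in a temporary directory purely to exercise the guard; the class, function and tool names are assumptions, not identifiers from the page.

```python
"""Reference filesystem-tool guard for an agent workspace (added example).

Implements the four enforceable runbook controls: allowlisted roots,
secret denylist, dotfile approval gate, and an audit record per call.
All names, paths and sample files below are constructed for illustration.
"""
from __future__ import annotations

import fnmatch
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed denylists: filenames that hold credentials regardless of root,
# and directory names used by cloud/SSH CLIs for config material.
SECRET_FILE_PATTERNS = (".env", ".env.*", "credentials", "*.pem", "*.key", "id_rsa*")
SECRET_DIR_NAMES = frozenset({".aws", ".azure", ".gcloud", ".ssh"})


@dataclass
class Decision:
    allowed: bool
    reason: str
    approval_required: bool = False


@dataclass
class FilesystemToolGuard:
    """Policy check in front of a hypothetical `read_file` MCP tool."""

    roots: list[Path]
    audit_log: list[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Canonicalize the roots once so every comparison is on resolved paths.
        self.roots = [Path(r).resolve() for r in self.roots]

    def _containing_root(self, target: Path) -> Path | None:
        for root in self.roots:
            try:
                target.relative_to(root)
                return root
            except ValueError:
                continue
        return None

    def check_read(self, requested: str, approved: bool = False) -> Decision:
        # resolve() collapses ".." and follows symlinks, so the allowlist is
        # applied to where the read would really land, not to the spelling.
        target = Path(requested).resolve()
        if self._containing_root(target) is None:
            decision = Decision(False, "outside allowlisted roots")
        elif SECRET_DIR_NAMES.intersection(target.parts):
            decision = Decision(False, "path crosses a cloud/SSH config directory")
        elif any(fnmatch.fnmatch(target.name, p) for p in SECRET_FILE_PATTERNS):
            decision = Decision(False, f"{target.name} matches the secret denylist")
        elif target.name.startswith(".") and not approved:
            decision = Decision(False, "dotfile read requires explicit approval",
                                approval_required=True)
        else:
            decision = Decision(True, "within allowlisted root")
        # Every call is recorded, allowed or not, for later audit review.
        self.audit_log.append({
            "tool": "read_file", "requested": requested, "resolved": str(target),
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision


def build_demo_workspace() -> Path:
    """Construct a throwaway workspace mirroring the finding above."""
    base = Path(tempfile.mkdtemp(prefix="agent-workspace-demo-"))
    repo = base / "repo"
    (repo / "src").mkdir(parents=True)
    (repo / "src" / "app.py").write_text("print('hello')\n")
    (repo / ".env.production").write_text("DB_PASSWORD=placeholder\n")  # constructed
    (repo / ".aws").mkdir()
    (repo / ".aws" / "config").write_text("[default]\nregion = placeholder\n")
    (repo / ".editorconfig").write_text("root = true\n")
    outside = base / "outside"
    outside.mkdir()
    (outside / "deploy-secret.txt").write_text("placeholder\n")
    (repo / "escape").symlink_to(outside, target_is_directory=True)  # escapes the root
    return repo


def run_demo() -> tuple[dict[str, Decision], list[dict]]:
    """Exercise the guard against the constructed workspace."""
    repo = build_demo_workspace()
    guard = FilesystemToolGuard(roots=[repo])
    requests = {
        "source file": (repo / "src" / "app.py", False),
        "dotdot traversal": (repo / "src" / ".." / ".." / "outside" / "deploy-secret.txt", False),
        "symlink escape": (repo / "escape" / "deploy-secret.txt", False),
        "production env": (repo / ".env.production", False),
        "cloud cli config": (repo / ".aws" / "config", False),
        "dotfile unapproved": (repo / ".editorconfig", False),
        "dotfile approved": (repo / ".editorconfig", True),
    }
    decisions = {name: guard.check_read(str(p), approved) for name, (p, approved) in requests.items()}
    return decisions, guard.audit_log


if __name__ == "__main__":
    for name, d in run_demo()[0].items():
        print(f"{name:20} allowed={d.allowed!s:5} {d.reason}")
```

The ordering of the checks matters: the root check runs on the resolved path first, so a symlink or `..` escape is rejected before any name-based rule is consulted, and the secret denylist runs before the dotfile gate so that an approval flag cannot be used to read `.env.production`.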
Included where the workflow needs it.
| Tier | Included | Asset limits |
|---|---|---|
| Community | Not included | Core external scan only |
| Pulse | Not included | CI/CD Shield available; AgentGuard not included |
| Shield | Included | 150 assets, AI/MCP configuration review |
| Fortress | Included | 500 assets, SaintScan handoff for active validation |
| Sentinel | Included | Unlimited by engagement, managed agent operating plan |
Ships findings into the systems that already own remediation.
READY FOR REVIEW
Run this module against authorized scope.
Start with a free scan or route an enterprise module review to sales.