Seven pillars. Specific, defensible, and tied to actual deployment patterns we use. If a section reads like marketing fluff to you, tell us — we’ll cut it.
Each customer's agent runs in a tenant-scoped environment — separate VPS, container namespace, or cloud project. No shared multi-tenant agent host. Data planes are separated from any marketing or automation surface, which means a content-generation agent on a public network can never share a process with a key-holding production agent.
API keys (Anthropic, OpenAI, internal vendors), signing keys, wallet keys: held in a customer-controlled secret store — 1Password, AWS Secrets Manager, HashiCorp Vault, or a hardened on-prem store. Agent code reads keys at runtime; keys never enter the prompt, the chat history, or the agent's memory. Rotation is a customer-driven operation, not ours.
Every agent action that touches a customer system — send email, write a file, call an API, post to Slack, sign a transaction — is logged with: input received, tool invoked, parameters used, output observed, timestamp, agent identity. Logs go to a customer-owned destination (your SIEM, your S3, your database). We do not hold the only copy. Given a logged trace, an agent run can be replayed in a sandbox to investigate any decision.
External content — incoming emails, web pages fetched, documents uploaded by end-users — is treated as untrusted input. Instructions inside that content do not get executed as agent commands. Tool boundaries enforce the trust boundary. The "summarize this email" tool cannot escalate into "send a wire to <attacker IBAN>" — the email body is data, not instructions, by design. Aligned with OWASP LLM Top 10, especially LLM01 (prompt injection) and LLM06 (sensitive information disclosure).
Every agent operation has a dry-run mode or a rollback path. Production deployments default to dry-run for the first 7 days; we explicitly flip to live mode after a review meeting. Destructive operations — delete, send-money, post-publicly — require an explicit confirmation step that cannot be auto-approved by another agent in the chain. Human-in-the-loop on irreversible actions, no exceptions.
We pin versions of the agent runtime, model SDKs, and tool integrations. Updates are reviewed before deployment. Third-party MCP servers, Composio integrations, and Claude Skills are vetted before use. The list of trusted connectors is documented per deployment so you can audit it.
We treat system prompts as defenses, not as secrets — we assume the system prompt may leak. Security comes from tool boundaries and isolation, not from "the model won't tell anyone its instructions." For high-value operations, we use a second model or a deterministic check to validate the first model's output before it executes.
Bring it. Recon engagements start with whatever’s actually keeping your security team up.
Start with a Recon