Capsule Blog

Guardian Agent: Shipping a Useful Agentic Experience

Yarin Sasson
July 7, 2026

Every security team asks the same question the moment an AI agent enters their product: how much can it actually touch? Get the answer wrong and you ship one of two failures: a chatbot that can look but never act, or an agent handed enough access to become the next item on its own attack-surface report. We built Guardian Agent to prove that's a false choice.

The trade nobody should have to make

Today, "give me a report on our AI attack surface this quarter" costs a CISO an afternoon of someone's time, pulling an analyst off their queue to screenshot, slide-build, and format. The naive fix is to prefix every prompt with a monolithic schema and let the model figure it out, a token-burning strategy that drives latency up and reasoning quality down. Push further and hand the job to an under-governed agent instead, and you've traded a slow problem for a dangerous one: an assistant sitting on a full schema dump, with no visibility into what it's about to change and no clean line between a user's click and the agent's decision.

Guardian Agent's bet: usefulness and governance aren't in tension, they're a layering problem. Most AI assistants default to running on the server; we did the opposite. The entire agent loop runs locally, inside the browser, built on our pi-agent-core client stack: direct access to live application state as it changes, awareness of the specific charts and routes the user is looking at, and the ability to drive the UI in real time as an in-product companion rather than a bolted-on chatbot. Execution is aggressively local. Governance is not: our backend is a hardened proxy that owns provider credentials, authentication, rate limiting, and auditing. Local reflexes, central rules.

How it sees: context in three layers

Instead of one flat context blob, Guardian Agent assembles its vision bottom-up, each layer narrower and more expensive than the last, loaded only when the layer beneath justifies it. The payoff of Layer 3 is deliberate: the agent explores the GraphQL schema on demand instead of ingesting it up front, which keeps the token window free for reasoning and guarantees it's always working against the freshest schema, not a stale snapshot baked into a system prompt.

How it acts: Describe → Validate → Apply

The same layering principle governs execution. Every state-changing action passes three gates, each strictly narrower than the last, and the agent cannot act on a field it hasn't first been shown exists. Safety here is a property of the layering, not a list of behaviors we're hoping the model avoids.

How we keep it honest

Context isn't a one-time setup, it's maintained like any other product surface. Every component that exposes agent capabilities ships an adjacent .ai.ts file, reviewed in the same pull request as the feature it describes. Agent skills shape behavior and catch prompt regressions early. And agent surfaces are backed by eval docs, starting with the policy builder's POLICY_BUILDER_AGENT_EVAL.md, so regression testing holds steady as the underlying models change.

The Afternoon You Get Back

This is where it stops being architecture and starts being useful. A security lead can ask, in plain language, for a report on this quarter's AI attack surface, and get back a polished, branded PDF in seconds, composed from the very data the agent just queried: executive summary, threat breakdown, charts, in an order that tells the story. No export wizard, no ticket to "the person who knows how to pull that."

The workflow that used to cost an afternoon collapses into one turn, and because the layout is generated rather than hand-built, every report comes out structurally consistent and on-brand, no two analysts formatting the same section two different ways. The business impact lands differently for each persona: the analyst reclaims the time they'd have lost to formatting; the CISO gets a clean, board- and regulator-ready artifact without waiting on anyone. And none of it steps outside the governed loop: the report is composed and rendered client-side, off the main thread so the browser stays responsive, while the backend still owns every credential and audit entry. Real, tangible output a security team can put in front of a board, without trading away the governance that makes it trustworthy.

Two boundaries, not a hope

Most teams test for the wrong risk here: whether the model can generate raw executable code. The real risk is whether it can ever reach execution without something checking it first.

The Capability Boundary means tools are the only route from model output to execution, each with a narrow contract (name, description, schema, validated execution function), so the model emits structured parameters and nothing else. We enforce it twice more downstream: the backend is a proxy holding every real credential (the browser only ever sees a stub key), throttling and quotas live at that same chokepoint, and any third-party rendering code, Chart.js, react-pdf, runs isolated in a web worker.

The Side-Effect Boundary governs anything that changes state. The Consent Gate means mutating tools never fire automatically: a human explicitly approves or rejects first. Specialized headers on every agent-initiated request give us action attestation: audit logs that cleanly separate a user's manual click from an action an agent took under consent. Model as recommender, human as final authority, every action attributable.

Why not just wait for the browser to do this natively

Emerging standards like WebMCP look promising on paper, but they're unproven: we've already found vulnerabilities in the broader model that reinforce our approach. Until that ecosystem matures, a sandboxed, backend-proxied architecture isn't just the safer trade-off, it's the only responsible one.

Narrow, governed authority is the whole model going forward: an assistant that's ruthless, fast, and genuinely useful, without ever holding the keys.

Ready to see narrow, governed authority in practice? Book a Demo and we'll show you exactly how Guardian Agent transforms your AI attack surface without ever putting your environment at risk.

Read more articles

Article

Your AI Agent Inventory is Lying to You: The Rise of the "Inline Agent"

Discover the rise of 'Inline Agents' - the shadow IT of the AI era. Learn how Capsule Security uncovers undeclared AI agents hiding in your raw logs.

Guy Bidkar
July 1, 2026
Research

We Analyzed 206,435 AI Agent Skills. Here's What We Found.

Our analysis of 206,435 AI agent skills reveals a rapidly growing software supply chain vulnerable to natural language payloads and dangerous capability combinations. Read the report to understand how these skills bypass traditional security controls and learn how Capsule protects your organization by securing the agent runtime.

Bar Kaduri
June 22, 2026
Article

Mitigating the Agentic AI Threat: What Security Leadership Needs to Prioritize

The theoretical phase of agentic AI security is over—the attack surface is real and the incidents are documented. This post breaks down the defensive architecture taking shape in response: Meta's Agents Rule of Two, deterministic enforcement hooks, identity governance for non-human agents, and the questions security leaders need to be asking right now.

Bar Kaduri
June 16, 2026
Article

OWASP State of Agentic AI Security and Governance 2026: What Changed, and What It Means

A year after the first edition, plausible agentic AI threats now carry CVEs and real incidents. What changed in the OWASP State of Agentic AI Security and Governance 2026.

Bar Kaduri
May 31, 2026
Article

Every agent needs a "stop". We're standardizing it.

The industry standardized how agents talk, but never how to stop one mid-action. Capsule is helping change that through the Agent Control Standard, with hooks.security as the developer-facing companion.

Bar Kaduri
May 27, 2026
Research

The Agentic AI Threat Landscape Has Crossed a Threshold

The security risks of AI agents are no longer theoretical. This blog examines the active threat landscape facing agentic AI in 2026, from prompt injection and supply chain attacks against MCP and skill registries to the governance gap created by vibe coding and Shadow AI.

Bar Kaduri
May 24, 2026
Article

The Rise of Guardian Agents: Securing the Agentic AI Ecosystem

Guardian agents are emerging as a critical security layer for the agentic AI era. As enterprises adopt AI agents that execute tools, handle sensitive data, and operate inside real workflows, human approval loops no longer scale. Guardian agents solve this by supervising other agents in real time: monitoring actions, enforcing policy, and blocking risky behavior before execution.

Lidan Hazout
May 7, 2026
Research

CurseChain: How Hidden README Comments Trick Cursor Into Stealing - and Spreading - Your SSH Keys

Capsule found two Cursor IDE vulnerabilities that let hidden prompt-injection instructions in referenced files steal developers’ SSH keys and contaminate future unrelated projects, causing zero-click or one-click exfiltration even when the attacker ships no malicious code.

Bar Kaduri
April 29, 2026
Research

The State of AI Agent Security 2026

Capsule Security’s State of AI Agent Security 2026 report is the largest independent audit of AI agents to date, showing that the ecosystem is rapidly shipping publicly exposed, weakly guarded, highly connected agents with recurring misconfigurations, near-absent runtime controls, widespread prompt-injection risk, expanding supply-chain exposure, and active malicious campaigns still propagating through agent skill and tool registries.

Bar Kaduri
April 27, 2026
News

Capsule Security Raises $7M to Prevent AI Agents from Going Rogue in Runtime: Intent is the New Perimeter

Capsule is launching a runtime security platform for the agentic AI era, built to monitor and stop autonomous agents that can bypass traditional guardrails, misuse legitimate access, and create a new class of enterprise security risk.

Naor Paz
April 13, 2026
Article

Why MCP Gateways are a Bad Idea (and What to Do Instead)

MCP gateways secure only one protocol and create blind spots, while runtime hooks plus approved MCP registries secure the full agent runtime where real risk lives.

Lidan Hazout
April 12, 2026
Article

ClawGuard: Open Source Security for the Agentic Era

ClawGuard was built to stop dangerous agent behavior at the intent level before execution, and NVIDIA’s NemoClaw reinforces that need by securing the runtime environment from the infrastructure side.

Lidan Hazout
April 12, 2026
Research

PipeLeak: The Lead That Stole Your Database - Exploiting Salesforce Agentforce With Indirect Prompt Injection

Capsule research team discover a critical prompt injection vulnerability in Salesforce Agentforce that allows attackers to exfiltrate CRM data through a simple lead from a form submission. No authentication required.

Bar Kaduri
April 9, 2026
Research

ShareLeak: Taking the Wheel of Microsoft’s Copilot Studio (CVE-2026-21520)

The Capsule research team discovered a high severity indirect prompt injection vulnerability in Microsoft Copilot Studio that enables attackers to exfiltrate sensitive data through external SharePoint form.

Bar Kaduri
April 9, 2026