Capsule Security Raises $7M to Prevent AI Agents from Going Rogue in Runtime: Intent is the New Perimeter

Three and a half years ago, we all had our ChatGPT moment. Large language models burst into the mainstream, and we quickly understood something fundamental about them. They are powerful, but also they are non-deterministic, and very unpredictable. 

Quickly a first generation of security companies emerged to address the risk - browser extensions for data leakage prevention, proxies acting as LLM firewalls, static rules to stop prompt injections.

Then, like all novel technologies, AI evolved again, introducing new risks.

We entered the agentic era. AI agents aren't chatbots, as initially imagined. They don't wait for you to type a question and then serve up an answer. They act. Autonomously. Immediately.

You give them permissions, tools, and goals, and they execute with a level of speed and scale that no human team can match.

And to do so, they were given the keys to every castle. They are already inside our most sensitive systems, and we’re now discovering that sometimes - they go rogue.

AI agents don't hack your systems - they use them exactly as expected and designed. And that's the problem.

The Rogue Employee You Never Hired

Here's a real world example from one of our customers, where agents behaved fundamentally differently than expected.

Cursor, the popular coding agent, has a feature called .cursorignore, a guardrail that tells the agent to stay away from certain files. Simple enough. This has worked for decades for config-driven Github Repos and human operators.

Except we watched the agent reason its way around this tried-and-true guardrail. 

It said, effectively: I see I can't access that file directly - it's in the ignore list. So I'll write a shell script to bypass the restriction. The guardrail, which really was just tokens in a context window, were treated like a suggestion, not a wall - and bypassed entirely.

Novel technologies are unpredictable because we're still learning how they behave. 

The terrifying part though, is that agents are already inside the perimeter and acting on production systems. What seems like a secure fortress to us, built over many years of successful security implementations, means nothing when applied to a system that has a completely novel way of thinking and acting, and is capable of breaking down every barrier we put in front of it. 

All of our defenses need a rethink.

The Perimeter Has Shifted. Again.

If you've spent any time in cybersecurity, you know this story. First, the network was the perimeter. Then came cloud and SaaS, the perimeter dissolved, and identity became the new battleground. If you control who has access, you control the risk.

Except we never actually achieved least privilege for humans, and enterprises are still fighting that battle years later. Now we're handing out privileges to AI agents with little to no discernment, at a scale that is orders of magnitude greater, before we've even solved the human problem.

Identity isn't enough anymore. 

An agent can have the right credentials, the right permissions, and the right network access, and still do the wrong thing. The risk isn't who the agent is, it’s what it intends to do at any given moment.

That is what we mean by intent is the new perimeter. 

Because agents are already inside - but are their actions intentionally malicious?

If you aren't watching what your agents are doing, every tool call, every decision, every reasoning step, in real time, then the agent you inherently trusted is already capable of becoming the attacker you never saw coming.

Why I Built Capsule

I need to tell you about a moment that changed everything for me.

I was leading Web Application Firewall at F5 — runtime security was my world. I understood how to watch application behavior in real time, detect anomalies, and respond before damage was done. Then agentic AI started showing up in customer environments, and I realized the tools I'd spent years building were completely blind to it.

I sat in a customer security review where the CISO showed me their AI agent deployment — dozens of autonomous agents running across their infrastructure, making real-time decisions about customer data. I asked the question that would become the foundation of Capsule: "How are you monitoring what these agents are actually doing at runtime?"

Silence. There was no answer — because there was no tool.

I called my co-founder and CTO, Lidan Hazout, that night. Lidan had built identity infrastructure at Transmit Security and understood the access layer deeply. We both saw the same gap: every security tool in the enterprise was designed for a world where software does what it's programmed to do. AI agents broke that assumption entirely. The old tools weren't going to adapt fast enough. A new architecture was required.

We've both built runtime security before — from AppSec to identity. Now we're building it for the agentic era.

Introducing Capsule: The Guardian Agent Platform

Capsule was purpose-built for this moment. We are not a legacy vendor bolting on an "AI feature" to an existing product. We are AI-native — designed from the ground up for a world where agents are the primary actors in your organization.

Here's what makes us different:

Runtime-first, not posture-first. Agent security is not cloud security all over again. It's not CSPM. You can't just scan configurations and declare yourself safe (we saw just over the last few weeks when your security scanners can turn against you in some of the most heinous AI-driven supply chain attacks). Agents are dynamic, unpredictable, and capable of reasoning around your guardrails. You need continuous runtime control - watching every interaction, every tool call, every decision as it happens.

No proxies. No gateways. No SDKs. We don't ask you to change your architecture, install browser extensions, or deploy endpoint agents. We hook directly into the native APIs, security hooks, and OpenTelemetry instrumentation that AI platforms already provide. 

No friction. No single points of failure. No proxies for agents to bypass - because we've already seen that happen in customer environments.

Guardian agents powered by fine-tuned SLMs. LLMs are yesterday’s technology. Suited for chatbots, but too generic for tasks that require high precision. We use patented small language models purpose-built for binary classification:

• Is this an instruction violation, yes or no? 
• Is this sensitive data, yes or no? 

These models are fast, cost-efficient, and deterministic by design. We strip out the creativity. We turn the temperature down to zero. The output is a probability score, not a hallucination. And when deeper analysis is needed, we layer in larger models to understand the intent behind the action. 

Because, without organizational context, security decisions are just guesswork.

We're Not Just Talking About the Problem — We're Proving It

While we had this vision, without validation - we couldn’t be sure we were on the right track. So we rolled up our sleeves, not just to build our platform, but to test the waters in the real-world. And what we found knocked our socks off.

As part of our launch, our threat research team is disclosing two zero-day vulnerability classes we discovered in major AI platforms:

ShareLeak: a vulnerability in Microsoft Copilot Studio that allows unauthorized data exfiltration through AI agent workflows, exposing sensitive enterprise information through improperly secured agent interactions - classified as CVE-2026-21520.

PipeLeak: a vulnerability in Salesforce AgentForce that enables data leakage through agent pipeline manipulation, allowing attackers to extract confidential information by exploiting how agents process and route data between systems.

When Moltbook was causing a frenzy, we didn’t just sit on our haunches, while building Capsule we also published the open-source ClawGuard tool for the community, to test for these types of vulnerabilities in their own agent deployments NOW.

This is because these are not theoretical attack vectors. 

These platforms are employed by thousands of enterprises today. 

All while the agentic infrastructure they're building on is, to put it bluntly, full of holes. Every organization deploying AI agents should be asking: what else haven't we found yet?

The CISO Panic Is Real

Every CISO we speak with in 2026 is in some version of panic. The pressure from boards, CEOs and CIOs to adopt AI is relentless, and the stats reflect exactly how exposed that's left everyone: 72% of enterprises are already running AI agents, but only 29% have AI-specific security controls in place. 

That gap isn't closing, it's widening, because agents are proliferating faster than security teams can respond. And the problem isn't just the agents you know about. 

Shadow AI, unsanctioned agents deployed by employees across marketing, finance, sales and engineering, is BYOD all over again, except these devices can reason, act, and access your most sensitive systems autonomously.

Gartner saw it coming. In February 2026 they published their Market Guide for Guardian Agents, a new category designation, and named Capsule as a representative vendor. 

Jamie Dimon said it plainly: the single biggest risk of AI is the consequences to cybersecurity. 

We agree, which is why we built Capsule to be AI-native from the ground up. When the models get more capable, the security has to get more capable too.

Today we step out of stealth, launch our Guardian Agent Platform, disclose PipeLeak and ShareLeak, and open-source ClawGuard. 

But before any of that, one question every security leader needs to answer:

Do you know what your agents are doing right now?

If the answer is no, we should talk.

→ See Capsule in action — watch how runtime agent security works.

→ Talk to our team — for security leaders ready to get ahead of the agentic risk.

Capsule Security is backed by ForgePoint Capital and LAMA Partners, and was selected as a finalist for the inaugural Black Hat Europe 2025 Startup Spotlight and accepted into the AWS, CrowdStrike, and NVIDIA accelerator programs.

The guardrail was just tokens in a context window. The agent treated it like a suggestion, not a wall. We built the wall.