Runtime security · OWASP ASI · NIST AI RMF

Runtime security for production AI agents

Tracehold intercepts every action your agents take, gates risky changes, issues task-scoped credentials, and keeps an immutable audit trail, so your agents ship faster without touching prod.

Built by ex-engineers from HPE and Meta.

Self-hosted or managed. Your audit trail never leaves your VPC.

BLOCK      aws:s3:DeleteBucket                      CRITICAL
ALLOW      aws:ec2:DescribeInstances                READ
APPROVAL   aws:iam:AttachRolePolicy                 DESTRUCTIVE
ALLOW      gcp:storage.buckets.get                  READ
BLOCK      aws:rds:DeleteDBInstance                 CRITICAL
ALLOW      aws:logs:PutLogEvents                    WRITE
APPROVAL   gcp:resourcemanager.setIamPolicy         DESTRUCTIVE
BLOCK      aws:iam:CreateAccessKey                  CRITICAL
ALLOW      azure:containers.get                     READ
ALLOW      aws:sqs:SendMessage                      WRITE
APPROVAL   aws:ec2:TerminateInstances               DESTRUCTIVE
BLOCK      gcp:bigquery.jobs.create                 CRITICAL

Every agent with real permissions is one prompt away from a CISO's worst day.

The SDK that gives your agent power over your infrastructure also gives it power to break it. Without a runtime gate, a single prompt injection or a bad autonomy loop can become a production incident in seconds.

Your agent just deleted a production bucket.

One malformed tool call, no rollback, CISO on the phone.

Your agent leaked a long-lived IAM key.

Same key across envs, no rotation, 90 days of blast radius.

Your audit log has no idea who touched what.

Auditors ask, 'which agent?' and you have no answer.

How it works

One enforcement point. Every agent action.

Four steps sit between your agent and production, all in under 30 milliseconds. Here's the real code.

01

Intercept

The SDK wraps every tool call your agent makes, before it reaches your infrastructure. Drop-in for Python, LangChain, and the Claude Agent SDK. No changes to your agent's prompts, tools, or control flow.

agent.py · tracehold_sdk.client

import asyncio

from tracehold_sdk import TraceholdClient

client = TraceholdClient(
    api_key="th_live_…",
    gateway_url="https://gateway.tracehold.ai",
)


async def main():
    # Ask the gateway before the tool call reaches AWS.
    decision = await client.intercept(
        agent_id="agent-prod-cleanup",
        task_id="task-4bf92f35",
        tool_name="delete_bucket",
        cloud_provider="aws",
        action_identifier="aws:s3:DeleteBucket",
        parameters={"Bucket": "prod-customer-data"},
    )

    if decision.decision == "ALLOW":
        # JIT creds are in decision.credential
        run_the_tool(decision.credential)


asyncio.run(main())

02

Classify

Every action is mapped to a risk level — READ, WRITE, DESTRUCTIVE, CRITICAL — using a shipped registry of 400+ cloud actions. Blast radius is scored against your real environment, not a generic model.

classifier/registry.py
backend.classifier
from enum import Enum

class RiskLevel(str, Enum):
    READ = "READ"
    WRITE = "WRITE"
    DESTRUCTIVE = "DESTRUCTIVE"
    CRITICAL = "CRITICAL"

CLOUD_ACTION_RISK = {
    "aws:s3:GetObject":              RiskLevel.READ,
    "aws:s3:PutObject":              RiskLevel.WRITE,
    "aws:s3:DeleteBucket":           RiskLevel.CRITICAL,
    "aws:iam:CreateAccessKey":       RiskLevel.CRITICAL,
    "aws:rds:DeleteDBInstance":      RiskLevel.CRITICAL,
    "aws:ec2:TerminateInstances":    RiskLevel.CRITICAL,
    "gcp:storage.buckets.delete":    RiskLevel.CRITICAL,
    "azure:vm.delete":               RiskLevel.DESTRUCTIVE,
    # 400+ actions across AWS, GCP, Azure…
}

03

Gate

The gateway returns ALLOW, BLOCK, or REQUIRES_APPROVAL with a full explanation — reason, trust score, blast radius, and a safer alternative when one exists. Allowed calls run with short-lived credentials that expire with the task.

GatewayDecision (response)
POST /api/v1/gateway/intercept
{
  "decision": "REQUIRES_APPROVAL",
  "action_id": "a3f7e1c2-…",
  "reason": "CRITICAL action against a production bucket",
  "trust_score": 0.87,
  "blast_radius": {
    "environment": "prod",
    "resource_count_estimate": 1,
    "rollback_available": false,
    "score": 0.92
  },
  "safe_alternative": {
    "suggested_action": "aws:s3:PutBucketVersioning",
    "rationale": "Preserves data while satisfying cleanup intent.",
    "owasp_tag": "ASI02"
  }
}

04

Audit

Every decision lands in an append-only, HMAC-SHA256 hash-chained audit trail, tagged with the OWASP ASI risks it addresses and the NIST SP 800-53 controls it satisfies. Export the evidence bundle, hand it to your auditor.

audit_logs row
append-only · HMAC-chained
# Every decision lands here. Append-only.
# DB-level INSERT-only grant enforced in prod.

sequence_number  = 184_203
organization_id  = "org-acme"
agent_id         = "agent-prod-cleanup"
event_type       = "action.requires_approval"
decision         = "REQUIRES_APPROVAL"
parameters_hash  = "sha256:a1b2c3…"  # PII-safe
owasp_tags       = ["ASI02", "ASI08"]
nist_controls    = ["AC-6", "AU-2", "CM-5"]
trace_id         = "4bf92f3577b34da6…"
prev_entry_hash  = "7fa2…"
entry_hash       = hmac_sha256(
    key=AUDIT_HMAC_KEY,
    msg=prev_entry_hash + row_bytes,
)
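The hash chain in the row above, worked through as an added example that is not Tracehold's code: each row's entry_hash is hmac_sha256(key, prev_entry_hash + row_bytes) exactly as shown, and a verifier that recomputes every link is what makes an edited or deleted row detectable. The JSON serialization, the all-zero genesis sentinel and the key are assumptions.

```python
import hashlib
import hmac
import json

AUDIT_HMAC_KEY = b"example-audit-hmac-key-not-for-production"  # constructed; the product's is secret
GENESIS_HASH = "0" * 64  # assumed sentinel prev_entry_hash for the first row


def row_bytes(row: dict) -> bytes:
    # Deterministic serialization (assumed); unstable key order would fail untouched rows.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_entry_hash: str, row: dict, key: bytes = AUDIT_HMAC_KEY) -> str:
    # entry_hash = hmac_sha256(key, prev_entry_hash + row_bytes), as on the page.
    return hmac.new(key, prev_entry_hash.encode() + row_bytes(row), hashlib.sha256).hexdigest()


def append_entry(chain: list, decision_row: dict) -> dict:
    prev = chain[-1]["entry_hash"] if chain else GENESIS_HASH
    row = dict(decision_row, sequence_number=len(chain) + 1, prev_entry_hash=prev)
    entry = dict(row, entry_hash=entry_hash(prev, row))
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = AUDIT_HMAC_KEY):
    # Recompute every link; return (True, None) or (False, sequence_number of the first broken row).
    prev = GENESIS_HASH
    for entry in chain:
        row = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = entry_hash(prev, row, key)
        if entry["prev_entry_hash"] != prev or not hmac.compare_digest(expected, entry["entry_hash"]):
            return False, entry["sequence_number"]
        prev = entry["entry_hash"]
    return True, None


def build_sample_chain() -> list:
    # Constructed decisions in the shape of the page's audit_logs row.
    chain = []
    for action, decision in [("aws:ec2:DescribeInstances", "ALLOW"),
                             ("aws:s3:DeleteBucket", "REQUIRES_APPROVAL"),
                             ("aws:iam:CreateAccessKey", "BLOCK")]:
        append_entry(chain, {"organization_id": "org-acme", "agent_id": "agent-prod-cleanup",
                             "action_identifier": action, "decision": decision})
    return chain


def tamper_demo():
    # Rewriting row 2 breaks row 2's own HMAC; deleting row 2 breaks row 3's prev_entry_hash link.
    edited = [dict(e) for e in build_sample_chain()]
    edited[1]["decision"] = "ALLOW"
    deleted = build_sample_chain()
    del deleted[1]
    return verify_chain(build_sample_chain()), verify_chain(edited), verify_chain(deleted)
```

Because the HMAC key never leaves the audit service, a party with INSERT access to the table can add rows but cannot forge a valid entry_hash for a rewritten one.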

Product

Everything you need to run agents in production.

Six primitives, one platform. Mapped to OWASP Top 10 for Agentic Applications and NIST AI RMF from day one.

Single enforcement gateway

One enforcement point between your agent and the infrastructure it touches. Every action classified, every action decided, nothing slips through.

JIT task-scoped credentials

Short-lived credentials issued per task through your provider's native identity federation. They live for the length of the task, then evaporate.

Immutable audit trail

HMAC-SHA256 hash-chained, append-only. Tamper-evident by construction. Export-ready for SOC2, NIST SP 800-53, and OWASP ASI evidence.

Trust scoring + taint tracking

Every agent gets a continuous trust score. Prompt injection, context poisoning, and tainted inputs lower the ceiling in real time.

Continuous adversarial testing

Replay real-world attack scenarios against your agent pipeline on every deploy. Catch regressions before they reach production.

LLM-backed safer alternatives

When an action is blocked, Tracehold suggests a safer alternative, curated for known actions, LLM-generated for novel ones.

Compliance

Built around OWASP ASI and NIST AI RMF from day one.

Every Tracehold decision is tagged with the OWASP Agentic Application risk it addresses and the NIST SP 800-53 control it satisfies. Export the evidence bundle, hand it to your auditor.

OWASP Top 10 for Agentic Applications 2026

ASI01  Goal Hijack
ASI02  Tool Misuse
ASI03  Identity Abuse
ASI04  Supply Chain
ASI05  Code Execution
ASI06  Context Poisoning
ASI07  Inter-Agent Comms
ASI08  Cascading Failures
ASI09  Trust Exploitation
ASI10  Rogue Agents

Currently shipped in alerts/detectors.py

  • def detect_prompt_injection(ctx) · ASI01
  • def detect_tainted_critical(ctx) · ASI02
  • def detect_burst_rate(ctx) · ASI04
  • def detect_pii_in_parameters(ctx) · ASI06
  • def detect_critical_without_approval(ctx) · ASI08
  • def detect_repeated_block_retry(ctx) · ASI10
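An illustrative re-implementation of two of the detectors named above, run over constructed decision rows (added example, not Tracehold's alerts/detectors.py): the ctx shape, the ts field, the threshold and window values and the finding format are assumptions.

```python
from collections import defaultdict


def ev(seq, ts, agent, action, risk, decision, approved_by=None):
    # Constructed row in the shape of the page's audit_logs entries; ts is epoch seconds (assumed).
    return {"sequence_number": seq, "ts": ts, "agent_id": agent, "action_identifier": action,
            "risk_level": risk, "decision": decision, "approved_by": approved_by}


EVENTS = [
    ev(1, 100, "agent-prod-cleanup", "aws:ec2:DescribeInstances", "READ", "ALLOW"),
    ev(2, 101, "agent-prod-cleanup", "aws:s3:DeleteBucket", "CRITICAL", "BLOCK"),
    ev(3, 102, "agent-prod-cleanup", "aws:s3:DeleteBucket", "CRITICAL", "BLOCK"),
    ev(4, 103, "agent-prod-cleanup", "aws:s3:DeleteBucket", "CRITICAL", "BLOCK"),
    ev(5, 104, "agent-reporter", "aws:logs:PutLogEvents", "WRITE", "ALLOW"),
    ev(6, 105, "agent-reporter", "aws:ec2:TerminateInstances", "CRITICAL", "ALLOW"),
    ev(7, 106, "agent-prod-cleanup", "aws:rds:DeleteDBInstance", "CRITICAL", "ALLOW",
       approved_by="oncall@acme.example"),
    ev(8, 900, "agent-prod-cleanup", "aws:s3:DeleteBucket", "CRITICAL", "BLOCK"),  # lone retry, outside window
]


def detect_repeated_block_retry(ctx, threshold=3, window_s=60):
    # ASI10 Rogue Agents: one agent re-issuing an action the gateway already blocked,
    # `threshold` times within `window_s` seconds. Fires once, when the threshold is crossed.
    recent, findings = defaultdict(list), []
    for e in sorted(ctx["events"], key=lambda e: e["ts"]):
        if e["decision"] != "BLOCK":
            continue
        key = (e["agent_id"], e["action_identifier"])
        recent[key] = hits = [t for t in recent[key] + [e["ts"]] if t > e["ts"] - window_s]
        if len(hits) == threshold:
            findings.append({"owasp_tag": "ASI10", "agent_id": key[0], "action_identifier": key[1],
                             "blocked_attempts": threshold, "last_sequence_number": e["sequence_number"]})
    return findings


def detect_critical_without_approval(ctx):
    # ASI08 Cascading Failures: a CRITICAL action that actually ran (ALLOW) with no approver recorded.
    return [{"owasp_tag": "ASI08", "agent_id": e["agent_id"], "action_identifier": e["action_identifier"],
             "sequence_number": e["sequence_number"]}
            for e in ctx["events"]
            if e["risk_level"] == "CRITICAL" and e["decision"] == "ALLOW" and not e["approved_by"]]


def run_detectors(ctx):
    return detect_repeated_block_retry(ctx) + detect_critical_without_approval(ctx)
```

On the constructed rows the retry detector fires on rows 2 to 4 but not on the lone block at row 8, and the approval detector flags row 6 while the approved row 7 passes.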
NIST AI RMF · NIST SP 800-53 · GDPR-ready

For platform engineers

Wire the SDK once. Your agents get safer, you ship faster.

  • One-line Python wrapper for LangChain + Claude Agent SDK
  • Runs in observe mode on day one, zero production risk
  • Hot-reloadable rules, no redeploy to tune
  • OpenTelemetry spans on every decision, traceable in Jaeger

For security engineers & CISOs

Every agent action, classified, gated, audited.

  • OWASP ASI01–ASI10 anomaly detectors built in
  • Immutable hash-chained audit trail, exportable to S3
  • Trust scoring and taint propagation for prompt injection defense
  • Evidence bundles mapped to NIST SP 800-53 controls

See Tracehold running against your stack.

30-minute demo. We run your real agent workflow through the gateway against a sandboxed copy of your stack.