Guardbase launches Coding Agent Attack Matrix — framework for coding agent threat modeling
Runtime Control

Every action checked in context, before it runs.

Guardbase routes every agent action through your policies the moment it happens: allow, block, redact, or ask the user. Sensitive data stays in, destructive commands never run, and your teams keep moving.

CLAUDE CODE CURSOR CODEX GEMINI FILESYSTEM CLI TOOLS MCP SERVERS WEB SEARCH
The control gap

Static permissions judge one action. Agents chain hundreds.

Each action clears the allowlist on its own. The risk lives in the combination, and only context catches it.

01 Searches the web for integration docs
Allowed
02 Reads customer records over the CRM MCP
Allowed
03 Posts a comment on a public GitHub repo
Allowed
Every action was allowed. Customer records are now in a public GitHub comment.
The decisions

Four answers for every action.

Allow, block, redact, or ask the user. Decided the moment it happens.

Allow

Work keeps moving

Most actions pass without friction. Developers don't notice Guardbase until it matters.

Block

Incidents that never happen

Destructive commands and data leaks stop before they happen, with the reason logged.

Redact

Agents work without seeing secrets

Secrets, PII, and PHI are removed in both directions: before the agent processes them, and before anything leaves.

Ask the user

People decide the edge cases

High-risk actions pause and ask the person running the agent, right in their session.

Context

Catches what static permissions can't.

Every decision weighs six things at once. It's how the chain above gets caught.

Identity

Who the agent acts as

An agent acts with the identity of whoever runs it. Decisions start there: which employee, which team, which rules apply to them.

Prior Actions

What the session already did

Risk builds across a session. Deleting a ticket is fine in a clean session, and requires permission in one that touched an untrusted source.

Data Sensitivity

What the data is

Classifiers detect PII, PHI, PCI, secrets, and credentials in everything agents read and send.

Exfiltration Channels

Where data could leave

Posting comments, sending email, creating attachments. Any action that can move data out follows stricter rules than the rest.

Untrusted Content

What the agent consumed

You define which sources count as untrusted, like web search or specific MCP servers. Once an agent reads from one, the session stays marked and policies tighten.

Command Risk

How destructive it is

Deletes, drops, force-pushes. A risky command on its own can ask the user. The same command after untrusted content is blocked.

Policy Engine

Write the policy once. Enforce it everywhere.

Set per user or group: the data agents may process, the commands they may run, the tools they may call, and where anything is allowed to go. Enforced identically across every agent and every surface, MCP or not.

Example policies
FinanceSales

Agents may process customer data, but it only goes to approved destinations. Over MCP or anywhere else.

Engineering

Customer PII never reaches the agent. Redacted before it's processed.

Everyone

After reading untrusted web content, sending anything external asks the user first.

Everyone

Destructive commands on production systems are blocked.

Sales

The CRM MCP server is available to Sales agents. No one else reaches it.

Everyone

Tool calls that send data out, like creating attachments or posting comments, need approval first.

How it works

Native hooks, decisions in your environment.

No changes to the agents themselves. No traffic leaving your environment.

01 Native agent hooks

Hook in

The same lightweight CLI as Agent Inventory configures each agent's native hooks. Enforced through managed settings that developers can't overwrite.

02 Runs in your environment

Decide

Every action routes through Guardbase, inside your environment. Fast decisions before the action runs: allow, block, redact, or ask the user.

03 Full session context

Trace

Every decision is logged with the full session behind it and the reason it was made. When something is blocked, you know exactly why.

Developer experience

Control that doesn't slow anyone down.

Inline, in the agent

Decisions show up in the agent session itself. No separate portal, no ticket, no context switch.

No workflow changes

Developers keep their agents and their setups. The native hooks do the routing.

Built to fail open

If the decision service is ever unreachable, sessions keep working. Enforcement is never the outage.

Know what you're controlling.

Runtime Control deploys through the same CLI as Agent Inventory. Start with visibility, turn on enforcement when you're ready.

FAQs

Common questions.

No. The hooks are enforced through each agent's managed settings, which can't be overwritten on a managed device.

Claude Code, Cursor, Codex, Gemini CLI, OpenCode, Amp, and more. The same policy is enforced identically across all of them.

Shell commands, file reads and writes, MCP tool calls, and web search and fetch. The ways agents actually touch your systems.

Sensitive data is detected with classifiers, and those signals feed the policies you set. The decision itself follows your policy, so enforcement doesn't depend on a model's judgment.

Sessions keep working. Guardbase is designed to fail open, so enforcement never becomes the outage.

In the Guardbase UI, per user or group. Sync with identity providers like Okta, Entra, and Google is coming soon.

More questions? Book a call →
What you get

What changes with Guardbase in place.

Fewer incidents

Risky actions stop before they run. The incident that never happens is the one you don't clean up after.

Proof on demand

Every action logged with its reason. Ready for audits, reviews, and post-incident questions.

Adoption, endorsed

Your teams already run agents. Guardbase turns that into something security can endorse, not just tolerate.

Turn your policies into enforcement.

Bring a policy from your AI usage guidelines and watch it become a runtime control on a live agent.