Oktsec is an open-source security layer for AI agent-to-agent communication. It provides cryptographic identity (Ed25519), policy enforcement, content scanning with 169+ detection rules, and a complete audit trail for every message and tool call between AI agents. Self-hosted, no LLM dependency, no cloud required.

What is the MCP Gateway?

The MCP Gateway is a security proxy that sits between MCP clients and MCP servers. It intercepts every tool call and applies per-agent identity verification, tool-level access control policies, content scanning with 169+ detection rules, rate limiting, and full audit logging — without requiring any changes to backend MCP server code.

How does Oktsec relate to Aguara?

Aguara is the open-source static security scanner that powers Oktsec's detection engine. Aguara scans skills before deployment (Layer 1). Oktsec extends the same engine with runtime enforcement via the MCP Gateway (Layer 3), cryptographic agent identity, and deployment audits. Threat intelligence from Aguara Watch feeds into both products.

Does Oktsec use AI or LLMs?

No. Oktsec uses deterministic, pattern-based detection with 169+ YAML rules plus NLP analysis (AST parsing, not LLM-based) and taint tracking. No API costs, no latency, no hallucination risk. Runs entirely on-premise.

What agent frameworks does Oktsec support?

Oktsec is framework-agnostic. It works with LangGraph, CrewAI, AutoGen, or any custom agent stack. Deploy as a standalone proxy, use the Go SDK, or expose it as an MCP tool compatible with Claude, Cursor, Windsurf, and any MCP-compatible client.

What threats does Oktsec detect?

Oktsec detects 15 categories of threats: prompt injection, data exfiltration, credential leaks, supply chain attacks, command execution, MCP-specific attacks (tool injection, name shadowing), external downloads, SSRF/cloud attacks, MCP config issues, unicode attacks, indirect injection, third-party content risks, and toxic data flows. Covers 7/10 OWASP Agentic Top 10 categories.

How does agent identity work in Oktsec?

Each agent gets an Ed25519 key pair. Every message and tool call is cryptographically signed. The receiving side verifies the signature before processing. This creates a chain of trust where every interaction is attributable to a specific agent identity, with full audit trail.

Is Oktsec open source?

Yes. Oktsec is open source and self-hosted. The detection engine (Aguara) is Apache-2.0 licensed. Available on GitHub at github.com/oktsec. 28,000+ lines of Go, 380+ tests.

Security layer for
agent-to-agent
communication

Zero verification between agents. Zero authorization on tool calls. Oktsec changes that. Every message and every tool call is signed, inspected, and logged.

You're in. We'll keep you posted on new releases and updates.

Be the first to know about new releases, rules, and integrations.

The problem

Every message is trusted.
By default.

When Agent A sends a message to Agent B, there is no identity verification, no content inspection, and no policy enforcement. Nobody is watching.

OWASP Top 10 for Agentic Applications (2026) now classifies these as critical risks.

Relay injection ASI01 · ASI07

Agent A embeds instructions in a message to Agent B, which executes them as its own. Second-order prompt injection across agent boundaries, already exploited in production.

Data exfiltration ASI07 · ASI08

Sensitive data flows through agent chains without content inspection. PII, credentials, and business data leak across trust boundaries with zero forensic trail.

Agent impersonation ASI03 · ASI10

No cryptographic identity means any agent can claim to be any other. A compromised agent escalates privileges, poisons shared memory, and coordinates attacks undetected.

Why now

Agents are everywhere.
Security is not.

40% of enterprise apps will run AI agents by end of 2026 (Gartner). 3 million active agents deployed in US/UK, only 14.4% with full security approval (Gravitee). OpenClaw reached 145K GitHub stars in weeks with 42,000 exposed instances and 93% critical auth bypass (Bitsight).

In 2026, OWASP published its first Top 10 for Agentic Applications. Inter-agent communication is now classified as a critical risk (ASI07). NIST NCCoE published a concept paper asking how to authenticate, authorize, and audit AI agents. Oktsec already implements answers to all 6 questions →

"Everyone is shipping agents. Nobody is shipping the security layer between them."

Gustavo Aragón Founder, Oktsec · Creator of Aguara

Real-world incidents

This is already happening.

ServiceNow Now Assist (Nov 2025): second-order prompt injection through an agent relay led to full PII exfiltration in production. OpenClaw (2026): 42K+ exposed instances, 93% without authentication, 512 critical vulnerabilities. CrowdStrike describes it as "a powerful AI backdoor agent."

Without Oktsec AppOmni · Nov 2025

Agent A

Reads poisoned KB article

Agent A

Forwards payload to Agent B as trusted input

Agent B

Executes injected instructions

Agent B

Exfiltrates PII to external endpoint

PII exfiltrated. Zero forensic trail.

With Oktsec Same scenario

Agent A

Reads poisoned KB article

Oktsec

Intercepts message. Content inspection triggers IAP-001.

Oktsec

Blocks message. Operator alerted via webhook.

Audit

Logs sender, content hash, rule, timestamp.

Blocked at boundary. Full audit trail.

The solution

Three layers. One security layer.

A lightweight security layer that sits between your agents and between your agents and their tools. Every message and every tool call is verified, inspected, and logged. 169+ detection rules across 15 categories. The MCP Gateway extends the same pipeline to any MCP server. No LLM in the loop. Thousands of operations per second. Open source.

Layer 01

Agent Identity

Ed25519 keypairs per agent. Every message is cryptographically signed. No message is accepted without verified sender identity.

Ed25519 signatures
Per-agent keypairs
Zero-trust by default

Layer 02

Policy Engine

YAML rules that define what each agent can send, receive, and access. Built on the same detection engine as Aguara, adapted for runtime.

YAML policy rules
169+ detection rules
15 categories
NLP + taint tracking
Tool allowlists
Content inspection

Layer 03

Audit Trail

Every inter-agent message is logged with content hash, sender identity, policy decision, and timestamp. Full forensic capability.

SHA-256 content hashes
Immutable log chain
Full forensic trail

New: MCP Gateway

Security for every MCP server.
Zero code changes.

Oktsec now sits in front of any MCP server as a Streamable HTTP proxy. Per-agent identity, tool-level access control, content scanning, rate limiting, and full audit trail. Agents that handle payments, databases, or file systems get enterprise-grade security with one YAML file.

Read the deep dive →

# 3 steps. That's it.

1. Write a YAML config

2. oktsec gateway --config gateway.yaml

3. Point agents to localhost:9090/mcp

# Every tool call now passes through:

✓ identity · ACL · content scan · rate limit · audit

Detection engine

169+ rules. 15 categories.
Zero LLM guessing.

Every rule is pattern-based and deterministic. NLP analysis detects semantic attacks. Taint tracking follows data flows that regex alone would miss. Covers 7 of 10 OWASP Agentic categories.

Prompt injection Data exfiltration Credential leak Supply chain Command execution MCP attacks SSRF / Cloud Unicode attacks NLP analysis Taint tracking +5 more

Full rule reference on GitHub · 7/10 OWASP Agentic

Security audit

Audit every agent framework. One command.

oktsec audit auto-detects installed agent frameworks and audits their configurations. Scores each product A–F. Outputs SARIF for GitHub Code Scanning and CI pipelines.

$ oktsec audit
Oktsec Audit — Security Configuration Report
 
  oktsec  /home/user/oktsec.yaml
    Score: 85/100 (B)
    ✓ 6 passed  ⚠ 2 warnings
 
  OpenClaw  /home/user/.openclaw/openclaw.json
    Score: 30/100 (F)
    ✗ 5 critical  ✗ 3 high
 
    OC-001  CRITICAL  tools.profile is "full" with no deny list
    OC-002  HIGH      gateway exposed to network (0.0.0.0)
    OC-003  HIGH      dmPolicy is "open"
 
  NanoClaw  /home/user/.nanoclaw/config.json
    Score: 65/100 (C)
    ✗ 1 critical  ⚠ 3 warnings

Auto-detects OpenClaw, NanoClaw, and Oktsec configs. A-F grading. SARIF output for GitHub Code Scanning and CI pipelines.

Performance

Benchmarked. Not promised.

Real numbers from real benchmarks on a single node. The core works today. Capital accelerates the path to enterprise scale.

Metric	Open Source (today)	Enterprise (next)
Throughput	5,500 msg/sec · 90,000 batched	Distributed writers, horizontal scaling
Signature	~50µs sign · ~120µs verify	Go stdlib, no bottleneck
Queries	<6ms at 1M+ rows	ClickHouse for multi-billion rows
Deployment	Single binary · Docker	K8s · Managed cloud · Multi-region

28,000+ lines of Go. 380+ tests. Open source covers startups and design partners from day one. Enterprise scaling is an engineering problem with a known path.

Implementation

Framework-agnostic. Drop-in security.

Oktsec doesn't care what orchestrator you use. LangGraph, CrewAI, AutoGen, or your own custom stack. Route agent traffic through Oktsec and every message gets identity-verified, policy-checked, and logged.

1 Deploy Oktsec

→

2 Define policies

→

3 Point agents

→

✓ Secured

Layer

Standalone proxy

Single binary or container. Sits between agents. Any framework, any language. No SDK required.

SDK

Go SDK

Import as a library for Ed25519 signing, content inspection, and injection detection. No separate process.

MCP

MCP server

Expose Oktsec as an MCP tool. Works with Claude, Cursor, Windsurf, and any MCP-compatible client.

Landscape

What exists today.

Agent security is an emerging category. Each approach solves a piece of the problem.

Approach	Strength	Gap
Oktsec Rule-based security layer	Identity + policy + content inspection + audit at the message level. No AI guessing, local-first, open source. 7/10 OWASP Agentic	Early stage. Not yet enterprise-hardened, no cloud-hosted option yet.
AI firewalls Cisco AI Defense, Lakera	Network-level prompt filtering, enterprise scale	No agent identity, no inter-agent policy, LLM-based
Agent identity Multifactor, AIM	Cryptographic agent identity, auth protocols	No content inspection, no runtime policy at the message level
Static scanners mcp-scan, Invariant	Pre-deploy vulnerability detection, open source	No runtime protection. Scans before deploy, not during execution.

Ecosystem

Built on Aguara.
Extended for runtime.

Aguara scans skills before deployment. Aguara Watch crawls 7 registries tracking 40K+ skills. Oktsec extends the engine with runtime enforcement, cryptographic identity, and deployment audits. Each tool feeds data back into the detection engine.

Aguara Scan

153+ rules · 13 categories · NLP · Taint

→

Aguara Watch

40K+ skills · 7 registries · 4x daily · A–F grades

→

Oktsec

Runtime security · MCP server

Same detection engine. Data flows both ways.

Market opportunity

The security layer between AI agents
does not exist yet.

Every previous computing paradigm created a dedicated security category: firewalls for networks, IAM for cloud, EDR for endpoints. AI agents are the next platform shift, and the inter-agent communication layer is entirely unprotected.

TAM

$8.4B by 2028

AI security market growing at 23.3% CAGR. Agent security is the fastest-growing subsegment as enterprise adoption accelerates.

TIMING

40% of enterprise apps

Gartner predicts 40% of enterprise applications will feature AI agents by end of 2026, up from less than 5% in 2025. The adoption curve is vertical.

GAP

14% with security approval

3 million agents deployed in production, only 14.4% with full security approval. Enterprises need tooling before they can scale agent deployments.

Why Oktsec wins this market

Open-source wedge. Aguara is already the most comprehensive open-source AI agent scanner (169+ rules, 15 categories). Community adoption drives distribution.

Data moat. Aguara Watch scans 40,000+ skills across 7 registries every 6 hours. This threat intelligence feeds directly into the detection engine.

Full stack. Only solution that combines pre-deployment scanning, runtime enforcement, cryptographic identity, and audit trail in one product family.

No LLM dependency. Deterministic, pattern-based detection. No API costs, no latency, no hallucination risk. Runs entirely on-premise.

Security layer for agent-to-agent communication

Every message is trusted.By default.

Relay injection ASI01 · ASI07

Data exfiltration ASI07 · ASI08

Agent impersonation ASI03 · ASI10

Agents are everywhere.Security is not.

This is already happening.

Three layers. One security layer.

Agent Identity

Policy Engine

Audit Trail

Security for every MCP server.Zero code changes.

169+ rules. 15 categories.Zero LLM guessing.

Audit every agent framework. One command.

Benchmarked. Not promised.

Framework-agnostic. Drop-in security.

Standalone proxy

Go SDK

MCP server

What exists today.

Built on Aguara.Extended for runtime.

The security layer between AI agentsdoes not exist yet.

$8.4B by 2028

40% of enterprise apps

14% with security approval

Building the security infrastructurefor AI agents.

Security layer for
agent-to-agent
communication

Every message is trusted.
By default.

Agents are everywhere.
Security is not.

Security for every MCP server.
Zero code changes.

169+ rules. 15 categories.
Zero LLM guessing.

Built on Aguara.
Extended for runtime.

The security layer between AI agents
does not exist yet.

Building the security infrastructure
for AI agents.