# Oktsec — Security Layer for AI Agent-to-Agent Communication

> Open-source security layer for AI agent communication. Every message and every tool call is signed, inspected, and logged. 169+ detection rules across 15 categories (Aguara engine), including NLP analysis and taint tracking. Cryptographic identity, policy enforcement, and full audit trail. Multi-product security audit with SARIF output. Covers 7/10 OWASP Agentic categories. Self-hosted, no LLM, no cloud.

## Product Overview

Oktsec is a lightweight security layer that sits between AI agents and between agents and their tools. It provides:

- Cryptographic agent identity using Ed25519 key pairs
- Message-level signing and verification for every interaction
- Policy enforcement with tool-level allow/deny rules per agent
- Content scanning using the Aguara detection engine (169+ rules)
- Rate limiting per agent identity
- Complete audit trail with SARIF output
- MCP Gateway for securing any MCP server without code changes

Framework-agnostic: works with LangGraph, CrewAI, AutoGen, or any custom agent stack. Route agent traffic through Oktsec and every message gets identity-verified, policy-checked, and logged.

## Architecture — Three Layers of Defense

### Layer 1: Static Analysis (Aguara Scanner)

Pre-runtime detection of malicious skills and MCP servers. 148+ YAML rules plus NLP and taint tracking analyzers. Runs before deployment.

### Layer 2: Runtime Isolation

Container-level separation of agent workloads. Docker-based sandboxing for individual agent processes.

### Layer 3: Runtime Enforcement (MCP Gateway)

Message-level identity verification and policy enforcement during execution.

The MCP Gateway sits between MCP clients and MCP servers, intercepting every tool call with:

- Per-agent identity verification (Ed25519 signatures)
- Tool-level access control policies (YAML-based allow/deny)
- Content scanning on every request and response (169+ detection rules)
- Rate limiting per agent
- Full audit logging

No changes to backend MCP server code required. Deploy as a proxy.

## Detection Categories (15 total, 169+ rules)

1. Credential Leak — 19 rules — API keys (OpenAI, AWS, GCP, Stripe, Anthropic), private keys, DB strings, credential logging
2. Prompt Injection — 17 + NLP — Instruction overrides, role switching, delimiter injection, jailbreaks, obfuscation, agent spawning
3. External Download — 17 rules — Binary downloads, curl-pipe-shell, unpinned npm/pip/go/cargo installs, Docker pull
4. Data Exfiltration — 16 + NLP — Webhooks, DNS tunneling, env var leaks, sensitive file reads, clipboard, screenshot
5. Command Execution — 16 rules — shell=True, eval, subprocess, child_process, PowerShell, hex/octal obfuscation
6. Supply Chain — 15 rules — Suspicious install scripts, obfuscated shell, reverse shells, privilege escalation, container bind mounts
7. MCP Attack — 12 rules — Tool injection, name shadowing, manifest tampering, capability escalation, prototype pollution
8. SSRF & Cloud — 10 rules — Metadata endpoints, IMDS, Docker socket, K8s service discovery, DNS rebinding, IPv6 encoding
9. MCP Config — 8 rules — Unpinned npx servers, hardcoded secrets, shell metacharacters, Docker privileges
10. Unicode Attack — 7 rules — RTL override, bidi characters, homoglyphs, tag characters, Punycode
11. Indirect Injection — 6 rules — Fetch-and-follow, remote config loading, unscoped bash tools
12. Third-Party Content — 5 rules — Mutable content, unvalidated responses, remote templates, unescaped user input
13. Toxic Flow — 3 rules — Source-to-sink taint: private data to public output, credential theft, destructive ops
14. NLP Analysis — Dynamic — Semantic attack detection via Goldmark AST parsing
15. Rug-Pull Detection — Dynamic — Hash-based change tracking across scans

## Implementation Options

1. **Standalone proxy** — Single binary or container. Sits between agents. Any framework, any language. No SDK required.
2. **Go SDK** — Import as a library for Ed25519 signing, content inspection, and injection detection. No separate process.
3. **MCP server** — Expose Oktsec as an MCP tool. Works with Claude, Cursor, Windsurf, and any MCP-compatible client.

## Security Audit

`oktsec audit` auto-detects installed agent frameworks (OpenClaw, NanoClaw, Oktsec) and audits their configurations. A-F grading. SARIF output for GitHub Code Scanning and CI pipelines.

## Performance

- Throughput: 5,500 msg/sec, 90,000 batched
- Signature: ~50us sign, ~120us verify (Ed25519)
- Queries: <6ms at 1M+ rows
- Deployment: Single binary or Docker
- Codebase: 28,000+ lines of Go, 380+ tests

## Frequently Asked Questions

### What is Oktsec?

Oktsec is an open-source security layer for AI agent-to-agent communication. It provides cryptographic identity, policy enforcement, content scanning, and audit trails for every message and tool call between AI agents. Self-hosted, no LLM dependency, no cloud required.

### What is the MCP Gateway?

The MCP Gateway is a security proxy that sits between MCP clients and MCP servers. It intercepts every tool call and applies per-agent identity verification, tool-level access control policies, content scanning with 169+ detection rules, rate limiting, and full audit logging — without requiring any changes to the backend MCP server code.

### How does Oktsec relate to Aguara?

Aguara is the open-source static security scanner that powers Oktsec's detection engine. Aguara scans skills before deployment (Layer 1). Oktsec extends the same detection engine with runtime enforcement via the MCP Gateway (Layer 3), cryptographic agent identity, and deployment audits. Data flows both ways — threat intelligence from Aguara Watch feeds into Oktsec's runtime rules.

### Does Oktsec use AI or LLMs?

No. Oktsec uses deterministic, pattern-based detection. No API costs, no latency, no hallucination risk. 169+ YAML rules plus NLP analysis (Goldmark AST parsing, not LLM-based) and taint tracking. Runs entirely on-premise.

### What agent frameworks does Oktsec support?

Oktsec is framework-agnostic. It works with LangGraph, CrewAI, AutoGen, or any custom agent stack. Route agent traffic through Oktsec as a proxy, use the Go SDK, or expose it as an MCP tool.

### What threats does Oktsec detect?

Oktsec detects 15 categories of threats including prompt injection, data exfiltration, credential leaks, supply chain attacks, command execution, MCP-specific attacks (tool injection, name shadowing), SSRF, unicode attacks, indirect injection, and toxic data flows. Covers 7/10 OWASP Agentic Top 10 categories.

### How does agent identity work?

Each agent gets an Ed25519 key pair. Every message and tool call is cryptographically signed. The receiving side verifies the signature before processing. This creates a chain of trust where every interaction is attributable to a specific agent identity.

### Is Oktsec open source?

Yes. Oktsec is open source and self-hosted. The detection engine (Aguara) is Apache-2.0 licensed. Available on GitHub at github.com/oktsec.

## Blog Posts

- [Academic Research Validates the Zero-Trust Runtime Architecture Oktsec Implements](https://oktsec.com/blog/agentic-ai-attack-surface-academic-validation/) — Researchers at Northeastern, NYU, UCSD, and UIUC formalize the agentic AI threat model with Stochastic Dependency Resolution, the Viral Agent Loop, and a Zero-Trust Runtime Architecture. Every recommendation maps to a shipping Oktsec feature: Ed25519 identity, MCP Gateway, per-agent tool allowlists, taint tracking, and SARIF audit output.
- [Oktsec v0.6.0: MCP Gateway, Security Hardening & Coordinated Stack Release](https://oktsec.com/blog/v0-6-0-mcp-gateway-release/) — New MCP Gateway mode (Streamable HTTP, multi-backend, per-agent tool allowlists), 21 SSRF CIDR blocks, 15 credential redaction patterns, replay protection, 17 MCP client discovery, official modelcontextprotocol/go-sdk v1.4.0 migration. Coordinated with Aguara v0.4.0 (153 rules) and Watch expansion (42,969 skills, 7 registries).
- [MCP Gateway: A Security Layer for Every MCP Server](https://oktsec.com/blog/mcp-gateway-security-layer/) — Oktsec now acts as a security gateway for any MCP server. Per-agent identity, tool-level policies, content scanning, and audit trails without changing backend code.
- [Kali Linux Just Proved That AI Agents Are Offensive Security Tools](https://oktsec.com/blog/kali-mcp-agents-attack-surface/) — Kali Linux officially integrates Claude Desktop to control pentesting tools via MCP. When agents can run nmap and metasploit through natural language, policy enforcement and identity verification become requirements.
- [NIST's AI Agent Identity Paper Validates the Oktsec Thesis](https://oktsec.com/blog/nist-ai-agent-identity-authorization/) — NIST NCCoE asks 6 questions about AI agent identity, authentication, and authorization. Oktsec already implements answers to all of them.
- [From Open-Source Scanner to Security Platform in 14 Days](https://oktsec.com/blog/from-scanner-to-security-platform/) — How Aguara's open-source scanner, observatory, and MCP server created a compounding data advantage. 42,655 skills, 7 registries, 148 detection rules.
- [Static Analysis + Runtime Isolation: A Defense-in-Depth Framework](https://oktsec.com/blog/static-analysis-plus-runtime-isolation/) — Why neither Docker sandboxes nor static scanning alone is enough. A practical framework combining pre-runtime analysis with runtime isolation for enterprise AI agent deployments.
- [The OpenClaw Security Crisis: What Enterprise Teams Need to Know](https://oktsec.com/blog/openclaw-security-crisis-enterprise-guide/) — CVE-2026-25253, 76 confirmed malicious skills, 42,665 exposed instances. A concise briefing on the risks and mitigations for teams evaluating AI coding agents.
- [Why Agent-to-Agent Security is the Next Enterprise Requirement](https://oktsec.com/blog/agent-to-agent-security-enterprise-requirement/) — Gartner projects 33% of enterprise software will include agentic AI by 2028. As agents communicate with agents, security shifts from perimeter defense to message-level verification.

## Related Products

- [Aguara Scanner](https://aguarascan.com/) — Open-source static security scanner for AI agent skills and MCP servers. 148+ rules, 13 categories. The detection engine that powers Oktsec.
- [Aguara Watch](https://watch.aguarascan.com/) — Continuous threat monitoring dashboard. 40,000+ skills scanned across 7 registries, 4x daily.
- [Aguara MCP Server](https://github.com/garagon/aguara-mcp) — Native MCP tool that gives AI agents direct access to security scanning capabilities.

## Links

- Website: https://oktsec.com
- GitHub: https://github.com/oktsec
- Blog: https://oktsec.com/blog/
- Aguara Scanner: https://aguarascan.com
- Aguara Watch: https://watch.aguarascan.com
- Founder: Gustavo Aragon (https://www.linkedin.com/in/gustavoaragon/)
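## Worked Example: Signed Tool Calls with Replay Protection and a Tool Allowlist

The flow described under "How does agent identity work?" and in the MCP Gateway section (Ed25519 signature per tool call, verification before processing, per-agent tool allow/deny, replay protection), as an added illustration in Go. This is not Oktsec's own code or wire format: the `ToolCall` envelope, the `Gateway` struct and the error strings are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// ToolCall is a hypothetical envelope for one tool call (assumed here, not Oktsec's wire format).
type ToolCall struct {
	AgentID   string            `json:"agent_id"`
	Tool      string            `json:"tool"`
	Args      map[string]string `json:"args"`
	Timestamp int64             `json:"ts"`    // unix seconds; bounds the replay window
	Nonce     string            `json:"nonce"` // unique per message; rejects exact replays
}

// Sign runs on the calling agent with its Ed25519 private key.
func Sign(priv ed25519.PrivateKey, c ToolCall) []byte {
	b, _ := json.Marshal(c) // deterministic bytes: fixed field order, sorted map keys; cannot fail for these types
	return ed25519.Sign(priv, b)
}

type Gateway struct {
	Keys   map[string]ed25519.PublicKey // agent ID -> trusted public key
	Allow  map[string]map[string]bool   // agent ID -> tools it may call
	Seen   map[string]bool              // nonces already accepted
	MaxAge time.Duration                // tolerated clock skew / delivery delay
}

// Verify checks identity, freshness, replay and policy in that order; any failure rejects the call.
func (g *Gateway) Verify(c ToolCall, sig []byte, now time.Time) error {
	b, _ := json.Marshal(c)
	if pub, ok := g.Keys[c.AgentID]; !ok || !ed25519.Verify(pub, b, sig) {
		return errors.New("unknown agent or bad signature") // any field altered after signing fails here
	}
	if age := now.Sub(time.Unix(c.Timestamp, 0)); age < 0 || age > g.MaxAge {
		return errors.New("stale timestamp")
	}
	if g.Seen[c.Nonce] {
		return errors.New("replay")
	}
	if !g.Allow[c.AgentID][c.Tool] {
		return errors.New("tool denied by policy")
	}
	g.Seen[c.Nonce] = true // record only after every check passes
	return nil
}
```

The nonce set is kept in memory for brevity; a real gateway would bound it to the `MaxAge` window and persist it alongside the audit log.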