Network-isolated execution environments with controlled egress, domain allowlists, credential injection, and a multi-tenant control plane. Run untrusted AI agents without risking your infrastructure.
Every layer is designed to prevent data exfiltration, supply chain attacks, and lateral movement from untrusted AI agents.
Cells run in isolated Docker networks with no direct internet access. All egress is routed through an Envoy proxy with domain-level allowlists. DNS queries are filtered through CoreDNS. IPv6 is disabled to prevent bypass.
Fine-grained egress control per domain: allowlists, path filtering, per-domain rate limits, and credential injection. Agents can only reach the APIs you explicitly allow, with the exact credentials you provide.
Manage multiple data planes from a single dashboard. Multi-tenant RBAC, full audit trail, log aggregation, analytics, and a web terminal. Policy changes sync automatically to connected cells.
Defense in depth with syscall filtering via seccomp profiles and optional gVisor kernel-level sandboxing. Resource limits (CPU, memory) are enforced per-cell. Raw socket creation is blocked.
API keys and tokens are stored encrypted and injected into requests at the proxy layer. Agents never see raw credentials — they just make requests and the proxy adds the right headers automatically.
Full visibility into what your agents are doing. HTTP request logs, DNS queries, blocked domains, bandwidth analytics, and security events — all searchable and filterable from the dashboard.
Three steps to secure your AI agents.
One-click OAuth login. Your tenant and workspace are created automatically — no setup required.
Register a cell from the dashboard and grab the connection token. Then bring up your own data plane with Docker, or let us manage it for you.
Add domain allowlists, inject credentials, set rate limits, and assign security profiles — all from the web dashboard. Changes sync to your cells in real time.
The Cagent data plane is fully open source. Network-isolated cells, Envoy proxy, CoreDNS filtering, gVisor sandboxing, credential injection — all available on GitHub. Run it standalone or connect it to the managed control plane.