Security & compliance

Security built for prompts, tools, and action chains.

Agents introduce a new attack surface — injected prompts, misused tools, runaway cost, and silent data access. Cortex puts every run behind eight fail-closed gates, scoped RBAC, DLP, and automated detection & response, all recorded in a tamper-evident ledger your auditors can verify.

Aligned with SOC 2 · ISO 27001 · ISO 42001 · EU AI Act · NIST AI RMF

MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
The agent threat model

A new attack surface, governed by default.

Cortex defends the layers a traditional appsec stack never sees: the prompt, the tool call, the model choice, and the chain of actions an agent takes on its own. Every control is fail-closed — deny is the default, and nothing executes without passing the gates.

Fail-closed gates

Eight runtime gates run on every agent action. A missing identity, blown budget, blocked guardrail, or denied policy stops the run — no override path without an audited break-glass event.

Scoped RBAC

Tenant-scoped users, roles, and API keys. The gateway derives the trusted tenant and actor from the key and overwrites any caller-supplied identity, so a token can never act outside its tenant.

Detection & response

Five rules watch the signals Cortex already emits — injection attempts, cost spikes, repeated failures, policy denials, break-glass — and auto-contain the offending agent or tool.

Provable audit

Every gate decision lands in a hash-chained Trust Ledger with signed receipts. verifyChain detects any edit and returns the broken sequence number — hashOk:false.

Fail-closed by design

The eight governance gates every run must pass.

Identity → budget → guardrails → registry → control tower → execute → output guardrails → audit. If any gate denies, the run never reaches the model or the tool. Deny is the default.

01Identitydeny 40302Budgetdeny 40203Guardrailsdeny 45104Registrydeny 40405Control Towerdeny 40906Executepass07Output guarddeny 45108Auditpass
403 MODEL_NOT_ALLOWED402 budget cap reachedguardrail block403 IDENTITY_EXPIRED409 inactive identity
Access control & data protection

Who can act, on what, and what may leave.

Identity-aware access for humans, agents, and API keys — paired with data-loss prevention scanning on every input and output.

Users & roles
  • Tenant-scoped users with owner / admin / member roles
  • Admin guards on every control-plane mutation
  • Control Tower pause restricted to admins
  • Demo-login client paths gated out of production
API keys
  • Gateway derives trusted tenant + actor from the key
  • Caller-supplied identity is overwritten, never trusted
  • Keys scoped to a single tenant — no cross-tenant reach
  • Rotation-ready; secrets fail closed without an env key
Agent identity (IAM)
  • Each agent carries owner, purpose, risk tier, expiry
  • Allowed models & actions enforced at runtime
  • Expired identity → 403 IDENTITY_EXPIRED before execution
  • Token mint refuses inactive (409) or expired (403)
DLP — input & output
  • Input guardrails scan prompts before model or tool runs
  • Prompt-injection rejection emits an InputBlocked event
  • Output guardrails screen generated artifacts before release
  • MCP gateway runs DLP in/out on every tool exchange
Agent Detection & Response

From suspicious signal to automated containment.

ADR turns the run, action, and security events Cortex already records into incidents — then contains the offending agent or tool without waiting for a human, while every step is logged.

Signals Cortex already emits
Suspicious prompts
Tool misuse
Unusual data access
Cost spikes
Repeated denials
Detection rules
injection_attemptcost_spikerepeated_failuresrepeated_policy_denialbreak_glass
Incident opened
Automated containment
Pause
Disable
Revoke
autoContained · pause via Control Tower
How containment works

Five rules, deduped incidents, and a Control Tower kill switch.

A scan evaluates every rule against the last 24 hours of signals and opens incidents — deduped by ruleKey::subjectId against anything already open or contained, so you are not buried in repeats. Containment pauses the subject agent or tool through the same Control Tower switch that runs your whole fleet.

  • cost_spike — a run over the cost threshold in 24h
  • injection_attempt — blocked prompt-injection inputs per agent
  • repeated_policy_denial — denials past the threshold
  • Contain marks autoContained and emits SecurityIncidentContained
MCP Gateway
tool reqtool reqtool reqfirewallallowlistDLP in/outrate limitrisk scoreallowdeny
mcp ▸ managed registry · kill switch armed
01Identitydeny 40302Budgetdeny 40203Guardrailsdeny 45104Registrydeny 40405Control Towerdeny 40906Executepass07Output guarddeny 45108Auditpass
Multi-tenant isolation

One tenant can never reach another's data.

Every tenant-owned resource is keyed and queried on (tenantId, id). The gateway pins the tenant from the API key, control-plane reads and writes require tenant context, and cross-tenant negative tests guard workflows, knowledge, ontology, audit, billing, and triggers.

  • Tenant ID required on every tenant-owned operation
  • Predicates use (tenantId, id) for read / update / delete
  • Trusted tenant derived from the key, not from caller input
  • Hardened pod defaults: non-root, read-only FS, NetworkPolicy
Straight talk on posture

What's enforced today — and what we're still hardening.

We document our security posture honestly so your review team can trust it. Cortex is aligned with the frameworks below; certifications are pursued, not claimed.

Enforced now
  • Eight fail-closed runtime gates on every run
  • Gateway API-key guard with derived tenant + actor
  • Agent IAM with risk tier, expiry, allowed models
  • Input + output guardrails and MCP DLP
  • Hash-chained Trust Ledger with signed receipts
  • ADR scan, dedupe, and auto-containment
Hardening toward production
  • Internal service auth fail-closed without a key
  • Audit/event write paths source-signed end to end
  • Container / microVM sandbox replacing dev executor
  • Durable Redpanda/Kafka eventing with outbox
  • App-level CSP and security headers
  • Real-time streaming ADR (today: on-demand scan)
Security & compliance

Mapped to the frameworks your auditors already use.

Cortex is built for and aligned with the controls below — with one-click evidence export through Compliance Packs. Aligned with, not certified.

SOC 2ISO 27001ISO 42001HIPAAGDPREU AI ActNIST AI RMFFINRA

Put your agents through the security review with confidence.

Fail-closed gates, scoped RBAC, DLP, detection & response, and a provable ledger — the controls your enterprise review demands, ready before you deploy.