“Most security categories are named after the threat. The agent firewall is named after the control surface — because the threat doesn’t have a name yet, only a shape.”
Why This Category Exists Now
The shape: software that reasons, executes, and acts on behalf of a human. Code that decides what to do next based on a prompt and the state of your filesystem. A program that opens network connections you didn’t authorize, because the model thought it would help finish the task. The name people will eventually settle on — AI agent — undersells how strange this is from a security architect’s perspective.
For the first time since the original endpoint protection wave, there is a control surface in the enterprise that no existing tool covers. And it’s accumulating exposure faster than any prior category formed.
| Headline metric | What it measures |
|---|---|
| 88% | Organizations reporting at least one AI agent security incident in the last year |
| +$670K | Average shadow-AI premium per incident, above the cyber breach baseline |
| 12–18 months | Window before this category has an entrenched control-plane vendor |
This is not a forecast. It’s an active backlog of incidents that current tools cannot pattern-match on, accumulating across every enterprise running modern AI tooling.
What the Existing Stack Cannot See
Every security architecture review starts the same way: which tool category covers which threat? For agent risk, the answer is “none of them.” The mismatch is not subtle.
| Category | Built for | Operates at | What it misses about agents |
|---|---|---|---|
| EDR / XDR (CrowdStrike, SentinelOne, Defender) | Malware behavior, process anomalies | OS process layer | Agent binaries are signed; behavior matches an authorized user |
| DLP (Symantec, Forcepoint, Microsoft Purview) | Data exfiltration | Network egress, file ops | Agents destroy rather than exfiltrate; deletion classifies as benign |
| CASB / API gateway | Sanctioned SaaS API traffic | Application API layer | Agents call OS syscalls directly; they don’t route through gateways |
| Prompt guardrails (Lakera, Protect AI) | Pre-execution filtering of LLM I/O | Above the OS, in app memory | By the time the action hits the kernel, the prompt is gone |
| SIEM / observability (Splunk, Datadog) | Forensics, post-hoc analysis | Log layer | The action is irreversible by the time it shows up in a dashboard |
EDR vendors will catch up — eventually. But agent runtime governance is fundamentally a different control point than process anomaly detection. It requires a kernel layer that intercepts what an agent is allowed to do before the action reaches the OS, not after.
What First-Generation AI Security Misses
The other side of the market — the prompt-guardrail and output-classifier vendors who got funded in 2023 and 2024 — built for a world where the AI was a chat interface. The threat model was prompt injection, jailbreak, and data exfiltration via response.
That world is over. The threat model has moved to agents that take actions on the endpoint. None of the prompt-layer vendors operate at the OS layer. None of them see what happens after the agent decides to write a file, open a socket, or modify the registry.
The result: the enterprise has two adjacent stacks, neither of which sees the surface where agents actually operate. The CISO is asked to govern something they cannot observe.
Where the Agent Firewall Sits
The agent firewall is the missing primitive: a kernel-level control plane for AI agent behavior on the endpoint. It enforces policy at the boundary where the agent’s request becomes an OS-level action — file I/O, registry write, network connection, inter-process call.
Three architectural properties separate it from what came before:
| Property | What it means | Why it matters |
|---|---|---|
| Per-agent policy, not per-process | Policy follows the agent identity, not the binary path | A coding agent can reach GitHub but not Salesforce; a research agent can read documents but not modify them |
| Copy-on-write isolation | Violating ops are cloned into a sandbox rather than denied | Agent gets the result it expected; original resource untouched; productivity preserved |
| Continuous signature pipeline | New agents catalogued automatically, restrictive defaults applied | Unsanctioned tools get governed before they’re even known to procurement |
The four kernel scopes the firewall enforces across:
| Scope | What it controls | Failure mode without it |
|---|---|---|
| Filesystem | Path-level read / write / delete | Codebase wipe, credential theft from ~/.aws/, leak of customer data on disk |
| Registry (Windows) | Persistent system configuration | Agent establishing persistence, modifying group policy, tampering with other software |
| Network | Per-process socket connections, destinations | Agent reaching unauthorized SaaS, exfiltrating to attacker-controlled endpoints |
| Object / IPC | Inter-process communication, shared memory | Agent injecting into other processes, coordinating across the box |
A fifth scope — WSL and VM containers — is on the roadmap. The architectural pattern extends naturally; the engineering work is incremental.
Why the Window Is 12–18 Months
Categories like this don’t stay open forever. Three forces converge to close them, and they’re all already firing:
| Force | What it does | Timing |
|---|---|---|
| Architectural lock-in | Whoever ships first defines the integration patterns the ecosystem standardizes on — policy YAML schema, audit-trail format, telemetry API | Standardizes within 9–12 months of category emergence |
| Procurement gravity | Once a CISO has signed a six-figure contract for “agent governance,” they don’t sign a second one a year later | First-mover wins the vertical; second-mover sells to the runner-up |
| The acquirer test | EDR, identity, and SaaS-posture platforms all want to bolt this on. The first independent vendor with real coverage becomes the obvious acquisition target. The second becomes a feature | Strategic acquisition window opens at 12–18 months, closes by 24 |
The 12-to-18 month window is the time before one of those forces fires. Working backwards: whoever has shipped a credible product, deployed it at three named customers, and published the security architecture by mid-2027 owns the category.
What This Is and Isn’t
For a CISO sizing this category against existing line items in the budget:
| The agent firewall is | The agent firewall is not |
|---|---|
| A kernel-level enforcement layer for AI agent behavior on managed endpoints | A replacement for EDR, identity, or DLP — it sits alongside them |
| Per-agent policy that travels with the agent identity, not the binary | A prompt-guardrail or output classifier — those operate above the OS |
| A control plane for both standalone agents and embedded SaaS agents | A SaaS-posture or CASB tool — that surface is the application API layer |
| Copy-on-write semantics that preserve productivity | A block-on-deny tool that triggers organ rejection from engineering teams |
| Designed to feed SIEM / UEBA as a new risk dimension | A standalone reporting console — it’s a control point, not a dashboard |
The Bet
We’re building the agent firewall because we think most security companies will mistake this for an extension of their existing product line — when it’s actually a new control surface that requires kernel work, signature infrastructure, and a different architectural posture than anything in the AI-security or EDR markets today.
| Most likely outcome from incumbents | Why it falls short |
|---|---|
| EDR vendors add an “AI agent module” | The control point is wrong — they instrument the process layer, not the kernel scopes where agent intent becomes side effect |
| Prompt-guardrail vendors add endpoint telemetry | They have no kernel driver work; OS-level enforcement is years away |
| SaaS-posture platforms expand to “AI governance” | They cover Species 1 (embedded SaaS agents) but miss Species 2 entirely — the standalone agents on developer laptops |
| EDR M&A consolidation absorbs a startup | This is the most likely 24-month outcome, and is the reason the window closes when it does |
For the enterprise, the strategic question isn’t whether this category exists. It’s whether to govern it now — when the choice is wide and the cost of inventory plus a top-decile pilot is measured in weeks — or after the first wipe-out incident, when the board is asking different questions.
The Bottom Line
The agent firewall is the missing control surface in the modern endpoint security stack. EDR doesn’t see it. DLP doesn’t see it. CASB and prompt guardrails operate at the wrong layers. Only kernel-grade isolation — per-agent policy, copy-on-write semantics, continuous agent observability — sits at the layer where intent becomes OS-level action.
Field notes from inside the build will land on this blog on most days. Subjects include what the signature pipeline is finding in active deployments, how copy-on-write is performing across the four kernel scopes, and how design partners are using policy to enable agentic productivity rather than gate it.
If you’re a CISO, security engineer, or operator thinking about this surface, request a working session. We will walk through your environment, run the inventory, score the top agents we find, and scope a deployment. The first inventory and score take 90 minutes.