Hlyn

AI AGENTS WILL GET COMPROMISED.
WHAT HAPPENS NEXT SHOULD BE PREDICTABLE.

Problem

No matter how good detection gets, sooner or later something gets through. Most teams never prepare for what happens next.

Triquetra

You can't stop everything.

Every team building AI agents is trying to stop the next attack. They should. Better prompt injection defenses, better jailbreak detection, better guardrails. The whole industry is trying to stop it before it reaches an agent.

Borromean Rings

You don't know what's happening.

Nobody catches everything. New attacks show up. Zero-days happen. Something gets through. Now you're checking logs, revoking credentials, trying to find what the agent already touched. Every minute, the list gets longer.

Valknut

You find out too late.

Very few teams prepare for everything that comes after it. Eventually, you figure out what the agent accessed, what it changed, and what it never reached. By then, you're just looking at the damage.

Solution

Every agent starts inside its own isolated environment. Think of it as giving every agent its own space to work in. Everything the agent can see, use, and interact with is defined before it starts. Every action the agent takes happens inside that environment. The environment makes sure the outcome stays predictable.

Setup

Install hlyn package

$ pip install hlyn
Resolving dependencies...
✓ hlyn 2.0 installed
✓ hlyn-core, hlyn-enforce, hlyn-audit
$ hlyn activate environment
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
 non-rootless container runtime — Landlock needs unprivileged exec

Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes.

Configure your environment

environment.py
from hlyn import Environment

env = Environment(
    name="production",
    agent="agent-environment-01",
    isolation="kernel",
    trace=True
)

env.status()
# > boundary: ACTIVE
# > integrity: 100%

Set environment policy

containment.policy.yaml
# containment.policy.yaml
environment: production

enforcement:
  seccomp: strict
  landlock:
    filesystem: read-only
    deny_paths: ["env.secrets", "env.credentials"]
  network:
    namespace: isolated
    egress: deny
    allow_hosts: []
  binary_identity: verify
  process_isolation: true

audit:
  log: true
  retention_days: 90

Deploy environment

$ hlyn deploy --policy containment.policy.yaml
Applying kernel-level enforcement...
✓ seccomp BPF filters loaded
✓ Landlock LSM rules applied
✓ Network namespace isolated
✓ Binary identity tracking active
✓ Audit trail: LOGGED
✓ Escape vector: NONE

Environment sealed. Blast radius capped.
ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT

Frequently
asked
questions

Docker is built for packaging and deployment, not for containing a compromised process. An agent inside a container can still reach the network, read mounted files, and use whatever the container has access to. We enforce a layer below that, controlling what the agent can read, call, or reach, even inside a container.
Most AI security products focus on preventing attacks. We focus on what happens after one succeeds. You don't need another promise that prompt injection or jailbreaks will never happen—you need to know exactly what a compromised agent can still do. That's the problem we solve.
It depends, and that's the problem. Today there's no standard way to know how far a compromised agent can go. Every setup is different, and most teams don't know the real worst case until something goes wrong.
Not that attacks never happen, nobody can promise that. We promise that when one does, the outcome is already known. You can say, before anything goes wrong, exactly where the worst case ends. That's not true for most agent setups today.
It means knowing the answer in advance. Ask, "What's the worst this agent can do right now if it's compromised?" and you get a real answer, not a guess. That answer stays the same no matter which attack gets through.
No. Each agent runs in its own isolated space. A compromised agent can't reach another agent unless you explicitly allow it.
What the agent can read, what tools it can use, what network calls it can make, what commands it can run, and what systems it can access. If the agent can do it, we can enforce boundaries around it.
No. We only block things the agent was never supposed to do anyway. Everything it's meant to do keeps working exactly the same.
At the operating-system level, not by another program watching the agent. That matters because the agent can't see the boundary, so it can't find a way around it.
No. Since the rules run at the OS level, there's no extra service sitting in between adding delay.
You write a simple policy for what the agent can read, call, and reach, then turn it on with one command. It works with LangChain, CrewAI, AutoGen, LlamaIndex, OpenAI Swarm, or your own setup. Most teams are running in minutes.
No. Detection tools try to stop the attack. We handle what happens after one gets through. They work well together.
norse decoration