AI AGENTS WILL GET COMPROMISED.
WHAT HAPPENS NEXT SHOULD BE PREDICTABLE.
From zero to prod in seconds
Install hlyn package
$ pip install hlyn
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
$ hlyn activate environment
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. Configure your environment
environment.py
from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% Set environment policy
containment.policy.yaml
# containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 Deploy environment
$ hlyn deploy --policy containment.policy.yaml
Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT
From zero to prod in seconds
$ pip install hlyn
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
$ hlyn activate environment
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. environment.py
from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% containment.policy.yaml
# containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 $ hlyn deploy --policy containment.policy.yaml
Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT
Frequently
asked
questions
Docker is built for packaging and deployment, not for containing a compromised process. An agent inside a container can still reach the network, read mounted files, and use whatever the container has access to. We enforce a layer below that, controlling what the agent can read, call, or reach, even inside a container.
Most AI security products focus on preventing attacks. We focus on what happens after one succeeds. You don't need another promise that prompt injection or jailbreaks will never happen—you need to know exactly what a compromised agent can still do. That's the problem we solve.
It depends, and that's the problem. Today there's no standard way to know how far a compromised agent can go. Every setup is different, and most teams don't know the real worst case until something goes wrong.
Not that attacks never happen, nobody can promise that. We promise that when one does, the outcome is already known. You can say, before anything goes wrong, exactly where the worst case ends. That's not true for most agent setups today.
It means knowing the answer in advance. Ask, "What's the worst this agent can do right now if it's compromised?" and you get a real answer, not a guess. That answer stays the same no matter which attack gets through.
No. Each agent runs in its own isolated space. A compromised agent can't reach another agent unless you explicitly allow it.
What the agent can read, what tools it can use, what network calls it can make, what commands it can run, and what systems it can access. If the agent can do it, we can enforce boundaries around it.
No. We only block things the agent was never supposed to do anyway. Everything it's meant to do keeps working exactly the same.
At the operating-system level, not by another program watching the agent. That matters because the agent can't see the boundary, so it can't find a way around it.
No. Since the rules run at the OS level, there's no extra service sitting in between adding delay.
You write a simple policy for what the agent can read, call, and reach, then turn it on with one command. It works with LangChain, CrewAI, AutoGen, LlamaIndex, OpenAI Swarm, or your own setup. Most teams are running in minutes.
No. Detection tools try to stop the attack. We handle what happens after one gets through. They work well together.