AI AGENTS WILL GET COMPROMISED.
WHAT HAPPENS NEXT SHOULD BE PREDICTABLE.
Problem
No matter how good detection gets, sooner or later something gets through. Most teams never prepare for what happens next.
You can't stop everything.
Every team building AI agents is trying to stop the next attack. They should. Better prompt injection defenses, better jailbreak detection, better guardrails. The whole industry is trying to stop it before it reaches an agent.
You don't know what's happening.
Nobody catches everything. New attacks show up. Zero-days happen. Something gets through. Now you're checking logs, revoking credentials, trying to find what the agent already touched. Every minute, the list gets longer.
You find out too late.
Very few teams prepare for everything that comes after it. Eventually, you figure out what the agent accessed, what it changed, and what it never reached. By then, you're just looking at the damage.
Solution
Every agent starts inside its own isolated environment. Think of it as giving every agent its own space to work in. Everything the agent can see, use, and interact with is defined before it starts. Every action the agent takes happens inside that environment. The environment makes sure the outcome stays predictable.
Setup
Install hlyn package
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. Configure your environment
from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% Set environment policy
# containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 Deploy environment
Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT
Setup
Resolving dependencies... ✓ hlyn 2.0 installed ✓ hlyn-core, hlyn-enforce, hlyn-audit
Detecting host capabilities...
✓ seccomp-bpf: supported
✓ landlock-lsm: supported (kernel 5.13+)
✓ network namespaces: supported
✗ non-rootless container runtime — Landlock needs unprivileged exec
Kernel enforcement: PARTIAL
Run `hlyn doctor` to see required host changes. from hlyn import Environment
env = Environment(
name="production",
agent="agent-environment-01",
isolation="kernel",
trace=True
)
env.status()
# > boundary: ACTIVE
# > integrity: 100% # containment.policy.yaml
environment: production
enforcement:
seccomp: strict
landlock:
filesystem: read-only
deny_paths: ["env.secrets", "env.credentials"]
network:
namespace: isolated
egress: deny
allow_hosts: []
binary_identity: verify
process_isolation: true
audit:
log: true
retention_days: 90 Applying kernel-level enforcement... ✓ seccomp BPF filters loaded ✓ Landlock LSM rules applied ✓ Network namespace isolated ✓ Binary identity tracking active ✓ Audit trail: LOGGED ✓ Escape vector: NONE Environment sealed. Blast radius capped. ENV: hlyn-prod · STATUS: ACTIVE_CONTAINMENT