AgentStack

Security below the model, not inside it.

An open runtime for enterprise AI agents. Any LLM, any framework. Enforcement at the kernel boundary.

Architecture beats policy. Prompt injection, indirect injection, scope-exceeding tool calls, and exfiltration via API all defeat guardrails that live inside the model. AgentStack puts the guard outside it. WASM sandboxing per tool. Ed25519 cryptographic action authorisation. Per-principal storage, capabilities, and budgets, enforced by the kernel. Semantic Intercept Fabric classification under 20ms. The same agent code runs unchanged.

Sandbox: WASM per tool

Auth: Ed25519

Classification: <20ms

Code change: None

System design

Architecture.

USER SPACE

Claude Code | OpenClaw | Custom Agent Tools | LLM Frontends

AGENTSTACK RUNTIME

Semantic Intercept Fabric | WASM Sandbox | Capsule Engine | Audit & Budgets | IPC Message Bus

HOST OS

Linux | macOS | Container Runtimes

Capabilities

Key features.

Architecture beats policy

Prompt injection, indirect injection, scope-exceeding tool calls, and exfiltration via API all defeat guardrails inside the model. AgentStack puts the guard outside it.

WASM sandboxing per tool

Every tool runs in an isolated WASM capsule. The kernel mediates every call.

Ed25519 action authorisation

Cryptographic authorisation on every action. Per-principal storage, capabilities, and budgets enforced by the kernel.

Semantic Intercept Fabric

Classification under 20ms. The same agent code runs unchanged — security lives below it.