01 · The Behavioral Firewall · Platform

The Behavioral
Firewall.

Securing the Agentic Economy

[KYDE]

The Behavioral Firewall sits between your agents and every LLM provider. Every agent gets a cryptographic identity, enforced behavioral scope, and a court-ready evidence trail, without touching a single line of agent code.

<100ms

Target latency

100%

Planned provider coverage

0

Code changes by design

02 · The operational gap

Questions most enterprises
can't answer.

Identity

Who acted?

Agents share service accounts with broad permissions. No traceable identity. No role boundaries. A support agent scoped for €500 refunds issues €5,000 because nobody scoped its authority.

Causal Context

Why did it decide that?

An HR agent retrieves a policy document from 2022 and uses it to guide a termination. The current policy says something different. Nobody logged which source it relied on.

Scope & Budget

What are the boundaries?

Token budgets don't exist. API access is unrestricted. An intern's research agent burns through your entire monthly token allocation while your production agents queue.

Tamper-Evidence

What happened?

A procurement agent posts confidential contract terms in Slack. Leadership needs the full evidence trail. The logs are vendor-provided, self-reported, software-only. A compromised host can rewrite them silently.

And the question nobody asks until it's too late
Cross-System Governance

Who governs the chain?

An agent raises a price in Salesforce, triggers a payment in Stripe, and updates inventory in SAP. Each vendor logs their own system. Nobody logs the complete workflow. When the chain breaks, you have fragmented logs across ten consoles, and zero cross-system governance.

Resilient organizations don't just detect these failures.
They architect systems that prevent them.

03 · Prevent · Prove · Rate

Three functions. One layer.

Deployed between your agents and the real world, covering every provider, every framework, from day one.

01

PREVENT

Before the damage. Deny-by-default.

Deterministic guardrails at the boundary. The catastrophic action can't execute if it never reaches the system. The buy reason today: NIS-2 board liability. DORA.

  • Deny-by-default at the boundary
  • API allowlists per agent role, enforced, not advisory
  • Token & cost budgets enforced pre-call
  • Hard circuit breakers before external systems
  • Agent identity & role scoping, no shared service accounts
  • Provider-agnostic, every model, every provider
02

PROVE

The suspect can't write the police report.

Every agent action signed as a tamper-evident 6D fingerprint. Stored outside the runtime, architecturally independent of every LLM provider. What vendors log is self-reported. Ours isn't.

  • Unique agent ID per session
  • 6D fingerprint, who / what / when / where / why / how
  • Ed25519-signed append-only ledger
  • Tamper-evident hash chain, alter any entry, every link breaks
  • Architecturally independent of every LLM provider
  • NIS-2, DORA, EU AI Act evidence trail

Optional High-Security Layer

Military-grade hardware isolation via TPM/HSM, signing keys never exposed to the host OS. For regulated environments where software-only signing isn't enough.

03

RATE

Behavior scored across every provider, in one currency.

The KYDE Trust Score™, behavioral baselines, anomaly detection, and cross-provider scoring. Vendors grade their own homework. We grade behavior.

  • KYDE Trust Score™, normalized across all providers
  • Behavioral baseline per agent and role
  • Continuous drift & anomaly detection
  • Industry-benchmarked scoring model
  • Cross-provider behavioral comparison in one currency
  • Foundation for insurance underwriting and compliance rating
04 · How it works

The proxy intercepts. Signs. Chains. Forwards.

KYDE runs as a local or hosted HTTP proxy, fully compatible with the OpenAI API schema. Any agent that can be pointed at a base URL can be governed.

terminal

$ export OPENAI_BASE_URL=https://kyde.intranet/v1

Target deployment: one environment variable. Designed for zero code changes.

FIG.2
4.1

Intercept

Every request from every agent routes through the proxy. The agent sees no difference.

4.2

Register

The request is matched to an agent identity and role. Budget and policy checks run before the call is forwarded.

4.3

Sign & Chain

An Ed25519-signed, SHA-256 hash-chained entry is written. Alter any record and every subsequent link breaks.

4.4

Forward

The original request continues to the LLM provider. Target added latency: under 100ms.

05 · Audit Dashboard

Full fleet visibility.

Every agent, session, and action across your infrastructure, mapped, logged, and auditable from a single dashboard.

kyde.intranet/dashboard/topology

Fleet Status

System health and active threat overview

Last 24 hours ↓

Fleet Health Score

78

/100

Stable across 12 active agents
Critical At risk Healthy
Security 84
Integrity 74
Reliability 80
Economics 87
Compliance 76
Breach 1 critical incident in progress
View incident →

Active Agents

12

Open Alerts

34

Blocked Chains (24h)

1

Data Integrity

✓ Verified

kyde.intranet/dashboard/topology

192.168.68.0/24

RFC1918 (corporate private) · activity in the last 24 hours

Last 24 hours ↓

Agents (3)

Agent

Role

Upstreams

Req.

Last seen

agent:b6068d94edf0

customer_facing

anthropic

6

12:45:53

agent:a2f1c8b3d7e9

infrastructure

openai

24

12:44:11

agent:9e4d2c1f6a8b

intern_sandbox

openai

3

12:39:07

Recent Sessions (3)

Session

Model

Req.

Last seen

s-5944d14b2406

claude-sonnet-4-6

4

12:45:53

s-3c1700ddb97e

claude-haiku-4-5

1

12:45:34

session:b878a6801d9a9e68

gpt-4o

1

12:39:07

06 · Evidence capture

Every entry answers six questions.

Who

Agent ID, role, user identity

What

Prompt, model, response

When

Millisecond-precise UTC timestamp

Where

Host, machine ID, network origin

Why

Last 5 messages as causal context

How

Tool calls and endpoints touched

Every answer sealed per entry: Ed25519 signature + SHA-256 hash-chain link.

audit_entry.json
{
  "entry_id": "e_7f3a2b1c",
  "sequence": 1847,
  "agent_id": "sales_bot_prod",
  "role": "customer_facing",
  "timestamp": "2026-03-15T14:23:07Z",
  "action": "chat.completion",
  "provider": "openai",
  "model": "gpt-4o",
  "tool_calls": ["crm.update_deal", "slack.send_message"],
  "input_hash": "sha256:9f86d0...",
  "entry_hash": "sha256:7b2e4d...",
  "prev_hash": "sha256:1c3f8a...",
  "signature": "ed25519:Mk3nR9..."
}
07 · Fleet management

Roles. Budgets. Boundaries. Per agent.

Every agent in your fleet gets a distinct identity and an assigned role. Roles determine what an agent is permitted to do, and what it costs you when it does it.

Core

Identity & Roles

Register every agent with a unique ID. Assign roles, infrastructure, customer_facing, internal_research, intern_sandbox. Roles carry permissions, not agents.

Fleet

Priority & Resource Allocation

Your production infrastructure agent gets priority over your intern's research bot. When token budgets run tight, critical agents aren't the ones that queue.

Budget

Token & Cost Budgets

Set hard limits per agent, per role, or per team. Daily, weekly, monthly. No agent runs up a bill you didn't scope.

Policy

API Allowlists & Blocklists

Define which endpoints each role is permitted to reach. Your billing agent talks to the payment API. Your support agent doesn't.

Coming Soon

Behavioral Baselines & Anomaly Detection

KYDE learns what normal looks like for each role. When an agent deviates, unusual call volume, unexpected endpoints, out-of-pattern tool usage, you get alerted before it becomes an incident.

08 · Architecture

Gateway, not endpoint.

KYDE · Gateway Model

Agent A ──┐

Agent B ──┼──► KYDE ──► LLM API

Agent C ──┘

Central DB · One record

  • One deployment covers the entire fleet
  • Built to support every agent, framework, and LLM
  • Central visibility, no aggregation required
  • No per-agent installation or configuration

Endpoint / Runtime Solutions

Agent A + Runtime ──► LLM API   ↓ Log A

Agent B + Runtime ──► LLM API   ↓ Log B

Agent C + Runtime ──► LLM API   ↓ Log C

  • Install on every agent separately
  • Framework- and runtime-specific
  • Fragmented logs, difficult to aggregate

Property

KYDE

Endpoint Solutions

Deployment effort

One ENV variable

Per-agent installation

Agent coverage

All agents, automatically

Each agent separately

Fleet management

Central roles, budgets, policies

Per-agent configuration

Audit trail

Single, tamper-evident record

Fragmented per agent

Code changes needed

None

Typically required

09 · Root of trust

Root of trust.
From software to silicon.

Each entry is signed with an Ed25519 keypair generated locally on first initialization. The hash chain ensures sequential integrity, tamper with any single entry, and every subsequent link breaks.

For environments where software-only signing isn't enough, KYDE's architecture is built for hardware-rooted attestation from day one.

No re-architecture required between levels. Same API. Same data format. Same evidence chain. The root of trust gets deeper, the interface stays the same.

Level

Mechanism

Status

Ed25519 Signed

Cryptographic signing at the point of capture, core to the current development phase.

IN DEVELOPMENT

TPM / HSM

Military-grade hardware isolation. Signing keys never exposed to host OS.

PLANNED

TEE (TDX/SEV-SNP)

Trusted Execution Environment attestation for maximum integrity.

PLANNED

FIPS 140-3

Architecture designed for FIPS-validated cryptographic modules.

TARGET ARCHITECTURE
10 · Deployment

One environment variable.
Designed for 0 code changes.

The stack sits outside your agent. It cannot be overridden by agent code, and it requires none. Any agent that can be pointed at a base URL is governed, immediately.

Sits outside the agent

Cannot be overridden by agent logic or bypassed by agent code.

No SDK dependency

No library to install, no wrapper to integrate, no runtime to manage.

Framework-agnostic

LangChain, AutoGen, CrewAI, custom, governed equally with one ENV variable.

Targeting under 100ms latency

Governance is designed to be invisible to agent code and end users.

Before vs. After

Install SDK on every agent

One ENV variable or Group Policy push

Framework-specific integration

Any base URL, every agent, every framework

Governance logic in agent code

Governance outside the agent. Immovable.

Re-integrate when model changes

Zero changes when switching providers

Three ways to deploy.

01 Developer / Single machine

Environment Variable

export OPENAI_BASE_URL= https://kyde.intranet/v1

Point any agent at the proxy with one ENV variable. Ideal for local development or single-machine deployments.

02 IT / Enterprise fleet

Group Policy

GPO → LLM_PROXY= https://kyde.intranet/v1

Push a single GPO that redirects all LLM API traffic through KYDE. No developer action, no application changes, no opt-in required.

03 Cloud / SaaS

Hosted Proxy

OPENAI_BASE_URL= https://your-org.kyde.io/v1

Managed deployment. Traffic routes through KYDE's infrastructure. Data-residency options available for EU-regulated environments.

11 · Compatibility

Provider-agnostic. Zero SDK changes required.

Provider

Status

OpenAI (GPT-4o, o1, o3)

Supported

Anthropic (all models)

Supported

Azure OpenAI

Supported

DeepSeek

Supported

Mistral / Ollama / Local

Supported

Google Gemini (via OpenAI compat.)

Supported
12 · Governing the chain

Governing the Chain.

Enterprises don't run on one vendor's stack. Your agents shouldn't be governed by one either. KYDE governs the entire execution chain, across MCP servers, legacy APIs, and third-party platforms like Salesforce, SAP, and Stripe. We don't just log the LLM completion. We govern the operational consequence.

Every major vendor governs their own stack. Nobody governs what happens between stacks, until now.

Action type

Governed

LLM Call

chat.completion, embeddings, any model request

✓ Yes

MCP Tool Call

crm.update, slack.send, db.query via MCP server

✓ Yes

Internal API

REST/gRPC calls made by agents to internal systems

✓ Yes

Agent-to-Agent

Delegation and sub-agent invocation

✓ Yes

External Service

Third-party API calls routed through the proxy

✓ Yes

Get started

See the Behavioral Firewall in action.

View Docs →