Oktsec exists because the findings kept repeating.
The company was not designed on a whiteboard. It came out of audit work, one confirmed vulnerability at a time, until the pattern behind them was impossible to ignore.
It started with audits
Before Oktsec had a product, it had a practice: reviewing real software systems where AI agents were starting to work. MCP servers, CLIs, CI/CD pipelines, developer tools, the automation around them. That practice produced more than 250 real vulnerabilities, each reproduced with an executable proof of concept, with reports accepted by security programs at Google, Microsoft, Stripe, Cloudflare, AWS and Mercury.
The pattern was missing authorization
Individually, the findings looked diverse: template injection here, a credential exfiltration path there, a tool that trusted its inputs too much. Read together, they told one story. Almost none of these systems could answer what an agent was allowed to do before it acted, and almost none could prove what it had done after. Detection was everywhere. Authorization was nowhere.
The pattern became a gateway
The first answer was open source: a gateway that sits where agents meet real systems, applies deterministic rules to every tool call, and writes an audit trail with integrity verification. No model in the enforcement path. Rules decide.
The gateway demanded a loop
Running the gateway in real environments exposed the next problem. Enforcement at one boundary is not governance. Companies needed to assign policy centrally, know that each environment was running exactly the policy assigned, and review the evidence that came back, including when it did not come back. Policy has to be signed, pulled by the node, applied locally and verified against expectations.
The loop is Control
That loop is the product. Oktsec Control assigns signed policy to approved agent environments, the environments apply it locally, and Control verifies the evidence each one reports back, routing exceptions to review. Assessment is the same audit practice that started everything, available as a service. The open source gateway remains the entry point.
Policy assigned. Work reported. Evidence verified. That is the whole company, in the order we learned it.
Oktsec was founded in 2026 by Gus Aragón: 20+ years building regulated financial infrastructure, including 12 as CTO. The discipline that markets demand (signed instructions, verified execution and auditable evidence), applied to AI agent work.