AgentSuite-Blue

Overview

AgentSuite-Blue is an end-to-end security, governance, and compliance suite for agentic systems. Built on a defense-in-depth model, it combines one static-scanning component, two real-time guardrail components, fine-grained access control, Shadow AI detection, and end-to-end observability into a single platform.

Both the static and runtime guardrails are powered by our purpose-built models, which enforce standard policies (e.g., EU AI Act and OWASP Top 10) as well as fully customized policies. The models are optimized for low latency — adding as little as 100ms per call — and a low false-positive rate, with tunable thresholds so teams can dial sensitivity to their environment.

The figure below shows the overall architecture of AgentSuite-Blue. Each component produces its detailed report of the events it processes.

AgentSuite-Blue Architecture

Components

In the following sections, we provide an overview of each component in AgentSuite-Blue.

MCP Guard

For connected MCPs and APIs, MCP Guard statically scans the descriptions of all tools and detects tools with injected prompts. It can also scan the code of MCPs/APIs, if it is available, and detect security vulnerabilities.

Skill Guard

Skill Guard statically scans agent skills, analyzing their contents to detect malicious instructions and injected prompts before the skill is loaded by an agent.

Prompt Guard

Our Prompt Guard enables real-time protection of agent input prompts according to the given policies. It can detect potentially malicious prompts and prompts that violate the given policies.

Action Guard

Our Action Guard enables real-time protection of agent tool and function calls. It can detect potentially malicious tool calls based on the agent execution history and block the malicious tool calls before they are executed.

Access Control

Our Access Control enables real-time governance of agent privileges over tools and resources. Administrators can configure fine-grained access rules for each agent, and Access Control continuously monitors all tool calls and resource invocations to block any unauthorized access.

Shadow AI

Our Shadow AI detects unauthorized AI agents and applications across enterprise local and cloud endpoints. It surfaces which AI agents are being used, by whom, and how frequently — and reconstructs each session's full activity trajectory (processes spawned, outbound connections, files touched) so security teams can detect unsanctioned AI usage and investigate risky behavior. It can be integrated with commercial EDR platforms (e.g., Microsoft Defender and CrowdStrike Falcon).

Observability

AgentSuite-Blue provides both static and dynamic observability. Static observability analyzes an agent's source code and uncovers its topology and connected tools and MCPs. Dynamic observability captures the full execution trajectory of an agent at runtime, including input prompts, intermediate tool calls, tool results, and final outputs.

Integration & Deployment

AgentSuite-Blue integrates seamlessly with major agent platforms — either as in-process hooks or through our gateway — and can protect a large number of agents with only a few lines of code. Supported integration targets include:

  1. Existing web agents (e.g., Claude agents, OpenAI agents) — connected through the gateway as MCP connectors.
  2. Existing desktop agents (e.g., Claude Code, GitHub Copilot, AMP agents) — protected via the hooks or gateway.
  3. Custom agents built on major ADKs (e.g., Google ADK, OpenAI Agents SDK, Anthropic Claude SDK, LangChain, Strands, and Microsoft 365 Agents) — instrumented as hooks by using the AgentSuite SDK.

We provide SaaS and on-premise deployment options for the Agent Gateway. For SaaS deployment, a hosted dashboard endpoint is provided and all functionality is available immediately. For on-premise deployment, the platform can be deployed using Docker containers with your own database.
