Agentic AI-security¶
In plain terms: you've deployed an AI — a chatbot, an agent with tools, or a model behind an API. Can someone jailbreak it, make it leak data, or trick it into doing something it shouldn't? Tulip lets you build an agent that checks, automatically and continuously, and reports only the flaws it can actually prove. Think of it as a penetration tester for AI that refuses to cry wolf.
How it works, in three steps:
- Point Tulip at a target AI —
Target.endpoint("https://bot.example/chat"). - Run a job —
red_team(target)attacks it;assure(target)scores its defenses. - Get evidence — each result is an
Evidencefinding (the attack worked, here's the proof) or anAbstention(no proof, so no claim). Never a guess.
More precisely: Tulip builds agents whose subject is another AI system —
agents that red-team and assess other AI (continuous monitoring is
on the roadmap), and produce a grounded Evidence record or an explicit
Abstention, never a hallucinated verdict.
A cybersecurity agent = a target (an AI system) × a job (red-team · assure; monitor is roadmap) × an output (grounded
Evidence|Abstention) × being itself trustworthy by construction.
Why this, and why now¶
Companies ship LLM agents — with tools, memory, autonomy, and access to data and actions — into production. That is a new, largely unguarded attack surface: prompt injection (direct and indirect), tool abuse / excessive agency, data exfiltration, memory and RAG poisoning, A2A identity confusion, unknown model and hardware provenance.
The tools that exist miss it. SIEM/SOC platforms see infrastructure, not agent semantics. Guardrail libraries filter I/O but don't test or assess. Cloud AI-SPM is static posture, not dynamic adversarial testing of a live agent. And AI red-team tooling that does test AI hallucinates findings — the literature is explicit that AI scorers lack grounding. Tulip's answer is abstain-by-construction grounding (GSAR): no evidence, no claim.
The Target — what you point at¶
A Target is a uniform handle to the AI system under assessment. One
.send() contract over four constructors:
from tulip.security import Target
Target.endpoint("https://bot.example/chat") # a remote LLM / agent endpoint
Target.agent(my_tulip_agent) # an in-process tulip.Agent
Target.a2a(peer_send) # an A2A peer's send coroutine
Target.from_callable(fn) # any sync/async str -> str
Everything below operates on a Target, so the same probe runs against a
black-box endpoint, an agent you built, or an offline stub in CI.
red_team — attack, grounded¶
red_team runs the OWASP-ASI / MITRE-ATLAS probe suite against a target and
grounds each outcome. A probe whose attack landed yields an Evidence
finding; an inconclusive one yields an Abstention.
from tulip.security import Target, red_team, is_finding
report = await red_team(Target.endpoint("https://bot.example/chat"), suite="owasp-asi")
for r in report:
if is_finding(r):
print(r.severity.value, r.title, r.taxonomy) # e.g. LLM01, ASI02, AML.T0054
else:
print("abstained:", r.reason)
The bundled catalogue covers direct and indirect prompt injection, jailbreak, excessive agency / tool misuse, and sensitive-information disclosure — each tagged with the taxonomy a SOC and an AI-assurance reviewer expect.
assure — assess, grounded¶
Where red_team asks can I break it?, assure asks how well does it hold
up? guardrail_coverage runs the suite and grounds a posture finding in the
direct observations — INFO when fully hardened, escalating to CRITICAL at 0%
coverage, with the taxonomy listing exactly the gaps.
from tulip.security import assure
posture = await assure(target) # grounded guardrail-coverage posture
This is a grounded finding, not a policy verdict. Tulip is deliberately not a governance / policy-enforcement product (that ground is well held by Cisco DefenseClaw and Microsoft's Agent Governance Toolkit) — it abstains rather than assert posture it cannot evidence.
Secure by default — the floor¶
An agent that red-teams or assures other AI must itself be trustworthy.
governed_agent builds a tulip.Agent with the security spine on by default —
GSAR grounding, guardrails (PII / injection / a dangerous-tool denylist;
allowlist is opt-in), and a tamper-evident audit trail — and returns it
alongside that trail.
from tulip.control import governed_agent
secured = governed_agent(model="openai:gpt-4o", tools=[...])
result = secured.run_sync("...")
assert secured.audit_trail.verify() # the chain is intact (tamper-evident)
The AuditTrail is a keyless, in-memory SHA-256 hash chain: every action
commits to the hash before it, so any later edit, deletion, or reorder breaks
verify() against a trusted head hash. That makes it tamper-evident (it
detects edits) rather than tamper-proof — there is no signing or external
anchoring yet. It exports as JSONL for shipping to a SIEM, where signing or
write-once anchoring can harden it further.
Enforce it before it acts¶
Grounding, verification, and the audit trail make an agent trustworthy; the
admission gate makes that trust binding. Run a side-effecting action through
admit() (or ctx.actions.execute()): it fires only if the action clears the
policy chain (approve() → ALLOW), records the decision either way, and raises
AdmissionError otherwise. That's the line between an agent that could be safe
and a runtime that enforces safety — no action reaches production without a
verified, approved, audited warrant. See
SecurityContext.
Regular cyber — the second pillar¶
This page covers securing AI (pillar B). The same engine, pointed at
infrastructure instead of an AI system, is the other pillar of "agentic AI for
cybersecurity": classic security operations — the bundled SOC-analyst factory,
the IR playbooks (phishing_triage, ransomware_containment, nist_800_61_ir),
and read-only cloud-posture auditing. Different target, different taxonomy — same
Target + grounded-Evidence contract. It's first-class, not a demo: grounding
is exactly what makes an AI SOC agent's verdicts trustworthy, answering the
false-positive pain teams hit with AI-graded triage.
See also: Grounded findings · GSAR typed grounding · Threat scenarios · Cloud-posture agent.