"48.9% of organizations are entirely blind to AI agent behavior" — Salt Security, April 2026

Threat level: ELEVATED
ORILink — Agent Security Middleware

Every instruction
looks legitimate.
Your agent can't tell
the difference.

ORILink annotates every token with origin and trust before your model sees it. Pre-inference inbound. Pre-execution outbound. Model-agnostic across the full hardening spectrum.

View Pricing
Patent pending · Edmonton, Canada · Now available
Blind to agent behavior
48.9%
Salt Security, April 2026
Injection surge (YoY)
↑340%
Center for Internet Security, 2026
Defenses bypassed
12/12
Nasr, Carlini, et al., 2025
Can't tell agents from bots
48.3%
Salt Security, 2026

Every defense stops before it reaches the model. ORILink closes that gap.

ORILink — Network Layer Monitor
Simulation
01_INTERNET
02_WAF / EDGE
03_UNPROTECTED
04_ORILink
05_LLM_AGENT
BLOCKED: UNTRUSTED ORIGIN
Frame cycle: 6.0s Enforcement: ACTIVE Latency: <1ms

The attack gets through

WAFs parse network traffic, not semantic intent. Framing attacks, context switching, and payload splintering bypass them routinely.

ORILink intercepts

Every token is annotated with origin metadata and trust weight. Untrusted tokens are blocked before inference begins.

Legitimate flow continues

0 false positives across 708 Business SDK test cases. Trusted instructions pass through cleanly with sub-millisecond latency overhead.

Three problems.
No existing solution.

01

No native trust distinction at the token level

hover to learn more
The detail

A trusted operator instruction and a malicious injection are identical at the token level. The model cannot tell them apart — it executes both. This is not a model flaw. It's a fundamental property of how transformers process input.

02

Perimeter defenses don't reach the model

hover to learn more
The detail

WAFs and prompt guards operate above the language layer. Framing attacks, context switching, and payload splintering bypass them routinely — without triggering any signature match.

03

Agents are compliant by design

hover to learn more
The detail

Autonomous agents execute instructions — that's their purpose. Without enforcement below the language layer, a compromised instruction chain is indistinguishable from a legitimate one. Compliance is the vulnerability.

ARCHITECTURE

Protocol Mechanics

Trust enforced below
the language layer.

Four unconditional enforcement points — two before your agent reads anything, two before it acts or speaks. Model-agnostic across the full hardening spectrum.

Inbound Pre-inference

Inbound Content Filtering

Before your agent reads it — origin and trust checked, injection signatures blocked.

PRE-INFERENCE

Trust checked before the model sees anything

Before your agent reads anything, ORILink checks where it came from. Instructions from your own system carry full trust. Content from external websites, documents, or other agents carries lower trust based on its origin. Anything carrying an injection signature is blocked before your agent ever sees it.

Inbound Pre-inference

Structured Input Validation

Encoding and obfuscation detection — hidden payloads caught before inference.

PRE-INFERENCE

Encoded and obfuscated payloads, normalized and caught

Before your agent reads anything, ORILink also validates the structure and encoding of incoming data. Injection payloads hidden inside JSON fields, base64-encoded instructions, Unicode substitution tricks, zero-width character insertion — all caught and normalized before the model sees them.

Outbound Pre-execution

Outbound Action Enforcement

Before your agent acts on it — judged by what it would actually do.

PRE-EXECUTION

What the action does — not what it's called

Before your agent acts on anything, ORILink evaluates what it's actually about to do. Not what the instruction calls it — what it would actually accomplish. Unauthorized data access, sending files to external destinations, scanning systems outside the agent's scope, generating attack payloads — blocked before execution regardless of how the instruction was framed.

Outbound Post-generation

Output Leakage Detection

Before your agent sends anything — secrets caught before they leave.

POST-GENERATION

Secrets stopped before they reach a recipient

Before your agent sends anything, ORILink scans the output for sensitive data that shouldn't leave. API keys, passwords, private keys, credentials, and configuration secrets — caught before they reach the recipient, whether the leakage was accidental or intentional.

100%
Attack block rate
All test cases
0
False positives
Across 708 Business SDK test cases
6
Model families validated
Full hardening spectrum
Trust at scale

Trust that propagates through the entire network.

ORILink doesn't just protect a single agent. Trust annotations travel with content — through every handoff, every agent-to-agent message, every tool call. A single compromised instruction cannot silently elevate its own trust weight as it moves through your agent network.

Single agent

Complete inbound and outbound enforcement. The agent operates freely within its authorized scope and cannot be weaponized outside it. Every action — cleared or blocked — is logged with full provenance: instruction origin, trust weight, classifier result, and timestamp.

Agent teams and swarms

Provenance envelopes travel with every A2A message. A compromised agent cannot elevate its trust weight when forwarding to peers — contagion stops at the first hop.

Enterprise control

Every action cleared or blocked is logged with full provenance. ORIGuard watches your agents around the clock — detecting runaway loops, credential compromise, and shadow agent signatures. On a CRITICAL event it suspends the flagged agent, snapshots the full state for forensics, and alerts your team immediately. You investigate. The damage stops.

ORILink
Agent Alpha TRUSTED
Web Retriever VERIFIED
Vector DB TRUSTED
Compromised BLOCKED
Tool API
Target System
BLOCKED
Trusted instruction Verified data Blocked ORILink enforced
Positioning

Identity tells you who. ORILink tells you what.

Okta tells you the agent authenticated. ORILink tells you what it's about to do — and stops it if it shouldn't.

Capability Perimeter / WAF Identity (Okta) ORILink
Token-level trust annotation
Pre-inference blocking
Outbound intent classification
A2A provenance enforcement
Agent continues after block
Model-agnostic deployment

Agent continues after block. Most tools crash or freeze the agent on a block. ORILink issues a structured refusal and the agent keeps running — a block is a normal operating condition, not a failure state.

600+
Enforcement decisions logged
100%
Block rate
0
False positives · 708 Business SDK test cases
1ms
Avg enforcement latency
Full threat coverage — 21 vectors

Works with your existing stack.

ORILink doesn't replace your security infrastructure. It fills the gap none of it covers — the layer beneath the model, before inference. Drop it in alongside whatever you're already running.

Models
OpenAI
OpenAI
Anthropic
Anthropic
Meta
Meta
Mistral
Mistral
Google
Google
Ollama
Ollama
···
 
Agent Platforms
OpenClaw
OpenClaw
LangChain
LangChain
Nvidia Nemotron
Nemotron
···
 
Security Tools
CrowdStrike
CrowdStrike
Cisco
Cisco
Datadog
Datadog
Splunk
Splunk
Wiz
Wiz
···
 
Alert Channels
Slack
Slack
Microsoft Teams
Teams
Email
SMS
Telegram
Telegram
Webhook
···
 

A sampling of compatible models, platforms, and tools.

Designed for engineering and security teams deploying AI agents at scale.

Patent pending. Self-hosted. Your data never leaves your environment.

View Pricing
Read the whitepaper (PDF)