"48.9% of organizations are entirely blind to AI agent behavior" — Salt Security, April 2026
ORILink is middleware. It sits between your data sources and your agent, and between your agent and everything it can act on. Every input is inspected before the model sees it. Every output is inspected before it executes. No model changes. No framework lock-in.
Works alongside your existing security stack. ORILink does not replace firewalls, authentication, or network security. It adds a layer those systems cannot provide — enforcement at the point where language becomes action. Enforcement decisions export as structured JSON, alerts stream via webhook to your configured notification channel, and the audit registry supports CSV and JSON export for compliance reporting.
Every ORILink deployment enforces the following, unconditionally, regardless of model, framework, or operator configuration.
| Threat | Status | How it works |
|---|---|---|
|
Prompt injection
Hidden instructions in documents, web pages, or tool responses
|
Blocked | Malicious instructions embedded in content your agent reads are intercepted and annotated with untrusted provenance before they reach the model. Applies to text, structured data, and encoded payloads. |
|
Structured data injection
Attack payloads hidden in JSON fields, API responses, NFT metadata, or object attributes
|
Blocked | Fields containing permission escalation language, identity claims, capability unlocking strings, or behavioral directives are detected and quarantined before processing. Schema deviations trigger trust weight downgrade. |
|
Encoded injection
Attacks hidden inside Base64, URL-encoded, or hex-encoded content
|
Blocked | Content is safely decoded and rescanned against the full injection signature library. Nested encoding is handled recursively up to a configurable depth ceiling. Malformed encoding is flagged and downgraded, not silently passed. |
|
System prompt disclosure
Agent reveals its own instructions when probed by an external party
|
Blocked | Outbound text is scanned for verbatim and paraphrased reproduction of the agent's system prompt before it exits the output channel. Disclosure to operator channels is flagged, not blocked. |
|
Governance rule leakage
Agent discloses its constraints, tools, or operator configuration to external parties
|
Blocked | Output containing constraint language, capability boundaries, tool enumeration, or operator configuration details is blocked before reaching external recipients. 26 governance disclosure patterns across four categories. |
|
Unauthorized reconnaissance
Agent attempts to scan, probe, or map systems outside its authorized scope
|
Blocked | Actions targeting hosts, paths, or endpoints outside the operator-defined scope are blocked pre-execution, regardless of how the instruction is framed. Framing attacks — reconnaissance described as "connectivity checks" or "system diagnostics" — are caught by execution graph analysis. |
|
Data exfiltration
Agent reads sensitive data then transmits it to an external endpoint
|
Blocked | Multi-step exfiltration chains are tracked across a 50-action session window with a 30-minute time window. Read followed by external transmission is intercepted even when the steps are spread across many intervening actions. |
|
Agent impersonation
Agent presents itself as a different agent, system, or authority
|
Blocked | Output claiming a different identity than the agent's configured ID is blocked at the output layer. Honest self-identification passes. Authority fabrication — claiming permissions or roles not in agent configuration — is blocked independently. |
|
Social engineering of humans
Agent generates deceptive content designed to manipulate a human recipient
|
Blocked | Deception signals in outbound content — fake urgency, false authority claims, impersonation language, provenance laundering — are detected and blocked before delivery. A single high-weight signal is sufficient to block. |
|
Sub-agent spawning
Agent attempts to initialize or launch unauthorized agent instances
|
Blocked | Spawning intent is detected across 19 semantic variants — from explicit commands to indirect operational language including bootstrap, provision, fork, and spin up. Operator-authorized spawning passes cleanly. |
|
Lateral movement
Agent accesses systems or data stores outside its authorized scope
|
Blocked | Scope boundary enforcement evaluates the action target before evaluating instruction framing. Lateral movement described as "data access," "adjacent system access," or "efficiency optimization" is blocked because the target is out of scope, regardless of language. |
|
MCP server injection
Malicious MCP servers inject hidden instructions into agent context via tool responses
|
Blocked | MCP server identity is verified before registration using proof-of-possession. Tool responses are sanitized before reaching agent context. Unverified servers are rejected at the enforcement layer. |
|
ClickFix / binary execution
Social engineering attacks that trick agents into downloading and executing malicious binaries
|
Blocked | Download-then-execute chains detected across 5 attack patterns before execution. Confidence-scored 0.72–0.95. Tier-aware: Individual SDK blocks at threshold, Business tier adds operator alerts. |
|
Tool tampering
Tool definitions or responses modified after initial verification
|
Blocked | SHA-256 hash verification with TOCTOU mitigation detects tool modification between verification and execution. Atomic checks prevent race condition exploits. Business tier adds Telegram operator alerts on detection. |
|
Behavioral drift
Agent's actions gradually diverge from its authorized objective across a session
|
Detected | Each action is scored against the agent's declared goal at instantiation. Cumulative drift above a configurable threshold triggers escalation — catching sophisticated multi-step attacks where no individual action triggers a block but the trajectory reveals the true objective. |
Before your agent reads anything, ORILink also validates the structure and encoding of incoming data. Injection payloads hidden inside JSON fields, base64-encoded instructions, Unicode substitution tricks, zero-width character insertion — all caught and normalized before the model sees them.
Before your agent sends anything, ORILink scans the output for sensitive data that shouldn't leave. API keys, passwords, private keys, credentials, and configuration secrets — caught before they reach the recipient, whether the leakage was accidental or intentional.
Agent-to-agent trust enforcement (ORIMesh) is included in every tier, including the Individual SDK. The Business SDK adds a tamper-evident audit registry and real-time monitoring across your full agent deployment.
| Threat | Status | How it works |
|---|---|---|
|
A2A contagion
A compromised agent passes malicious instructions to peer agents through trusted channels
|
Blocked | Every agent-to-agent message carries a tamper-evident provenance envelope. Trust weights are immutable through forwarding chains — a compromised agent cannot elevate its authority to influence peers. Messages without a valid envelope are rejected at the receiving agent's enforcement layer. |
|
Trust elevation via forwarding
Agent attempts to increase its authority by relaying messages through A2A channels
|
Blocked | Trust weights assigned at message origin are immutable. No forwarding agent can elevate the trust weight of content it relays. The receiving agent enforces the original annotation assigned at first ingestion. |
|
Circular relay loops
Agents relay messages to each other indefinitely, consuming resources without bound
|
Blocked | Circular forwarding chains are detected by origin recurrence tracking in the provenance envelope. Non-owner-initiated loops are blocked. Owner-authorized loops are flagged for operator review. Volume-based loop detection catches runaway patterns that don't form explicit circles. |
|
Unverified content forwarding
Agent forwards content from external or unverified sources to peer agents without provenance annotation
|
Blocked | External data source inference automatically classifies forwarded content from third-party services, external URLs, and ambiguous origins as unverified. Ambiguous origin defaults to unverified — fail-secure by design. ORIMesh provenance or explicit operator authorization provides the verified escape. |
|
Audit trail tampering
Enforcement records are modified or deleted to conceal an attack
|
Detected | All enforcement decisions are stored in a tamper-evident SHA-256 hash chain. Any modification to the registry — including selective deletion of entries — is detectable on integrity verification. The hash chain is verified on demand and on export. |
|
Cross-agent anomaly patterns
Attack patterns that span multiple agents or sessions and are invisible at the individual action level
|
Monitored | ORIMark correlates enforcement decisions across all enforcement layers and all agents in a deployment. Cross-layer anomaly patterns — clean session history followed by sudden drift escalation and output leakage on the same agent — trigger alerts. Block rate thresholds, repeated block patterns, and integrity failures all surface as operator alerts. |
Integrates with your existing security infrastructure. ORILink exports enforcement decisions as structured JSON, streams alerts via webhook to your configured notification channel, and maintains a queryable audit registry with CSV and JSON export for compliance reporting. It is designed to sit alongside your SIEM, SOC tooling, or existing agent orchestration framework without replacement or reconfiguration of either.
See these defenses running live — 43 days, 2,536 blocks, 42 enforcement categories. View the production report →