Map the tool surface. Catch indirect-injection gaps.
Capability security for AI agents.
Three Rust modules for AI agents that call tools. Find what they touch. Bind their authority. Guard every call. MCP-native. Audit-mapped to OWASP LLM, NIST AI RMF, MITRE ATLAS. MIT licensed.
curl -fsSL capframe.ai/install | sh

$ capframe doctor
[ok] find   discovery   v0.1.0
[ok] bind   authority   v0.1.0
[ok] guard  enforcement v0.1.0
[ok] report compliance  v0.1.0
→ all systems ready
→ 2 MCP servers detected
→ 14 tools mapped
→ 0 unbounded agents
Four stages. One binary. No LLM in the decision path.
Mint scoped, revocable capability tokens.
Evaluate every tool call against policy at runtime.
Audit-ready artifact: OWASP / NIST / ATLAS.
Standalone, or composed.
Each module ships as its own Rust crate, its own CLI subcommand, and its own GitHub repo. Run them independently or wire them together through a shared findings schema.
Find
Walks every MCP server, every tool endpoint, every parameter your agent can touch. Surfaces indirect-injection gaps and unconstrained inputs, then emits a structured findings file aligned to the OWASP LLM Top 10.
$ capframe find ./mcp-server.toml
✓ mapped 14 tools across 2 mcp servers
⚠ 3 tools accept input without constraints (LLM01)
→ ./capframe.findings.json
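To make the discovery step concrete, here is an added example (written for this page, not Capframe's own code) of the kind of check Find performs: it walks a constructed MCP `tools/list` response, flags every parameter whose JSON Schema carries no constraint, and tags each finding with the OWASP LLM Top 10 entry it maps to. The sample server, the `Finding` shape and the heuristic that treats a `format: uri` parameter as indirect-injection surface are this example's assumptions, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample in the shape of an MCP tools/list result, trimmed to the
// fields this scan reads (a real response carries more).
const sampleToolsList = `{"tools": [
  {"name": "order.read", "description": "Look up an order",
   "inputSchema": {"type": "object", "properties": {
     "order_id": {"type": "string", "pattern": "^ord_[a-z0-9]{8}$"}}}},
  {"name": "refund.write", "description": "Issue a refund",
   "inputSchema": {"type": "object", "properties": {
     "order_id": {"type": "string", "pattern": "^ord_[a-z0-9]{8}$"},
     "amount": {"type": "number"},
     "reason": {"type": "string"}}}},
  {"name": "web.fetch", "description": "Fetch a page and return its text",
   "inputSchema": {"type": "object", "properties": {
     "url": {"type": "string", "format": "uri"}}}}
]}`

// schema holds the JSON Schema keywords the scan treats as constraints.
type schema struct {
	Type       string            `json:"type"`
	Format     string            `json:"format"`
	Enum       []json.RawMessage `json:"enum"`
	Pattern    string            `json:"pattern"`
	MaxLength  *int              `json:"maxLength"`
	Minimum    *float64          `json:"minimum"`
	Maximum    *float64          `json:"maximum"`
	Properties map[string]schema `json:"properties"`
}

type tool struct {
	Name        string `json:"name"`
	InputSchema schema `json:"inputSchema"`
}

// Finding is one row of the findings file (shape assumed for this example).
type Finding struct {
	Tool, Param, Issue, Ref string
}

// unconstrained is true when a leaf parameter accepts any value of its type.
func unconstrained(s schema) bool {
	switch s.Type {
	case "string":
		return len(s.Enum) == 0 && s.Pattern == "" && s.MaxLength == nil && s.Format == ""
	case "number", "integer":
		return s.Minimum == nil && s.Maximum == nil
	}
	return false
}

// Scan walks every tool and parameter and emits findings tagged with the
// OWASP LLM Top 10 entry they map to (LLM01, prompt injection).
func Scan(toolsList []byte) ([]Finding, error) {
	var doc struct {
		Tools []tool `json:"tools"`
	}
	if err := json.Unmarshal(toolsList, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	for _, t := range doc.Tools {
		names := make([]string, 0, len(t.InputSchema.Properties))
		for n := range t.InputSchema.Properties {
			names = append(names, n)
		}
		sort.Strings(names) // stable report order across runs
		for _, n := range names {
			p := t.InputSchema.Properties[n]
			if unconstrained(p) {
				out = append(out, Finding{t.Name, n, "accepts input without constraints", "LLM01"})
			}
			// Heuristic (this example's assumption): a URI parameter means the tool
			// pulls remote content back into the model's context.
			if p.Format == "uri" {
				out = append(out, Finding{t.Name, n, "returns remote content to the model (indirect-injection surface)", "LLM01"})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := Scan([]byte(sampleToolsList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("⚠ %s.%s: %s (%s)\n", f.Tool, f.Param, f.Issue, f.Ref)
	}
	fmt.Printf("%d finding(s)\n", len(findings))
}
```

On the sample above the scan reports three findings: `refund.write.amount` and `refund.write.reason` have no constraints, and `web.fetch.url` is flagged as an indirect-injection surface, while `order.read.order_id` passes because its schema carries a pattern.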
Bind
Mints capability tokens — macaroon-style, attenuable, revocable, ed25519 holder-of-key, with signed denial receipts (HMAC-SHA256). Each agent carries a scoped token; every call produces a tamper-evident receipt that doubles as compliance evidence.
$ capframe bind --agent shopify-bot \
--tools "order.read, refund.write" \
--max-refund 50.00 --ttl 24h
✓ token minted: cf_tok_a91f4e…
scope: 2 tools, $50 ceiling
expires: 2026-05-18T08:14:00Z
Guard
A deterministic runtime policy layer. Each tool call is evaluated against the token and the policy synthesized from Find's report — before the call reaches the tool. No LLM in the decision path. Single-digit-microsecond evaluation.
$ capframe guard --policy ./policy.toml
✓ sentry listening on :8783
✓ policy synced: 14 rules, 3 categories
✓ watching for tool calls…
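The Bind module above describes macaroon-style tokens that are attenuable and bound to an ed25519 holder key. This added example (written for this page in Go with the standard library; Capframe itself is Rust and this is not its implementation) shows the mechanics: an HMAC-SHA256 chain that lets any holder append a caveat but never remove one, and a `holder=` caveat that pins the agent's ed25519 public key so a call is only honoured when signed by the matching private key. The token id, key material and caveat names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Token is a macaroon-style capability: an id, an ordered caveat list and a
// chained HMAC-SHA256 tag. Any holder can append a caveat (attenuate); only
// the issuer, who keeps the root key, can verify the chain.
type Token struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func mac(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Mint creates a token whose first caveat pins the holder's ed25519 public key,
// so the token is useless to anyone who cannot sign with the matching private key.
func Mint(root []byte, id string, holder ed25519.PublicKey) Token {
	t := Token{ID: id, Sig: mac(root, id)}
	return t.Attenuate("holder=" + hex.EncodeToString(holder))
}

// Attenuate appends a caveat; the tag is re-keyed from the previous tag, so the
// caveat list can grow but an earlier caveat can never be dropped.
func (t Token) Attenuate(caveat string) Token {
	caveats := append(append([]string{}, t.Caveats...), caveat)
	return Token{ID: t.ID, Caveats: caveats, Sig: mac(t.Sig, caveat)}
}

// Verify recomputes the chain from the root key and compares tags (issuer side).
func Verify(root []byte, t Token) bool {
	sig := mac(root, t.ID)
	for _, c := range t.Caveats {
		sig = mac(sig, c)
	}
	return hmac.Equal(sig, t.Sig)
}

// VerifyHolder checks that a call was signed by the key pinned in the token
// (holder-of-key), so a copied token cannot be replayed by another agent.
func VerifyHolder(t Token, call []byte, sig []byte) bool {
	for _, c := range t.Caveats {
		if strings.HasPrefix(c, "holder=") {
			pub, err := hex.DecodeString(strings.TrimPrefix(c, "holder="))
			return err == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, call, sig)
		}
	}
	return false
}

// Demo replays the shopify-bot flow with constructed keys and returns the
// outcome of each check.
func Demo() map[string]bool {
	root := []byte("constructed-issuer-root-key")
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Issuer mints; the agent (or an operator) narrows the scope further.
	tok := Mint(root, "cf_tok_demo", agentPub).
		Attenuate("tools=order.read, refund.write").
		Attenuate("max_refund=50.00")
	call := []byte(`{"tool":"refund.write","amount":20}`)

	// Tampering attempt: drop the ceiling caveat but keep the old tag.
	stripped := Token{ID: tok.ID, Caveats: tok.Caveats[:2], Sig: tok.Sig}

	return map[string]bool{
		"valid chain":         Verify(root, tok),
		"stripped caveat":     Verify(root, stripped),
		"holder signature":    VerifyHolder(tok, call, ed25519.Sign(agentPriv, call)),
		"foreign signature":   VerifyHolder(tok, call, ed25519.Sign(otherPriv, call)),
		"attenuated is valid": Verify(root, tok.Attenuate("ttl=24h")),
	}
}

func main() {
	for name, ok := range Demo() {
		fmt.Printf("%-20s %v\n", name, ok)
	}
}
```

Two properties matter here: attenuation needs only the token, not the root key, so an operator can narrow a token they were handed; and removing a caveat invalidates the tag, so the ceiling cannot be quietly widened.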
The artifact your security team hands to an auditor.
Every Capframe run produces evidence mapped to the three frameworks regulated buyers already require. Run capframe report to export HTML or PDF.
OWASP LLM
Top 10 — 2025
- ✓LLM01 prompt injection
- ✓LLM02 insecure output
- ✓LLM07 insecure plugin
- ✓LLM08 excessive agency
NIST AI RMF
v1.0
- ✓GOVERN
- ✓MAP
- ✓MEASURE
- ✓MANAGE
MITRE ATLAS
v4.7
- ✓TA0043 reconnaissance
- ✓TA0006 credential access
- ✓TA0040 impact
- ✓TA0007 discovery
What it looks like in the shell.
$ capframe find ./my-mcp-server.toml
✓ mapped 14 tools across 2 MCP servers
⚠ 3 tools accept input without constraints (LLM01)
⚠ 1 tool has indirect-injection surface (LLM01, ATLAS T0051)
→ findings written to ./capframe.findings.json

$ capframe bind --agent shopify-bot \
    --tools "order.read, refund.write" \
    --max-refund 50.00 --ttl 24h
✓ token minted: cf_tok_a91f4e…
  holder: ed25519 / shopify-bot
  scope: 2 tools, $50 refund ceiling
  expires: 2026-05-18T08:14:00Z
  revoke: capframe revoke cf_tok_a91f4e

$ capframe guard --policy ./policy.toml --port 8783
✓ sentry listening on :8783
✓ policy synced: 14 rules, 3 categories
✓ watching for tool calls…

$ capframe report --format html --out ./report.html
✓ report written
  OWASP LLM Top 10: 4/10 covered, 2 findings open
  NIST AI RMF: Govern ✓ Map ✓ Measure ✓ Manage ✓
  MITRE ATLAS: 2 techniques flagged, 0 active exploits
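The guard step in the walkthrough above is the one with no LLM in the decision path. As an added example, not Capframe's code, here is what such a deterministic evaluator looks like in Go: the token's scope (tools, refund ceiling, expiry) and a small rule set written for the parameters discovery flagged are checked in a fixed order, and every denial is stamped with an HMAC-SHA256 receipt. The `Scope`, `Rule` and `Decision` types, the sample calls and the receipt key are this example's assumptions, and Bind is assumed to have already verified the token's chain and holder signature.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"time"
)

// Scope is what the guard reads off a capability token that Bind has already
// chain-verified and holder-checked.
type Scope struct {
	Tools     map[string]bool
	MaxRefund float64
	Expires   time.Time
}

// Rule is one constraint synthesized for a parameter discovery flagged as
// unconstrained. Rules sit in a slice so they run in a fixed order.
type Rule struct {
	Tool, Param string
	Pattern     *regexp.Regexp
	MaxLength   int
}

type Call struct {
	Tool string
	Args map[string]any // decoded JSON arguments
	At   time.Time
}

type Decision struct {
	Allowed bool
	Reason  string
	Receipt string // hex HMAC-SHA256 over the denial record, empty on allow
}

// Guard is the entire decision path: fixed comparisons in a fixed order.
func Guard(receiptKey []byte, s Scope, rules []Rule, c Call) Decision {
	deny := func(why string) Decision {
		m := hmac.New(sha256.New, receiptKey)
		fmt.Fprintf(m, "deny|%s|%d|%s", c.Tool, c.At.Unix(), why)
		return Decision{Reason: why, Receipt: hex.EncodeToString(m.Sum(nil))}
	}
	if !c.At.Before(s.Expires) {
		return deny("token expired")
	}
	if !s.Tools[c.Tool] {
		return deny("tool not in token scope")
	}
	if amt, _ := c.Args["amount"].(float64); c.Tool == "refund.write" && amt > s.MaxRefund {
		return deny("refund exceeds token ceiling")
	}
	for _, r := range rules {
		v, ok := c.Args[r.Param].(string)
		if r.Tool != c.Tool || !ok {
			continue // rule is for another tool, or the argument is absent / not a string
		}
		if r.MaxLength > 0 && len(v) > r.MaxLength {
			return deny(r.Param + ": exceeds max length")
		}
		if r.Pattern != nil && !r.Pattern.MatchString(v) {
			return deny(r.Param + ": fails pattern")
		}
	}
	return Decision{Allowed: true}
}

// Demo evaluates five constructed calls against the shopify-bot scope and two
// rules written for the refund.write parameters discovery flagged.
func Demo() []Decision {
	key := []byte("constructed-receipt-key")
	now := time.Date(2026, 5, 17, 8, 14, 0, 0, time.UTC)
	scope := Scope{Tools: map[string]bool{"order.read": true, "refund.write": true},
		MaxRefund: 50, Expires: now.Add(24 * time.Hour)}
	rules := []Rule{
		{Tool: "refund.write", Param: "order_id", Pattern: regexp.MustCompile(`^ord_[a-z0-9]{8}$`)},
		{Tool: "refund.write", Param: "reason", MaxLength: 200},
	}
	calls := []Call{
		{"refund.write", map[string]any{"order_id": "ord_7f3a9c1d", "amount": 20.0, "reason": "damaged"}, now},
		{"refund.write", map[string]any{"order_id": "ord_7f3a9c1d", "amount": 120.0}, now},
		{"refund.write", map[string]any{"order_id": "not-an-order-id", "amount": 5.0}, now},
		{"inventory.delete", map[string]any{}, now},
		{"order.read", map[string]any{"order_id": "ord_7f3a9c1d"}, now.Add(25 * time.Hour)},
	}
	var out []Decision
	for _, c := range calls {
		out = append(out, Guard(key, scope, rules, c))
	}
	return out
}

func main() {
	for i, d := range Demo() {
		fmt.Printf("call %d allowed=%v %s %s\n", i, d.Allowed, d.Reason, d.Receipt)
	}
}
```

Only the first call is allowed; the others are denied for the ceiling, the malformed order id, the out-of-scope tool and the expired token respectively, each with a receipt that the holder of the receipt key can later recompute to confirm the denial was genuine.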
curl -fsSL capframe.ai/install | sh

Open source. Hosted when you need it.
Free
All three modules. Local CLI. Full OWASP / NIST / ATLAS report generator. MIT license.
- ✓All three modules
- ✓Local-first CLI
- ✓Full report generator
- ✓Run anywhere
Pro
Hosted dashboard, findings history, scheduled scans, Slack alerts. For AI teams shipping agents at velocity.
- ✓Hosted dashboard
- ✓Findings history + diffing
- ✓Scheduled scans
- ✓Slack / Discord alerts
- ✓Up to 10 agents
Enterprise
On-prem / VPC. SSO, audit logs, signed compliance reports, SLA. For regulated buyers in fintech, healthcare, defence.
- ✓SSO + audit logs
- ✓On-prem / VPC deploy
- ✓Signed compliance reports
- ✓SLA + Slack channel
- ✓Unlimited agents
What people ask before they install.
- Q.01 Does this only work with MCP?
- Today, yes — Capframe is built around the Model Context Protocol. Adapter support for OpenAI function calling, Anthropic tool use, and LangGraph is on the roadmap.
- Q.02 Does my agent data leave my environment?
- No. The CLI is local-first. The Pro / Enterprise hosted control plane is opt-in and stores only the metadata you choose to sync.
- Q.03 Is the runtime Guard fast enough for production?
- Yes. Guard is a Rust process; policy evaluation is single-digit microseconds. There is no LLM in the decision path — every allow/deny is deterministic.
- Q.04 Why three separate modules?
- Different teams adopt them at different speeds. Security teams often start with Find. AI engineers usually start with Guard. The capability-token layer (Bind) is for teams ready to commit to a permission model.
- Q.05 Why open source?
- Security infrastructure you can't read isn't trustworthy. The code your boundaries depend on should be inspectable.
- Q.06 Which agent frameworks does Capframe support today?
- Anything that speaks MCP. That covers Claude Desktop, Cursor, Continue, Cline, LangGraph (via the MCP bridge), and most agentic Rust/Python frameworks.