Bridging the Trust Gap in Agent Deployment: Introducing AgentWard Full-Stack Defense OS

Overview

The rapid evolution of large‑model technology from simple chat assistants to autonomous agents brings new security challenges, as agents now have multi‑step planning, tool invocation, long‑term memory, and the ability to act in physical or digital environments. Traditional safeguards that only filter model output are insufficient; a system‑wide, auditable, and dynamic defense is required.

Base Scan Layer: Securing the Start Point

This layer verifies the authenticity of the agent’s runtime base before any task begins. It performs strict identity and credential checks on the environment, plugins, and core capabilities. If the base is compromised, all subsequent abilities would be built on an untrusted foundation.

Detection combines rule‑based scanning with semantic analysis to identify high‑risk patterns such as prompt injection, privilege escalation, and hidden code execution. Parallel scanning and caching improve efficiency without sacrificing depth. In tests, the layer intercepted over 95% of typical attack vectors.

Input Purification Layer: Guarding the Perception Entry

Agents ingest not only user prompts but also files, logs, web excerpts, and script snippets. Malicious content can be hidden in these inputs, leading to indirect prompt‑injection attacks. The layer uses rule‑based detection targeting high‑risk commands, attempts to bypass security, sensitive data extraction, and anomalous template structures. Any input matching these patterns is blocked before it can influence the agent’s reasoning.

Cognitive Protection Layer: Defending Long‑Term Memory

Because agents retain knowledge across sessions, memory poisoning can persistently corrupt behavior. The layer monitors every write to memory files (e.g., MEMORY.md) and blocks writes that introduce harmful instructions, bias, or persistent backdoors. Demonstrations showed that without protection, a malicious skill could permanently disable C++ assistance, whereas AgentWard prevented the injection.

Decision Alignment Layer: Aligning Intent with Action

This layer continuously tracks the agent’s planned actions, ensuring they remain consistent with the user’s original intent. It checks which tools will be invoked, what operations are planned, and whether any step exceeds the user‑defined boundaries. When a deviation is detected—such as a README‑embedded rm -rf command that conflicts with a read‑only request—the system aborts the action before execution.

Execution Control Layer: Enforcing the Final Gate

The last line of defense evaluates the actual commands about to be run. It blocks high‑risk operations like infinite loops, resource‑exhaustion scripts, destructive deletions, or unauthorized system calls. In a test, an infinite loop command ( while true; do echo "hello"; sleep 1; done) was rejected outright, preventing system instability.

Real‑World Validation

AgentWard has been integrated with the Laikeclaw framework and deployed in pilot projects across Hainan Province and Hangzhou’s Futian District, serving over 50,000 users. Field tests reported a significant reduction in unsafe or unstable events, with more than 95% of typical attack scenarios blocked.

Open Source

AgentWard project code: https://github.com/FIND-Lab/AgentWard

AgentWard’s five‑layer architecture transforms agent security from fragmented filters into a cohesive, system‑level shield, enabling trustworthy deployment of autonomous AI agents in real‑world production environments.