There is a gap in how most teams approach AI agent security. They pick a tool, deploy it, and call the job done. The tool is usually defensive: guardrails, policy enforcement, content scanning. What is missing is the other half of the loop.
Defenses that are never tested are not defenses. They are guesses.
Chainbreaker, from 15 Research Lab, is the other half.
When you deploy a guardrail layer around an AI agent, you have made a bet. You have bet that the rules you wrote cover the attacks you will face, that your content scanner catches the injection patterns adversaries will use, and that your policy conditions hold under adversarial inputs. That bet needs to be tested.
The security industry has understood this for decades. Defensive tooling — firewalls, WAFs, EDR — is paired with offensive tooling — Metasploit, Burp Suite, penetration testing. The two sides inform each other. Red team findings feed blue team improvements. The cycle is the point.
AI agent security has arrived at the same moment. Runtime protection without red-teaming is incomplete. Red-teaming without runtime protection means you find vulnerabilities with nowhere to fix them. You need both, and they need to talk to each other.
Authensor sits between AI agents and the real world. Every action an agent wants to take — API calls, file operations, shell commands, database queries, payments — passes through the authorization pipeline before it executes.
The pipeline has five layers. The policy engine evaluates the intent against declarative rules and returns ALLOW, DENY, or REVIEW. Aegis scans the content for prompt injection, memory poisoning, PII, credentials, and exfiltration patterns. Sentinel watches per-agent behavioral baselines and flags anomalies. The MCP Gateway enforces policy at the tool-call boundary for any MCP-connected infrastructure. Every decision produces a cryptographic receipt that forms a hash-chained, tamper-evident audit trail.
The core principle is fail-closed. No policy means deny. Unreachable control plane means deny. The system defaults to the safest outcome when it does not know what the right outcome is.
Chainbreaker is the AI red-teaming workbench from 15 Research Lab — think Burp Suite for AI agents. It runs structured multi-step attack chains against agent infrastructure, maps findings to MITRE ATLAS TTPs, and produces a Chainbreaker Score (CBS) that gives you a quantified measure of your current attack surface.
Where generic fuzzing sends random inputs and hopes something breaks, Chainbreaker runs adversarial scenarios with intent. It tests whether an agent can be manipulated into taking actions outside its permitted scope. It probes MCP tool servers for authorization gaps. It attempts prompt injection against every ingestion surface. It simulates multi-step attack chains where the compromise builds across interactions rather than landing in a single turn.
The output is not just a vulnerability list. It is a structured map of where your defenses held, where they failed, and which ATLAS techniques were responsible for each finding.
The value of using both tools is not additive — it is multiplicative. Here is how the cycle works in practice:
Build: You define your agent's permitted action space as an Authensor policy. What tools can it call, under what conditions, with what arguments. The policy is declarative, version-controlled, and auditable.
Protect: You deploy Authensor's runtime layer. The policy engine, Aegis scanner, and MCP Gateway wrap your agent's execution surface. Every action is evaluated. Every decision is receipted.
Test: You run Chainbreaker against your protected infrastructure. Chainbreaker attempts to break through the Authensor layer using known attack techniques. It generates a CBS and a detailed finding set.
Improve: Chainbreaker findings feed directly back into Authensor configuration. A finding about a specific prompt injection pattern that bypassed Aegis becomes a new Aegis rule. A finding about a policy condition that allowed an out-of-scope action becomes a policy revision. A finding about a TOCTOU gap becomes a TOCTOU protection configuration.
Ship: The revised Authensor configuration is validated against the Chainbreaker finding set. CBS improves. The cycle provides evidence that you tested your defenses, not just deployed them.
Repeat: Agent capabilities change. New frameworks ship. New attack research drops. The cycle continues.
Both the EU AI Act and the NIST AI RMF require adversarial testing as part of the AI lifecycle, not as a one-time pre-deployment check.
EU AI Act Article 9 (Risk Management) requires that high-risk systems identify and mitigate risks "throughout the lifecycle." Static pre-deployment testing does not satisfy this. You need continuous adversarial evaluation against an evolving threat landscape. Chainbreaker provides the structured attack execution. Authensor provides the runtime control.
Article 12 (Logging) requires that every decision be recorded with enough context to reconstruct what happened. Authensor's receipt system satisfies this directly — every authorization decision produces an immutable, queryable record. Pair this with Chainbreaker's CBS and finding reports, and you have a complete compliance evidence package: here is what we tested, here is what passed, here is what failed, here is what we changed in response, here are the receipts showing the runtime behavior.
The combination gives auditors what they actually need: proof that you tested the defenses, not just that you deployed them.
One of the most direct integration points is between Chainbreaker's injection findings and Aegis's rule set. Aegis ships with 15+ prompt injection detection rules and 22 memory poisoning rules informed by MINJA attack research. When Chainbreaker discovers a new injection pattern that bypasses existing rules, that pattern can be contributed back to the Aegis rule set.
This is the open-source flywheel in practice. A red-team finding at one organization becomes a detection rule that protects every organization running Aegis. The threat intel compounds over time. The community's collective attack surface knowledge gets encoded into the shared defense layer.
15 Research Lab contributes attack research directly to Authensor's defensive rules. Petri behavioral seeds — behavioral fingerprints of known attack patterns — flow from 15RL's research into Sentinel's anomaly detection baselines. The organizations share a research feedback loop by design.
If you are currently running Authensor without adversarial testing: run Chainbreaker against your deployment. The CBS will tell you where your defenses are actually holding.
If you are currently doing red-teaming without a runtime protection layer: Authensor gives you somewhere to apply your findings. Add it as the enforcement layer. Run Chainbreaker again. Measure the improvement.
If you are building AI agents from scratch: start with both. Define your policy first. Deploy Authensor from day one. Run Chainbreaker before your first production deployment. Iterate from a tested baseline, not a theoretical one.
Both tools are open source. Both are free to self-host.
Star both repos. Try both tools. If you find something that one misses, the other will help you close it.