CyberTwin
Program tier · AI agents

Agent-Reachability Gate — Before you grant an AI agent its scopes: what could those scopes reach?

Can this AI agent reach your crowns? Answered before you grant.

Paste the agent’s MCP manifest and IAM grants. The Gate models the scopes you declare on a tenant-safe clone of your twin — pre-grant, no live agent, no external scan.

Reach is proven on the clone; dollars are modeled. An agent that reaches nothing returns null — never a $0 that reads as safe.

No live agent · No external scan · Answered pre-grant · Included in the Program tier
The pre-grant question

The access review nobody can answer.

A reviewer can see an agent’s scopes — not what they reach, chained across your environment. The Gate answers exactly that, while stripping a scope is still free.

BLOCK

The declared scopes reach a crown jewel that carries priced loss. The result shows the modeled dollars and the one scope to strip. Don’t grant it as-is.

REVIEW

The scopes reach a crown, but it has no dollar profile to price — so a human decides. We never invent a number to force a verdict.

ALLOW

No declared scope reaches a crown in the modeled twin. Labeled clearly as “models the declared scopes only” — never an absolute-safety claim.

An over-permissioned agent doesn’t have to be hacked. It just has to be fooled.

THE CONFUSED DEPUTY

A confused-deputy candidate both ingests untrusted input and holds authority reaching a crown — poisoned input could steer its legitimate permissions. That’s a structural fact about the grant, never a behavioral prediction.

The verdict ships as a dated, Ed25519-signed Agent Authority Record — dated input for the human-oversight file EU AI Act Art. 14 will ask of in-scope high-risk systems from 2 December 2027, re-checkable by your auditor at /verify, without trusting us.

The Agent-Reachability Gate surface — declared agent scopes checked against the modeled twin before rollout.
Sample environment (seeded demo) · as of upload · point-in-time snapshot, no live scan
1
Declare

Paste the agent’s scopes

The MCP manifest, the IAM grants, the tokens it holds — the access on paper, before it ships.

2
Gate

The twin walks the grant

The engine computes what that access reaches if the agent is compromised — the confused-deputy chains included.

3
Record

An Agent Authority Record

A dated, structural verdict you can attach to the rollout review — modeled, labeled, and re-checkable on the next upload.

The worked example

A compromised agent, priced — and the one scope to strip.

If the declared scopes can move, the Gate lists the routes, prices the modeled exposure, and names the single scope that closes every one of them. A modeled example from the fictional Acme Capital estate.

AI agent: support-copilotBLOCK$1,600,000
support-copilot → billing subnet → prod VPC → cardholder database (crown) · cross-surface · 3 hops · ALE p50 $1.6M
THE ONE SCOPE TO STRIP

Withhold the network:dial billing-subnet scope and all three hops close — before the grant.

Printed on the result: this is your twin’s modeled reach IF the agent is compromised, given the scopes you declared — not a claim the agent is malicious. An agent that reaches nothing returns null, never a zero.

Why this is defensible

We gate the access, not the agent.

The Gate makes no claim about the agent, touches nothing live, and prices only what it can prove.

We model the scopes you declare, not the agent’s behavior.

No live agent, no external scan, no behavioral guess. We take the tool scopes you’re about to grant and model where that ambient authority reaches on your own graph — asked before the grant.

Compromise is conditional, never asserted.

Every result is framed “IF this agent is compromised.” We never claim the agent is or will be malicious — the gate is about the blast radius of the access, not the character of the agent.

The agent is hypothetical; your twin is untouched.

The agent node and its scope edges live only in a projected clone of your twin for the length of the check. Your baseline environment model is never mutated. Nothing is deployed.

Reach is proven; dollars are modeled; nothing is zero-filled.

The routes are a proven traversal on the projected graph; the loss is modeled with FAIR. An agent that reaches no crown returns null, never a $0 that reads as safe — and a crown we can’t price reads REVIEW, not a fabricated BLOCK.

Questions

The same engine that draws your paths.

Do you run the agent to test it?
No live agent, no external scan. We model the scopes you declare — the MCP manifest and IAM grants — on a tenant-safe clone of your twin, before the grant. We model the reach of the access, never the agent’s behavior.
Is a BLOCK a claim the agent is malicious?
Never. Every result is framed “IF this agent is compromised.” The confused-deputy flag is a structural fact about the grant — poisoned input could steer legitimate permissions — never a behavioral prediction.
What do I get to keep?
A dated, Ed25519-signed Agent Authority Record — dated input for the human-oversight file EU AI Act Art. 14 asks of in-scope high-risk systems from 2 December 2027, re-checkable by your auditor at /verify without trusting us.

We model the scopes you declare, not the agent’s behavior. Every result is framed “if this agent is compromised”; reach is proven on the clone, dollars modeled, and an agent that reaches nothing returns null.

Coverage

An agent is waiting for its scopes. What would they reach?

Included in the Program tier — no add-on, no separate SKU.

Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests

Full coverage & honesty detail → /features#coverage

ProgramMost Popular
$36,000/yr
Annual only

The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.