The declared scopes reach a crown jewel that carries priced loss. The result shows the modeled dollars and the one scope to strip. Don’t grant it as-is.
Agent-Reachability Gate — Before you grant an AI agent its scopes: what could those scopes reach?
Can this AI agent reach your crowns? Answered before you grant.
Paste the agent’s MCP manifest and IAM grants. The Gate models the scopes you declare on a tenant-safe clone of your twin — pre-grant, no live agent, no external scan.
Reach is proven on the clone; dollars are modeled. An agent that reaches nothing returns null — never a $0 that reads as safe.
The access review nobody can answer.
A reviewer can see an agent’s scopes — not what they reach, chained across your environment. The Gate answers exactly that, while stripping a scope is still free.
The scopes reach a crown, but it has no dollar profile to price — so a human decides. We never invent a number to force a verdict.
No declared scope reaches a crown in the modeled twin. Labeled clearly as “models the declared scopes only” — never an absolute-safety claim.
An over-permissioned agent doesn’t have to be hacked. It just has to be fooled.
A confused-deputy candidate both ingests untrusted input and holds authority reaching a crown — poisoned input could steer its legitimate permissions. That’s a structural fact about the grant, never a behavioral prediction.
The verdict ships as a dated, Ed25519-signed Agent Authority Record — dated input for the human-oversight file EU AI Act Art. 14 will ask of in-scope high-risk systems from 2 December 2027, re-checkable by your auditor at /verify, without trusting us.

Paste the agent’s scopes
The MCP manifest, the IAM grants, the tokens it holds — the access on paper, before it ships.
The twin walks the grant
The engine computes what that access reaches if the agent is compromised — the confused-deputy chains included.
An Agent Authority Record
A dated, structural verdict you can attach to the rollout review — modeled, labeled, and re-checkable on the next upload.
A compromised agent, priced — and the one scope to strip.
If the declared scopes can move, the Gate lists the routes, prices the modeled exposure, and names the single scope that closes every one of them. A modeled example from the fictional Acme Capital estate.
Withhold the network:dial billing-subnet scope and all three hops close — before the grant.
Printed on the result: this is your twin’s modeled reach IF the agent is compromised, given the scopes you declared — not a claim the agent is malicious. An agent that reaches nothing returns null, never a zero.
We gate the access, not the agent.
The Gate makes no claim about the agent, touches nothing live, and prices only what it can prove.
We model the scopes you declare, not the agent’s behavior.
No live agent, no external scan, no behavioral guess. We take the tool scopes you’re about to grant and model where that ambient authority reaches on your own graph — asked before the grant.
Compromise is conditional, never asserted.
Every result is framed “IF this agent is compromised.” We never claim the agent is or will be malicious — the gate is about the blast radius of the access, not the character of the agent.
The agent is hypothetical; your twin is untouched.
The agent node and its scope edges live only in a projected clone of your twin for the length of the check. Your baseline environment model is never mutated. Nothing is deployed.
Reach is proven; dollars are modeled; nothing is zero-filled.
The routes are a proven traversal on the projected graph; the loss is modeled with FAIR. An agent that reaches no crown returns null, never a $0 that reads as safe — and a crown we can’t price reads REVIEW, not a fabricated BLOCK.
The same engine that draws your paths.
Do you run the agent to test it?
Is a BLOCK a claim the agent is malicious?
What do I get to keep?
We model the scopes you declare, not the agent’s behavior. Every result is framed “if this agent is compromised”; reach is proven on the clone, dollars modeled, and an agent that reaches nothing returns null.
An agent is waiting for its scopes. What would they reach?
Included in the Program tier — no add-on, no separate SKU.
Cross-stitched from the 15 security tools we support · annotated against 26 distinct MITRE ATT&CK techniques · backed by 9,000 automated tests
Full coverage & honesty detail → /features#coverage
The deliverables a senior consulting partner would produce — refreshable, sourced, board-ready.
If one service account leaks, what does it reach — and what is that worth?
Deep dive →If this vendor is breached, what do they reach inside you?
Deep dive →A signed, dated proof a crown jewel is NOT reachable — re-checkable without trusting us.
Deep dive →