What is it?
Runtime defense for systems using AI agents, focused on unsafe actions, persistence, tool use, and system side effects.
Gensee Crate: action-layer security
Gensee Crate goes deeper than prompts, follows long-horizon agent behavior across sessions, and runs as a low-latency sidecar beside the agents teams already use.
Prevent earlier: before the risky action
Deeper coverage: user to system
Longer memory: across sessions
Sidecar deployment: agents unchanged
Deeper: user intent to system actions
Longer: multi-session lineage and defense
Sidecar: works with unmodified agents
Defense in depth: requests, tools, memory, files, network, processes
Commodity desktops: including macOS endpoints
Low latency: millisecond-level sidecar decisions
Out-of-box agents: Claude Code and MCP-style tool use
On-prem ready: keep policy and evidence inside your environment
Quick answers
Gensee Crate catches unsafe agent behavior before it becomes a system-level side effect. It connects user requests, agent plans, tool calls, memory, skills, files, network activity, and processes into one policy-aware trace.
It follows intent all the way down: user request, agent behavior, MCP/tool calls, memory, skills, files, network, and processes.
Prompt injection, memory poisoning, long-horizon attacks, risky tool use, and delayed unsafe actions.
As a low-latency sidecar beside unmodified agents on endpoints such as a MacBook, with company-set policy and on-prem evidence storage for enterprise deployments.
01 · Deeper
Any layer can be unsafe: the user request, the agent's plan, or the system action. Gensee Crate maps the full path so it can detect risk and enforce defense in depth instead of trusting one prompt filter.
02 · Longer
Agent risk is not always a single bad request. It can be planted in memory, hidden in a skill, carried through an artifact, and triggered days later by a benign-looking task.
Session 1: Persistence is planted.
A web page, repo, or dependency convinces the agent to save a "helpful" memory, modify a skill, or leave behind a shell helper.
Session 2: The user asks for a normal task.
The agent returns to the project, reads local context, invokes tools, and unknowingly follows the poisoned instruction path.
Session 3: Side effects appear.
A file is staged, a secret is touched, a process runs, or a network request leaves the machine. A single-session scanner sees only the final action.
Lineage across sessions.
Crate links requests, memories, skill edits, tool calls, artifacts, process launches, file effects, and network activity into one trace.
Persistence-aware policy.
Memory writes, skill changes, generated scripts, hooks, and executable artifacts become policy surfaces, not invisible agent state.
Explainable response.
When Crate blocks or asks for approval, teams can see the chain that made the action risky, not just the last command.
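The three-session chain above, as an added illustrative example (this is not Gensee Crate's code; the product's internals are not on this page): a minimal taint-propagation pass over an agent event trace, in which every artifact an untrusted source influences carries that lineage into later sessions. Event kinds, artifact ids, the untrusted-source prefixes, the ask/block policy and the placeholder hostnames are all assumptions made for the example; the trace itself is constructed.

```python
# Added illustrative example: cross-session lineage (taint) tracking over an agent event trace.
# Not Gensee Crate's code; event kinds, artifact ids and the untrusted-source prefixes are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    idx: int            # position in the trace
    session: int        # which agent session emitted it
    kind: str           # request, fetch, memory_write, memory_read, script_write, process, file, network
    actor: str          # "user", "agent", or an untrusted source id such as "web:<host>"
    reads: tuple = ()   # artifact ids the event consumed
    writes: tuple = ()  # artifact ids the event produced
    note: str = ""


UNTRUSTED = ("web:", "repo:", "dep:")                       # assumed taint sources
PERSISTENCE = {"memory_write", "skill_edit", "script_write"}  # assumed persistence surfaces
SIDE_EFFECTS = {"file", "process", "network"}                 # assumed system side effects


def check(events):
    """Walk the trace in order, propagating taint from untrusted actors through every
    artifact they influence. Returns (event idx, verdict, chain) for each persistence event
    ("ask") and each system side effect ("block") whose inputs trace back to untrusted data."""
    taint = {}      # artifact id -> chain of event idxs that tainted it
    findings = []
    for ev in events:
        chain = [ev.idx] if ev.actor.startswith(UNTRUSTED) else None
        for art in ev.reads:
            if art in taint:
                chain = taint[art] + [ev.idx]
                break
        if chain is None:
            continue                        # benign: no untrusted ancestry
        for art in ev.writes:
            taint.setdefault(art, chain)    # taint survives the session boundary via the artifact
        if ev.kind in PERSISTENCE:
            findings.append((ev.idx, "ask", chain))
        elif ev.kind in SIDE_EFFECTS:
            findings.append((ev.idx, "block", chain))
    return findings


def explain(events, chain):
    """Render a chain as the session/kind/actor path that made the final action risky."""
    by_idx = {ev.idx: ev for ev in events}
    return " -> ".join(f"s{by_idx[i].session}:{by_idx[i].kind}({by_idx[i].actor})" for i in chain)


# Constructed trace mirroring the three sessions above (hostnames are placeholders).
TRACE = [
    Event(0, 1, "request", "user", note="summarize the project notes"),
    Event(1, 1, "fetch", "web:notes.example.invalid", writes=("content:notes",)),
    Event(2, 1, "memory_write", "agent", reads=("content:notes",), writes=("memory:project",)),
    Event(3, 2, "request", "user", note="run the tests"),
    Event(4, 2, "memory_read", "agent", reads=("memory:project",), writes=("plan:s2",)),
    Event(5, 2, "script_write", "agent", reads=("plan:s2",), writes=("script:helper.sh",)),
    Event(6, 3, "request", "user", writes=("request:s3",), note="tidy the repo"),
    Event(7, 3, "process", "agent", reads=("script:helper.sh",), writes=("proc:helper",)),
    Event(8, 3, "file", "agent", reads=("proc:helper",), writes=("data:staged",), note="reads a secret"),
    Event(9, 3, "network", "agent", reads=("data:staged",), note="POST to collector.example.invalid"),
    Event(10, 3, "file", "agent", reads=("request:s3",), note="benign: formats a source file"),
]

if __name__ == "__main__":
    for idx, verdict, chain in check(TRACE):
        print(f"event {idx}: {verdict:5s} {explain(TRACE, chain)}")
    # A scanner limited to the last session never sees the untrusted origin:
    print("single-session findings:", check([e for e in TRACE if e.session == 3]))
```

Run over the whole trace, the pass flags the memory write in session 1 and the script write in session 2 as persistence surfaces to approve, and the process, file and network events in session 3 as blocked, each with its full chain back to the fetched page. Run over session 3 alone it returns nothing, because the helper script's untrusted origin is outside the window; the benign file edit driven only by the user's request is never flagged in either view.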
Early benchmark signal
Preliminary AgentCanary Benchmark results show Gensee Crate improving defense rate across threat types.
Runtime overhead: 0.6%-1.2% (10ms-400ms per request)
* Results measured on macOS running Claude Code with the Qwen-3.5-397B model.
03 · Sidecar
Gensee Crate is designed as a non-intrusive runtime sidecar. It works with unmodified, out-of-the-box agents on commodity desktops, including macOS, without forcing teams to adopt a new agent framework.
Start with agents like Claude Code and MCP-style tool use as they run today, instead of rebuilding the agent stack around a security SDK.
Designed for real developer machines and local workstations, including macOS desktops where agentic coding tools already live.
Observe and interpose around tools, files, network, execution, memory, skills, and artifacts without sitting in the user's way.
Targets near-zero false positives and overhead in the 200ms-500ms range, so protection is not noticeable in interactive coding and desktop workflows.
The same sidecar model can feed company-set policy, on-prem evidence storage, identity, alerting, SIEM, and internal developer systems.
Market signals
Enterprise AI teams are starting to ask for runtime defense that follows coding agents beyond one prompt, one tool call, or one session.
Enterprise demand: deep-stack, long-horizon defense
Research ecosystem: EigentAI, CamelAI, UCSD
Native agent workflows: Claude Code now, Codex planned
Native environments: MacBook now, Linux planned
“We seek solutions from GenseeAI for in-depth, long-horizon defense for our company-wide AI agent system.”
AI Security Team from a hyperscale IT company
GenseeAI partners with EigentAI and CamelAI, is backed by research from UCSD WukLab, with venture backing from TSFV.
Two offerings
Gensee Crate starts with local runtime enforcement for individual agent users and extends into centralized policy, identity, evidence, and multi-agent controls for company-wide agentic safety.
For individual developers and agent users who want local protection when agents interact with LLMs, tools, skills, websites, email, files, and execution surfaces.
Individual developers · Agent users · LLM threats · Tool threats · Skills · Websites · Email
For company-wide agentic safety: on-prem distributed deployment, integration with the existing company ecosystem, company-set policy, identity binding, tamper-evident evidence, quotas, MCP/tool manifests, SIEM integrations, and controls for malicious-human and multi-agent risks.
On-prem · Distributed · Company policy · Identity binding · Tamper-evident · Quotas · MCP manifests · SIEM · Multi-agent
Get started
Book a demo to see Gensee Crate around Claude Code, MCP tools, skills, memory, and system actions. The open-source developer edition is available on GitHub.