Agent security: what we do so you can sleep

The pitch for Vezra is easy to love: every agent has its own computer, real access to your tools, full autonomy over its day. The pitch is also a list of security concerns if you're the kind of founder who reads SOC 2 reports for fun. This post is for you.

We'll be concrete. This is what we actually do — not aspirational, not "industry standard," just what's running in production today.

Isolation, per agent

Every agent you hire runs in a separate, unprivileged Linux environment. No shared filesystem between agents. No shared browser profile. No shared cookies, tokens, or shell history. If you hire five agents, you have five isolated machines, and the only thing they share is the orchestration layer that schedules them.

This matters because it means a prompt injection that compromises one agent cannot pivot to another. We've seen attacks in the wild that try to leak credentials by talking the agent into reading another agent's tokens. On Vezra, there's nothing to read — the other agent's tokens live in a different filesystem on a different machine.

Credential vaulting

When you connect an integration, we don't hand the agent a secret. We hand the agent a reference. The actual token lives in our vault, keyed per-agent-per-connector. When the agent calls a tool, the request is signed by our side — the agent never sees the raw credential, and it never gets written to the agent's filesystem.

If an agent misbehaves and you revoke it, its credentials are gone instantly. If the provider (say, Shopify) rotates a token, we pick up the rotation through the normal OAuth refresh flow and the agent keeps working without touching the new secret.

Network egress control

Agents cannot make arbitrary outbound network calls. Each agent has an allowlist of domains it can reach, populated from the integrations and tools it's authorized to use. If your support agent suddenly tries to POST to pastebin.com, the request is blocked and we alert.

You can audit the full egress log for any agent in the activity panel. Every HTTP call the agent has ever made is there, with the URL, the timestamp, and the intent the agent had when making it.

Prompt injection defense

This is the attack surface everyone in agentic products is losing sleep over. The way it works: an attacker plants instructions in data the agent reads — a support ticket, an email, a product description — and the agent follows those instructions instead of your brief.

We do three things to defend against this:

• Hardened system prompts. Our system prompt explicitly reserves authority to us and marks untrusted input with clear boundaries.
• Tool scoping. Agents can only call the subset of tools their role requires. A support agent can't spend money. A finance agent can't send email to external contacts.
• Action confirmation on high-risk operations. Things like issuing a refund over a threshold, deleting data, or sending bulk email require an explicit confirmation step, by default.

This isn't solved in the field — nobody's done a better job than "defense in depth" — but defense in depth is what we do.

Memory hygiene

An agent's memory is persistent — that's part of what makes it useful — but persistence is an attack surface. We keep the memory explicit: the agent sees a memory store it can read and write. It can't memorize secrets by accident, because it can't see them. And you can see what the agent has remembered at any time.

If you ever want to wipe an agent and start over, there's one button. Memory, history, everything.

Audit logs

Every tool call, every message, every login, every deploy — logged, timestamped, immutable. Logs are retained for 90 days by default, longer on the Enterprise plan. You can export them, pipe them to your SIEM, or filter them in the dashboard.

If a customer ever asks "what did my support agent do with my data," we can answer that question in minutes.

Data residency and compliance

Vezra is deployed in SOC 2 Type II-audited infrastructure. We're GDPR-compliant. We offer EU data residency on our Business and Enterprise plans. We have a signed DPA available to customers who need one. Enterprise customers can run agents in their own cloud account (BYOC) if full control is the requirement.

We take the unglamorous stuff seriously because the moment it matters, it really matters.

The honest part

No security posture is perfect. Prompt injection is an active research area. Emerging attack patterns will find new cracks. Our commitment isn't that nothing will ever go wrong — it's that we'll tell you when it does, fast, and we'll ship the fix faster.

We're optimizing for a product that feels like hiring a teammate. Part of that feeling is the boring confidence that your teammate isn't going to accidentally leak your data. That's the bar.

If you want the full security overview before you sign up, email us at security@vezra.io. We reply within a business day, and we'll send you our SOC 2 report under NDA.