We benchmarked every accessible production guardrail against a blind-authored attack corpus. Properly measured (ROC-AUC, threshold sweeps, confidence intervals), the picture is more nuanced than “guards don’t work” and more damning. Out of the box, none is deployable. Tuned, the better ones separate attacks from legitimate traffic, but only as a perpetual calibration project. Symbiont’s structural controls need none of it: 0% escape at 0% false positives, by construction.

What the 2026 OWASP agentic security report’s headline finding actually says — and why it’s about reachability, not allowlists.

A new ThirdKey Research preprint on steganographic exfiltration in embedding stores, and a cryptographic provenance defense.

Why prompt-based safety degrades under the same pressures as human working memory, and what to build instead.

Introducing ToolClad: Declarative Tool Interface Contracts for Agentic Runtimes

Every agent framework has a loop. Call the LLM, parse the tool calls, execute them, feed the results back. ReAct, AutoGPT, LangGraph, CrewAI — the shape is always the same. What differs is what happens when things go wrong, and more importantly, what can’t happen at all.