Everything you need to know about Canyon Road's Execution-Layer Security platform.
Beacon secures supervised AI on endpoints — desktop copilots like Claude, Cursor, and ChatGPT that run with employee credentials. AgentSH secures unsupervised agents wherever they run — CI, containers, pipelines, and dev environments. Both enforce policy at execution time, but in different contexts.
Watchtower is the centralized control plane. It distributes security policies to AgentSH and Beacon endpoints, routes approval workflows, exports audit logs to your SIEM, and provides a fleet-wide kill switch for emergencies.
Steering redirects AI to approved alternatives instead of hard-blocking. For example, redirecting package requests to your internal registry instead of the public one. This keeps developers productive and prevents retry loops that happen when agents keep hitting a hard block.
AgentSH intercepts every system call — network connections, command executions, and file changes — made by AI agents in CI/CD pipelines. Every action is logged with full process chain context and can be exported to your SIEM via Watchtower. You get real-time visibility into what agents access, run, and connect to.
AgentSH enforces least-privilege policies at the syscall level. Commands like terraform apply or kubectl apply can be set to require human approval before execution. Policies are defined as code, versioned in git, and enforced deterministically — no prompt engineering involved.
Watchtower supports policy distribution across your entire fleet. Define different policies per team, environment, or workload type. Policies are pushed from Watchtower to AgentSH and Beacon endpoints, and enforcement happens locally at runtime.
Canyon Road provides deterministic, runtime-enforced controls — not prompt-based guardrails. Beacon and AgentSH block unauthorized network connections and file access at the execution layer, and Watchtower generates audit trails showing every policy decision. These logs map directly to SOC 2 and ISO 27001 control requirements.
Canyon Road's Execution-Layer Security operates at the system call level — below the AI model, below the application. It intercepts network connections, process executions, and file operations before they happen. Controls are deterministic and policy-based, not dependent on prompt engineering or model behavior.