Menu
Blog How it works Use Cases
Products
agentsh
Open-source runtime for AI agent security
Beacon
AI endpoint visibility and control
Watchtower
Enterprise control plane for agentsh and Beacon
Request Access

Execution-time enforcement.
Centralized governance.

Canyon Road secures AI at the moment actions execute — not after. Three products, one architecture: local enforcement powered by central policy.

See the architecture Get early access
Architecture

Three products. One system.

agentsh wraps AI agents for runtime enforcement. Beacon monitors AI desktop apps at the OS level. Watchtower manages both from one place.

Watchtower

Control Plane

Central policy management, approval routing, SIEM export, and fleet-wide kill switch.

Policy RBAC SIEM Kill switch

agentsh

Runtime

Wraps AI agents in CI, containers, and dev environments. Enforces policy at execution time.

Allow Block Prompt Redirect

Beacon

Endpoint

Monitors AI desktop tools (Claude, Cursor, ChatGPT). Per-app visibility and control.

Visibility Per-app rules MDM deploy
How it flows

From policy to enforcement in five steps.

Write once, enforce everywhere. Policies flow down, decisions flow back up.

1

Write policy in Watchtower

Define what's allowed, what's blocked, and what requires approval. Set rules by destination, command, tool, or user group.

Watchtower
2

Distribute to endpoints and environments

Policies sync to Beacon (endpoints) and agentsh (CI, containers, dev environments). Rollout rings let you test before going fleet-wide.

Beacon agentsh
3

Enforce locally at execution time

When an AI tool or agent tries to act, agentsh intercepts the syscall and evaluates policy. Decisions happen in milliseconds, locally.

agentsh
4

Route approvals and decisions

When policy says "prompt," the request routes through Watchtower to Slack, email, or SMS. Approvers decide, and the action proceeds or blocks.

Watchtower
5

Export evidence and respond to incidents

Every action is logged. Export to your SIEM (Splunk, Sentinel, QRadar). If something goes wrong, hit the kill switch to pause AI operations fleet-wide.

Watchtower
New to the concept? Read: Execution-Layer Security Want examples? See: Use Cases
Getting started

Start where your risk is.

You don't need to deploy everything at once. Pick the product that matches your biggest concern.

Shadow AI on endpoints

Employees using Claude, ChatGPT, Cursor without IT visibility. You need to see what's happening and set boundaries.

Start with Beacon

Headless agents in CI/containers

AI agents running in automation pipelines. No UI, no user to prompt. You need policy enforcement at the syscall level.

Start with agentsh

Enterprise governance + compliance

Multiple teams, audit requirements, SIEM integration. You need central control and an emergency brake.

Add Watchtower

Ready to see it in action?

We're working with early design partners to refine the architecture. If you're deploying AI tools or agents and want guardrails that actually work, let's talk.

Request early access Or try agentsh (open source) →