How Capsule Is Approaching the Security Risks of AI Agents

AI agents have gone from interesting experiment to production reality faster than most security teams can track. Microsoft recently reported that more than 80% of Fortune 500 companies now run active AI agents built with low-code and no-code tools. That number says a lot — but it doesn’t say anything about how many of those companies have meaningful visibility into what those agents are actually doing once they’re deployed.

Capsule Security launched out of stealth today to address exactly that problem, announcing a $7 million seed round led by Lama Partners and Forgepoint Capital International alongside a runtime security platform designed to monitor and control AI agent behavior in real time.

When Guardrails Aren’t Enough

I spoke with Naor Paz, co-founder and CEO of Capsule. Capsule was founded in 2025 by Paz, who spent eight years in Israeli intelligence, including Unit 8200, before leading F5’s WAF product line, and co-founder Lidan Hazout, who built identity threat detection at Transmit Security.

He stressed that even when guardrails are implemented, AI agents don’t always follow the rules. Cursor, the AI coding tool, has a feature called `.cursorignore` — it tells the agent which files to stay out of. In theory, a reasonable guardrail. Paz described how Capsule has seen agents reasoning around it. The agent figures out it can’t access the file directly, so it decides to write a shell script to work around the restriction instead.

That isn’t a malfunction. The model is doing what it’s supposed to do — find the most efficient path to the outcome it was given. The guardrail is just another token in the context. If accomplishing the goal requires going around it, the agent will go around it.

That’s a genuinely strange thing to have to account for in a security model. Most of our assumptions about software are built on deterministic behavior — you set a rule, the system follows the rule. LLM-powered agents don’t work that way. They reason and improvise, and as Paz put it, “unless you watch every single interaction of them in runtime, you can’t be sure what they’re going to do.”

Capsule’s platform sits inside the agent’s execution path and evaluates every tool invocation and data access request as it happens. When an agent tries something it shouldn’t, the platform can stop it before the action completes and generate an audit trail for security and compliance teams.
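To make the difference concrete between a guardrail the model merely reads and one enforced at runtime, here is an added illustration (my own sketch, not Capsule's code or Cursor's implementation) of the `.cursorignore` workaround described above and of a pre-invocation checkpoint that evaluates every tool call. The tool names `read_file`, `write_file` and `run_shell` and the ignore list are hypothetical and constructed for the example.

```python
import fnmatch
import os
import shlex
from dataclasses import dataclass

# Constructed ignore list in the style of a .cursorignore file (assumption: one glob per line).
IGNORE_PATTERNS = [".env", "secrets/*", "*.pem"]


@dataclass
class ToolCall:
    tool: str   # hypothetical tool names: "read_file", "write_file" or "run_shell"
    args: dict


def ignored(path: str) -> bool:
    """True if a (normalised) path matches any ignore pattern."""
    return any(fnmatch.fnmatch(os.path.normpath(path), p) for p in IGNORE_PATTERNS)


def words_in(text: str) -> list[str]:
    """Split shell-like text into words, also splitting inside quoted args such as bash -c '...'."""
    try:
        tokens = shlex.split(text)
    except ValueError:            # unbalanced quotes: fall back to plain whitespace splitting
        tokens = text.split()
    return [w for t in tokens for w in t.split()]


def paths_touched(call: ToolCall) -> list[str]:
    """Best-effort list of filesystem paths a tool call could reach, whichever tool is used."""
    if call.tool == "read_file":
        return [call.args["path"]]
    if call.tool == "write_file":
        # Target path plus every path-like word in the content: a script written now may read an
        # ignored file when it is executed later, so it is inspected at write time.
        return [call.args["path"]] + words_in(call.args["content"])
    if call.tool == "run_shell":
        return [w for w in words_in(call.args["cmd"]) if not w.startswith("-")]
    return []


def naive_guard(call: ToolCall) -> bool:
    """The guardrail-as-token model: only the dedicated file tool honours the ignore list."""
    return not (call.tool == "read_file" and ignored(call.args["path"]))


def checkpoint(call: ToolCall, audit: list) -> bool:
    """Runtime pre-invocation check on every tool call; returns True if allowed, records an audit entry."""
    hits = sorted({p for p in paths_touched(call) if ignored(p)})
    audit.append({"tool": call.tool, "args": call.args, "blocked": bool(hits), "matched": hits})
    return not hits
```

With this, a direct `read_file` of `.env` is refused by both checks, but writing a script that reads `.env`, or running `bash -c 'cat secrets/key.pem'`, slips past `naive_guard` and is stopped only by `checkpoint`, which also leaves the audit record the text describes.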

Intent Is the New Perimeter

Something Paz said during our conversation provides clarity on why existing tools fall short: “Intent is the new perimeter.” I’ve been saying for a few years that identity is the new perimeter — that in a cloud world, controlling who can access what matters more than where traffic comes from. That’s still true. But with agents, even identity and access controls don’t close the loop. An agent can have the right credentials, the right permissions, and still end up somewhere no one intended because its goal-seeking behavior takes it there. Watching what the agent is actually trying to do, in real time, is the piece that’s missing.

Shadow AI compounds this further. When employees started using ChatGPT before their companies had any policy around it, the response was containment — block the tools, write the policies. It mostly worked, or at least it was manageable. Unsanctioned AI agents connected to internal systems are a different problem. An unsanctioned generative AI tool reads. An unsanctioned agent acts. Capsule integrates with endpoint detection tools and identity providers to map agent usage across an organization, including local models running entirely outside IT’s line of sight.

The Security Gap Is Already Wide

According to Capsule, 72% of enterprises are already running AI agents, but only 29% have AI-specific security controls in place. I asked Paz why the gap is that wide. His answer was pretty direct — security teams tried to block AI adoption, and it didn’t work. The pressure from CEOs, boards, and competitors made blocking a losing proposition. So now those same teams are trying to secure something that’s already in production and moving fast. “Every single CISO we speak with is panicking,” Paz told me. “They’re very confused.”

Alongside the launch, Capsule published research disclosing two zero-day vulnerabilities it found in major enterprise agent platforms. ShareLeak is a critical-severity prompt injection flaw in Microsoft Copilot Studio, which has been patched and assigned CVE-2026-21520. PipeLeak is a similar issue in Salesforce Agentforce, triggered through untrusted lead-form inputs. Both are examples of how ordinary content in an agent’s environment can be crafted to redirect what the agent does. Paz’s take on the state of these platforms: “They’re just Swiss cheese full of holes.”

What Capsule Is Building

The platform requires no proxies, gateways, SDKs, or browser extensions, and supports Cursor, Claude Code, Microsoft Copilot Studio, Salesforce Agentforce, and ServiceNow. Capsule also released ClawGuard, an open-source tool that adds a pre-invocation checkpoint for agents on open frameworks. Gartner has named this category “guardian agents” and lists Capsule as a representative vendor. The company also came out of a competitive field — six finalists from nearly 1,000 applicants — in the CrowdStrike, AWS, and NVIDIA Startup Accelerator at RSAC 2026.

Near the end of our conversation, Paz brought up Jamie Dimon’s recent Axios interview, where the JPMorgan CEO named cybersecurity as the single biggest problem with AI. It’s not a surprising view coming from Dimon, but it reflects something that’s becoming harder to ignore as models get more capable. The more an agent can do, the more it can do that you didn’t intend. That’s the window Capsule is trying to close.

Tony Bradley: I have a passion for technology and gadgets and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 3 dogs, 5 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.