AegisSwarm-Core is the open-source reference implementation behind "Securing the Swarm: Governance, Attack Surfaces, and Zero-Trust Architectures in Multi-Agent AI Environments." It intercepts, evaluates, and audits every agentic action in real time, so autonomous agents stay inside a deterministic, verifiable boundary instead of running on alignment alone.
Multi-agent systems plan, delegate, and call tools without per-step human oversight. That creates an execution-plane attack surface that perimeter security was never designed for. Here is why teams adopt AegisSwarm-Core instead of bolting on ad hoc checks:
Rs = C_impact × (1 - P_conf) scoring model gives a deterministic, auditable trigger for human-in-the-loop escalation rather than relying on the agent's own confidence claims.Four independent subsystems sit between an agent and the outside world. A request must clear all four before any tool executes.
PII/PHI tokenization and a dual-stage semantic classifier screen every input before it reaches an agent's context window, the primary defense against indirect prompt injection (OWASP ASI01).
Short-lived X.509-SVID and JWT-SVID credentials via SPIFFE/SPIRE replace static API keys. Agent-to-agent calls require mutual TLS, closing off "Confused Deputy" escalation (OWASP ASI03).
Every tool request is evaluated against Rego policies in Open Policy Agent before execution: autonomy tiers, globally blocked tools, and network access controls are enforced as code.
A dynamic risk score, Rs = C_impact × (1 - P_conf), is computed per transaction. If it exceeds the configured threshold, execution freezes until a human operator grants cryptographic clearance.
Mapped to the OWASP Top 10 for Agentic Applications (December 2025).
| Risk | AegisSwarm mitigation |
|---|---|
| ASI01: Agent Goal Hijack | Dual-stage injection filter + GoalVerifier semantic check |
| ASI02: Tool Misuse & Exploitation | OPA tier policies + globally blocked tool registry + sandbox |
| ASI03: Agent Identity & Privilege Abuse | SPIFFE/SPIRE mTLS + JWT-SVID peer validation |
| ASI04: Resource Overconsumption | Per-session token budget + rate limiting per tool |
| ASI05: Supply Chain Compromise | OPA policy-as-code CI gate on every manifest change |
Go 1.22+, a local SPIRE agent, and OPA are the only prerequisites.
git clone https://github.com/sunilgentyala/AegisSwarm-Core.git
cd AegisSwarm-Core
go mod download
# Run guardrail integration tests
go test ./tests/... -v
# Run vulnerability simulation tests (ASI01, ASI02, ASI03)
go test ./tests/vulnerability_simulation/... -v
# Lint and test OPA policies
opa check policies/
opa test policies/ -v