Built for what the model shouldn't be trusted with.
Run Claude Code, Codex, or any agent on your own Kubernetes — with credential isolation, zero-trust networking, and per-MCP-server containerization on by default. Configure in Terraform. Swap vendors in one Terraform block.
Prompt injection can turn any AI agent into an exploit.
The model reads attacker-controlled data (a web page, a file, a tool's output) and treats it as instructions. If the resulting tool calls reach a process that holds secrets, the agent has become the exploit. Every feature below exists so that these patterns stop working.
GitHub Copilot Codespaces
Prompt injection in a repo made Copilot read GITHUB_TOKEN from its own environment and emit it through the model output. The token was in env vars because that is where Codespaces puts it.
EchoLeak — Microsoft 365 Copilot
A single crafted email caused Copilot to read across OneDrive, SharePoint, and Teams during routine summarisation and exfiltrate the contents. Zero clicks. Broad filesystem reach made cross-source exfil possible.
30+ CVEs across AI IDEs
Agents wrote JSON files referencing attacker-hosted schema URLs. The editor's schema validator fetched the URL — leaking the file's contents in the request. The agent never explicitly sent the data; the validator did.
The agent never holds your secrets.
A credential the agent can read is a credential the agent can leak. Two proxies sit outside every sandbox: the LLM Proxy carries provider keys, the Egress Gateway carries tool tokens. The agent calls upstream with synthetic placeholders; the real key is attached at the network edge.
No tool tokens. No env secrets. Brokering moves the question from "can the agent exfiltrate the credential?" to "what is the credential allowed to do?"
Every agent gets its own cryptographic identity.
Identity lives in an x509 certificate that the platform mints with OpenZiti, not in an API token the model could read or leak. Dial policies are bound to that identity rather than to IP allowlists. A compromised agent stays inside its own allow list; neighbouring agents and other tenants' services stay unreachable.
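How the brokering proxies and the identity-bound dial policy fit together, as an added Python illustration that is not Agyn's code: the placeholder prefix, the identity name, the allowed hosts and the sample token are constructed assumptions.

```python
# Egress-side credential brokering as described above: the sandbox sends a request
# carrying a synthetic placeholder and the gateway swaps in the real token, but only
# for a host the agent's identity may dial. Added illustration, not Agyn's code.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PLACEHOLDER_PREFIX = "agyn-placeholder:"  # constructed convention for synthetic credentials

@dataclass
class Identity:
    subject: str                                  # CN of the agent's x509 certificate
    dial_allow: set = field(default_factory=set)  # hosts this identity may reach
    tokens: dict = field(default_factory=dict)    # placeholder -> (real token, host it is scoped to)

class Denied(Exception):
    pass  # the sandbox only ever sees this error, never the real token

def broker(identity: Identity, url: str, headers: dict) -> dict:
    """Return the headers the gateway will send upstream, or raise Denied."""
    host = urlsplit(url).hostname
    if host not in identity.dial_allow:
        raise Denied(f"{identity.subject} may not dial {host}")
    out = dict(headers)
    auth = out.get("Authorization", "")
    if auth.startswith("Bearer " + PLACEHOLDER_PREFIX):
        placeholder = auth[len("Bearer "):]
        real, scoped_host = identity.tokens.get(placeholder, (None, None))
        if real is None or scoped_host != host:
            raise Denied(f"{placeholder} is not bound to {host}")
        out["Authorization"] = "Bearer " + real
    elif auth.startswith("Bearer "):
        # Nothing in the sandbox was ever issued a real token, so a literal
        # bearer value is a leak in progress or a model hallucination.
        raise Denied("sandbox presented a literal bearer token")
    return out

# Constructed sample: one identity, two allowed hosts, one placeholder scoped to GitHub.
SUPPORT = Identity("support-agent", {"api.github.com", "api.linear.app"},
                   {PLACEHOLDER_PREFIX + "github": ("ghp_CONSTRUCTED_SAMPLE", "api.github.com")})

def demo() -> dict:
    """Exercise the cases a gateway must get right; returns the outcome per case."""
    ph = "Bearer " + PLACEHOLDER_PREFIX + "github"
    cases = {"swapped": ("https://api.github.com/repos/acme/app/issues", ph),
             "wrong_host": ("https://api.linear.app/graphql", ph),       # allowed host, wrong token
             "not_allowed": ("https://unknown.example/collect", ph),     # host outside the dial policy
             "literal": ("https://api.github.com/user", "Bearer ghp_typed_by_model")}
    out = {}
    for name, (url, auth) in cases.items():
        try:
            out[name] = broker(SUPPORT, url, {"Authorization": auth})["Authorization"]
        except Denied as e:
            out[name] = "denied: " + str(e)
    return out
```

Only the "swapped" case leaves the gateway carrying a real token; the other three are refused before any upstream connection is made.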
One Pod per agent. One sidecar per MCP. No shared kernel.
Every workload runs in a Kata Containers + Firecracker microVM — a hardware-enforced kernel boundary per Pod. The agent and its MCPs share the Pod, but each MCP is its own container with its own secrets. A compromised tool cannot reach another tool's filesystem, credentials, or network.
- Dedicated workspace volume — not shared with other agents
- Restricted profile: no root, no caps, read-only root FS, no privilege escalation
- No provider keys, no tool tokens, no env secrets
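An added audit script, not Agyn's code, that checks a Pod spec against the restricted profile listed above and for per-MCP secret isolation; the RuntimeClass name "kata-fc" and both sample Pods are constructed assumptions.

```python
# Audit a Pod spec against the restricted profile described above (no root, no caps,
# read-only root FS, no privilege escalation, no secrets in env, microVM kernel boundary).
# Added example, not Agyn's code; field names are the Kubernetes Pod API.
KATA_RUNTIME_CLASS = "kata-fc"  # assumption: RuntimeClass backed by Kata + Firecracker

def audit_pod(pod: dict) -> list:
    """Return violations as strings; an empty list means the Pod passes."""
    spec, findings = pod.get("spec", {}), []
    if spec.get("runtimeClassName") != KATA_RUNTIME_CLASS:
        findings.append("pod: not on the microVM RuntimeClass (shared kernel)")
    secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
    secret_users = {}  # secret volume -> containers that mount it
    for c in spec.get("containers", []):
        n, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{n}: may run as root")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{n}: privilege escalation allowed")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{n}: capabilities not dropped")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{n}: root filesystem writable")
        for e in c.get("env", []):
            if "secretKeyRef" in e.get("valueFrom", {}):
                findings.append(f"{n}: secret in env var {e['name']}")
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                secret_users.setdefault(m["name"], []).append(n)
    for vol, users in secret_users.items():
        if len(users) > 1:  # one MCP must not be able to read another's token
            findings.append(f"secret volume {vol} shared by {', '.join(users)}")
    return findings

RESTRICTED = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
              "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}

# Constructed sample: agent plus one MCP sidecar, each mounting only its own volume.
GOOD_POD = {"spec": {"runtimeClassName": KATA_RUNTIME_CLASS,
    "volumes": [{"name": "workspace", "emptyDir": {}},
                {"name": "github-mcp-token", "secret": {"secretName": "github-mcp-token"}}],
    "containers": [
        {"name": "agent", "securityContext": RESTRICTED,
         "volumeMounts": [{"name": "workspace", "mountPath": "/workspace"}]},
        {"name": "mcp-github", "securityContext": RESTRICTED,
         "volumeMounts": [{"name": "github-mcp-token", "mountPath": "/run/secrets"}]}]}}

# Constructed counter-example: a token in the environment plus a secret volume shared by both containers.
BAD_POD = {"spec": {"volumes": [{"name": "tok", "secret": {"secretName": "gh"}}], "containers": [
    {"name": "agent", "volumeMounts": [{"name": "tok", "mountPath": "/s"}],
     "env": [{"name": "GITHUB_TOKEN", "valueFrom": {"secretKeyRef": {"name": "gh", "key": "token"}}}]},
    {"name": "mcp-github", "volumeMounts": [{"name": "tok", "mountPath": "/s"}]}]}}
```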
Ship Claude Code today. Switch to Codex by changing two lines.
Claude Code, Codex, and Agyn's own agent ship as ready-to-deploy containers. The Agent resource has an init_image field that selects the agent CLI; the LLM Proxy handles both Anthropic Messages and OpenAI Responses on the same endpoint. MCPs, skills, hooks, egress rules, identity — all unchanged across vendors.
```diff
# Swap vendor: two lines change. Everything else stays.
resource "agyn_agent" "support" {
  organization_id = agyn_organization.acme.id
  name            = "Support"
-  model           = agyn_llm_model.claude_opus.name
-  init_image      = "ghcr.io/agynio/agent-init-claude:v1"
+  model           = agyn_llm_model.gpt5.name
+  init_image      = "ghcr.io/agynio/agent-init-codex:v1"
  idle_timeout    = "5m"
  availability    = "internal"

  # everything below is unchanged across vendors
  mcps         = [agyn_mcp_server.github.id, agyn_mcp_server.linear.id]
  skills       = [agyn_skill.code_review.id]
  egress_rules = [agyn_egress_rule.github.id]
  group        = agyn_group.support_engineers.id
}
```
Reviewed, versioned, owned by the team.
Agents, MCPs, skills, egress rules — declared as Terraform resources. Reviewed before merge, versioned in git, owned by the team that operates them. Agents become infrastructure that survives employee turnover — audited, rolled back, handed off. Per-agent RBAC via OpenFGA lets you share without granting platform-wide access.
```text
Terraform will perform the following actions:
  + agyn_secret.github_token
  + agyn_secret.openai_key
  + agyn_llm_model.claude_opus
  + agyn_llm_model.gpt5
  + agyn_egress_rule.github
  + agyn_mcp_server.github
  + agyn_mcp_server.linear
  + agyn_skill.code_review
  + agyn_agent.support
  + agyn_group.support_engineers

Plan: 10 to add, 0 to change, 0 to destroy.

Apply complete. Resources: 10 added.
```
| Capability | owner | maintainer | participant |
|---|---|---|---|
| Chat with the agent | | | |
| Read agent config | read | | |
| Edit prompts, skills, MCPs | | | |
| Attach EgressRules & Secrets | | | |
| Share with another team | | | |
| Delete the agent | | | |
Built for regulated and sovereign deployments.
When regulation or sovereignty requires it, Agyn runs on your Kubernetes: on-prem, in your VPC, or air-gapped. Any conformant cluster works, including EKS, GKE, AKS, OpenShift, bare-metal and even kind. The control plane and the agent loop run where you run them, so your data, your audit logs and your incident response stay yours. Internal services behind VPNs and firewalls are reachable through per-identity OpenZiti dial policies, not an IP list, and not by flattening your network.
See it on your own cluster.
30 minutes. We'll deploy Claude Code on your Kubernetes, wire it to your secrets through the Egress Gateway, and show you what credential isolation looks like end-to-end.