Why Tyr?

The problem

AI coding agents and autonomous LLMs now run with full user privileges on developer laptops, build servers, and production VMs. In practice this means:

  • Credential exposure. ~/.aws/credentials, .env files, SSH keys, gh tokens — all readable.
  • Silent exec. curl | bash, rm -rf, arbitrary shell commands from a single misread instruction.
  • Opaque LLM traffic. Outbound calls to OpenAI, Anthropic, or any provider — with whatever context the agent chose to send.
  • No fleet visibility. You have 50 engineers running Cursor. You can’t answer “did any of them leak source to a third-party LLM today?”

There is no Falco for AI agents. No unified policy layer that says:

“My Cursor instance can read the repo but not ~/.ssh, can call api.openai.com but not random domains, and must ask before sudo.”

— across every machine in the fleet.

Why existing tools fall short

| Tool | Problem |
|---|---|
| LLM SDKs with guardrails | Only catch what the agent tells you. Bypassed by any subprocess call. |
| Container sandboxes | Developers won’t run their AI agents inside containers for latency + UX reasons. |
| Network firewalls | Can’t distinguish api.openai.com from openai-exfiltrator.example.com on IP alone. |
| Audit logs (auditd / OSQuery) | Observability only — no enforcement, no AI semantics. |
| Falco / Tetragon | Runtime security primitives, but no AI-agent awareness and no central policy plane. |

Why kernel-level?

Because anything above the kernel is bypassable.

  • LD_PRELOAD: the agent can unsetenv("LD_PRELOAD") or exec a stripped binary.
  • ptrace: detectable and skippable.
  • Seccomp: too coarse — no path-based deny rules.
  • Language-level guardrails: only apply to that runtime.

eBPF runs in the kernel, sees every syscall, and denies before the call completes. It’s the only layer that’s both universal and non-bypassable from userspace.

Why Cedar?

Cedar is Amazon’s open-source policy language originally built for IAM and Verified Permissions. It’s:

  • Declarative — says what, not how.
  • Proven — backed by formal verification.
  • Fast — evaluates thousands of rules per millisecond.
  • Boring — in the good way. No custom DSL for us to maintain.

Tyr lets you author policies in a friendly YAML format and compiles them to Cedar.
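The fleet policy quoted under "The problem", written directly in Cedar as an added illustration (it is not Tyr's schema or its compiler output). The `Agent`, `Host` and `Binary` entity types, the action names, the `path` attribute, the `/home/dev` paths and the `context.user_approved` flag are all assumptions made for this example.

```cedar
// Added example with hypothetical entity types and actions; not Tyr's own schema.
// Cedar denies by default: anything not matched by a permit is refused.

// Cursor may read files inside the repository checkout.
permit (
  principal == Agent::"cursor",
  action == Action::"file_read",
  resource
) when {
  resource has path && resource.path like "/home/dev/repo/*"
};

// Cursor may never touch ~/.ssh. A forbid always overrides any permit.
// The `has` guard matters: a policy that errors during evaluation is
// skipped, so an unguarded attribute access could silently disable this rule.
forbid (
  principal == Agent::"cursor",
  action in [Action::"file_read", Action::"file_write"],
  resource
) when {
  resource has path && resource.path like "/home/dev/.ssh/*"
};

// Outbound connections are allowed to exactly one named host.
// Every other destination falls through to the default deny.
permit (
  principal == Agent::"cursor",
  action == Action::"net_connect",
  resource == Host::"api.openai.com"
);

// sudo runs only when the enforcement layer reports that the user approved
// this specific request (hypothetical context flag set by the caller).
permit (
  principal == Agent::"cursor",
  action == Action::"exec",
  resource == Binary::"/usr/bin/sudo"
) when {
  context has user_approved && context.user_approved
};
```

Cedar has only permit and forbid effects, so "must ask before sudo" is modelled here as a permit that depends on an approval flag the caller places in the request context.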
