How Behavry Works
Behavry sits between your AI agents and the systems they interact with. Every action an agent takes passes through the enforcement pipeline before reaching its target — in milliseconds.
The Enforcement Pipeline
Every tool call an agent makes goes through five steps:
- Authenticate — Verify the agent's cryptographic identity. Who is making this request, in which session, on whose behalf?
- Scan — Check the content for prompt injection, DLP violations, and trust domain signals.
- Evaluate policy — Run the action against your active policies. Is it allowed, denied, or does it need human review?
- Log — Record the full event — agent, action, arguments, decision, risk score — in the tamper-evident audit log.
- Enforce — Allow the call through, block it with an error, or hold it for escalation.
The agent's call either reaches the target system or it doesn't. Nothing passes through silently.
Key Components
Agent Identity
Every agent gets a cryptographic identity (JWT, RS256). Behavry knows exactly which agent is acting, in which session, on whose behalf. Identities persist across sessions and build up a behavioral history over time.
Policy Engine
Policies are evaluated for every single tool call. Decisions are: allow, deny, escalate to human, or restrict to a limited operating mode. Policies are written in Rego and take effect the moment they're activated.
Behavioral Monitor
Behavry builds a baseline of normal behavior for each agent. Deviations — unusual tool sequences, risk spikes, prompt injection patterns, trust resets — trigger alerts and optional escalation without requiring a policy rule for every scenario.
Audit Log
Every action is logged with its full context. The log is append-only and hash-chained — each event cryptographically references the previous one, making tampering detectable. Logs can be exported to your SIEM.
Dashboard
Your security team gets a real-time view of all agent activity, policy violations, escalations, behavioral anomalies, and compliance posture — no command line required.
Deployment Options
| Mode | Description |
|---|---|
| SaaS | Hosted by Behavry. Connect your agents and go. |
| Self-Hosted | Runs entirely in your infrastructure. Contact us for the deployment guide. |
| Hybrid | Control plane hosted by Behavry, enforcement data plane in your network. |