Kernel-Level Enforcement

Zero-trust governance for AI agents

Every agent action is isolated, auditable, and reversible. One binary. One YAML. Enforced at the Linux kernel — not the application layer.

  • 10/10: OWASP ASI coverage
  • 9 MB: Single binary
  • 8 ms: Pod clone time
  • 60: CLI commands
  • 0: Dependencies

Security tools were built for humans, not agents

Every enterprise security tool assumes deterministic code written by a human. EDR, DLP, IAM, SIEM — all designed for predictable workflows.

AI agents decide what to do at runtime. They read files, call APIs, modify code, and interact with other agents — all autonomously. Traditional tools can't govern what they can't predict.

envpod is built for agents that decide at runtime.

# Without envpod:
Agent writes to host filesystem        untracked
Agent calls unknown API endpoint       unaudited
Agent modifies system config           irreversible
Agent leaks credentials in prompt      unscreened

# With envpod:
Write captured in COW overlay          diff/commit
DNS allowlist blocks unknown hosts     audited
Seccomp blocks dangerous syscalls      enforced
Prompt screening catches leak          blocked
Foundation + Four Walls + Governance Ceiling
Every pod is a governed environment. The foundation makes everything reversible. The four walls enforce isolation. The ceiling provides intelligence.
┌──────────────────────────────────────────────────────────────┐
│                      GOVERNANCE CEILING                      │
│        Policy Engine · Screening · Vault · Monitoring        │
│          Action Queue · Scorecard · Audit · Budget           │
└──────────────────────────────────────────────────────────────┘
┌───────────┐    ┌───────────┐    ┌───────────┐    ┌───────────┐
│ PROCESSOR │    │ NETWORK   │    │ MEMORY    │    │ DEVICES   │
│ PID ns    │    │ Net ns    │    │ /proc     │    │ GPU       │
│ cgroups   │    │ DNS       │    │ mask      │    │ Display   │
│ seccomp   │    │ Firewall  │    │ Coredump  │    │ Audio     │
└───────────┘    └───────────┘    └───────────┘    └───────────┘
┌──────────────────────────────────────────────────────────────┐
│            FOUNDATION — Copy-on-Write Filesystem             │
│       OverlayFS · diff · commit · rollback · snapshots       │
└──────────────────────────────────────────────────────────────┘
18 categories. Hundreds of features.
One binary replaces a stack of 33 tools.
  • 01 COW Filesystem (CE): Every write captured in overlay. diff, commit, rollback. Host never modified.
  • 02 Network Isolation (CE): Per-pod DNS resolver. Allowlist, denylist, monitor. Anti-tunneling. Live mutation.
  • 03 Process Isolation (CE): PID namespace, cgroups v2, seccomp-BPF. Three syscall profiles. NO_NEW_PRIVS.
  • 04 Credential Vault (CE): ChaCha20-Poly1305 encrypted. Env injection. Agent never sees real API keys.
  • 05 Action Queue (CE): Four approval tiers. 20 action types. Queue socket. Undo registry. Hot-reload.
  • 06 Prompt Screening (CE): Regex + AI layers. Injection, credentials, PII, exfiltration. 53 patterns.
  • 07 Web Dashboard (CE): Fleet view, pod detail, inline diff viewer. Freeze, resume, commit from browser.
  • 08 Desktop & GPU (CE): noVNC desktop in browser. GPU passthrough. Audio streaming. File upload.
  • 09 SDK (CE): Python + TypeScript. 44 methods. Local, relay, and service proxy connections.
  • 10 OPA Policy Engine (PREMIUM): Rego rules. 7 decision points: queue, vault, commit, DNS, L7, MCP, pod-to-pod.
  • 11 Agent Identity (PREMIUM): Ed25519 per pod. JWT per agent. OIDC/SSO. Three identity layers. Vault scoping.
  • 12 Fleet Orchestration (PREMIUM): IaC manifests. Parallel clone. Batch executor. Scale. envpod up.
  • 13 Remote Management (PREMIUM): HTTP API. WebSocket relay. Node daemon. SSH proxy. Control from anywhere.
  • 14 Service Proxy (PREMIUM): Expose services at *.envpod.cloud. Two-token auth. Token rotation.
  • 15 Governance Scorecard (PREMIUM): 7-dimension grading. CWA scoring. Auto-governance rules. Auto-freeze.
  • 16 OpenTelemetry (PREMIUM): OTLP export to Grafana, Datadog, Splunk. Pre-built dashboards.
  • 17 Vault Proxy (PREMIUM): Transparent HTTPS MITM. Agent sends dummy creds, proxy injects real ones.
  • 18 Sealed Mode (PREMIUM): Zero host visibility. Agent cannot see the host filesystem at all.
Kernel-level compliance, not application-level promises
Other tools enforce governance at the application layer — the agent can bypass it. envpod enforces at the kernel. The agent has no choice.
  • 10/10 OWASP ASI: All 10 Agentic Security Initiative risks covered at the kernel level. CE provides foundational coverage. Premium adds depth.
  • NIST AI Risk Management: Full mapping to NIST AI RMF. GOVERN, MAP, MEASURE, MANAGE — all subcategories mapped to envpod features.
  • EU AI Act Aligned: Risk categorization, transparency, human oversight, documentation. Governance scorecard provides continuous evidence.
$ envpod verify my-agent
  15/15 boundaries held
  attestation signed
Four commands. Full governance.
The agent thinks it's on your real system. But every write is captured, diffable, and reversible.
  • 01 envpod init: Create a governed pod from pod.yaml. One YAML defines everything.
  • 02 envpod run: Agent runs inside the pod. All writes go to the COW overlay.
  • 03 envpod diff: Review every file the agent created, modified, or deleted.
  • 04 envpod commit: Accept changes to host. Or rollback — discard everything.
Free forever. Premium when you scale.
CE gives you kernel-level governance that no other free tool provides. Premium adds identity, policy intelligence, and fleet orchestration.
| Capability | CE (Free) | Premium ($399) |
| --- | --- | --- |
| Kernel isolation (5 namespaces + cgroups + seccomp) | Yes | Yes |
| COW filesystem + diff/commit/rollback | Yes | Yes |
| DNS filtering + pod-to-pod discovery | Yes | Yes |
| Credential vault (ChaCha20-Poly1305) | Yes | Yes |
| Action queue (4 tiers, 20 types) | Yes | Yes |
| Web dashboard + SDK + 68 examples | Yes | Yes |
| OPA/Rego policy engine (7 decision points) | | Yes |
| Agent identity (Ed25519/JWT + OIDC/SSO) | | Yes |
| Vault proxy (agent never sees keys) | | Yes |
| Fleet orchestration (IaC, parallel clone, scale) | | Yes |
| Remote management (relay, node daemon, SDK) | | Yes |
| Service proxy (*.envpod.cloud) | | Yes |
| OpenTelemetry + Grafana dashboards | | Yes |
| Governance scorecard + adversarial verify | | Yes |
Start free. Scale with confidence.
The full governance stack is free. Premium when you need identity, policy, fleet orchestration, and observability.
Community Edition
$0
Free forever. Self-hosted. BSL 1.1.
  • 47 CLI commands
  • Full kernel isolation
  • COW filesystem governance
  • DNS filtering + firewall
  • Credential vault
  • Action queue + approval tiers
  • Web dashboard
  • Python + TypeScript SDK
  • Prompt screening
  • 68+ example configs
  • OWASP 10/10 at kernel level
Enterprise
Custom
Premium + SLA + dedicated support.
  • Everything in Premium
  • Dedicated support engineer
  • SLA guarantee
  • Compliance report signing
  • Custom policy templates
  • On-premise deployment
  • Training + onboarding
  • Roadmap influence
Single binary. Every platform.
Static binary. No daemon. No container runtime. No dependencies. 9 MB.
  • Ubuntu 22.04+
  • Debian 12+
  • Fedora 39+
  • Rocky / Alma 9+
  • Arch Linux
  • openSUSE
  • WSL2 (Windows)
  • macOS (OrbStack)
  • Raspberry Pi 4/5
  • Jetson Orin
  • Docker (nested)
$ curl -fsSL https://envpod.dev/install.sh | sh