QuantmLayer
Kernel-enforced · open source · one binary

Contain the coding agent. Not just trust it.

An AI coding agent runs with your privileges — your keys, your network, your machine. QuantmLayer puts it in a kernel cell that enforces what it's allowed to do, learned from behavior and provable after the fact.

install curl -fsSL https://quantmlayer.com/install.sh | sh
ql — one command, six kernel walls
QuantmLayer containing a coding agent: SSH key invisible, network blocked, tamper-evident audit, all in one command.
The threat is not hypothetical

Agents are wired into dev machines faster than they're contained.

These tools are handed real credentials and run privileged, in editors and CI. When one is compromised — or rug-pulled after you trusted it — its behavior is the attack.

FEB 2026 · SUPPLY CHAIN

A malicious coding-agent npm release shipped a payload to ~4,000 machines in 8 hours.

It read SSH keys, ran arbitrary shell commands, phoned home, and installed a persistent daemon that survived reboots.

src: StepSecurity · Snyk · A. Khan
APR 2026 · CVE-2026-12537

A major agent CLI: a CVSS 10.0 remote code execution — the maximum score.

Pre-sandbox command execution, reachable in CI pipelines. The trust model shipped behind the capability.

src: Google · GHSA-wpqr-6v78-jr5g

The payload's behavior is the threat — reading secrets, reaching the network, dropping a binary. Contain the behavior and it doesn't matter which agent carried it.

Same payload, inside the cell

Three hostile actions. Three different walls. Nothing changed but the cage.

QuantmLayer runs the agent inside a least-privilege cell built from Linux kernel primitives. Below, an exact stand-in for that supply-chain payload runs uncontained, then inside a cell — with no change to the payload itself.

ql — the supply-chain payload, contained
The same malicious payload run uncontained (succeeds) then inside a QuantmLayer cell: key invisible, egress blocked, dropped daemon denied at execve.
wall 01 — filesystem

Secrets aren't hidden. They're absent.

SSH, cloud, and token credentials don't exist inside the cell — a read returns “no such file,” not “permission denied.”

cat ~/.ssh/id_rsa → no such file
wall 02 — network

Egress is default-deny.

No route leaves the cell except what a profile allow-lists. Exfiltration and C2 can't even resolve a host.

curl unlisted-host → blocked
wall 03 — exec

Only approved binaries run.

Content-verified by hash (BPF-LSM). A dropped payload binary is denied at execve — its hash was never approved.

./dropped-daemon → denied
wall 04 — audit

Provable after the fact.

Every run commits its governing policy to a hash chain. Edit one record and it breaks — third-party-verifiable evidence.

audit verify → intact
Beyond the process — the protocol

MCP servers are third-party code. The protocol trusts them. We don't.

An MCP tool server runs with your privileges and the protocol enforces nothing at the call layer. The QuantmLayer gateway sits in the JSON-RPC stream and makes each tools/call prove itself against the server's own schema — denied calls never reach it, and every decision is auditable.

ql mcp gateway — one forwarded, three denied
The QuantmLayer MCP gateway inspecting four tool calls: one valid call forwarded, three denied for schema violation, unknown tool, and gated state-change.
Private preview

Enterprise identity & credential controls

Cell-scoped, short-lived credentials and fleet-wide, tamper-evident attribution — in private preview with design partners.

Talk to us →
Learned from behavior · enforced by the kernel · provable

The agent doesn't have to be trusted. The cell doesn't trust it.

One static binary. Seven agents out of the box. Open source.