Now in early access, book a 30-minute demo →
← Back to blog Company

Why We Built Anomity: Securing the AI Agent Endpoint

Omer Gold Co-founder & CEO, Anomity · · 4 min read

Anomity is agentic endpoint security. We built it because the way people work changed faster than the way security teams could see it. Inside almost every organization today, developers and employees are running AI agents, wiring up MCP servers, and installing extensions, skills, plugins, and hooks directly on their laptops. Those artifacts hold credentials, grant broad permissions, and reach across the network. And almost none of it shows up in the tools security teams already own. This post is the founding thesis: agentic AI adoption outran governance, the endpoint became the missing layer, and visibility-first is the only honest way to close the gap.

Adoption outran governance

The shift didn't arrive through a procurement cycle. It arrived through individual developers installing Claude, Cursor, Copilot, Cline, and Windsurf, then connecting them to MCP servers they found in a public registry that afternoon. Each connection is small and reasonable on its own. In aggregate, they form an entirely new attack surface that nobody approved, nobody inventoried, and nobody is watching.

We kept hearing the same admission from security leaders: they could describe the risk in the abstract, but they could not answer basic operational questions about it. Which machines are running agents? Which MCP servers are connected, and were any of them ever reviewed? Where are agents granted blanket permissions like Bash(*) or Write(*)? Are there plaintext secrets sitting in a config file on a developer's disk right now? The honest answer was almost always a shrug. That shrug is the problem we set out to solve.

The endpoint is the layer the stack was never built to cover

Most security teams assume their existing stack already covers this. It doesn't, and not because those tools are weak. They were designed for a different layer of the problem.

  • Network and gateway controls see traffic leaving the machine. They don't see the MCP server configuration, the trust level of that server, or the permission grant that let an agent call it.
  • EDR and XDR watch processes and binaries for malicious behavior. An AI agent reading a settings file and acting on a legitimate-but-overbroad permission is not malware, so it sails through.
  • DLP inspects content in motion. It doesn't know that an API key was sitting in plaintext inside ~/.claude/settings.json before anything moved at all.
  • GRC and manual audit produce a point-in-time snapshot. The agent layer changes daily, so a quarterly review is stale before it's published.

The common gap is the local AI layer: MCP config, agent permission grants, and the inventory of plugins, extensions, skills, and hooks living on each endpoint. Anomity is built to complement these tools, not replace them. They cover what they were designed for. We cover the layer none of them can reach.

What we believe: visibility, then governance, then proof

Our principle is simple, and it orders everything we build: you can't govern what you can't see. So we sequenced the product in exactly that order.

First, visibility. A lightweight, unprivileged daemon runs on every managed endpoint across Windows, macOS, and Linux. It discovers and inventories the full set of AI artifacts on the machine: agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs. A multi-signal trust classifier looks at vendor, command, and fingerprint to mark each MCP server as official, community, or unknown, infers what capabilities it actually has (filesystem, shell, network, credentials), and flags dangerous combinations. The flow is deliberately boring: endpoint to daemon to Anomity Cloud over HTTPS, where artifacts are classified, evaluated, and stored, then surfaced to the security team.

Second, governance. Visibility on its own becomes a dashboard nobody reads. So you define rules in plain terms: no blanket Bash(*) or Write(*) grants, only approved MCP servers, no plaintext secrets in config. Policies evaluate continuously, and violations route to where your team already works: SIEM, Slack, email, Jira.

Third, proof. We keep a 90-day audit trail of every AI artifact added, removed, or modified. The question that used to trigger a forensics engagement, 'what changed last Thursday?', becomes a single query.

Zero friction, or it won't work

Developers and employees don't even notice. The moment security gets in the way of the work, the work routes around security.Anomity design principle

We learned this from watching every heavy-handed control get bypassed by the exact engineers it was meant to protect. So the daemon is unprivileged and stays out of the way. It collects metadata, not source code and not prompts. Secrets never leave the machine; they are redacted on the endpoint before anything is sent. The design is tenant-isolated, uses per-device credentials stored hashed with bcrypt at rest, and is built to SOC 2 Type II. Trust is a precondition for the kind of access we ask for, not a feature we bolt on later.

Why now

The agentic layer is no longer experimental. It is where real work happens, which means it is where real credentials, real permissions, and real data exposure now live. The coverage gap between how fast teams adopt agents and how fast security can see them is widening every week, and the ecosystem of agents, MCP servers, and extensions keeps growing. We built Anomity to close that gap at the place it actually opens up: the endpoint. If you've ever shrugged at the question 'what AI is running on our machines right now?', that's the question we exist to answer.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok