MASO · Multi-agent security
When agents work together, trust gets complicated.
Multi-Agent Security Operations secures systems where many AI agents collaborate. The same four layers apply, but now they have to govern what agents do to each other.
The shift
One chatbot is one risk. A fleet is a system of risks.
Every agent is fragile in the same ways. Put them in a line and the failures don't add up. They multiply.
Injection propagates
A poisoned document one agent reads becomes an instruction the next agent obeys. One foothold spreads down the chain.
Errors compound
One agent's hallucination becomes another's "fact". Mistakes are repeated with confidence instead of caught.
Privilege goes transitive
If agent A delegates to agent B, and B can touch a tool, then A effectively can too. Authority leaks through hand-offs.
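An added illustration of the hand-off leak described above, not part of the MASO material: it walks a delegation graph and reports the tools each agent can reach only through other agents. The agent names, tool names and delegation edges are constructed sample data.

```python
from collections import deque

# Constructed sample data: agent names, tools and edges are hypothetical.
DIRECT_TOOLS = {
    "planner": {"search"},
    "researcher": {"search", "read_docs"},
    "executor": {"write_db", "send_email"},
}
DELEGATES_TO = {
    "planner": ["researcher"],
    "researcher": ["executor"],
    "executor": [],
}


def effective_tools(agent, direct=DIRECT_TOOLS, delegates=DELEGATES_TO):
    """Tools reachable by `agent` directly or through any chain of hand-offs."""
    seen, queue, tools = {agent}, deque([agent]), set()
    while queue:
        current = queue.popleft()
        tools |= direct.get(current, set())
        for nxt in delegates.get(current, []):
            if nxt not in seen:  # guards against delegation cycles
                seen.add(nxt)
                queue.append(nxt)
    return tools


def leaked_authority(direct=DIRECT_TOOLS, delegates=DELEGATES_TO):
    """Map each agent to the tools it can reach only through delegation."""
    report = {}
    for agent in direct:
        extra = effective_tools(agent, direct, delegates) - direct[agent]
        if extra:
            report[agent] = sorted(extra)
    return report


if __name__ == "__main__":
    for agent, tools in leaked_authority().items():
        print(f"{agent}: reaches {tools} only via hand-offs")
```

An agent that appears in the report holds more authority than its own grant states, which is the gap an external control has to close.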
The core idea
Agents can't police themselves. Something outside the agent has to declare what it should do, constrain what it can do, and judge whether it did the right thing, before an irreversible action is committed.
Why agents need external evaluation →
How it's organised
Pick what your deployment needs. Deselect the rest.
MASO is a system, not a checklist: declarations of intent, controls that enforce them, tiers that scale the scrutiny, and PACE for when something breaks.
Declared intent
Every agent, judge, and workflow runs against a versioned Objective Intent Spec: the statute book the judge rules against.
Objective Intent & mandates →
Eleven control domains
Identity, data, execution, observability, supply chain, epistemic integrity, privileged agents, and more, scaled by tier.
Browse the control domains →
Three tiers
Supervised, managed, autonomous. Scrutiny scales to autonomy: approve every write, or auto-approve the low-risk ones.
Start at Tier 1 →
PACE resilience
Primary, Alternate, Contingency, Emergency. Every layer has a defined failure mode and a safe state to fall back to.
How MASO fails safe →
Threat intelligence
Real incidents and a red-team playbook ground every control in attacks that have actually happened.
See the incidents →
Distributed architecture
At scale, Layer 2 becomes sidecars, a hardened message bus, and agent-to-agent IAM, not one judge as a chokepoint.
Scale beyond a single judge →
Visual navigation
The whole framework, on one map.
Go deeper
Ready for the full picture?
The reference has every control domain, the OWASP mappings, the tiers, the cost numbers, and the honest trade-offs.