> ## Documentation Index
> Fetch the complete documentation index at: https://atcyrus.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Agent Security

> How Cyrus protects your organization from prompt injection, tool abuse, and autonomous agent risks.

Cyrus is designed for teams that care deeply about **security, predictability, and control**.

Modern AI agents introduce new attack surfaces — especially around prompt injection, tool execution, and autonomous behavior. Cyrus is built to **reduce those risks by design**, not by policy alone.

This page explains how Cyrus protects your organization, and how those protections align with enterprise security expectations.

***

## Our security philosophy

Cyrus follows three core principles:

1. **No hidden autonomy**
2. **No privileged instruction sources**
3. **No silent tool execution**

Cyrus does not attempt to “outsmart” or override the underlying AI model’s safety mechanisms. Instead, it **inherits and preserves them**, adding additional structural guardrails at the system level.

***

## We do not override Claude’s system prompt

Cyrus **does not replace or weaken** Claude Code’s native system prompt.

Instead:

* Claude’s built-in **prompt injection defenses remain fully intact**
* Cyrus only **appends contextual guidance**, never overrides safety rules
* All instruction hierarchy, trust boundaries, and verification logic remain Claude-native

This means Cyrus benefits directly from Claude’s strongest protections, including:

* Instruction origin tracking
* Untrusted content isolation
* Mandatory user verification for action-like content
* Rule immutability

***

## Protection against prompt injection attacks

### Indirect & zero-click prompt injection

**Threat:**\
Malicious instructions embedded in emails, documents, web pages, logs, or tool outputs.

**Cyrus Protection:**

* Instructions from tools, documents, MCP servers, and web content are treated as **untrusted data**
* Claude is required to **stop execution** and surface the content to the user
* Explicit user approval is required before any action

Cyrus never executes instructions simply because they *appear relevant*.

***

### Web & RAG-based injection

**Threat:**\
Malicious instructions hidden in search results, scraped pages, or retrieved documents.

**Cyrus Protection:**

* Web and retrieval results are always treated as **data, never authority**
* Claims of “system”, “admin”, or “developer” instructions from content are ignored
* Conflicting instructions always defer to safety rules

Cyrus will surface suspicious content rather than act on it.

***

## Defense against goal drift & silent behavior changes

**Threat:**\
Subtle prompt changes over time that steer an agent toward unintended goals.

**Cyrus Protection:**

* Cyrus does not allow background or scheduled prompt mutation
* All work is triggered by **explicit Linear issues**
* Instructions are not persisted or compounded across runs unless explicitly restated

There is no concept of “quiet mode”, recurring hidden prompts, or silent objective reweighting.

***

## Tool & MCP execution safety

### Explicit tool allow-listing

Cyrus enforces a strict allow-list for all tools, including MCP servers.

* Tools must be explicitly permitted per repository
* MCP tools require both:
  * A defined server (`.mcp.json`)
  * An allow-listed namespace (`mcp__servername`)

If a tool is not allowed, Cyrus will refuse to call it — even if instructed.

***

### No silent tool execution

Cyrus does not:

* Auto-discover tools
* Execute tools opportunistically
* Escalate permissions dynamically

All tool use is:

* Explicit
* Traceable
* Bounded by configuration

***

## Instruction source isolation

Cyrus enforces a clear instruction hierarchy:

| Source                       | Trust Level |
| ---------------------------- | ----------- |
| User messages (Linear issue) | Trusted     |
| System prompt (Claude)       | Trusted     |
| Tool results / MCP output    | Untrusted   |
| Web content / documents      | Untrusted   |

Only **user-authored instructions** can trigger actions.

Claims of authority from any other source are treated as malicious by default.

***

## Social engineering & authority impersonation defense

Cyrus inherits Claude’s protections against:

* Fake “admin” or “system” messages
* Urgent or emergency manipulation
* Claims of pre-authorization
* Attempts to redefine agent roles or permissions

If encountered, Cyrus will:

1. Stop execution
2. Quote the suspicious content
3. Ask the user for explicit confirmation

***

## Auditability & transparency

Cyrus is designed to be inspectable:

* Actions map directly to Linear issues
* Tool calls are explicit and permission-bound
* No background or autonomous behavior outside declared workflows

This makes Cyrus suitable for:

* Security reviews
* Internal audits
* Regulated environments

***

## Compliance & controls

Cyrus complements its agent-level protections with organizational controls:

* SOC 2 compliant infrastructure
* Principle of least privilege
* No secret material committed to repositories
* Environment-scoped credentials

Security is enforced at **both the system and agent levels**.

***

## Summary

Cyrus is not a “black box autonomous agent”.

It is a **controlled, auditable, and safety-first system** that:

* Preserves Claude’s strongest defenses
* Adds explicit tool and instruction boundaries
* Prevents silent escalation or drift
* Makes all meaningful actions user-directed

***

<Card title="Cyrus Community" href="https://discord.com/invite/prrtADHYTt" img="https://mintcdn.com/ceedaraiinc/75NMRUlNh03-gDHX/images/cyrus-f1.png?fit=max&auto=format&n=75NMRUlNh03-gDHX&q=85&s=947d2de0018937ce613572349bc91f06" width="1120" height="928" data-path="images/cyrus-f1.png">
  Ask security questions or talk directly with the team on Discord
</Card>
