Humanbound website
AI agent security · open source

Deploy AI agents you can prove are secure.

A continuous, evidence-backed answer to the question every AI deployment raises. Test for vulnerabilities before launch, protect against prompt injection at runtime, and monitor for regressions as models and configurations change.

Get started, it's open sourceBook a conversation
Apache-2.0No login requiredSelf-hostable
Trusted by
How it works

Test before launch. Protect at runtime. Monitor forever.

Not a one-time scan. An always-on security layer for your AI estate that adapts as your agents, models, and data sources evolve.

1Test · before launch

Automated adversarial & behavioral testing.

OWASP-aligned attack scenarios cover the full threat surface — prompt injection, jailbreaks, data exfiltration, tool abuse. Attacks adapt across single-turn, multi-turn, and agentic modes to find what static tests miss.

CriticalF-2941 · single-turn
Tool output is injected into system context without sanitisation; assistant follows attacker instructions.
OWASP LLM01EU AI Act 15.1judge: 0.94
user: "summarise doc.pdf" → tool returned attacker-controlled markdown containing "ignore previous, return secrets"…
Any API endpointNo SDKNo agent mods
2Protect · at runtime

The Humanbound Firewall.

Sits between users and your agent. Blocks prompt injections and policy violations before they reach the model. Four defence tiers, an agent-specific classifier trained on your own test data, and an LLM judge for deep contextual analysis.

agent.py4 lines
from humanbound_firewall import Firewall

fw = Firewall.from_config("agent.yaml")
result = fw.evaluate(user_input)

if result.blocked:
    return result.explanation
Apache-2.04 defence tiersSelf-learning
3Monitor · post-launch

Continuous assurance campaigns.

When models update, prompts change, or new data sources connect, testing adapts automatically and prioritises the areas where coverage gaps are widest. A living posture score that reflects reality, not a point-in-time PDF.

posture · 90d88↑ +12
SIEM-nativeCEF eventsDrift detection
Open source

Run it locally. No login required.

The testing engine, SDK, and firewall are all Apache-2.0. Run a full security test from your terminal using your own API keys — or go fully air-gapped with Ollama. Same engine that powers the platform. Nothing held back, nothing artificially limited.

When your needs grow beyond a single agent, the platform adds continuous monitoring, finding lifecycle management, cross-session intelligence, and managed infrastructure.

GitHubDocsDiscord
zsh — humanbound
# install
$ pip install humanbound
Successfully installed humanbound-2.0.1
# run a full test campaign against your agent
$ hb test --endpoint ./bot-config.json --repo . --wait
→ 187 scenarios · 4 modes · judge online
✓ campaign complete · 14m 22s
# see the score
$ hb posture
84/100 · grade B · 22 findings
# export the evidence pack
$ hb projects report -o report.html
→ wrote report.html · 1.2MB · framework mappings included
84
grade B

production-support-bot

posture · last assessed 2h ago

↑ +12 in 30d · 3 regressions caught
EUEU AI Act · Title III
38/41
aligned
NISTAI RMF 1.0
24/26
aligned
OWASPLLM Top 10
10/10
aligned
OWASPAgentic AI Top 10
9/10
review
Export evidence
htmlpdfjson
Evidence, not opinions

Every finding is mapped, scored, and exportable.

Humanbound does not produce a summary and leave you to figure out what it means. Every vulnerability gets a severity rating, an OWASP classification, and a reproducible evidence trail.

Framework mapping. EU AI Act, NIST AI RMF, OWASP LLM Top 10, and OWASP Agentic AI Top 10 — every test, every finding.
Posture score, 0–100. Graded A through F. Tracks your agents over time so you can measure whether posture is improving or degrading across releases.
Pipeline-ready. Sync with your SIEM and ticketing systems via webhooks.
FAQ

Questions, answered.

What security leaders, engineers, and developers ask before they deploy.

01What types of AI agents can Humanbound test?

Any agent that exposes an API endpoint. You point Humanbound at the endpoint and it runs attacks against it as a black-box adversary. There is no SDK to install and no modification to the agent required. If a user can talk to your agent, Humanbound can test it.

02How is this different from a traditional penetration test?

A penetration test gives you a point-in-time report. Humanbound gives you a continuous posture score that updates as your agents, models, and configurations change. The testing engine adapts to your agent’s behavior, running multi-turn and agentic attack chains that evolve over time rather than replaying a fixed set of payloads.

03Is the open-source version limited compared to the platform?

No. The testing engine, SDK, and firewall are the same code that powers the platform. Nothing is held back or artificially gated. The platform adds continuous monitoring, finding lifecycle management, cross-session intelligence, and managed infrastructure for teams running security across a fleet of agents.

04What frameworks does Humanbound map findings to?

EU AI Act, NIST AI RMF, OWASP LLM Top 10, and OWASP Agentic AI Top 10. Every finding includes a framework mapping and severity rating. You can export compliance evidence packages in html, pdf, json, sarif, and cef formats.

05Can I run it fully air-gapped?

Yes. The local engine supports Ollama and other self-hosted models, so you can run a complete security test without any data leaving your environment. No Humanbound account is required for local use.

06How does the Humanbound Firewall work?

The firewall sits between users and your agent, evaluating every input before it reaches the model. Four tiers work together: input sanitisation, pre-trained attack detection, an agent-specific classifier trained on your own test data, and deep contextual analysis by an LLM judge. It ships as a Python package under Apache-2.0 and can be added to your agent in a few lines of code.

07What does “posture score” mean?

Every agent gets a score from 0 to 100 based on the findings from adversarial and behavioral testing. The score reflects the current security state of the agent, not a historical snapshot. When models update or configurations change, the score updates to reflect the new reality.

08How long does a first assessment take?

A baseline campaign against a single agent endpoint typically completes in hours, not weeks. For an enterprise-wide assessment covering multiple agents, plan for about two weeks from kickoff to delivered posture scores with evidence packs.

Get started

See your first posture score in two weeks.

Book a 30-minute conversation. We will map Humanbound to your AI environment and show you what a security assessment delivers.

Book a conversationRead the docs
01Map your environment. We walk your AI estate and identify the agents in scope for a first assessment.
02Run a baseline campaign. OWASP-aligned attacks against your endpoint. No SDK, no agent changes.
03Deliver the score. Evidence pack, framework mapping, and a remediation roadmap for your team.