Skip to main content
Oso helps developers secure agents across integration platforms, coding agents, and in-app agents by classifying tool risk, tracking session-level behavior, and enforcing or alerting on dangerous combinations of data access and actions to prevent data leaks.

Integration Platforms

Integration platforms want customers to build agents on top of many third-party connectors, without creating data leaks between apps. Oso helps you ship secure-by-default connectors by classifying tool risk and enforcing runtime controls whenever an agent tries to use them.

How Oso Prevents Data Leaks Between Connectors

Most real-world agent data leaks come from combining these capabilities in a single session:
  • Untrusted content: the agent reads externally authored data which may contain prompt injection attacks (emails, tickets, docs, web pages).
  • Private data: the agent can fetch sensitive customer data from connected systems.
  • External communication / state change: the agent can overwrite or change state through mutative actions or transmit data to a threat actor through web requests or tool calls.
Oso detects risky combinations (often referred to as the “Lethal Trifecta” / “Rule of Two”) and gives you the ability to enforce based on your preference: allow, deny, or requires_approval.

Step 1: Register a Third-Party Application and Its Tools

When an integration is created inside the platform, send Oso the tool catalog (and schemas when available). Oso classifies tools and stores the results for runtime decisions. 
app = {"id": "slack", "version": "1.0.0", "title": "Slack"}

tools = [
    {"name": "chat.postMessage", "description": "...", "schema": {...}},
    {"name": "conversations.list", "description": "...", "schema": {...}},
]

oso.for_application(app).classify_tools(tools)
Notes:
  • Include OpenAPI specs / MCP manifests when you have them; richer schemas improve classification.
  • You can provide manual overrides for edge cases.

Step 2: Allow Agent Authors to Choose Their Preferred Behavior

Agent authors pick how they would like to handle a risky sequence. Keep production defaults conservative. 
agent_id = "..."

oso.for_agents(agent_id).configure_behavior(
    {"on_rule_of_two_violation": "requires_approval"}  # or "deny" (default), "ignore"
)

Step 3: Send Session Events

Oso’s decisions are contextual: whether a tool call is safe often depends on what happened earlier in the session. Send a lightweight event stream per agent_id + session_id:
  • tool_call_request (minimum needed to gate execution)
  • tool_call_response, message_from_user, message_to_user (recommended for higher-quality decisions and investigations)

Step 4: Gate Tool Execution at Runtime

Before you run a tool, ask Oso. Then enforce the decision in your tool runner. 
agent_id = "..."
session_id = "..."
tool_parameters = {...}

decision = oso.for_agents(agent_id, session_id).tool_request(
    "chat.postMessage",
    tool_parameters,
    application_id="slack",
)
  • If allow: run the tool normally and return the result to the agent.
  • requires_approval: pause, show a review screen (tool, parameters, reason), and resume only after approval.
  • deny: block the call and return a safe error to the agent.

Coding Agents

During local development using coding agents like Cursor or Claude Code, teams move quickly. Engineers experiment with agents, connect new tools, and iterate without always thinking through security implications. Even if you trust your employees and they have no malicious intent, it’s likely that they will let agentic tools access more than they should. Oso integrates with tools like Tailscale Aperture to give security teams early visibility into how agents are being used during development, without requiring custom tooling or constant log analysis. The goal is to surface the few events that matter, early enough to respond.

How Oso Delivers High-Signal Security Alerts for Coding Agent Usage

Continuous Tool Inventory

As developers build and run agents locally, Oso discovers the MCP tools and integrations those agents use. You can see:
  • Which integrations are being used
  • Which tools each integration exposes
  • Which agents are using them
  • A suggested risk level per tool
This makes it easy to spot:
  • New or unreviewed integrations
  • Unexpected tool usage
  • Early signs of supply-chain risk
When a new integration appears, Oso can notify you automatically so you can review.

Monitoring: Abnormal Usage Patterns

Risk is not always about a single event and could show up as a change in behavior. Oso aggregates activity across agents and users and surfaces alerts when usage patterns diverge sharply from what’s expected:
  • Sudden spikes in tool usage
  • Unusual bursts of destructive actions
  • Activity inconsistent with prior behavior
This helps security teams identify issues worth investigating without manually inspecting every session.

Alerts: Centralized and Explainable

All alerts surface in a single view, designed for quick triage. Each alert includes:
  • What happened
  • Why it was flagged
  • The relevant agent, tool, and integration
  • Clear visual indicators to aid prioritization
This allows security teams to review alerts one by one and decide whether further investigation or follow-up is needed.

Content and Risk: Sensitive Data Exposure Controls

During local runs, agents may ingest:
  • Secrets
  • Proprietary IP
  • PII
  • Other sensitive data
Often this happens unintentionally, like when copying credentials into a prompt or allowing an agent to pull internal data and pass it to an external service. Oso detects sensitive data using common patterns and custom definitions and alerts when this data is ingested into an agent’s context window. Alerts are designed to be high signal and explainable, so you can quickly understand what happened and why it matters.

How It Works

This section describes how the integration works end-to-end. 1. Connect Oso to Tailscale Aperture Log into your Tailscale Aperture account and click the “Get security alerts in Oso” button to start streaming across your coding agent session data to Oso. Once connected, Oso can observe:
  • Agent sessions
  • Tool calls
  • Integration metadata
  • User and agent identifiers
This connection does not require changes to developer workflows. Agents continue to run locally as they do today. 2. Discover tools and integrations automatically As agents run, Oso continuously inventories the MCP tools they use. Discovered tools are:
  • Grouped by integration
  • Associated with the agents that invoke them
  • Assigned a suggested risk level based on tool behavior
This produces a live view of:
  • All integrations currently in use
  • New or previously unseen tools
  • Which agents are interacting with them
Security teams can review this inventory at any time and enable alerts to surface previously unseen integrations. 3. Observe agent activity in context Agent risk is contextual. A single tool call is often safe in isolation but risky when combined with other actions. Oso observes agent activity across a session, including:
  • Tool calls
  • Inputs and outputs
  • Message flows
4. Analyze risk signals Oso analyzes activity along several dimensions:
  • Sensitive data exposure: Detects common and custom patterns that indicate secrets, PII, or proprietary data entering an agent’s context.
  • Unreviewed integrations: Flags newly added tools and services that have not yet been reviewed or verified.
  • Abnormal usage patterns: Aggregates activity across agents and users to identify sharp deviations from expected behavior. Signals are intentionally conservative to keep alert volume low.
5. Surface explainable alerts When Oso detects an event worth attention, it generates an alert. Each alert includes:
  • What occurred
  • Why it was flagged
  • The relevant agent, tool, and integration
  • Visual indicators to support prioritization
Alerts appear in a centralized view so security teams can quickly triage and decide whether further investigation is needed.

In-app Agents

In progress.