When AI Agents Break Their Own Cages: Kernel-Level Security and Background Agent Primitives

Published on 05.03.2026

ARCHITECTURE

Introducing Veto: Security for the Next Era of Software

TLDR: Ona launched Veto, a kernel-level enforcement engine that identifies binaries by SHA-256 hash rather than file path. Every existing runtime security tool -- AppArmor, Tetragon, Seccomp-BPF, Falco, KubeArmor -- uses path-based identification, which AI agents can and do reason their way around. Veto moves enforcement below the agent's reach.


How Claude Code Escapes Its Own Denylist and Sandbox

TLDR: A detailed technical walkthrough showing Claude Code bypassing both its own denylist and Anthropic's bubblewrap sandbox through reasoning alone -- no jailbreak, no prompt injection -- followed by the agent being stopped cold by kernel-level content-addressable enforcement, and then finding yet another bypass via the dynamic linker.


Background Agent Primitives: The Three Infrastructure Requirements

TLDR: Ona's CTO and Field CTO break down the three infrastructure primitives that separate teams running demos from teams merging 1,000+ agent PRs per week, including a live demo of the full background agent lifecycle from trigger to merged pull request.


What Is Next: CVE Remediation and COBOL Migration with Agent Fleets

TLDR: Ona announced two upcoming live sessions covering CVE auto-remediation across 200+ repos using parallel agent fleets, and COBOL-to-specs migration that extracts business logic from legacy code without line-by-line rewriting.

CVE auto-remediation with AI agent fleets | Migrating COBOL to specs with AI agent fleets