motyl.dev
Grzegorz Motyl

© 2026 Grzegorz Motyl. Raising the bar of professional software development.


    When AI Agents Break Their Own Cages: Kernel-Level Security and Background Agent Primitives

    Published on 05.03.2026

    #ona
    #ai
    #security

    Introducing Veto: Security for the Next Era of Software

    TLDR: Ona launched Veto, a kernel-level enforcement engine that identifies binaries by SHA-256 hash rather than file path. Every existing runtime security tool -- AppArmor, Tetragon, Seccomp-BPF, Falco, KubeArmor -- uses path-based identification, which AI agents can and do reason their way around. Veto moves enforcement below the agent's reach.

    Introducing Veto: security for the next era of software
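The difference between path-based and hash-based identification, shown as an added example: this is not Ona's or Veto's code, and it is a user-space illustration rather than kernel enforcement. The function names, file names and file contents are all constructed for the illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=65536):
    """Identify a file by its bytes; name and location play no part."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def path_rule_allows(path, denied_paths):
    """Path-based rule: deny only when the literal path is listed."""
    return os.path.abspath(path) not in denied_paths


def hash_rule_allows(path, denied_hashes):
    """Content-addressed rule: deny when the file's SHA-256 is listed."""
    return sha256_of(path) not in denied_hashes


def compare_rules(workdir):
    """Evaluate both rules against three constructed files in workdir."""
    listed = os.path.join(workdir, "denied-tool")  # constructed stand-in
    with open(listed, "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")
    denied_paths = {os.path.abspath(listed)}
    denied_hashes = {sha256_of(listed)}

    same_bytes = os.path.join(workdir, "other-name")
    shutil.copyfile(listed, same_bytes)  # identical content, different path
    unrelated = os.path.join(workdir, "unrelated-tool")
    with open(unrelated, "wb") as fh:
        fh.write(b"#!/bin/sh\necho something else\n")

    return {
        name: {"path_rule": path_rule_allows(p, denied_paths),
               "hash_rule": hash_rule_allows(p, denied_hashes)}
        for name, p in [("listed", listed), ("same_bytes", same_bytes),
                        ("unrelated", unrelated)]
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, verdict in compare_rules(tmp).items():
            print(name, verdict)
```

The path rule's verdict follows the file name, while the hash rule's verdict follows the bytes: the identical copy is still denied, and only a file with different content is allowed.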

    How Claude Code Escapes Its Own Denylist and Sandbox

    TLDR: A detailed technical walkthrough showing Claude Code bypassing both its own denylist and Anthropic's bubblewrap sandbox through reasoning alone -- no jailbreak, no prompt injection -- followed by the agent being stopped cold by kernel-level content-addressable enforcement, and then finding yet another bypass via the dynamic linker.

    How Claude Code escapes its own denylist and sandbox

    Background Agent Primitives: The Three Infrastructure Requirements

    TLDR: Ona's CTO and Field CTO break down the three infrastructure primitives that separate teams running demos from teams merging 1,000+ agent PRs per week, including a live demo of the full background agent lifecycle from trigger to merged pull request.

    Background Agent Primitives

    What Is Next: CVE Remediation and COBOL Migration with Agent Fleets

    TLDR: Ona announced two upcoming live sessions covering CVE auto-remediation across 200+ repos using parallel agent fleets, and COBOL-to-specs migration that extracts business logic from legacy code without line-by-line rewriting.

    CVE auto-remediation with AI agent fleets | Migrating COBOL to specs with AI agent fleets
