Verdict

Stop AI agents from executing unsafe actions.

Verdict enforces policy decisions at execution boundaries — kernel-level on Linux, system-level on macOS, API-level on Windows. Every action receives a policy decision before it executes. Denied actions do not execute. There is no fallback path.

We don't wait for models to behave. We control what they are allowed to execute.Verdict emits decisions, not logs. Deterministic policy. No ML. Human-written rules.

The problem

Autonomous agents already execute shell commands, read credentials, call APIs, write files, and connect to external services. They do this because you asked them to. The question is not whether they will — it is whether anything stops them when they shouldn't. In most systems today, nothing does.

Logging what happened is not control. Enforcement is control.

An agent reads a config file, includes credentials in a debug payload, and sends it to an external endpoint. This is not malicious. It is normal behavior. Without enforcement, the credentials are leaked. With Verdict, the action is denied before it executes.

Verdict starts in observe mode (no blocking) and can be tightened to enforcement without disrupting workflows.

What Verdict enforces

Verdict enforces a small number of critical boundaries. Not everything.

Execution

Commands are evaluated before execution. Unauthorized binaries never run.

File access

Sensitive files are gated. Agents cannot read or write outside defined boundaries.

Network egress

Outbound connections are blocked unless explicitly allowed. No data leaves silently.

Tool calls

Every tool call is intercepted and evaluated before execution.

Irreversible actions

Payments, credential access, data destruction, and external communication are irreversible — these are denied by default.

How it works

Verdict sits between the agent and execution. Nothing executes without passing through Verdict.

Agent
  ↓
Verdict → policy.yaml + denylist + profile
  ↓
ALLOW | DENY | REQUIRE_APPROVAL
  ↓
System

Three enforcement layers, depending on the platform:

Linux — eBPF + seccomp + API proxy. Kernel-level enforcement.

macOS — Endpoint Security + Network Extension + API proxy. System-level enforcement.

Windows — API proxy. Control plane enforcement.

Install

brew install obstalabs/tap/verdict

Or download from releases.

Release binaries already include license verification. If you build Verdict from source, set VERDICT_LICENSE_VERIFY_KEY in the verdict process environment before starting verdict intercept. Use verdict license to confirm whether startup is allowed.

Public release notes, install details, and license terms live in verdict-dist and its LICENSE.

verdict activate <your-license-key>
verdict init --profile coding-agent
verdict intercept --port 9999

New installations include a 14-day trial. No credit card required. Runs in production environments — CI, VMs, infrastructure hosts.

Pricing

Pro

$49 / month

For developers running agents locally.

Full enforcement engine — eBPF, seccomp, API proxy
12 safety profiles (coding-agent, sre-infra, finops, and more)
Denylist engine with URL, command, and file pattern blocking
Immutable audit log with hash chain verification
Break-glass emergency override
Claude Code hook integration
MCP tool server

Team

$299 / month

For teams running agents in shared environments.

Everything in Pro
Shared policy distribution across hosts
Approval workflows for gated actions
Centralized audit log
Up to 10 hosts
Blocked actions can require approval instead of being denied

Enterprise

Custom

For production environments with compliance requirements.

Everything in Team
Fleet-wide enforcement and policy management
Compliance reporting (OWASP, EU AI Act, NIST AI RMF)
Custom safety profiles
SIEM integration (Splunk, Datadog, Elastic)
SLA and dedicated support