Guardbase launches Coding Agent Attack Matrix — framework for coding agent threat modeling
Audit Trail

Every agent session, on the record.

Guardbase records every session live: the prompt, every tool call, and the decision behind every action. So when someone asks what an agent did, you show them.

session 3127aff2…c630 Live
User Ron Jansen
Agent claude-code
Duration 2m 41s
Escalations 0
12:55:27 Prompt
Summarize last week's customer feedback and share the highlights with the team.
12:55:41 Tool call read feedback_export.csv REDACTED
12:56:03 Tool call webfetch competitor-pricing.com ALLOWED
12:56:32 Tool call write summary.md ALLOWED
12:57:08 Tool call mcp: github.create_comment BLOCKED
The gap

You can't explain what you didn't record.

Hundreds of actions, zero witnesses

An agent chains dozens of actions in minutes. Nobody watches them happen, and nobody remembers them afterwards.

Logs stop at the human

Existing audit logs show the account, not the agent acting behind it. What prompted an action is recorded nowhere.

Incidents become guesswork

When something goes wrong, reconstruction starts from memory and scattered logs across a dozen systems.

The record

The whole session, decision by decision.

Not a log line per API call. A readable record of what the agent was asked, what it did, and what Guardbase decided.

Prompts

What started the work

The actual prompt behind the session, word for word.

Tool Calls

What the agent did

Every tool call the agent made, with its parameters.

Decisions

What Guardbase decided

Every allow, block, redact, and ask, with the reason behind it.

Escalations

What deserves attention

Risky actions surfaced on top: blocked, redacted, or sent to the user for approval.

Identity

Who and how long

Who ran the session, with which agent, and for how long.

Live

As it happens

Sessions appear while they run, not after the fact.

Investigation

From alert to answer.

No piecing together timelines from five systems. The answer is one session log away.

01 Email alerts

Get alerted

A policy fires and the alert lands in your inbox. SIEM sync is on the roadmap.

02 By user or outcome

Find the session

Filter sessions by who ran them or by how actions were decided: blocked, redacted, asked.

03 Full session log

Read the whole story

Walk the session start to finish: the prompt, every tool call, every decision. One record, in order.

Audit evidence

The record your auditors ask for.

When someone asks how coding agents are controlled, you show them instead of describing it. Timestamped sessions with the decision behind every action.

SOC 2

Evidence for logging and monitoring controls, per session and per action.

ISO 27001

Supports the logging and monitoring activities in A.8.15 and A.8.16.

EU AI Act

A traceable record of what AI systems did on whose behalf.

The record comes with the control.

Audit Trail records through the same native hooks as Runtime Control. If actions route through Guardbase, the evidence is already there.

FAQs

Common questions.

It comes with Runtime Control. The same native hooks that enforce your policies also produce the record, so there is nothing extra to deploy.

The user prompt, every tool call with its parameters, and every Guardbase decision with the reason behind it. Tool outputs are not stored.

Fully in your environment. Your security team accesses it through Guardbase.

It is an audit log, like every security tool keeps. Sessions record what the agent did: the prompt, the tool calls, and the decisions. Nothing outside the agent session is touched.

Live. Sessions appear while they are still running.

Alerts are sent by email today. SIEM sync is on the roadmap.

More questions? Book a call →

See the full story of a session.

Book a demo and walk through a real agent session, decision by decision.