
Introducing Prempti: Runtime security for AI coding agents, powered by Falco

Published by: Jonas Rosland, Open Source and Technical Marketing Director
Published: May 12, 2026

AI coding agents like Claude Code and Codex have become a natural part of the developer workflow. You give them a task and they read your files, run commands, make network requests, and write code, all on your behalf and all with your permissions.

That shift is powerful, but it also introduces a new layer of risk and a visibility gap.

Today, we’re introducing Prempti, a new open source project that brings Falco's real-time detection engine and runtime security directly into the AI agent tool-call lifecycle. It gives developers a programmable policy boundary at the moment the agent decides to act.

Why this matters

When an agent operates in your terminal, it acts within your user session, which means it can touch your credentials, your SSH keys, and your cloud config files. Researchers and developers have documented cases where AI coding agents, whether through prompt injection, unexpected instructions embedded in parsed files, or simply overly broad tool use, have read files well outside the project scope, exfiltrated environment variables, or attempted to make network calls to external hosts. Most developers have no structured visibility into any of that activity beyond the agent's chat output. There's no policy layer, no audit trail, and no straightforward way to mark certain things as off limits.

Prempti changes that.

What it does

Prempti’s focus is on that visibility gap. It intercepts agent tool calls before they execute and evaluates them against Falco rules, returning one of three verdicts: Allow to let the action proceed, Deny to block it with an explanation sent back to the agent, or Ask to prompt you for interactive approval. That means credential files stay protected, out-of-scope reads get caught before they happen, and you have a full audit trail of everything your agent touched during a session.

Here's an example of what that looks like in practice. If you ask your agent to store a file under ~/.ssh/, Prempti will block the write before it ever happens and send a structured message back to the agent explaining why:

● Write(~/.ssh/random_number.txt)
  ⎿  Deny writing to sensitive paths: Falco blocked writing to
     /home/jonasrosland/.ssh/random_number.txt because it is a sensitive path

How it works

Prempti runs as a lightweight user-space service with no root, kernel modules, or containers required. The default ruleset covers many common risk areas out of the box, including working-directory boundaries, sensitive path protection, credential access, destructive commands, pipe-to-shell attacks, exfiltration attempts, MCP server config poisoning, and persistence vectors like hook injection and git hooks.

By default, Prempti runs in guardrails mode, where rules produce verdicts that actively shape what the agent does. When a tool call is blocked or flagged, the agent receives an LLM-friendly explanation and adapts. If you're not ready to enforce on day one, monitor mode lets you observe everything your agent touches without blocking anything, a sensible place to start for organizations that take a conservative approach to new tooling.

When you need something more tailored, rules are plain YAML using the same syntax Falco users already know. You can block git push, restrict reads to just your project tree, or flag any attempt to pipe content to a shell interpreter, a common prompt injection vector. A Claude Code skill is also included to help you draft and validate custom rules interactively, directly from your agent.
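To make the intercept-and-verdict flow from "What it does" and the rule categories above concrete, here is a small added illustration in Python. It is not Prempti's code and uses neither its real field names nor Falco's condition syntax: tool names, the sample home directory, project boundary and sensitive-path globs are all constructed assumptions, and each rule is a predicate that yields Allow, Deny or Ask, with the strictest matching verdict winning and every call landing in an audit trail.

```python
"""Minimal tool-call policy gate (added example, not Prempti's implementation)."""
import fnmatch
import os
import re
from dataclasses import dataclass

HOME = "/home/dev"           # constructed sample home directory
PROJECT = "/home/dev/app"    # constructed working-directory boundary

# Paths an agent should not touch silently; the post names ~/.ssh, cloud config and credentials.
SENSITIVE_GLOBS = ("~/.ssh/*", "~/.aws/*", "~/.config/gcloud/*", "*/.env")
# "... | bash" style pipe-to-shell, named in the post as a common prompt injection vector.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(sh|bash|zsh)\b")
SEVERITY = {"Allow": 0, "Ask": 1, "Deny": 2}   # strictest matching verdict wins

@dataclass
class ToolCall:
    tool: str            # hypothetical tool names: "Write", "Edit", "Read", "Bash"
    path: str = ""       # target path for file tools
    command: str = ""    # command line for shell tools

@dataclass
class Verdict:
    action: str          # "Allow", "Deny" or "Ask"
    reason: str = ""     # explanation handed back to the agent on Deny/Ask

def expand(path):
    """Expand a leading ~ to the sample home directory and normalise the result."""
    return os.path.normpath(path.replace("~", HOME, 1) if path.startswith("~") else path)

def is_sensitive(path):
    return any(fnmatch.fnmatch(expand(path), expand(g)) for g in SENSITIVE_GLOBS)

# Rules carry Falco-like "rule" names; the condition is a Python predicate, not Falco syntax.
RULES = [
    {"rule": "Deny writing to sensitive paths", "verdict": "Deny",
     "condition": lambda c: c.tool in ("Write", "Edit") and is_sensitive(c.path)},
    {"rule": "Ask before reading credential files", "verdict": "Ask",
     "condition": lambda c: c.tool == "Read" and is_sensitive(c.path)},
    {"rule": "Deny reads outside the project tree", "verdict": "Deny",
     "condition": lambda c: c.tool == "Read" and not expand(c.path).startswith(PROJECT + "/")},
    {"rule": "Deny piping content to a shell interpreter", "verdict": "Deny",
     "condition": lambda c: c.tool == "Bash" and bool(PIPE_TO_SHELL.search(c.command))},
]

def evaluate(call, rules=RULES, audit=None):
    """Return the strictest verdict over all matching rules; record the call in the audit trail."""
    verdict = Verdict("Allow")
    for r in rules:
        if r["condition"](call) and SEVERITY[r["verdict"]] > SEVERITY[verdict.action]:
            verdict = Verdict(r["verdict"], f"{r['rule']}: {call.tool} on {call.path or call.command}")
    if audit is not None:
        audit.append((call.tool, call.path or call.command, verdict.action))
    return verdict
```

A read of ~/.aws/credentials matches both the Ask rule and the outside-the-project Deny rule; taking the strictest verdict is what keeps one permissive rule from overriding a stricter one.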

A new kind of visibility for AI-driven development

AI coding agents are increasingly trusted with real work on real machines, and the need for visibility at the agent layer is becoming hard to ignore. The threat models are still being defined and the right default policies are still being worked out, but Prempti offers an early, practical step in that direction. It's open source, built on Falco's proven rule engine, and designed to grow with input from the developers and security engineers actually running these agents day to day.

Read the full technical deep-dive on the Falco blog: Introducing Prempti: Falco meets AI coding agents

Explore the project, try it out, and contribute: Prempti on GitHub

Come chat with us about Prempti on the Sysdig Open Source Community!

About the author

Jonas Rosland is a community builder, open source advocate, blogger, author and speaker at many open source focused events. As Director of Open Source Programs at Sysdig, he is focused on the growth and sustainability of the Falco and larger Sysdig open source community efforts. Jonas is also the Executive Director for Hit Save!, a non-profit dedicated to the preservation of video games, their history, and related physical and digital materials.