Capabilities
Executable deny list
Block specific binaries by their content hash rather than by path, so renaming, copying or symlinking the file does not evade the rule. The hash check and the block happen in the same kernel call, so there is no window between check and execution in which the file can be swapped.
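The contrast between a path-based deny list and a content-hash deny list, as an added example that is not Veto's code: a userspace simulation of the policy decision run against a constructed sample binary, a copy of it under a harmless name, and a symlink to it. The file contents, names and the two `*_denylist_allows` helpers are assumptions for illustration; Veto performs the equivalent hash check in-kernel at exec time, which this userspace version cannot do atomically.

```python
"""Added example, not from the Veto project: why a content-hash deny list
survives renames and symlinks while a path deny list does not.

This is a userspace simulation of the policy decision only. In userspace
there is a check-then-exec window (the file could be replaced between the
hash and the exec); an LSM that hashes inside the exec path closes it."""
import hashlib
import os
import shutil
import tempfile

# Constructed sample "binary": a shell script standing in for a blocked tool.
BLOCKED_CONTENT = b"#!/bin/sh\necho 'exfil tool running'\n"


def sha256_file(path: str) -> str:
    """Hash the bytes the file resolves to (open() follows symlinks)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_denylist_allows(path: str, denied_paths: set[str]) -> bool:
    """Naive path policy: matches the requested path string only.
    Canonicalising with os.path.realpath would catch the symlink below
    but still not the copy under a new name."""
    return path not in denied_paths


def hash_denylist_allows(path: str, denied_hashes: set[str]) -> bool:
    """Content policy: matches the hash of what would actually execute."""
    return sha256_file(path) not in denied_hashes


def demo() -> dict:
    """Build the three variants and return each policy's decision for them."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "exfil")
        with open(original, "wb") as f:
            f.write(BLOCKED_CONTENT)
        os.chmod(original, 0o755)

        # Attacker variant 1: same bytes, new name.
        renamed = os.path.join(d, "totally_harmless")
        shutil.copy2(original, renamed)

        # Attacker variant 2: a symlink pointing at the blocked file.
        link = os.path.join(d, "ln_to_exfil")
        os.symlink(original, link)

        denied_paths = {original}               # what a path rule would store
        denied_hashes = {sha256_file(original)} # what a hash rule would store

        results = {}
        for label, p in (("original", original),
                         ("renamed_copy", renamed),
                         ("symlink", link)):
            results[label] = {
                "path_policy_allows": path_denylist_allows(p, denied_paths),
                "hash_policy_allows": hash_denylist_allows(p, denied_hashes),
            }
        return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} path-policy allows={decision['path_policy_allows']!s:5s} "
              f"hash-policy allows={decision['hash_policy_allows']}")
```

The path policy blocks only the original name and lets both the copy and the symlink through; the hash policy blocks all three because it looks at the bytes that would run.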
Datawall (coming soon)
Detect confidential data leaving the environment over the network. Fingerprints data in-kernel and monitors all egress, including traffic carried inside TLS sessions.
Kernel-level enforcement
When enforcement runs at a layer the agent can reach, the agent can discover and circumvent it. Path-based deny lists fall to renamed binaries. Userspace sandboxes can be disabled. Proxy-based DLP is evaded by re-encoding the data. Veto enforces at the syscall level. The agent cannot unload the LSM, modify its configuration, or observe whether an action was flagged. The kernel is the last trust boundary before hardware.
Watch: Claude Code vs. Veto
Leonardo walks through how Claude Code bypasses traditional guardrails and how Veto enforces controls from inside the kernel.
Further reading
- How Claude Code Escapes Its Own Denylist and Sandbox - Leonardo’s research post that motivated Veto
- The enterprise agent problem Claude Code wasn’t built to solve - Matt Boyle on the platform layer enterprises need around coding agents
- Introducing Veto - announcement and technical overview