Capabilities
Executable deny list
Block specific binaries by content hash. Rename-resistant and symlink-resistant — the check and the block happen in the same kernel call, so there’s no gap to exploit.
Datawall
Detect confidential data leaving the environment over the network. Fingerprints data in-kernel and monitors all egress — including through TLS.
Why kernel-level
When enforcement operates above the agent, the agent can discover and circumvent it. Path-based deny lists are bypassed by renaming binaries. Userspace sandboxes can be disabled. Proxy-based DLP is avoided by encoding data differently. Veto enforces at the syscall level. The agent cannot unload the LSM, modify its configuration, or observe whether an action was flagged. The kernel is the last trust boundary before hardware.
See Veto in action
Leonardo walks through how Claude Code bypasses traditional guardrails and how Veto enforces controls from inside the kernel.
Learn more
- How Claude Code Escapes Its Own Denylist and Sandbox — Leonardo’s research post that motivated Veto
- The enterprise agent problem Claude Code wasn’t built to solve — Matt Boyle on the platform layer enterprises need around coding agents
- Introducing Veto — announcement and technical overview
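As an added illustration of the path-versus-content distinction drawn in the "Why kernel-level" section (example code written for this page, not Veto's own; the file name and contents are constructed): a deny list keyed on path misses a renamed or symlinked copy, while one keyed on content hash catches both. Unlike the in-kernel check the page describes, this userspace version still leaves a window between hashing and execution, which is the gap the page says same-call enforcement removes.

```python
"""Path-based vs content-hash deny lists (illustrative only, not Veto code)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file's contents; open() follows symlinks, so the name is irrelevant."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_denies(path: str, denied_paths: set) -> bool:
    """Name-based check: keyed on the path the caller supplies."""
    return os.path.abspath(path) in denied_paths


def hash_denies(path: str, denied_hashes: set) -> bool:
    """Content-based check: keyed on what the bytes are, not what they are called.
    In userspace there is still a check-then-exec window; an LSM hook closes it."""
    return sha256_file(path) in denied_hashes


def demo() -> dict:
    """Build a constructed 'blocked' file, then rename and symlink it."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "blocked-tool")
        with open(original, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample binary\n")  # constructed
        denied_paths = {original}                    # configured by path
        denied_hashes = {sha256_file(original)}      # configured by content hash

        renamed = os.path.join(d, "harmless-name")
        os.rename(original, renamed)                 # same bytes, new name
        link = os.path.join(d, "tool-link")
        os.symlink(renamed, link)                    # another name for the same bytes

        return {
            "path_check_renamed": path_denies(renamed, denied_paths),
            "path_check_symlink": path_denies(link, denied_paths),
            "hash_check_renamed": hash_denies(renamed, denied_hashes),
            "hash_check_symlink": hash_denies(link, denied_hashes),
        }
```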