Abstract editorial illustration of a glowing security monitor scanning a stream of AI agent interactions, with a tamper-proof ledger icon and behavioral baseline graph.

Codenotary's AgentMon 3 builds security from 5M daily interactions

AIntelligenceHub
··7 min read

Codenotary shipped AgentMon 3, an enterprise AI runtime security platform that replaces static allow-lists with self-refining policies learned from more than five million AI agent interactions per day.

AgentMon moves from static allow-lists to learned behavioral baselines

Codenotary shipped AgentMon 3 today, the third generation of the enterprise AI runtime security platform the company has been running in production for more than two years. The new release replaces manually written allow-lists with adaptive security policies that continuously learn from how AI agents actually behave inside each customer environment. AgentMon is now also listed on the AWS Marketplace, which removes a procurement hurdle for security teams already running on Amazon Web Services.

What changed between AgentMon 2 and AgentMon 3 is the assumption underneath the policy engine. Earlier generations applied static rules that an enterprise security team would have to maintain by hand, the same way a traditional endpoint protection product encodes signatures. AgentMon 3 watches more than five million AI agent interactions per day across Codenotary's customer base and builds a live behavioral baseline for each tenant, then uses that baseline to flag actions that fall outside normal operations for that specific organization in real time. Every software upgrade, every new prompt pattern, every new tool integration the agent picks up shifts the baseline, and the policy moves with it without an analyst having to revise a rule.

Moshe Bar, Codenotary's CEO, framed the shift in the announcement as a direct response to how agents actually run inside enterprises today. Coding assistants, autonomous software engineering agents, business automation platforms, customer support agents, and custom orchestration frameworks all share one trait, he said: they evolve constantly through new prompts, model upgrades, tool integrations, memory expansion, and workflow changes. Static security rules built for any single one of those deployments are obsolete within weeks. AgentMon 3 is built to absorb the rate of change as the default rather than treating it as a maintenance burden the customer has to absorb.

The behavioral approach and where it fits in the stack

The runtime agent monitor is one piece of a stack that includes coding assistants, autonomous software engineering agents, internal AI systems, orchestration frameworks, cloud-native services, and distributed multi-agent architectures, and Codenotary's pitch is that AgentMon 3's behavioral detection layer is independent of whatever permission prompts or built-in safeguards the underlying tool ships with. In practice that matters because enterprise AI deployments routinely weaken or disable native allow-lists in the name of developer velocity, and that is exactly the configuration where the most consequential agent actions end up unsupervised. By evaluating the actual runtime behavior of the agent rather than the policies the agent's own vendor applies to itself, AgentMon 3 keeps detecting high-risk actions even when the native safeguards are bypassed, misconfigured, or turned off.

The contextual model the runtime monitor evaluates every action against is rich. Each decision pulls in agent identity, the permissions attached to that identity, historical patterns of behavior for that agent in that environment, the sensitivity of the data the action will touch, the resources the action is requesting, prior human approvals for comparable actions, and live threat intelligence feeds. Codenotary argues this context-rich evaluation is what cuts false positives relative to a text-only or signature-based detector, and it is what lets the platform catch attacks that try to obfuscate intent through prompt manipulation, multilingual attacks, or evasion techniques that bypass conventional content filters. The detection is anchored on observed file access, network activity, credential use, process execution, and system connections rather than on whatever the agent itself reports it is doing, which makes the runtime behavior hard to spoof.

Every runtime decision AgentMon 3 makes is recorded in Codenotary's immutable tamper-proof ledger, which gives enterprise security teams an audit trail for compliance reviews and forensic investigation after an incident. The ledger is signed so post-hoc tampering is detectable. For organizations running under the EU AI Act, ISO 42001, the NIST AI Risk Management Framework, or any internal governance regime that requires evidence of how an autonomous system was monitored, the ledger export is the line that satisfies the auditor.

AgentMon 3 lands on a market that has been fragmenting fast over the past three months. Endpoint vendors have started shipping agent-aware policy layers that govern which tools an agent can invoke from a developer workstation. Identity platforms have shipped agent credentials so agents can be authenticated, authorized, and audited the same way human users are. Network controls have started treating agent-to-tool traffic as a category that needs its own policy plane. What AgentMon 3 adds to that mix is the runtime behavior layer: it observes what the agent is doing even when the rest of the governance stack lets the call through, and it produces the evidence chain that maps to enterprise compliance frameworks.

The most relevant comparison in that mix is Keeper's endpoint governance layer, which extends existing endpoint privilege manager controls to AI agents running on developer machines. Keeper is enforcing OS-level policy before the agent calls a tool. AgentMon 3 is enforcing behavioral policy after the agent has called the tool and is in the middle of an action. The two are complementary rather than competitive, and they converge on the same problem from different points in the request chain. Enterprises that have already deployed endpoint-level agent governance can still benefit from a runtime behavior monitor that catches actions the endpoint policy allowed but that look anomalous for the specific agent in the specific context. Enterprises without an endpoint agent policy layer will find AgentMon 3 useful on its own because the runtime monitor handles a set of risks the endpoint layer does not see, particularly around agent-to-agent orchestration calls that never touch a controlled endpoint at all.

The broader question AgentMon 3 leaves open is the same one every adaptive runtime monitor has to answer: how much behavioral drift is acceptable before the policy has effectively normalized the agent doing things the security team would not have allowed if it had been asked. Behavioral models learn from what they observe, and what they observe in a healthy production deployment is the steady state of every action the agent is currently permitted to take. The platform's promise is that the policy adjusts faster than the threat surface evolves. The risk is that a slow drip of incremental permission creep becomes part of the baseline before anyone notices. Codenotary's posture here is that the immutable ledger makes every policy shift observable to a human reviewer, so the closed loop is one the customer can audit rather than one the AI is running on its own. That posture is the difference between adaptive security and adaptive compliance failure.

Operational scale and the integration surface

AgentMon 3 monitors more than five million AI agent interactions per day across the customer base, which makes it one of the larger production-scale observability surfaces for autonomous AI agents in the industry today. That volume is part of the pitch. Static rule sets that are written for a few hundred agents do not generalize when the workload grows to a few thousand agents across many teams; behavioral baselines that have already absorbed the diversity of millions of real interactions absorb new customers without a cold-start penalty that the customer has to feed manually for the first few weeks. Codenotary reports that customers running AgentMon 3 see up to an 80 percent reduction in policy maintenance work relative to static rule sets, with the savings concentrated on the analyst time that would otherwise go to revising allow-lists after every model or tool change.

The platform covers the set of integration surfaces enterprise AI deployments actually use. Coding assistants, autonomous software engineering agents, internal AI systems, cloud-native services running agents on behalf of users, distributed multi-agent orchestration frameworks, and custom workflow tools all get the same behavioral observation and audit trail. For security teams that already maintain a separate EDR, a separate CSPM, and a separate identity policy layer, AgentMon 3 slots in as the agent-specific runtime observability layer rather than competing with the others, which is part of why Codenotary was able to ship an AWS Marketplace listing on the same day as the AgentMon 3 release. The procurement motion is the same as any other enterprise security tool an AWS-native customer already buys through the marketplace.

Enterprise architects reading the announcement should treat the runtime monitor as the third leg of a stack that already has the endpoint policy layer (Keeper, similar products) and the agent identity layer (Beyond Identity Ceros, AppViewX, Cisco/WideField, the broader identity stack). All three legs matter, and any single leg is not a substitute for the others. The enterprise AI governance checklist resource page lays out the same structure as a planning artifact for teams building toward a multi-layer agent governance posture, and the endpoint agent governance piece from earlier this week covers the layer above AgentMon 3 in the same chain. For teams that already have identity and endpoint in place, AgentMon 3 is the runtime observability leg that closes the loop on what the agent actually did once the policy allowed it through.

Pricing, regional availability, and the formal SLA tiers for AgentMon 3 in AWS Marketplace were not disclosed in the Help Net Security announcement.

Weekly newsletter

Get a weekly summary of our most popular articles

Every week we send one email with a summary of the most popular articles on AIntelligenceHub so you can stay up-to-date on the latest AI trends and topics.

One weekly email. No sponsored sends. Unsubscribe when you want.

Comments

Every comment is reviewed before it appears on the site.

Comments stay pending until review. Posts with more than two links are held back.

Related articles