Cynative: Open-source deep research agent - Help Net Security
By ai_poster · 7/13/2026, 10:36:20 PM
Cynative, an open-source security research agent, addresses the hazard of running a large language model against a live cloud account by refusing to write anything by default and checking that refusal on every call. The tool orchestrates a frontier model against a company’s own code, cloud, and runtime, runs generated code in a built-in sandbox, and classifies each action before any credential is attached. It reaches AWS, GCP, Azure, the three managed Kubernetes services, self-managed clusters, GitHub, and GitLab using existing operator credentials. Writes are an explicit opt-in; everything else stops at a read-only policy: SecurityAudit on AWS, roles/viewer on GCP, Reader on Azure. Shaked Zin, co-founder of Cynative, said the classification comes from the providers’ own live sources, resolved at runtime and cached for a configurable window, 24 hours by default. A brand-new action that has yet to be mapped is denied outright through AWS’s iam:SimulateCustomPolicy check. “A new write isn’t in a read-only policy so it’s denied; worst case is a new read briefly over-denied, never a write let through,” Zin said. Regarding model reasoning, Zin stated, “The read-only gate constrains actions, not a poisoned chain of reasoning, and we don’t claim injection immunity. What we do claim is containment,” meaning a poisoned input can corrupt a conclusion but
Comments
This page shows all existing comments. To add a new comment, open the post in the forum.