Research and evidence
The evidence layer for AI-agent security.
CapitalGuard publishes the controls, schemas, test vectors, privacy boundary, and verification protocol. Scoring weights, threat intelligence, benchmark data, and signing keys remain protected.
Published by CapitalGuard Security Research · Updated July 12, 2026
Citable primary sources
Start with the source, not a marketing summary.
CapitalGuard Standard 1.0.0
The normative AI-agent repository security baseline and conformance model.
Open sourceControl catalog
Machine-readable definitions for authorization, inventory, secrets, data, injection, privilege, policy, drift, reporting, traceability, and attestation.
Open sourceTest vectors
Canonical examples for deterministic Guardprint material, output, and verification behavior.
Open sourceFree GitHub Action
A privacy-safe checker that runs on the repository owner's runner and links detected exposure to the full review path.
Open sourceEvidence boundary
Public enough to verify. Private enough to protect.
Public evidence contains aggregate categories, control status, scan limits, timestamps, cryptographic digests, and signatures. It excludes repository names, customer identity, source contents, and secret values.
Benchmark publication rule
CapitalGuard will not publish an exposure rate until at least 30 manually eligible assessments exist, and no reported segment will contain fewer than 10 records.
Until that threshold is met, the methodology is public and the benchmark remains unpublished. This prevents tiny samples, customer inference, and invented statistics.
Preferred citation
CapitalGuard. CapitalGuard Standard 1.0.0: AI-Agent Repository Security Baseline and Guardprint Protocol. 2026.
