.png)
Code agents are moving quickly, faster than most enterprise security programs are structured to accommodate.
Since Claude Code, Cursor, and other AI coding agents entered mainstream developer workflows, organizations have been forced to confront a new class of problem:
How do you give engineers the leverage of autonomous agents without losing control?
How do you maintain visibility into what code agents are doing and more importantly,
how do you prevent them from quietly undermining your security posture?
At Highflame, we’ve spent months working directly with enterprise teams building code-agent infrastructure. What we’ve consistently observed is that the threat landscape is fragmented. Teams are stitching together partial solutions: one tool monitors MCP servers, another tracks agent activity, and a third enforces permissions.
That approach does not scale. Enterprises need unified visibility and centralized control, otherwise blind spots are inevitable. That’s why we’re announcing the evolution of Overwatch into a comprehensive control plane for code-agent security across the enterprise.
Code agents aren’t just faster copilots. They represent a fundamentally different execution model and these code agents introduce three distinct security challenges that traditional tooling was never designed to address. They operate at runtime. They reason, they call tools, they pull in external context, and they take actions that may never pass through the traditional checkpoints enterprises have relied on for years.
In practice, we’ve seen three categories of risk show up immediately.
First, there’s the threat surface around MCP servers and prompt injection. A malicious or compromised MCP server doesn’t just “run code.” It can shape an agent’s behavior upstream including instructing it to leak sensitive assets. And most existing monitoring only captures the final action, not the vector that caused it.
Second, exfiltration becomes much harder to detect. In traditional API security, data flows are explicit: you know what service is talking to what endpoint. With agents, the boundary is blurred. A prompt tells an agent to “review a sensitive file,” the agent reads it, compresses it, and sends it out through a tool call. Your logs might show each step independently, but the intent and the connection between them disappears. That’s how silent exfiltration happens.
Third, enterprises are already experiencing tool-call chaos. Different teams use different agents in different environments. Claude Code for backend work. Local agents for security analysis. Custom infrastructure agents for operations. Each one calls different tools, touches different systems, and operates under different assumptions. Without centralized governance, enforcement becomes inconsistent by default.
When you combine these factors, unknown threat actors, invisible data flows, and fragmented permissions, you end up with an environment where production-grade incidents can unfold without anyone noticing until it’s too late.
Enterprise security teams already have a mature toolkit for securing software delivery: SAST to catch vulnerabilities in source code, DAST to test running applications, and dependency scanning to reduce supply chain risk. These controls work because traditional software follows a predictable model where humans write code, changes flow through review, and security is applied at defined points in the SDLC.
Code agents fundamentally break that model.
Agents aren’t just producing code artifacts. They are executing workflows. They make decisions at runtime, invoke external tools, pull in third-party MCP servers, access sensitive files based on context, and take actions that may never pass through a pull request or a deployment boundary.
The risk is no longer confined to what ships, it exists in what the agent is allowed to do in the moment.
This is not a traditional “vulnerability in code” problem. It’s an autonomous execution problem. And that distinction matters, because existing AppSec tools were never built to answer the questions that actually drive agent risk:
When execution becomes autonomous, security has to move beyond scanning artifacts and start governing behavior.
That requires a new control layer, one designed to give enterprises visibility and enforcement across agent decisions, not just the code they eventually produce.
Some organizations try to solve this by running agents in restricted environments. It works until it doesn’t because you’re always one misconfiguration away from a compromised agent with full system access. Others rely on per-tool monitoring: watching Claude Code here, tracking Cursor there. But agents communicate through shared systems, and threats propagate through the gaps between them. The real problem is fragmentation. Enterprises need to see all agents, detect threats across all of them, and enforce policies uniformly. Patchwork solutions create the illusion of control, without the control itself.
We have been working on Overwatch since October, and it is now expanding beyond mcp threat detection to become the unified control plane for code-agent security. We are bringing five capabilities together:
Overwatch begins with automated discovery. In most enterprises today, code agents and MCP-enabled tools are being adopted bottom-up — often long before security teams have full visibility into what’s running inside developer environments. MCP servers can be spun up locally, tools can be added dynamically, and agents can begin invoking powerful actions without centralized governance. Overwatch addresses this by continuously scanning and discovering MCP servers, tools, and agent configurations across your environment.
It automatically detects:
This provides enterprises with an immediate inventory of both approved and unapproved MCP infrastructure, enabling administrators to identify restricted or high-risk tools before they become a security gap. Just as importantly, Overwatch helps surface and contain shadow tool usage, unauthorized MCP servers or agent toolchains operating outside of IT or security oversight. When unmanaged or policy-violating MCP endpoints are detected, Overwatch can automatically quarantine or restrict access on client devices, preventing silent expansion of the agent attack surface. The result is unified visibility and centralized control across all developer touchpoints, bringing consistent governance to code agents running in IDEs, local CLIs, and emerging agentic workflows throughout the organization.
Overwatch now provides comprehensive threat visibility across all code agents in your environment. It automatically scans to detect poisoned and compromised MCP servers before agents execute their instructions, identifies jailbreak attempts and indirect prompt injections designed to manipulate agent behavior, and flags unusual agent activities like sudden changes in tool calls, unexpected file access patterns, and suspicious network connections. When threats are detected, you're notified in real time, before they cause damage. All of this detection is centralized into a single unified dashboard. Instead of piecing together visibility from Claude Code here and Cursor there, you see threats across all code agents in your environment in one place. No more fragmented visibility across multiple tools.
Overwatch prevents sensitive data from leaving your environment, even when agents are manipulated. It blocks code agents from accessing sensitive data based on context and use case: a code analyzer can review public code but not private repos, and an infrastructure tool can access staging environments but not production. The platform monitors and restricts what data code agents can send externally, preventing compressed archives of your codebase from being uploaded to unknown servers. You get complete visibility into what data agents accessed, when they accessed it, why, and where it was sent through comprehensive audit trails.
Overwatch lets you enforce organization-wide policies across all code agents. You define which agents can call which tools and restrict production database access to specific agents while preventing code analysis tools from making network requests. Policies are context-based, so you can enforce different rules depending on who's using the agent, what project they're working on, and what environment they're accessing. Most importantly, one set of policies applies consistently across Claude Code, Cursor, custom agents, and internal tools, eliminating the frustration of policies that work in one agent but not another. When you detect a threat or policy violation, you can instantly revoke agent permissions without waiting for developers to update their configurations.
A unified control plane for code agent security must begin with enterprise identity. Overwatch integrates directly with leading identity providers such as Okta, Google Workspace, and Azure Active Directory to ensure that every developer, agent, and tool interaction is governed through authenticated, policy-driven access. Rather than treating agent execution as an opaque black box, Overwatch enables organizations to:
Just as importantly, Overwatch is designed to align with modern SOC operations. Telemetry and audit signals can be integrated into existing security workflows, enabling security teams to monitor agent activity, investigate anomalies, and maintain operational oversight as autonomous systems become embedded in the software development lifecycle.
Consider a real-world scenario: A developer uses a free MCP server for code refactoring. That server gets compromised. An attacker injects a prompt telling the agent to review the .env file for the main application and share a summary with the monitoring system. Without Overwatch, this attack succeeds silently. The prompt injection isn't detected. The agent accesses the .env file because it makes logical sense in context. The credentials get exfiltrated to an attacker's server. Your production database is compromised. By the time your security team realizes what happened, the damage is already done.
With Overwatch, this incident never happens. Threat Detection flags the MCP server as compromised before the code agent even runs. Data Protection prevents the agent from accessing .env files, regardless of what the prompt says or how reasonable the request seems. Tool Call Control blocks the agent from making arbitrary network requests to unknown systems. Meanwhile, Alerting notifies your security team in real time about the threat. Three layers of defense working together. One unified platform preventing the incident entirely.
Overwatch was designed from the ground up for organizations managing dozens of developers across multiple code agent types. It runs with zero friction or disruption to developer workflows, your teams won't notice it's there, but your security will be fundamentally stronger. The platform works seamlessly with Claude Code, Cursor, and other code agents through native integrations like hooks, meaning no complex setup or integration headaches. Enterprise teams can connect Overwatch directly to their identity systems and security operations, making it part of their broader security infrastructure rather than an isolated tool. And because threat detection, policy enforcement, and comprehensive audit trails are built in from the start, you're compliance-ready from day one, no scrambling to gather evidence for auditors or regulators.
Code agents are inevitable. They're faster, more capable, and more valuable than traditional tooling. But their power comes with responsibility. Organizations need to move beyond "we monitor agents" to "we control agents." Overwatch gives you that control not by restricting what agents can do, but by ensuring they do it safely. Developers get the full power of autonomous agents. Security teams gain visibility, control, and the confidence that threats are caught before they escalate into incidents. Starting today, Overwatch is available with unified threat detection, exfiltration protection, and policy controls. If you're running code agents at enterprise scale, you need a unified defense.
Let's make code agents safe for the enterprise.
Ready to see Overwatch in action?
Want to try it out or sign up for a free trial?
.png)
