The Zero-Trust Framework for Autonomous AI Agents
Define, schedule, and run AI agents with built-in policy enforcement, cryptographic identity, and sandboxed execution. Written in Rust.
agent security_scanner(target: Endpoint) -> ScanReport { capabilities = [ "network_scan", "vuln_detection", "report_generation" ] policy security_policy { allow: scan(target) if user.clearance >= "confidential" deny: export(data) if data.contains_pii require: [ session.secure_connection, audit_trail = true ] } with memory = "encrypted", security = "high" { let results = scan_endpoint(target); let report = generate_report(results); return report; } }
Everything You Need to Ship Secure Agents
From declarative DSL definitions to production observability, Symbiont covers the full agent lifecycle.
DSL & Policy Engine
Define agents declaratively with inline policy enforcement. Capabilities, permissions, and security constraints live in the same file.
policy hipaa_compliance { allow: analyze(data) if user.medical_license.valid deny: export(data) if data.contains_identifiers require: [ user.hipaa_training.completed, session.secure_connection, audit_trail = true ] conditions: { data_classification: "medical", retention_period: 7.years } }
Cron Scheduling
First-class cron engine with dead-letter queues, heartbeat monitoring, and ephemeral sessions.
schedule { cron: "0 9 * * *" session_mode: "ephemeral" }
AgentPin Identity
ES256 cryptographic identity anchored to your domain via .well-known. Verify any agent's origin before trusting it.
Session Isolation
Each agent run gets its own sandboxed session. Choose ephemeral, persistent, or ephemeral-with-summary modes per job.
Delivery Routing
Route agent output to stdout, log files, webhooks, or Slack. Multiple delivery targets per job with structured output.
Observability
Prometheus-compatible metrics out of the box. Track run counts, durations, failures, and in-flight jobs.
# Prometheus metrics symbiont_cron_runs_total{ job_name="daily-report", status="succeeded" } 450 symbiont_cron_execution_duration_seconds{ job_name="daily-report" } 1.234 symbiont_cron_in_flight_jobs 3 symbiont_cron_dead_letter_total{ job_name="flaky-job" } 2
RAG & Vector Search
Retrieval-Augmented Generation with Qdrant integration. Give agents persistent knowledge and semantic search capabilities.
Sandboxed Execution
Docker and gVisor isolation tiers. Agents run in containers with configurable resource limits and network policies.
$ symbi cron list JOB ID NAME AGENT CRON STATUS NEXT RUN cron-001 daily-report reporter-agent 0 9 * * * active 2026-02-08 09:00 cron-002 hourly-metrics metrics-agent 0 * * * * active 2026-02-07 22:00 cron-003 weekly-scan security-scanner 0 0 * * 1 paused — cron-004 backup-nightly backup-agent 0 2 * * * active 2026-02-08 02:00 4 jobs (3 active, 1 paused)
symbi cron add
Register a schedule from DSL
symbi cron run-now
Trigger an immediate run
symbi cron history
View past run results
The ThirdKey Trust Stack
Three layers of cryptographic trust, from tool integrity to agent identity to runtime execution.
SchemaPin
Tool Integrity
Cryptographic verification that the tools an agent calls haven't been tampered with.
- Schema signing & pinning
- DNS-anchored trust
- MCP tool verification
AgentPin
Agent Identity
Domain-anchored ES256 identity for AI agents. Verify who an agent is before you trust it.
- ES256 key pairs
- .well-known discovery
- Identity certificates
Symbiont
Secure Runtime
The execution layer that enforces policies, isolates sessions, and schedules agent work.
- DSL & policy engine
- Cron scheduling
- Sandboxed execution
SchemaPin verifies tools → AgentPin verifies agents → Symbiont enforces everything at runtime
Schedule Agents, Not Scripts
Symbiont's built-in cron engine treats agents as first-class scheduled workloads. Each run gets its own isolated session with policy enforcement and delivery routing.
Heartbeat Monitoring
Automatic health checks detect stuck or failed jobs and trigger alerts.
Dead-Letter Queues
Failed runs are captured with full context for debugging and retry.
Policy Gates
Every scheduled run enforces the agent's policy block before execution.
AgentPin Verify
Scheduled agents are identity-verified via AgentPin before each run.
schedule { name: "daily-report" agent: "reporter-agent" cron: "0 9 * * *" session_mode: "ephemeral_with_summary" delivery: ["stdout", "log_file"] policy { require_approval: false max_runtime: "5m" } }
Built for Critical Applications
From regulated industries to multi-agent platforms, Symbiont provides the foundation for secure AI.
Security & Compliance
HIPAA, SOX, PCI-DSS compatible audit trails. Cryptographic signatures on every agent action. Policy enforcement at the language level.
- Immutable audit logs
- Data classification rules
- Retention policies
DevOps & Automation
Schedule agents for monitoring, reporting, backups, and incident response. Full CLI control with Prometheus metrics.
- Cron-based scheduling
- Webhook delivery
- Container isolation
AI Platforms & Multi-Agent
Run fleets of agents with verified identities, isolated sessions, and centralized observability. Built for multi-tenant deployments.
- AgentPin identity
- Session isolation
- Multi-SDK support
Get Started in 60 Seconds
Cargo
$ cargo install symbi
Docker
$ docker pull \
ghcr.io/thirdkeyai/symbi:latest
SDK
// JavaScript import { SymbiontClient } from '@symbiont/sdk-js'; # Python from symbiont import \ SymbiontClient
Ready to Deploy Secure Agents?
Get started with Symbiont today. Read the documentation or contact us for enterprise support.