Most security controls are static. You write a rule, the rule runs the same way on every request, and it only gets smarter after something goes wrong and a human updates it. That cadence — incident, review, patch — was tolerable when systems changed on a release schedule. It's too slow for agents that can be turned hostile in a single conversation.
The alternative is a control that adapts on its own: a classifier that watches how an agent behaves, raises its own level of scrutiny the moment something looks wrong, and relaxes again when the threat clears. We call the engine that does this Shashu, and the behavior is the point.
Why static scrutiny is the wrong default
Every inspection has a cost — latency, compute, occasionally a false positive. So static systems pick one scrutiny level and live with the trade-off everywhere. Inspect everything deeply and you tax every benign request. Inspect lightly and you miss the dangerous ones. Neither is right, because the right amount of scrutiny isn't a constant — it depends on how the agent is behaving right now.
A benign agent doing routine work doesn't need maximum scrutiny on every call. An agent that just tripped an injection signal needs much more — not just on that request, but on the ones that follow, because attacks play out over turns.
How self-healing works
The model is simple: scrutiny is a level, not a switch, and it moves with the threat.
Escalation. When Shashu sees something hostile — an injection attempt, an anomalous tool call, a pattern that doesn't fit the agent's normal behavior — it raises that agent's scrutiny: NORMAL to ELEVATED to STRICT. Subsequent requests get extra checking automatically. No ticket, no incident review, no human in the loop to slow the response down.
Recovery. Just as important, it stands back down. When the agent returns to behaving normally, scrutiny relaxes. This is what keeps the system usable: heightened defense is targeted and temporary, not a permanent tax on everyone because one agent misbehaved once.
The result behaves less like a tripwire and more like an immune response — it notices a threat, mounts a stronger reaction locally, and returns to baseline when the threat is gone.
Layered, with one mind on top
Self-healing doesn't replace defense in depth — it coordinates it. Deterministic layers (regex, DLP) still do their job underneath, catching the known patterns cheaply. Shashu is the layer that connects them: a purpose-built engine that watches every surface an agent touches — prompt, retrieval, tools, session, agent-to-agent, egress — and decides, in context, how hard to look. The deterministic layers are the muscle; the adaptive classifier is the judgment.
Why it matters for the buyer
Two practical consequences. First, you don't pay the false-positive and latency cost of maximum scrutiny on every request — heightened inspection is spent where it's warranted. Second, your defense doesn't wait for a postmortem to improve. The window between "an agent turned hostile" and "the system is checking it harder" closes to the next request, not the next sprint.
And because the threat landscape itself keeps moving, the engine has to keep moving with it — retrained against new injection, tool, and exfiltration techniques as they emerge, so the definition of "looks hostile" doesn't go stale.
The takeaway
Static rules get smarter on a human's schedule. A self-healing classifier gets stricter on the attacker's schedule — escalating scrutiny the moment an agent looks hostile, and recovering when it doesn't. Paired with deterministic layers underneath and continuous retraining on top, it turns defense in depth from a fixed wall into something that responds.
That adaptive engine is the heart of TrustGate's first pillar: agent security that watches every surface and tightens its own grip in real time.
