AEBA: the missing observability layer for autonomous AI agents

The ten-minute test your platform will fail

Pick an autonomous AI agent in your infrastructure. Any one. A customer-support agent, a research agent, a payment agent, a code-reviewing agent. Now answer these five questions about what it did in the last twenty-four hours.

1. Which MCP tools did it invoke, in what order, and with what arguments?
2. Which LLM models did it call, how many tokens did it consume, and what did that cost?
3. Which of those tool calls returned error or denied, and what did it do next?
4. Did it delegate any authority to a child agent, and if so, under what scope?
5. Can you cryptographically prove, to an auditor, that the agent -- not someone impersonating it -- did all of the above?

If you can answer one or two of those from logs, you are above average. If you can answer all five with tamper-evident records, you are in a category that does not exist in production anywhere today.

That is the gap.

Why existing platforms do not close it

Every security and observability vendor you have heard of covers a layer.

• EDR / XDR covers the endpoint. It sees processes and system calls. It does not see inside a Python process running a LangChain agent.
• UEBA covers human users. It baselines @john.smith from HR. It has no idea what agent:acme-payments-01 should or should not be doing.
• NDR covers the network. It sees flows. It does not see inside TLS to your LLM provider, or read the MCP message the agent just sent its sub-agent.
• LLM observability tools like generic tracing and metrics dashboards cover cost. They do not sign events. They do not correlate across agents. They do not map to a regulator's evidentiary bar.
• AI firewalls cover prompt input. They do not observe the agent's own behaviour once it is running.

There is no dimension for the agent itself. And because agents are increasingly the business process -- not a tool a human uses, the business process -- the blind spot is enormous.

Agent Event Behaviour Analysis

User and Entity Behaviour Analytics (UEBA) was a category built for a human era. Agent Event Behaviour Analysis (AEBA) is the obvious next step.

The working definition:

AEBA is the continuous collection, signing, correlation, and behavioural analysis of every action performed by an autonomous AI agent -- tool calls, LLM prompts, MCP messages, skill loads, delegations, deployments, and compliance decisions -- producing cryptographically-verifiable telemetry suitable for detection, forensics, and regulatory audit.

Same SOC discipline as UEBA. Different subject. Different event types. Different adversary model.

Five properties the category needs

Any serious AEBA implementation should satisfy at least these:

1. Events are signed at source

Every event an agent emits is signed with a per-agent cryptographic key. The signature covers a canonical form of the event payload plus its position in a per-agent hash chain. This is the only way to make telemetry provably tamper-evident. Without it, an attacker who has compromised the agent has also compromised its audit trail.

The algorithm details are implementation-specific, but the property is not negotiable.

2. Events are crypto-chained with our patent supported approach

Each event includes the SHA-256 of the previous event's canonical form. A missing or rewritten event is detected at the receiver because the chain no longer closes. This is how you get "evidence" rather than "logs".

3. Detection is adaptive and peer-aware

Rules ship with the product. But rules always lag attackers. Adaptive detection -- learned from your own agent population and from peer behaviour -- catches drift before a rule author can write one.

Critically, the detector must be poisoning-resistant: it cannot be taught that the attack pattern is "normal" by the attacker themselves. The mechanism for this is the implementer's choice, but the requirement is categorical.

4. Findings are cost-aware

Agents are an economic surface, not just a security one. A £5,000 anomalous payment or a £200 runaway LLM burst deserves a different urgency from a £0.001 one. Scoring should weight by cost impact. Budgets should be per-agent. Breach alerts should be automatic.

5. Findings are mapped to regulation

Not "log management that might one day help compliance". Direct mapping: this alert satisfies EU AI Act Article 12 record-keeping. This alert evidences PSD2 Article 97 strong-customer-authentication. This alert is a Solvency II Pillar 2 material-action audit entry. This alert maps to MITRE ATT&CK technique T1566. That is the evidentiary bar auditors work from; telemetry that meets it is useful, telemetry that does not is not.

What an integration looks like

The developer story has to be one line. If it is not one line, agent teams will never turn it on.

In Python:

import aeba
aeba.autocapture(endpoint="https://<your-hub>/ingest", agent_id="agent:research-01")

In Node:

const aeba = require('aeba');
aeba.autocapture({ endpoint: 'https://<your-hub>/ingest', agentId: 'agent:research-01' });

Under the hood the shim monkey-patches the popular agent frameworks -- LangChain, AutoGen, CrewAI, LlamaIndex, OpenAI, Anthropic, and MCP client/server. Every tool call, LLM call, and delegation becomes a signed AEBA event transmitted over TLS to your collector.

No network tap. No inline proxy. No kernel hook. Just the agent process observing its own behaviour and signing the output.

For closed or legacy agents that cannot take an SDK, a host-side sensor reads process-local network metadata and produces the same signed events. The transport is identical.

Nothing surprising, once you think about it like UEBA for agents.

Standards and credibility

AEBA is not a single vendor's proprietary invention. The underlying event transport is specified in an open IETF Internet-Draft so anyone can implement it and interoperability is possible from day one. The draft defines:

• A canonical event schema with mandatory fields (agentId, hostRuntimeId, ts, seq,).
• A canonical signing string over that schema.
• Signature algorithm selection.
• A threat model with thirteen named threats and mitigations.
• Interoperability bindings to syslog RFC 5424, CEF, and LEEF.

The detection and scoring method we ship on top of the transport is patent supported. That is by design -- a moat only works if the commodity layer is open and the intelligence layer is protected.

On the security-hygiene side, AEBA aligns with:

• OWASP MCP Security Cheat Sheet (Section 7 -- Message Integrity and Replay Protection)
• OWASP MCP Top 10
• OWASP Agentic Skills Top 10
• NIST AI RMF
• EU AI Act Articles 12, 13, 14, 15, 50, 72

How to try AEBA-XDR

AEBA-XDR is our production implementation. Signed telemetry. Adaptive detection. Tool-call intelligence. LLM-spend governance. Delegation-chain visibility. Compliance pack. Ships to your XDR or SIEM.

Patent supported. A CyberSecAI company.

• Marketing site and demo: https://aeba.co.uk
• Family products:
  • https://cybersecai.co.uk (parent)
  • https://agentpass.co.uk (agent trust scoring)
  • https://agentsign.dev (zero-trust engine for agents)
  • https://mcpsaas.co.uk (managed MCP security)
  • https://mcp-secure.co.uk (signed MCP transport)
  • https://cybersecify.co.uk (MCP Security Scanner)
  • https://agentsearch.cybersecai.co.uk (agent registry)
  • https://dvmcp.co.uk (MCP vulnerability training)

Demo sandboxes are per-prospect, synthetic-data-only, NDA-gated, and auto-expire in 24 hours. Request one at contact@agentsign.dev and we will provision within one business day.

The uncomfortable question

If you are building, running, or governing AI agents right now, here is the sentence I keep saying to CISOs:

"When -- not if -- an agent does something your board needs to explain, what evidence will you hand the auditor?"

Today the honest answer is usually a chat log and a prayer. That is not a category of evidence that survives a regulator, a class action, or a Monday morning.

AEBA is what an acceptable answer looks like. The category is opening. The vendors who ship it fastest will define it.

We have started. Join us -- or build your own. But please do something. The exposure is growing by the quarter and the number of production agents is growing by the week.

Contact

• contact@agentsign.dev -- commercial enquiries, demo requests, partnership
• raza.sharif@outlook.com -- personal

-- Raza Sharif, FBCS CISSP CSSLP
Founder, CyberSecAI Ltd