Reference Architecture

The Autonomous Agent Security Model

A human clicking "confirm" in a wallet has a half-second of doubt before an irreversible action. An autonomous agent has none, unless something is deliberately put in that gap. This is the architecture we propose for that gap — seven layers, each answering one question a human would ask instinctively and an agent won't unless it's built to.

Every layer below is live today across QuantumScan's agent-facing API. We're publishing the taxonomy — not just the product — because the model matters more than who implements it. If your team builds any of these layers independently, we'd rather the ecosystem end up protected than end up with a monopoly.

Layer 1: Pre-Signing Verification

Is the exact thing I'm about to sign safe?

This is the layer every other security product skips — it runs in the gap between "agent decided to act" and "agent's signature is on-chain," the only moment a check can still stop a loss instead of just reporting one. A human has a half-second of doubt before clicking "confirm" in a wallet; an agent has none unless something puts it there.

/api/agent/guard                  Open ERC-20 approvals scan before the agent trusts a wallet
/api/scan/transaction             Decodes the exact function being called, checks it against known drainer patterns
/api/scan/permit                  EIP-712 typed-data verification — the Radiant Capital ($50M) attack vector
/api/agent/decode-typed-data      Human-readable decode of any typed-data payload before signing
/api/scan/honeypot                Buy-but-can't-sell token detection
/api/agent/sanitize               Strips/flags prompt-injection payloads in on-chain data the agent is about to read
/api/agent/toctou-guard           Time-of-check-to-time-of-use gap detection — state changed between check and signature
/api/agent/return-value-validate  Confirms a contract call's return value matches what the agent expected before it acts on it
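
As an added illustration of the layer-1 gate (example code written for this page, not QuantumScan's own implementation), the block below decodes the ERC-20 `approve` and ERC-721/1155 `setApprovalForAll` calldata an agent is about to sign, refuses the approval shapes drainers rely on, and applies a TOCTOU check that the state the decision was made against still holds at signing. The deny-list, the trusted-spender set and the state fields compared are constructed assumptions.

```python
# Added example, not QuantumScan's code: a pre-signing gate that decodes the
# calldata an agent is about to sign and refuses dangerous approval shapes,
# plus a TOCTOU guard over the state the check was made against.
from dataclasses import dataclass

# Function selectors: first 4 bytes of keccak256 of the canonical signature.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = (1 << 256) - 1

# Constructed deny-list standing in for a known-drainer feed (assumption).
KNOWN_DRAINERS = {"0x" + "0" * 36 + "dead"}

@dataclass
class Verdict:
    allow: bool
    reason: str

def _word(data: str, i: int) -> int:
    """i-th 32-byte ABI word after the 4-byte selector, as an int."""
    start = 8 + 64 * i
    return int(data[start:start + 64], 16)

def _addr(data: str, i: int) -> str:
    return "0x" + format(_word(data, i) & ((1 << 160) - 1), "040x")  # low 20 bytes

def check_calldata(calldata: str, trusted_spenders: set) -> Verdict:
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8:
        return Verdict(False, "calldata too short to decode")
    selector, args_ok = data[:8], len(data) >= 8 + 2 * 64
    if selector == APPROVE and args_ok:
        spender, amount = _addr(data, 0), _word(data, 1)
        if spender in KNOWN_DRAINERS:
            return Verdict(False, f"approve to known drainer {spender}")
        if amount == UINT256_MAX and spender not in trusted_spenders:
            return Verdict(False, f"unlimited approval to untrusted spender {spender}")
        return Verdict(True, f"approve {amount} to {spender}")
    if selector == SET_APPROVAL_FOR_ALL and args_ok:
        operator, approved = _addr(data, 0), _word(data, 1) == 1
        if approved and operator not in trusted_spenders:
            return Verdict(False, f"setApprovalForAll(true) to untrusted operator {operator}")
        return Verdict(True, f"setApprovalForAll({approved}) to {operator}")
    # Not an approval: nothing for this gate to refuse; simulation (layer 2) decides.
    return Verdict(True, f"selector {selector} is not an approval pattern")

def toctou_ok(checked: dict, at_signing: dict) -> bool:
    """TOCTOU guard: every state field the check relied on must still hold at signing."""
    return all(checked[k] == at_signing.get(k) for k in checked)
```
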
Layer 2: Transaction Simulation & Risk Scoring

What actually happens if this executes?

Static analysis catches known patterns. Simulation catches the ones nobody's pattern-matched yet — it runs the transaction against real state and reports the actual outcome before it's irreversible.

/api/scan/simulate                Full transaction simulation against current chain state
/api/scan/contract                Source verification + scam-pattern + PQC risk score for a single contract
/api/scan/contracts               Batch scan up to 10 contracts in parallel
/api/agent/token-risk             Token-level risk score independent of any specific transaction
/api/agent/liquidation-risk       Position health for agents managing leveraged/lending positions
/api/agent/exposure-score         Aggregate risk across everything an agent currently holds or has approved
Layer 3: Market & Infrastructure Integrity

Is the ground I'm standing on solid?

An agent can sign a perfectly correct transaction against a manipulated oracle, a down sequencer, or a compromised relayer and still lose everything — the contract logic was never the problem.

/api/scan/oracle                  Price-feed manipulation detection — the Mango Markets ($114M) vector
/api/scan/mev                     Sandwich/frontrun exposure for a pending transaction
/api/agent/mev-protect            Pre-flight check for private-mempool routing eligibility
/api/agent/sequencer              L2 sequencer health — pause instead of retrying into a downtime loop
/api/agent/oracle-health          Chainlink/other oracle liveness independent of price correctness
/api/agent/rpc-integrity          Detects a malicious or misbehaving RPC endpoint feeding the agent bad state
/api/scan/bridge                  Cross-chain bridge safety — the Multichain ($126M) vector
/api/scan/relayer                 Meta-transaction relayer trustworthiness for gasless flows
Layer 4: Identity & Access Control

Am I actually talking to who I think I am?

Agents don't recognize faces or verify domains the way humans (sometimes) do. Address poisoning, fake verification badges, and delegation abuse all exploit the fact that an agent trusts whatever string matches a pattern it was told to trust.

/api/agent/address-poison-check   Detects lookalike addresses seeded into an agent's transaction history
/api/agent/agent-trust            Reputation lookup for another agent before entering an agent-to-agent transaction
/api/agent/reputation             This agent's own public trust score, queryable by counterparties
/api/agent/delegation-verify      Confirms an on-chain delegation/approval actually originates from its claimed owner
/api/agent/pubkey                 Public-key verification for agent-to-agent signed messages
/api/agent/chain-verify           Confirms the agent is actually on the chain it thinks it's on (chain-ID spoofing)
/api/agent/session                Session-key scope verification — is this key actually allowed to do this?
/api/agent/url-scan               Phishing/malicious-site detection for any URL an agent is about to fetch or trust
Layer 5: Behavioral Anomaly Detection

Is this still the agent I deployed, or has it been compromised?

A compromised agent doesn't announce itself — it keeps signing, just differently. The signal is in the pattern (Wintermute's $160M loss involved an automated system transacting at an unusual hour), not any single transaction.

/api/agent/anomaly                Behavioral baseline + Z-score deviation across an agent's transaction history
/api/agent/behavior-check         Real-time check of a single action against the agent's established behavior profile
/api/agent/mempool-check          Detects if the agent's own pending transactions are being front-run in the mempool
/api/agent/threat-intel           Cross-agent threat intelligence — patterns seen draining other agents recently
/api/agent/threat-level           Current aggregate threat level for a chain/protocol, for risk-adjusted behavior
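
What a behavioral baseline and Z-score check look like in code, as an added example for this page rather than QuantumScan's /api/agent/anomaly implementation: the history, venue names and the 3-sigma threshold are constructed, and the unusual-hour signal from the Wintermute incident is one of the three deviations scored.

```python
# Added example, not QuantumScan's code: build a behavioral baseline from an
# agent's own transaction history, then Z-score a new action against it.
# History and thresholds are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev

@dataclass
class Tx:
    ts: int            # unix seconds
    value_usd: float
    counterparty: str

def at(day: int, hour: int) -> int:
    """Unix timestamp for a January 2024 date at the given UTC hour (helper)."""
    return int(datetime(2024, 1, day, hour, tzinfo=timezone.utc).timestamp())

# Constructed baseline: 20 days of $5-6k trades with one venue at 09/12/15 UTC.
HISTORY = [Tx(at(d, h), 5000 + (d % 5) * 250, "0xdex")
           for d in range(1, 21) for h in (9, 12, 15)]

@dataclass
class Baseline:
    mu: float
    sigma: float
    hours: set
    counterparties: set

def build_baseline(history: list) -> Baseline:
    values = [t.value_usd for t in history]
    return Baseline(mean(values), pstdev(values),
                    {datetime.fromtimestamp(t.ts, timezone.utc).hour for t in history},
                    {t.counterparty for t in history})

def deviations(tx: Tx, b: Baseline, z_limit: float = 3.0) -> list:
    """Every way this action departs from the profile; an empty list means it fits."""
    flags = []
    if b.sigma > 0:
        z = abs(tx.value_usd - b.mu) / b.sigma
    else:                        # degenerate baseline: any change is a deviation
        z = 0.0 if tx.value_usd == b.mu else float("inf")
    if z > z_limit:
        flags.append(f"value z-score {z:.1f} exceeds {z_limit}")
    hour = datetime.fromtimestamp(tx.ts, timezone.utc).hour
    if hour not in b.hours:
        flags.append(f"hour {hour:02d} UTC never seen in baseline")
    if tx.counterparty not in b.counterparties:
        flags.append(f"first transaction with {tx.counterparty}")
    return flags
```
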
Layer 6: Circuit Breakers & Emergency Response

When something's wrong, how fast can it stop?

Detection without a kill switch is just a very well-documented loss. This layer is the difference between an incident and a catastrophe — every layer above should be able to trigger this one.

/api/agent/emergency-stop         Immediate halt signal an agent's own loop checks before every action
/api/agent/killswitch             Remote kill switch, single-key
/api/agent/killswitch/multisig    Remote kill switch requiring N-of-M sign-off — for treasuries, not solo agents
/api/agent/spend-limit            Per-transaction spend cap enforcement
/api/agent/spend-limit/aggregate  Rolling-window aggregate spend cap across all of an agent's transactions
/api/agent/safe-guard             Gnosis Safe-specific guard module integration
/api/agent/watch                  Generic address watch — alerts on any activity
/api/agent/watch-contract         Continuous re-scan of a contract; webhook fires the moment its risk score changes
/api/agent/watch-wallet           Continuous wallet balance/allowance monitoring
/api/agent/governance-watch       Alerts when a protocol's governance parameters change under a position the agent holds
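
An added example (not QuantumScan's code) of how the layer-6 primitives compose inside the agent's own loop: an emergency-stop signal consulted before every action, a per-transaction cap and a rolling-window aggregate cap, with the gate failing closed when the stop signal cannot be read. The stop-signal callable and the cap values are assumptions supplied by the deployer.

```python
# Added example, not QuantumScan's code: the check an agent loop runs before
# every action, combining an emergency-stop signal with a per-transaction cap
# and a rolling-window aggregate cap. The stop signal is a callable supplied
# by the deployer (assumption) and is treated as asserted when it cannot be read.
import time
from collections import deque

class CircuitBreaker:
    def __init__(self, per_tx_cap: float, window_cap: float, window_s: int, stop_signal):
        self.per_tx_cap = per_tx_cap
        self.window_cap = window_cap
        self.window_s = window_s
        self.stop_signal = stop_signal    # callable returning True when a halt is asserted
        self.spent = deque()              # (timestamp, value_usd) of authorized actions

    def window_total(self, now: float) -> float:
        """Sum of authorized spend inside the rolling window ending at `now`."""
        while self.spent and now - self.spent[0][0] > self.window_s:
            self.spent.popleft()
        return sum(v for _, v in self.spent)

    def authorize(self, value_usd: float, now: float = None) -> tuple:
        """(allowed, reason). Call this immediately before signing, never earlier."""
        now = time.time() if now is None else now
        try:
            if self.stop_signal():
                return False, "emergency stop asserted"
        except Exception as exc:          # unreadable signal: fail closed, do not act
            return False, f"stop signal unreachable ({exc}); halting"
        if value_usd > self.per_tx_cap:
            return False, f"{value_usd} exceeds per-transaction cap {self.per_tx_cap}"
        total = self.window_total(now)
        if total + value_usd > self.window_cap:
            return False, (f"{total + value_usd} would exceed {self.window_s}s "
                           f"aggregate cap {self.window_cap}")
        self.spent.append((now, value_usd))   # commit only what was actually authorized
        return True, "authorized"

def agent_step(breaker: CircuitBreaker, value_usd: float, sign_and_send, now: float = None):
    """One iteration of the loop: gate first, act only on an explicit allow."""
    allowed, reason = breaker.authorize(value_usd, now)
    if not allowed:
        return False, reason
    return True, sign_and_send(value_usd)
```
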
Layer 7: Compliance & Audit Trail

Can I prove, after the fact, that every step was checked?

Institutional capital won't deploy through an agent it can't audit. DORA Art. 17 and MiCA Art. 72 both require this in substance, not just spirit — a signed, independently verifiable record beats a log line every time.

/api/agent/compliance-report      DORA/MiCA-mapped compliance report generation
/api/agent/audit-tx               Full audit trail for a specific transaction across every layer that touched it
/api/agent/incident-log           Structured incident record when a circuit breaker fires
/api/agent/verify-receipt         Any third party can verify a QuantumScan check receipt was real, not spoofed
/api/scan/aml                     Sanctions/AML screening for a counterparty address
/api/scan/org                     Batch scan across an entire organization's repos — institutional onboarding
/api/agent/governance-check       Confirms a governance action matches its publicly stated proposal
/api/agent/nft-approvals          NFT-specific approval risk — a distinct attack surface from ERC-20 approvals
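
An added example (not QuantumScan's receipt format) of why a signed, chained receipt beats a log line: every check produces a receipt that commits to the previous one, so an edited verdict, a deleted receipt or a reordered history fails verification at a known index. HMAC-SHA256 stands in for the public-key signature a third-party-verifiable receipt would carry; that substitution is an assumption of this example.

```python
# Added example, not QuantumScan's code: a hash-chained, keyed receipt per check
# so an auditor can tell a real, in-order record from a rewritten log. HMAC-SHA256
# stands in for the asymmetric signature a real receipt would carry (assumption),
# so verification here needs the key; the chain logic is the same either way.
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _sign(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

class ReceiptLog:
    def __init__(self, key: bytes):
        self.key = key
        self.receipts = []

    def record(self, tx_hash: str, layer: int, check: str, verdict: str) -> dict:
        prev = self.receipts[-1]["sig"] if self.receipts else GENESIS
        body = {"tx": tx_hash, "layer": layer, "check": check,
                "verdict": verdict, "prev": prev}        # prev links the chain
        receipt = {**body, "sig": _sign(self.key, body)}
        self.receipts.append(receipt)
        return receipt

def verify_chain(receipts: list, key: bytes) -> tuple:
    """(ok, index of the first bad receipt or -1): catches edits, deletions and reordering."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "sig"}
        if body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_sign(key, body), r.get("sig", "")):
            return False, i
        prev = r["sig"]
    return True, -1

def audit_tx(receipts: list, tx_hash: str) -> list:
    """Every layer's receipt that touched one transaction, in the order they ran."""
    return [(r["layer"], r["check"], r["verdict"]) for r in receipts if r["tx"] == tx_hash]
```
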

The economic layer

A security model only holds up if using it costs less than the risk it prevents, at the call volume autonomous agents actually generate — hundreds of checks per agent per day, not one review per human per transaction. QuantumScan prices layers 1–5 as fractions of a cent per call, paid automatically via the x402 protocol — the agent's own wallet pays inline, no signup, no human in the loop. Layer 6 (circuit breakers) and layer 7 (compliance) are billed as a small daily fee per watched contract, since they're continuous rather than per-call.

This is deliberate: a security layer that requires a human to top up a credit balance doesn't get used by an agent that's actually autonomous. One that gets paid the same way the agent pays for everything else — automatically, per use — does.

Implement any layer, or all seven

Free tier and full API reference at /for-agents. ElizaOS plugin, Olas client, and MCP/A2A endpoints are published and open source.