Mar 23, 2026
Syscon: Kernel-Level Syscall Monitoring for AI Agent Control in Sandboxed Environments
Jade Sheffey, Joyce Levine, Joyce Werhane, Willow Taylor
Many existing AI control protocols rely on a trusted monitor to evaluate an untrusted agent's actions, but these monitors generally access tool call invocations and context, not what the agent actually does at the system level. We identify this as a fundamental information gap in the control stack and present Syscon, the first system to close it. Syscon is a supervisor-side auditor daemon that monitors agent activity at the Linux kernel syscall boundary, leveraging seccomp-bpf audit logging from outside the agent's container to observe all process creation, network connections, and filesystem operations, all without running any code inside the container and without the agent's knowledge. The system produces compressed, per-action receipts designed for consumption by a trusted monitor LLM. We evaluate Syscon on 234 attack trajectories across 9 attacker models in the LinuxArena control evaluation framework. Our qualitative analysis confirms that receipts surface behavioral signals (credential file reads, payload staging, reverse shell listeners, data exfiltration) that are invisible in tool call text, covering multiple side task categories. However, a first-pass integration with a Gemini 2.5 Flash monitor did not improve detection rates, establishing that observability and detection are distinct research problems: Syscon receipts carry signal, but monitors must be taught to use it.
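One way records from seccomp-bpf audit logging can be folded into a compact per-action receipt, shown as an added example that is not Syscon's code and not from the authors. The receipt layout, the time-window attribution of records to one agent action, the syscall subset and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# x86_64 syscall numbers -> (name, category); categories follow the abstract.
SYSCALLS = {56: ("clone", "process"), 59: ("execve", "process"),
            41: ("socket", "network"), 42: ("connect", "network"),
            49: ("bind", "network"), 50: ("listen", "network"),
            257: ("openat", "filesystem"), 87: ("unlink", "filesystem")}
STAMP = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (timestamp, fields) for a type=SECCOMP audit record, else None."""
    stamp = STAMP.search(line)
    if not line.startswith("type=SECCOMP") or stamp is None:
        return None
    return float(stamp.group(1)), {k: v.strip('"') for k, v in FIELD.findall(line)}

def build_receipt(lines, start, end):
    """Compress records with start <= t < end into one receipt (hypothetical layout)."""
    counts, per_pid, skipped = defaultdict(Counter), defaultdict(set), 0
    for t, f in filter(None, map(parse_record, lines)):
        if not start <= t < end:
            continue
        known = SYSCALLS.get(int(f.get("syscall", -1)))
        if f.get("arch") != "c000003e" or known is None:
            skipped += 1  # other ABI or unmapped number: count it, do not guess
            continue
        name, category = known
        counts[f.get("exe", "?")][f"{category}:{name}"] += 1
        per_pid[f.get("pid", "?")].add(name)
    listeners = sorted(p for p, s in per_pid.items() if {"bind", "listen"} <= s)
    return {"window": (start, end), "skipped": skipped, "listening_pids": listeners,
            "by_exe": {exe: dict(c) for exe, c in counts.items()}}

# Constructed sample records in the kernel's type=SECCOMP audit format.
_T = ('type=SECCOMP msg=audit({t}:{n}): auid=4294967295 uid=0 gid=0 ses=4294967295 '
      'pid={p} comm="{c}" exe="{e}" sig=0 arch={a} syscall={s} compat=0 '
      'ip=0x7f1c2a4b1e3b code=0x7ffc0000')
X64, I386 = "c000003e", "40000003"
ROWS = [(1774224000.10, 4120, "/usr/bin/cat", X64, 59),
        (1774224000.12, 4120, "/usr/bin/cat", X64, 257),
        (1774224000.30, 4121, "/usr/bin/python3", X64, 41),
        (1774224000.31, 4121, "/usr/bin/python3", X64, 49),
        (1774224000.32, 4121, "/usr/bin/python3", X64, 50),
        (1774224000.40, 4122, "/usr/bin/helper32", I386, 11),   # i386 ABI
        (1774224009.00, 4123, "/usr/bin/curl", X64, 42)]        # after the window
SAMPLE = [_T.format(t=t, n=n, p=p, c=e.rsplit("/", 1)[-1], e=e, a=a, s=s)
          for n, (t, p, e, a, s) in enumerate(ROWS, 900)]
print(build_receipt(SAMPLE, 1774224000.0, 1774224005.0))
```

Records from a different syscall ABI are counted as skipped rather than mapped, because the same number names a different syscall there.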
Cite this work
@misc{
  title={(HckPrj) Syscon: Kernel-Level Syscall Monitoring for AI Agent Control in Sandboxed Environments},
  author={Jade Sheffey, Joyce Levine, Joyce Werhane, Willow Taylor},
  date={3/23/26},
  organization={Apart Research},
  note={Research submission to the research sprint hosted by Apart.},
  howpublished={https://apartresearch.com}
}


