We're two cybersecurity students who read two research papers back to back, got annoyed that nobody had built the fix, and decided to build it ourselves. DynaTrust is runtime infrastructure that stops one compromised AI agent from quietly handing its permissions to another.
average attack success rate against LLM agents, even with current defenses in place — Agent Security Bench, ICLR 2025
Every serious defense we found protects one agent at a time — filtering what goes into it, checking what comes out. The moment Agent A tells Agent B to do something, that trust is assumed, not verified. A 2025 survey of trustworthy LLM agents (ACM KDD) confirmed it explicitly: nobody has shipped a runtime mechanism for enforcing trust between agents. That's the gap we're building into.
Sources: Zhang et al., Agent Security Bench (ICLR 2025) · Yu et al., A Survey on Trustworthy LLM Agents (ACM KDD 2025)
DynaTrust sits between agents, not inside any one of them. It doesn't care which framework you're on — AutoGen, LangGraph, CrewAI — it just watches what gets delegated and enforces what was actually agreed to.
Every task handoff between agents carries a signed, scoped, expiring token — like a visitor badge that only opens the doors it says it opens. No token, no access. Can't be re-shared to widen scope.
In developmentSits inline on every agent-to-agent message. Checks the token, checks the request against what the token actually allows, and blocks or logs anything that doesn't match — before it executes.
In developmentWatches behavior over time — not just "is this request in scope" but "is this agent acting like itself." An agent that starts behaving strangely gets its trust score turned down automatically.
Next upWe'd rather show you an honest three-month plan than a deck that pretends we're further along than we are.
Formal problem definition and architecture written up as a research paper. Delegation Token System + a minimal policy engine are being built and wired into a real AutoGen agent pipeline.
Reproducing three attack scenarios — peer injection, privilege escalation, cascading compromise — against our own build, and publishing the actual containment and false-positive rates. No hand-waving.
Open-source the token system and policy engine core. Get 3–5 teams building multi-agent systems to run it against real pipelines and tell us where it breaks.
Ship behavioral trust scoring on top of the audit data we've collected. Extend beyond AutoGen to LangGraph and CrewAI based on where the demand actually is.
As students we already have GitHub Student Developer Pack access — free domain, free CI/CD, free cloud credits. Our Phase 0 build costs us time, not money. We're asking for mentorship and a runway, not a rescue.
It started as a cybersecurity research proposal at NUTECH. The problem statement, architecture, and evaluation plan already exist on paper, peer-reviewed by our own department, before a single incubator saw it.
Multi-agent AI security barely exists as a category yet — no incumbent, no "the Okta of agents" already taken. Being early and being resourceful is our actual advantage, not a workaround for not having capital.
Cybersecurity undergraduate at NUTECH, ranked top 4% worldwide on TryHackMe. SOC Analyst–certified (LetsDefend & TryHackMe) with hands-on experience triaging real SIEM alerts, investigating malware, and exploiting live machines on Hack The Box. Holds CRTOM (Red Team Leaders). Leads the Delegation Token System and policy engine build.
Cybersecurity student at NUTECH focused on the intersection of computer networking, cloud architecture, and infrastructure defense. Certified Ethical Hacker (CEH), working on TCP/IP, routing & switching, network segmentation, and cloud security (IAM, IaC hardening). Drives DynaTrust's evaluation methodology and inter-agent policy design.
Here's specifically what would move us from "working prototype" to "something teams actually depend on."