Agents
Agents for Every Issue
Cantina agents are reasoning systems that work across your whole stack, taking each issue from raw signal through to validated remediation. Start from a prebuilt agent, adapt one to your environment, or build your own.
Replace manual security work with agents.
A Cantina agent does the work of a security analyst, not the scripted steps of a bot or workflow. It reads each issue, reasons across every system you've connected to decide whether it's real, and then acts to resolve it, bringing in a person only when the situation genuinely calls for one.
Start with a prebuilt agent, fork the one that's closest, or build your own from scratch.
Start in minutes.
Connect your tools and prebuilt agents cover your security surface from day one.
-
Identity
- Okta
- Entra ID
- JumpCloud
-
Cloud
- AWS
- Google Cloud
-
Code
- GitHub
- Dependabot
-
Endpoint
- CrowdStrike
- SentinelOne
-
SIEM & XDR
- Sentinel
- Defender
-
Edge
- Cloudflare
- Vercel
The library
Prebuilt agents, each a specialist on your team. Every skill is readable, so you can see exactly what an agent does before it runs.
- GCP Security Command Center active · last run 2026-06-30
Cloud Posture Agent
Catches posture drift — public buckets, over-permissive IAM — grades it by real data sensitivity and usage, and shuts it down before it's abused.
- Public bucket exposure
- IAM right-sizing
- Key rotation handoff
Consequential changes route through human approval.
- Okta + Google Workspace active · last run 2026-06-30
Identity & SaaS Agent
The account-takeover specialist. Correlates device, network, and posture signals to kill false-positive pages before it suspends anyone.
- Impossible travel
- Phishing → takeover
- OAuth grant review
- BEC mailbox rules
- CrowdStrike Falcon active · last run 2026-06-30
Endpoint Agent
The host-containment specialist: confirm true-positive, isolate fast — stopping C2 while keeping the box up for forensics.
- Malware containment
- Suspicious process triage
- Apex code findings active · last run 2026-06-30
AppSec Agent
The code-and-secrets specialist, built to cut CVE noise by proving real exposure — reachability, not scanner hits.
- Dependency reachability
- Leaked secret response
- Cantina BBP active · last run 2026-06-30
Bug Bounty Agent
The external-report validator. Grounds every inbound claim in your real code and live cloud config before anyone spends time on it.
- Claim validation
- Exploit correlation
- Fix PR
- RSS feed monitor inactive
Threat Intel Agent
The noise filter for external intel — surfaces only what touches your stack, retro-hunts named CVEs against your assets, suppresses the rest.
- Intel triage
- CVE/KEV retro-hunt
-
Identity & Access playbook library
reference · 22 skills · no monitor boundA full identity kill-chain runbook library — impossible travel, brute force, admin compromise, OAuth abuse, MFA attack, federation abuse, exfiltration, MDM — to fork skills from when you're adapting or building your own agent.
Adapt it to your environment.
Fork a default and make it yours.
Most teams take the default that's closest to what they need and adjust its logic, thresholds, and workflow until it fits their environment.
Build your own.
Fully programmable agents, built from skills, playbooks, and tools.
When you need something specific, build an agent from the ground up: compose its skills, connect each one to only the tools it needs, and orchestrate complete workflows across your systems.
Borrow what already works.
An agent proven and shared from the Cantina Customer Community.
Bring in an agent another team has already proven, with its skills and thresholds intact, then connect your own tools and set your own level of autonomy. Because every skill is readable, you can see exactly what it does before it runs.
Control
Run autonomously. Stay in control.
Autonomy is a setting, and you own it.
Run any agent anywhere from reviewing everything to fully unattended. The consequential moves wait for your sign-off, and every action an agent takes is logged and attributed to the approval behind it.
Put an agent on it.
Start prebuilt, adapt it, or build your own. Either way, you're directing agents, not chasing alerts.