Trust, Governance & Auditability
Built so you can let it act.
Cantina agents remediate. They close issues, contain hosts, and change configurations in your environment. Before you let software do that in production, you need three answers: what can it do, how much of it runs on its own, and what did it actually do.
This page answers all three.
Control
Autonomy is a setting. You own it.
Cantina runs anywhere on the dial you set, from review-everything to unattended remediation.
Grant an agent autonomy and it acts within it. Withhold it and the agent investigates, proposes, and waits. And when an agent hits something ambiguous, it asks for clarification instead of guessing.
Out of the box, the consequential moves wait for you:
- Signal rules
- The detection logic that turns raw signals into issues. Editing, disabling, or deleting a rule requires approval before it applies. Nothing about what gets detected changes without your sign-off.
- Escalated issues
- An agent can investigate and recommend a close. You confirm it.
- Code fixes
- A proposed fix arrives as a pull request and waits for your review. That's the default, not the ceiling: grant the autonomy and the agent merges what it fixes.
Scope
An agent can do what its skills allow. Nothing else.
This is what makes granting autonomy rational. However much you delegate, the ceiling is fixed by construction.
- Reading and acting are separate tool types
- Investigation tools read logs, configurations, detections, and asset inventory. They cannot write. Action tools are enumerated per skill, and you can open any skill to see its list. The skill that fixes public storage buckets has two: remove public access, notify your team.
- Integrations don't grant their full API
- A skill wires in the specific functions it needs and nothing else. Connect your identity provider and an agent gets suspend_user and list_logins where a skill requires them; the rest of the API is out of reach.
- Isolated execution
- Each run happens in an ephemeral sandbox with restricted outbound network access, and each account is tagged prod, non-prod, or sandbox so agents weigh where they're operating. The sandbox is torn down when the run ends.
Transparency
You can read every playbook.
Skills are versioned, human-readable documents. Each one shows its investigation steps, its decision thresholds, and the tools it may call. Signal rules are inspectable down to their exact match logic: the events they watch, the conditions they test, and the time windows they evaluate over.
Agents show their reasoning the same way. A verdict carries a confidence level, and when confidence isn't high, the agent lists what it couldn't verify. Before dismissing an impossible-travel issue, it corroborates the device fingerprint, the endpoint posture, and the VPN egress, and the dismissed issue keeps that reasoning attached. Every action is attributed to the agent that took it and the approval it ran under.
If an agent or human did something, there is a document you can open that says why it was allowed to, and a record that says it was.
Platform security
We break (and fix) things for a living.
The people who build Cantina find, disclose, and fix vulnerabilities for a living. Much of this work is public record — learn more on our disclosures page and blog.
See for yourself.
Every claim on this page is inspectable in the product. On your first call, ask us to open a playbook.