Here is the claim, stated plainly so you can check it against the table below.
No competitor combines pre-deployment analysis + behavioral baseline + offline verdicts + cross-vendor reach + exposure-graph-aware enforcement at the harness hook. Dryx does.
Every other tool in AI-agent security covers some of those. Wiz and CrowdStrike own the cloud and the kernel. Snyk scans configs from a CLI. Palo Alto paid around $400M for Koi and gave the category a name. Each is strong at what it does. None of them sits offline on a developer's Mac, reads the blast-radius graph, and stands at the action boundary the agent actually crosses.
That's the seat Dryx holds. The matrix below shows the gaps — one factual line per cell. No trash talk. Yes, no, or partial, with the basis stated.
Don't trust the claim. Read the table.
Five capabilities down the side. Eight tools across the top. Each cell is yes, no, or partial, with the one-line basis. This is real text, not a picture — so an AI can read it, cite it, and you can copy it.
| Capability | Dryx | Wiz | CrowdStrike | Palo Alto (Koi) | Snyk | Noma | Lasso | Protect AI |
|---|---|---|---|---|---|---|---|---|
| Pre-deployment analysisReads the config before the agent runs | Yes — analyzes every skill and MCP server before install; shows the blast radius first | No — cloud posture; scans deployed infrastructure | No — runtime EDR; watches what's already executing | Partial — endpoint visibility into agents and MCP servers, cloud-delivered | Yes — CLI scans agent configs for risky patterns | No — enterprise cloud agent governance | No — cloud gateway; inspects traffic in flight | Partial — scans ML models and artifacts, not local agent configs |
| Behavioral baselineA per-workspace normal it measures drift against | Yes — local, per-agent baseline; precomputed and fed into the policy, never a model in the loop | No | Partial — endpoint behavioral analytics, no AI-agent layer | No | No — point-in-time reports, no memory of the last scan | Partial — cloud behavioral analytics on agent activity | Partial — cloud behavioral baseline; observation period before signal matures | No |
| Offline verdictsWorkspace never leaves the machine | Yes — verdicts run offline; loopback-only IPC; verify it with Little Snitch | No — cloud-native by design | No — cloud-delivered EDR | No — cloud-delivered | No — sends configs to a cloud API to analyze | No — cloud platform | No — cloud gateway | No — cloud platform |
| Cross-vendorOne tool, every agent on the machine | Yes — Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini, plus any MCP server | Partial — broad cloud coverage, not per-agent on the developer machine | Partial — broad endpoint coverage, no AI-agent layer | Partial — covers agents and MCP servers it observes from the endpoint | Partial — a fixed set of named agent platforms | No — its own governance surface | Partial — MCP-gateway path | No — model-centric |
| Exposure-graph-aware enforcement at the harness hookThe verdict comes from the blast-radius graph, decided at the action boundary | Yes — deterministic enforcement of the precomputed-dangerous set where the harness supports a hook; defense-in-depth everywhere else | No — no agent action boundary | No — no agent action boundary | No — endpoint visibility, not graph-derived action gating | No — scan-and-report, no runtime hook | No — cloud detection, not a local hook | Partial — gateway can block, but on traffic rules, not an exposure graph | No |
Read any row across. The pattern holds: strong tools, built for a different layer. The bottom-right cell — exposure-graph-aware enforcement at the harness hook — is empty for everyone but Dryx. That's the seat.
One honesty note, because it matters. Enforce is direct-download only. The notarized helper arms the deterministic gate where the harness supports a hook. Mac App Store builds get the voluntary reflex and passive monitoring — same picture, same Findings, the agent still consults the Authority Anchor — but the armed gate needs the direct-download helper. And nobody, including Dryx, takes all the risk away: Dryx runs deterministic enforcement of the precomputed-dangerous set where the harness supports a hook, and defense-in-depth everywhere else. Anyone who tells you otherwise is selling.
A security tool can claim a hundred checkboxes. Most are table stakes. These five are the ones that, taken together, no one else has — so these are the five that decide whether a tool can actually stand where the agent acts.
Catch it before it runs. A skill or MCP server gets analyzed before it's installed — Dryx shows you what it would reach on your machine first. Tool-poisoning attacks against common agents land at alarming rates in published research. The gate that closes that is the one that checks before the install, not after the breach.
A per-workspace sense of normal. The slow path does the heavy analysis once and writes down what your workspace looks like. Then drift shows up against that line — a plugin that changed between runs, a permission that grew. Reframed honestly: the baseline is a precomputed input the policy reads, not a model thinking in real time. It covers more without ever thinking more.
Your workspace never leaves your machine. Verdicts run offline. The IPC is loopback-only. If Dryx ever phones home, Little Snitch will show you — that's the point of saying it this way instead of a badge you'd have to take on faith. Any Ecosystem Contribution is opt-in.
One Authority Anchor, every agent. No single agent can see what the others on your Mac can reach. Dryx reads them all — eight named harnesses plus any MCP server — and shows the shared exposure. A model vendor can secure its own agent. It can't secure the one next to it.
This is the seat. The verdict isn't a generic rule — it comes from your blast-radius graph, and it's checked at the boundary the agent crosses to act. The gate reads the action, not the argument: a prompt injection can win the argument with the model and still lose to the gate. That's how this is supposed to work. See the action-boundary story in full →
In April 2026 Palo Alto Networks bought Koi for around $400M and gave the category a name: Agentic Endpoint Security — security for agents, plugins, MCP servers, and model files. That's real validation. A $100B incumbent doesn't name a category it thinks is small.
But look at where it lives. Agentic Endpoint Security is going cloud and enterprise — Prisma, Cortex, the platform stack a security team buys and operates. That leaves a seat open directly below it: the offline tool that runs on the individual developer's workstation, sees every agent locally, and decides at the action boundary without a network round-trip.
That's the seat Dryx sits in. Not above the cloud platform, not competing with it — below it, where the agent actually runs and the secret actually lives. A 2026 Bessemer thesis on securing AI agents pointed at the same gap: targeted, in-flight intervention at the action boundary as the part of the market that's least built out. They flagged the seat. Dryx is already in it.
Every claim in the matrix maps to something you can check.
That's the whole posture of this company: verifiable over assertable. Eleven patent filings. Detector and sanitizer unit tests plus 50 canary secrets run through public CI on every release. The hot path is budgeted under 10ms. We'd rather hand you the receipt than ask you to trust the claim. See the CI receipts →
Want to put Dryx in the matrix on your own machine? Get early access. It ships on the Mac App Store and as a notarized direct download — the direct download carries the Founding Member Lifetime for the founding cohort of Operators.