InterceptAI ยท Terminus

Security Efficacy Brief

How much a default-deny action layer reduces what a compromised or misdirected agent can do to your database. Measured against live attacks, not asserted.

Terminus operates at the database-action boundary. It governs what an agent is permitted to do to your database, not what it is permitted to think or say.

AI agent TERMINUS your database
allow deny safer rewrite

The agent holds no database credentials. Every action is decided before it can execute. There is no side path to the data.

Attack success 46.7%0.0% The same model ran the same attacks with and without Terminus in front of the database. Enforced, none succeeded.
Legitimate work blocked 0.0% Benign agent queries wrongly denied, across a 300-query corpus. Security that does not get in the way of real work.
SQLi that reached the DB 0/ 3,126 Payloads from a third-party SQL-injection corpus, wrapped as agent queries. None got through to the database.

Live A/B run: claude-sonnet-5 · 18 adversarial scenarios · 3 trials per arm · 108 agent turns.
Every figure on this page reproduces from the commands below.

What this means for you

01

Default-deny at the action boundary.

The agent asks; Terminus decides allow, deny, or a safer rewrite. Nothing reaches the database without an explicit allow. The starting posture is "no," not "yes."

02

The agent holds no database credentials.

It cannot reach the data except by asking Terminus, and Terminus will not act without a decision. There is no bypass to find, because there is no other door.

03

Enforcement does not depend on the model behaving.

In our test the unprotected model refused some attacks on its own and carried out the rest. Terminus removed the rest. A control that only works when the model chooses to cooperate is not a control.

How we tested

Two arms, identical model and scenarios. Arm A is a direct-database agent with no Terminus in front of it, full read and write. Arm B is the same agent whose only database access is Terminus. An attack counts as successful only when real database state changed, or a seeded secret appeared in a result. Never from what the agent said, only from what it did.

Two results are worth stating plainly, because both make the number more honest, not less:

The unprotected baseline is 46.7 percent because the model refused the other attacks itself. Terminus's job was the ones it did not refuse. It blocked every one of them.

Benign task completion rose under enforcement, from 83 to 100 percent. The unprotected agent sometimes chased the injected instruction and never answered the real question. Given a clean allow or deny, the enforced agent stayed on task.

Where Terminus fits your compliance program

Two Terminus capabilities do the work across every framework below: default-deny access enforcement, least privilege applied to each query, and a tamper-evident audit chain, a complete and verifiable record of every allow, deny, and rewrite. Terminus is a control that provides evidence toward the access and logging obligations these frameworks impose. It is not a certification, and it does not make you compliant. That stays your program's responsibility.

SOC 2

Trust Services Criteria
CC6.1 · CC6.3  logical access, least privilege
CC7.2  system monitoring

Query-level default-deny enforces least-privilege access, and the decision log gives you the monitoring record these criteria expect.

Evidence toward your SOC 2 scope. Your auditor attests; Terminus is one control within it.

ISO/IEC 27001:2022

Annex A
A.5.15  access control
A.8.3  information access restriction
A.8.15  logging

Least-privilege access to data and tamper-evident logging of every access decision map directly to these Annex A controls.

Supports the named controls. Certification covers your ISMS as a whole.

NIST SP 800-53

AC-3  access enforcement
AC-6  least privilege
AU-2  event logging
AU-9  protection of audit information

Access is enforced at the action boundary, and the audit record's integrity is protected by a cryptographic chain, which is exactly what AU-9 asks for.

Control-level evidence. System authorization remains the deployer's.

DORA (EU 2022/2554)

Financial entities · from Jan 2025
Art 9(4)(c)  logical access limited to
  approved functions only
Art 9  event logging

DORA requires logical access limited "to what is required for legitimate and approved functions only." That is default-deny in the regulation's own words, recorded on a reliable, verifiable log.

Applies to EU financial entities and their ICT providers. Terminus supports the access and logging duties; the ICT risk framework is yours.

NIS2 (EU 2022/2555)

Essential & important entities
Art 21(2)  access-control policies
Art 21(2)  monitoring and logging

Access-control enforcement and continuous logging for the agent-to-database path address two of the ten Article 21 risk-management measures.

Proportionate to your risk exposure. NIS2 covers your whole security program.

EU AI Act (Reg. 2024/1689)

Art 12  record-keeping
Art 14  human oversight
Art 15  accuracy, robustness, cybersecurity

A traceable decision record (Art 12), an enforceable allow / deny / oversight point (Art 14), and a robustness control at the database boundary (Art 15).

Provides evidence for these obligations. It does not make a deployer "EU AI Act compliant." EU regulatory copy pending legal review.

InterceptAI does not represent Terminus as a compliance certification. These mappings describe the controls Terminus provides evidence toward; whether they satisfy a given obligation is your compliance team's determination.

What we do not claim

Trust comes from the boundaries a vendor draws, not just the wins it reports. Here is what Terminus is not.

not thisPrompt injection
Terminus enforces whether or not the prompt was compromised. It does not detect or prevent prompt injection. It composes with the guardrails that do.
not thisData-loss / DLP
Column allow-lists limit read exposure at the query level. They do not classify content or replace a data-loss-prevention program.
not thisSQLi detection score
We report an enforcement outcome, what reached the database, not a detection-accuracy score. A benign query on a permitted table is allowed, by design.

Terminus does not guess intent inside a valid query on a table an agent is allowed to use. That is a losing game against attacker creativity. It bounds what the agent can do, so intent inside those bounds does not have to be guessed.

How to check us

This is first-party testing, and we are telling you so. We authored the scenarios and the corpus wrapping. What makes it checkable rather than self-serving is that every number above reproduces from two deterministic commands and one live command.

# benign false-positive rate. no API key.
make bench-static
# SQL-injection coverage. no API key.
make bench-corpus
# the attack-success A/B headline. needs an API key.
make bench-agent

Full source and the engineer-level report, with the complete scenario set and every corpus checksum, are available under evaluation. Your engineers can reproduce every figure in an afternoon.

Don't take our word for it

The strongest version of this report is the one your team runs.

These numbers are ours. The method is yours to check, and the benchmark is built to run against your schema, your policy, and your agents. That is where a number stops being marketing and starts being evidence.