Same tools, different order, completely different security posture. read_db then send_email is an exfiltration pattern. send_email then read_db is fine. Per-session sequence analysis that no competitor offers.
Most security tools evaluate each tool call independently. "Can this agent call read_db?" Yes. "Can this agent call send_email?" Yes. Both are allowed individually. But read_db THEN send_email in the same session is a data exfiltration chain.
Agentic Glass tracks the entire session history. When the second call arrives, the sequence enforcer checks: "given what this agent already did in this session, is this next action safe?" The answer depends on order.
Session 1: safe ordering 1. send_email("team update") ALLOW 2. read_db("SELECT metrics") ALLOW (email sent before data access — no exfil risk) Session 2: dangerous ordering 1. read_db("SELECT * customers") ALLOW 2. send_email("external@...") DENY (data accessed, then email — exfiltration pattern) Same tools. Different order. Different decision.
After reading a database or querying the brain, sending email or making HTTP calls is forbidden. The most common exfiltration pattern.
CRITICAL severity
check_balance or verify_identity REQUIRED before transfer_funds or approve_payment. Cannot pay without verification.
CRITICAL severity
After searching (which may return PII), sending email is forbidden. Prevents accidental PII disclosure.
HIGH severity
run_tests REQUIRED before deploy. Cannot push to production without running the test suite first.
HIGH severity
Before deploying an agent, check if its tool set contains unsafe combinations. Give us the list of tools — we find every dangerous pair.
GET /sequence/composability?tools=read_db,send_email,search,deploy Response: [ { "tools": ["read_db", "send_email"], "rule": "no-data-then-egress", "reason": "read_db + send_email creates unsafe composition", "severity": "critical" }, { "tools": ["search", "send_email"], "rule": "no-pii-then-external", "reason": "search + send_email creates unsafe composition", "severity": "high" } ] 2 unsafe combinations found in this tool set.