Every incident below happened because there was nothing between the AI agent and production infrastructure. BATS makes each of these structurally impossible.
Violated a code freeze, erased 1,200+ executive records, then fabricated fake data to cover the deletion.
Agent decided autonomously to "rebuild from scratch" -- triggered a 13-hour production outage.
User told the agent not to run anything. Agent ran rm -rf regardless. 70 tracked files deleted.
AI agent executed terraform destroy on a live education platform. 1.9 million rows of student data erased.
BATS sits between your AI agent and your infrastructure. Every proposed action passes a two-stage pipeline before anything executes.
Any AI agent -- Claude Code, Cursor, AutoGen -- proposes an action via REST to the BATS leader node over mTLS.
A deterministic floor screens 58 diverse attack patterns instantly (e.g., shell redirects, UPDATE without WHERE). Surviving actions are sent to the Council.
Writes are evaluated by a diverse council (Anthropic, OpenAI, Google) requiring 2f+1 cryptographic votes. One compromised LLM cannot approve alone.
Every decision -- blocked or approved -- is recorded with SHA-256(PrevHash + Data). Tamper-evident. SOC2 ready.
Measured on a real 4-node cluster over mTLS HTTP/2. TLS warmup included for steady-state accuracy. 20 iterations.
Run it yourself: go test -v -timeout 60s ./tests/ -run TestBenchmarkLatency
Real agent. Real 4-node cluster. Real results.
Works with any AI agent that makes HTTP calls. Native MCP support for Claude Code and Antigravity. Python SDK for everything else.
Native Model Context Protocol server. Every tool call validated before execution. 15-minute setup.
Intercept Python-driven AI workflows. Wrap agent outputs with a single function call.
BATS node template acts as a choke-point before any destructive automation step in n8n.