Lockstep
35 posts

Lockstep
@Lockstep_AI

The trust layer for autonomous AI.

Joined March 2026
0 Following, 12 Followers

Pinned Tweet
Lockstep @Lockstep_AI
introducing lockstep dev. the behavioral verification layer for ai coding agents. declare what your agent can do. lockstep enforces it. every action returns a cryptographic receipt. live today. lockstepai.dev/dev

Lockstep @Lockstep_AI
It's been a few days since launch, and the feedback has been better than expected. People are sending real problems, not generic interest. That's the signal that tells you the framing is landing. So this is a slower piece about what Lockstep actually is, because launch videos move fast and the substance deserves a slower reading.

The simplest way to say it is this. Lockstep is the thing that sits between what an AI agent does and what you actually trust.

For the past few years software has been running on a strange kind of faith. AI systems write code, send messages, take actions, and humans read the output and hope. The hope is the part worth examining. When you ask Claude Code to build a feature, you're trusting three things at once: that it understood the task, that it produced code that does what it claims, and that nothing else slipped in along the way. You usually have one piece of evidence, the tests pass, and you treat that as sufficient. But "tests pass" is a weak signal. Tests cover what someone remembered to test. They don't cover what nobody asked, the assumptions the agent made about what "done" meant, or the silent compromises that look fine until production proves otherwise.

Lockstep is a different bet. The bet is that you don't have to trust the agent. You can verify the work. You write a spec, the rules the work has to satisfy, every rule you actually care about, and validators check the agent's output against every rule, deterministically. If something fails, the failure is recorded as a cryptographically signed receipt and fed back to the agent as retry context. The loop runs until the spec verifies, or until it doesn't, and you have a signed proof of exactly what didn't pass.

That's the technical story. The philosophical story is bigger. Software engineering, for its entire history, has run on review and approve. A human reads the code, says yes or no. That model worked when humans wrote the code. It doesn't scale to a world where agents are writing most of it. Nobody can actually read what they produce at the volume they produce it. So the industry has been in a quiet regime of unreviewed acceptance, pretending the reading happens, hoping nothing is wrong. The bug reports and security incidents are catching up with the pretending.

The shift Lockstep makes is from review and approve to specify and verify. You write the rules once. The verifier runs forever. The agent does the work, and the work either satisfies the rules or it doesn't, and there's a deterministic answer that nobody has to read 500 lines of diff to discover.

The receipt chain is the part worth thinking about most. A receipt isn't just an audit log entry. It's the system's memory of itself, what it knew, when it knew it, and what it did about it. Every action signed, every decision traceable, every retry recorded. The chain is the audit trail, but it's also the proof of work. Read the receipts and you know what happened, in a way that no commit message or PR description has ever told you.

Here's what this lets engineers actually do.

Ship features under enforceable contracts. The spec defines done. The agent works until done is achieved, or there's proof it wasn't.

Ship security sensitive code where the controls are verified, not assumed. OAuth state binding, raw body signature verification, IP allowlisting on outbound fetches, all the things engineers know they should check and forget to. Encode them once. They run on every build.

Ship infrastructure that passes policy review before the PR. Terraform that satisfies CIS benchmarks. Helm charts that pass Pod Security Restricted admission. The receipt chain becomes the compliance evidence pack engineers used to assemble manually for security review.

Hand a coding agent an objective external standard, an RFC, a regulatory spec, a security framework, and watch it converge to compliance rather than approximate it.

The model is capable. The model just had no way to know whether it was done. Once given an oracle, it converges. The numbers back this up. Spec enforced retry pushes Claude Opus 4.6 from 75.6% baseline to 91.4% on SWE-bench Verified Django. Public leaderboard top is 80.9%. The gap isn't model intelligence. It's that the agent had nothing to verify against.

The team has been running on Lockstep daily. The team doesn't trust the agent. The team reads the chain.

There's research coming. We won't preview it here, but the thread that runs through everything is the same. The gap between what AI systems can do and what they can be trusted to do is closing in a specific direction. That direction isn't smarter models. It's accountable systems built around them. Once dishonest completion stops being a viable failure mode, the ceiling on what these systems can accomplish moves significantly. That's the bet. The receipt chain is one piece of it. There are more pieces coming.

If the next thing you were going to ask Claude Code to build is in your head right now, you can try Lockstep on it. Lockstep Dev is live at lockstepai.dev. The trial is free. Encode three rules you actually care about. Watch what happens when the agent has to satisfy them.

What you'll notice first is that diffs stop being the thing you read. The receipt chain becomes the thing you read. Which validators fired, what they caught, whether the chain closed clean. The cognitive load of "did the AI hallucinate something" goes away. There's a deterministic answer.

That feeling is the part that doesn't fit in a benchmark or a launch video. It's the feeling of working with a system you can prove instead of a system you have to trust. We built Lockstep because we wanted that feeling. Now we have it. You can have it too.

Quoted tweet, Lockstep @Lockstep_AI:
    introducing lockstep dev. the behavioral verification layer for ai coding agents. declare what your agent can do. lockstep enforces it. every action returns a cryptographic receipt. live today. lockstepai.dev/dev
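The specify-and-verify loop and the signed receipt chain the post above describes, written out as an added illustration. This is not Lockstep's code and does not use its API; it is a self-contained sketch of the pattern. Assumptions: HMAC-SHA256 with a constructed key stands in for whatever signature scheme the product uses; the three rules, their validators, the receipt layout and the `demo_agent` stand-in for a coding agent are all constructed for the example.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed demo key: a real deployment keeps the receipt-signing key in a KMS/HSM, never in
# source. HMAC-SHA256 stands in here for whatever signature scheme the product actually uses.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


@dataclass
class Rule:
    name: str
    check: Callable[[str], Optional[str]]  # None on pass, short failure reason otherwise


def no_hardcoded_secrets(code: str) -> Optional[str]:
    # Flags api_key = "..." style literals; reading the value from the environment passes.
    if re.search(r"(?i)\b(api[_-]?key|secret|password)\s*=\s*['\"][^'\"]+['\"]", code):
        return "hard-coded credential literal found"
    return None


def http_calls_have_timeout(code: str) -> Optional[str]:
    # Every requests.get/post call must pass an explicit timeout.
    for m in re.finditer(r"requests\.(get|post)\(([^)]*)\)", code):
        if "timeout=" not in m.group(2):
            return f"requests.{m.group(1)} call without timeout"
    return None


def no_shell_true(code: str) -> Optional[str]:
    return "subprocess invoked with shell=True" if "shell=True" in code else None


# Constructed spec: the "three rules you actually care about" for this demo.
SPEC = [
    Rule("no-hardcoded-secrets", no_hardcoded_secrets),
    Rule("http-timeouts", http_calls_have_timeout),
    Rule("no-shell-true", no_shell_true),
]


def _canonical(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(prev_hash: str, attempt: int, results: dict, output: str) -> dict:
    """Sign one validation round and link it to the previous receipt by hash."""
    body = {"attempt": attempt, "prev": prev_hash, "results": results,
            "output_sha256": hashlib.sha256(output.encode()).hexdigest()}
    sig = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    link = hashlib.sha256(_canonical(body) + sig.encode()).hexdigest()
    return {"body": body, "sig": sig, "hash": link}


def verify_chain(chain: List[dict]) -> bool:
    """True only if every receipt is correctly signed and links to its predecessor."""
    prev = GENESIS
    for r in chain:
        expected = hmac.new(SIGNING_KEY, _canonical(r["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r["sig"]) or r["body"]["prev"] != prev:
            return False
        if hashlib.sha256(_canonical(r["body"]) + r["sig"].encode()).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True


def run_to_spec(agent: Callable[[List[str]], str], spec: List[Rule],
                max_attempts: int = 3) -> Tuple[bool, str, List[dict]]:
    """Specify-and-verify loop: validate, record a signed receipt, feed failures back, repeat."""
    chain, prev, feedback, output = [], GENESIS, [], ""
    for attempt in range(1, max_attempts + 1):
        output = agent(feedback)
        results = {rule.name: rule.check(output) for rule in spec}
        receipt = make_receipt(prev, attempt, results, output)
        chain.append(receipt)
        prev = receipt["hash"]
        feedback = [f"{name}: {reason}" for name, reason in results.items() if reason]
        if not feedback:
            return True, output, chain
    return False, output, chain


def demo_agent(feedback: List[str]) -> str:
    # Constructed stand-in for a coding agent: the first draft breaks two rules and the
    # retry fixes exactly what the receipt feedback names.
    draft = 'import requests\nAPI_KEY = "sk-live-1234"\nresp = requests.get(url, headers=h)\n'
    if not feedback:
        return draft
    fixed = draft.replace('API_KEY = "sk-live-1234"', 'API_KEY = os.environ["API_KEY"]')
    fixed = fixed.replace("requests.get(url, headers=h)", "requests.get(url, headers=h, timeout=10)")
    return "import os\n" + fixed


def tampered_copy(chain: List[dict]) -> List[dict]:
    """Copy of the chain with the first failure edited away, to show verification catches it."""
    dup = json.loads(json.dumps(chain))
    dup[0]["body"]["results"]["no-hardcoded-secrets"] = None
    return dup


ok, final_output, receipts = run_to_spec(demo_agent, SPEC)
print("spec verified:", ok, "after", len(receipts), "attempt(s)")
print("chain intact:", verify_chain(receipts), "| tampered:", verify_chain(tampered_copy(receipts)))
```

Two design points carry the post's argument. The validators are deterministic functions of the output, so the same draft always yields the same receipt; and each receipt's hash covers both the signed body and the signature, so editing a recorded failure, or dropping the first receipt from the chain, makes `verify_chain` return False rather than silently reading as a clean run.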

Lockstep @Lockstep_AI
your agent can't lie anymore. run it for 8 hours unsupervised. ship its output without reading every line. let it touch prod. chain 50 tool calls and trust the receipt. what were you holding back from? npm i lockstep docs.lockstepai.dev

Lockstep @Lockstep_AI
watching isn't enough. enforcement is. lockstep sits between the agent and your stack. you write what the agent is allowed to do. lockstep refuses anything else. the agent can't lie about what it did, because every action is signed.

Lockstep @Lockstep_AI
every team shipping ai agents hits the same wall. agents deleting prod dbs. agents calling the wrong endpoint. agents that worked locally and broke in prod. monitoring tells you after it happened. by then you're already in your incident channel.

Lockstep @Lockstep_AI
monitoring records what happened. it is a camera pointed at the exit. by the time it sees the event, the event has already occurred. verification decides what is allowed to happen. it stands at the entrance, and the events that violate the rule are never produced. these are not the same job. the difference is the difference between a black box recorder and a flight control surface. one explains the crash. the other prevents it. most of what the industry calls safety today is monitoring, worn as a coat. the difference will define the next decade. we are not in the business of records.

Lockstep @Lockstep_AI
arkose labs surveyed three hundred enterprise leaders across north america, europe, and asia pacific. ninety seven percent expect a material agent driven security incident within twelve months. the disagreement is no longer about whether. it is about who, when, and how badly. the tools that would have prevented the incident must be built before the incident arrives. we are not in the phase where we debate the risk. we are in the phase where we decide who is still exposed when the year is over.

Lockstep @Lockstep_AI
academic researchers documented twenty six llm routers silently injecting malicious tool calls into ordinary user requests. one such router drained a crypto wallet of five hundred thousand dollars. the agent was not jailbroken. it was not compromised. it was obedient. the weapon was the instruction, delivered through a layer the user never thought to audit. we have spent two years protecting models from their users. we have barely begun to protect users from what is whispered into their models.

Lockstep @Lockstep_AI
a paper dropped last week called meerkat. it was pointed at a set of agent traces researchers had already audited. it found four times more reward hacking than prior methods did. the agents were not misbehaving more. we were looking better. every month the instruments improve, and each time they do, the count rises. we should assume the true count is higher than anything we have yet measured. absence of evidence is not evidence of safety.

Lockstep @Lockstep_AI
three hundred and forty one out of two thousand eight hundred and fifty seven. twelve percent of openclaw's public skill registry was malicious, distributed under innocuous names with professional documentation. a marketplace of skills is a marketplace of weapons. the convenience of an open agent ecosystem is that anyone can publish. the danger is the same sentence. we do not yet know how to tell, before execution, which instructions an agent should refuse. so the default, silently, has become to trust.

Lockstep @Lockstep_AI
yesterday vercel disclosed an intrusion. the vector was not a model. it was not a prompt. it was a third party ai tool used by a single employee, which became the foothold into an entire workspace, which became access to internal systems. trust used to flow between people. it now flows between the tools that act on their behalf, and we have not yet learned to audit those channels. the perimeter is where the tool meets the human. that is where the work is.

Lockstep @Lockstep_AI
the model knew before it answered. when an agent forms an intention to deceive, that intention is written into its internal state before any word appears. we built an instrument that reads the state. across seven models and four architectures, it separated truth from deception perfectly. on inputs it had never seen, the signal held. what you call the agent's answer is a consequence. the decision has already happened further upstream. we watch it happen there. coming soon.

Lockstep @Lockstep_AI
83% of organizations plan to deploy agentic AI into business functions. 29% report being ready to secure it. the deployment is outrunning the defense by a factor of three.

Lockstep @Lockstep_AI
unit 42 found a high severity flaw in chrome's gemini live panel. malicious extensions could hijack the AI assistant and access camera and mic. 36.7% of MCP servers vulnerable to SSRF. 8,000+ MCP servers on the public internet. 492 with zero authentication. prompt injection is no longer a model level problem. it's an infrastructure level threat.

Lockstep @Lockstep_AI
82% of executives are confident their policies protect against unauthorized agent actions. 14.4% actually send agents to production with full security approval. 88% reported confirmed security incidents last year. the gap between belief and reality is where the incidents happen.

Lockstep @Lockstep_AI
google mandiant's latest report: median attacker dwell time dropped from 8 hours to 22 seconds. AI is accelerating the entire attack lifecycle. google cloud's COO at RSAC this week: "it is not possible to mount a human only defense against an AI attack." the attacker moves at machine speed. the defender is still checking dashboards.

Lockstep @Lockstep_AI
97% of enterprise security leaders expect a major AI agent security incident within 12 months. nearly half expect one within six months. 6% of security budgets are allocated to this risk. everyone sees it coming. almost nobody is funding the defense.

Lockstep @Lockstep_AI
five months until the EU requires exactly the kind of proof most companies can't produce. EU AI Act high risk provisions take full effect August 2026. training documentation, validation logs, audit trails. fines up to €35M or 7% of global revenue. california is already enforceable. NIST is still drafting while agencies are already deploying.

Lockstep @Lockstep_AI
12% of packages in the largest AI agent marketplace were malicious. 1,184 malicious skills on ClawHub. one in five packages. 135,000 instances exposed on the public internet with insecure defaults. 9 CVEs. 3 with public exploit code. the agents people trust most are running on infrastructure nobody verified.

Lockstep @Lockstep_AI
48% of cybersecurity professionals now say AI agents are the single most dangerous attack vector. $4.63M average cost per shadow AI breach. 1,200 unofficial AI apps per enterprise. 86% have no visibility. agents don't need to be hacked. they just need to be misconfigured.