
Agent Memory Guard

OWASP's open-source runtime middleware defense layer for AI agent memory systems, mapped to the **ASI06: Memory Poisoning** entry in the OWASP Top 10 for Agentic Applications. Ships as a drop-in integration for LangChain, LlamaIndex, and CrewAI. Enforces strict memory-governance protocols at the read/write boundary: cryptographic integrity (SHA-256 hashing of memory blobs at rest), real-time anomaly detection on rapid state changes + protected-key modifications + unusual blob-size expansions, composite trust scoring with temporal decay during retrieval, and automatic state snapshots for time-travel rollback to a known-good cognitive state when poisoning is detected.


Definition


Why it exists

Prompt injection was stateless — neutralized when the user's session ended. Memory poisoning is *persistent* — once a malicious instruction is written to long-term semantic memory, it blends into the agent's "learned" identity and triggers data exfiltration / unaligned behavior / unauthorized tool calls weeks or months later as "trusted historical context." The defense had to move into the memory layer itself, not the prompt layer. Agent Memory Guard is the runtime substrate that does that.

Primary use cases

  • Drop-in defense for agent frameworks (LangChain / LlamaIndex / CrewAI) reading and writing persistent memory.
  • Cryptographic-integrity validation of memory blobs against tampering at rest.
  • Real-time anomaly detection on memory-write patterns suggestive of injection payloads.
  • Composite-trust scoring with temporal decay for retrieval-time sanitization.
  • Forensic rollback to pre-poisoning snapshots after detected incidents.
  • Multi-agent environments where one poisoned agent could propagate corruption via shared memory orchestration.

Recent developments

Latest signals
  • Drop-in integration with LangChain + LlamaIndex + CrewAI is the architectural pitch. Agent Memory Guard ships as middleware that wraps the existing memory-read/write API of the host framework — zero application-side rewrites required. The integration shape is what makes it adoptable at the pace memory-poisoning incidents are forcing on enterprise deployments. Per OWASP Foundation — Agent Memory Guard project page.
  • Multi-layer defense: cryptographic + anomaly + sanitization + forensic. SHA-256 memory-integrity hashing (at-rest tampering detection) + real-time anomaly monitoring (rapid state changes, protected-key edits, unusual JSON/YAML blob growth — classic injection payload signatures) + composite trust scoring with temporal decay (older unverified entries get less weight at retrieval) + state-snapshot capture for "time travel" rollback after a detected infection. Per OWASP Foundation — Agent Memory Guard.
  • Composes with academic memory-poisoning defense research. arXiv 2601.05504 ("Memory Poisoning Attack and Defense on Memory Based LLM-Agents") formalizes the attack + defense models that Agent Memory Guard's trust-scoring + decay mechanisms implement at the middleware layer. Per arXiv 2601.05504 — Memory Poisoning Attack and Defense on Memory-Based LLM Agents.
  • Trust-scoring with temporal decay is the load-bearing primitive at retrieval time. Older + unverified memory entries get less weight when the agent retrieves context for its next decision — gives the agent a "skeptical-by-default" stance toward stale memory. The pattern handles cases where the injection slipped past write-time anomaly detection but is now suspiciously old/unverified. Per arXiv 2601.05504 — Memory Poisoning Attack and Defense.
  • OWASP ASI06 makes Memory Poisoning a tracked enterprise compliance category. Inclusion in the OWASP Top 10 for Agentic Applications elevates memory poisoning from "interesting research problem" to "compliance-audited threat" — pen-test rubrics + security-audit checklists now check for memory-poisoning defense alongside SQL injection + XSS. Per OWASP Foundation — Agent Memory Guard and DEV — Prompt Injection Was Stateless: Memory Poisoning Is Persistence.
  • Forensic rollback is the operational-incident-response primitive. When poisoning is detected, automated snapshots allow rollback to the most-recent known-good cognitive state — the agent equivalent of database point-in-time recovery. Critical for multi-agent deployments where a single poisoned agent could otherwise infect the entire network via routine message passing. Per Christian Schneider — Memory Poisoning in AI Agents: Exploits That Wait.
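As an added illustration (not Agent Memory Guard's own code and not the OWASP project's API), the Python below shows how the layers listed above compose at a single read/write boundary: SHA-256 digests over canonical JSON for at-rest integrity, write-time anomaly rules (unverified edits to protected keys, blob-size growth, write-rate), a snapshot after every accepted write with point-in-time rollback, and half-life trust decay applied when the agent retrieves context. The key names, thresholds, the one-week half-life and the injectable clock are constructed assumptions for the example.

```python
import copy
import hashlib
import json
import time
from dataclasses import dataclass

# Constructed policy values for this illustration; a real deployment would tune them.
PROTECTED_KEYS = {"system_role", "tool_allowlist"}
MAX_GROWTH_RATIO = 4.0               # a rewrite may not grow a blob more than 4x
MAX_WRITES_PER_WINDOW = 5            # "rapid state change" threshold
WINDOW_SECONDS = 60.0
HALF_LIFE_SECONDS = 7 * 24 * 3600.0  # trust of an unverified entry halves every week


def blob_hash(value):
    """SHA-256 over a canonical JSON encoding, so semantically equal blobs hash equally."""
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    value: object
    digest: str        # SHA-256 recorded at write time
    written_at: float
    verified: bool     # True only for writes the host framework vouched for


class GuardedMemory:
    """Write-boundary guard wrapping a plain dict-backed memory store (hypothetical)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the example can time-travel
        self.store = {}
        self.snapshots = []       # (timestamp, deep copy of store) after each accepted write
        self.write_times = []
        self.alerts = []

    def write(self, key, value, verified=False):
        """Apply the write only if no anomaly rule fires; returns True on success."""
        t = self.now()
        self.write_times = [w for w in self.write_times if t - w <= WINDOW_SECONDS]
        reasons = []
        if key in PROTECTED_KEYS and not verified:
            reasons.append("unverified write to protected key %r" % key)
        prev = self.store.get(key)
        if prev is not None:
            old_size = len(json.dumps(prev.value))
            new_size = len(json.dumps(value))
            if new_size > MAX_GROWTH_RATIO * max(old_size, 1):
                reasons.append("blob %r grew %d -> %d bytes" % (key, old_size, new_size))
        if len(self.write_times) >= MAX_WRITES_PER_WINDOW:
            reasons.append("rapid state change: %d writes within %.0fs"
                           % (len(self.write_times), WINDOW_SECONDS))
        if reasons:
            self.alerts.extend(reasons)   # surface to the host's monitoring; write is dropped
            return False
        self.store[key] = Entry(value, blob_hash(value), t, verified)
        self.write_times.append(t)
        self.snapshots.append((t, copy.deepcopy(self.store)))  # known-good state after the write
        return True

    def verify(self):
        """Keys whose at-rest blob no longer matches the digest recorded at write time."""
        return sorted(k for k, e in self.store.items() if blob_hash(e.value) != e.digest)

    def rollback(self, before):
        """Restore the newest snapshot taken strictly before `before`; False if none exists."""
        candidates = [snap for ts, snap in self.snapshots if ts < before]
        if not candidates:
            return False
        self.store = copy.deepcopy(candidates[-1])
        return True

    def trust(self, key):
        """Composite trust: verified entries stay at 1.0, unverified ones decay with age."""
        e = self.store[key]
        if e.verified:
            return 1.0
        return 0.5 ** ((self.now() - e.written_at) / HALF_LIFE_SECONDS)

    def retrieve(self, min_trust=0.25):
        """Retrieval-time sanitization: drop entries whose trust fell below the floor."""
        return [(k, e.value, self.trust(k))
                for k, e in self.store.items() if self.trust(k) >= min_trust]
```

Two design points worth noting: the snapshot is taken after each accepted write rather than before, so the newest snapshot is always the last committed known-good state and a tamper detected by `verify()` (which never goes through `write()`) can be undone by rolling back to it; and `trust()` is computed at retrieval time from the stored timestamp, so an entry that slipped past the write-time rules still loses weight as it ages unverified.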
