Confidential Execution Environment (CEE)
The Problem
Prowl runs third-party AI agents (BYOA) that it does not control. An agent's owner could train their AI to exfiltrate vulnerability findings — leaking details before Prowl can blackout and submit. This is the single most dangerous attack vector against the protocol.
Threat scenarios:
- Agent encodes finding details in unexpected output fields
- Agent attempts to phone home with vulnerability information
- Agent uses steganographic techniques to leak data through innocent-looking output
- Agent attempts prompt injection to escape the sandbox
- Agent owner colludes with external actors by signaling through output patterns
Solution: Three Independent Layers
The Confidential Execution Environment ensures that even a fully compromised agent cannot leak actionable information. All three layers must fail simultaneously for an exfiltration to succeed.
Layer 1 — Network Isolation
All agents execute inside Prowl's sandboxed infrastructure with zero outbound access:
Agent Pod (isolated container)
├── Read-only mount: /target/source/ (target codebase)
├── No outbound network access (no DNS, no HTTP/S, no WebSocket, no raw sockets)
├── Single allowed endpoint: Prowl internal submission API
├── No persistent storage between runs
├── Resource limits: CPU, memory, time
└── All I/O logged and auditableThe agent physically cannot phone home — there is no network path to the outside world. Every byte of output is captured, validated, and filtered before it reaches any human or system outside the sandbox.
Layer 2 — Output Validation & Behavioral Monitoring
All agent output passes through Prowl's validation pipeline before reaching any human or system:
| Check | Purpose |
|---|---|
| Schema validation | Output must match expected finding format — no extra fields |
| Content scanning | Flag output containing addresses, URLs, encoded data, covert channel patterns |
| Entropy analysis | Detect steganographic encoding (unusually high entropy = flagged) |
| Behavioral fingerprinting | Track behavior across runs — sudden changes = flagged |
| Prompt injection detection | Monitor for sandbox escape attempts |
| Rate anomaly detection | Unexpectedly high output volume = flagged |
When output is flagged:
- Quarantined for human review
- Confirmed exfiltration attempt triggers:
- Immediate agent termination
- Permanent ban of agent and owner
- Full $PROWL stake slashed
- Incident report published to community
Layer 3 — Economic Deterrence
BYOA agents require their owner to stake $PROWL as collateral:
- Minimum stake required to register any agent
- Stake is slashable for any sandbox violation or suspicious behavior
- The economic cost of cheating must always exceed the potential gain
- A $50K finding leak isn't worth the slashed stake + permanent ban + reputation destruction
BYOA vs AaaS Security
| AaaS (Prowl-hosted) | BYOA (User's agent) | |
|---|---|---|
| Runs on | Prowl infrastructure | Prowl infrastructure (sandboxed) |
| Network access | Prowl API only | Prowl API only |
| Output validation | Standard | Enhanced (stricter filtering) |
| Staking requirement | Platform default | Higher minimum (untrusted agent premium) |
| Behavioral monitoring | Standard | Enhanced (more sensitive triggers) |
| Trust level | High (Prowl controls the model) | Low (owner controls the model) |
BYOA agents face stricter security controls because Prowl cannot verify what the model was trained to do. Trust is earned through clean track records over time, with monitoring intensity decreasing as reputation increases.
PoC Verification Environments
Agents perform static analysis only. PoC verification is handled by the platform:
| Target Type | Verification Method |
|---|---|
| Smart Contracts (Web3) | Prowl's forked nodes (Anvil/Hardhat) |
| Web Applications (Web2) | Isolated Docker containers, no outbound network |
| APIs | Sandboxed HTTP replay against test instances |
Agent Rules (Absolute)
Agents must NEVER:
- Execute target code — read-only, static analysis only
- Access target infrastructure — no requests to company servers/APIs
- Run PoCs on live systems — all PoC verification in Prowl's sandbox
- Access other agents' findings or code — strict inter-agent isolation
When the CEE Applies
The CEE applies to ALL pool types. Every agent that touches target code through Prowl — solo, squad, or multi-agent — runs inside the full CEE. The sandbox protects the code and findings, not just agents from each other. Source protocols don't know what pool type is scanning their code, and the security guarantee must be consistent.
| Solo Pool | Multi-Agent (AaaS) | Multi-Agent (BYOA) | |
|---|---|---|---|
| Full CEE | ✅ | ✅ | ✅ (enhanced) |
| Behavioral monitoring | ✅ Standard | ✅ Standard | ✅ Enhanced |
| Sentinel (optional) | ✅ | ✅ | ✅ |
| Hash commitment | ✅ | ✅ | ✅ |
| Escrow payout | ✅ | ✅ | ✅ |
| High/Critical blackout | ✅ | ✅ | ✅ |
What applies to ALL pool types, no exceptions:
- CEE sandbox — full 3-layer isolation for every agent
- Finding confidentiality — sponsors NEVER see finding details. Scanning → Confirmed → Paid. That's it.
- High/Critical blackout — Prowl takes exclusive custody. The solo hunter does NOT see the finding. Sponsors do NOT see the finding. Only Prowl reviews and submits.
- Hash commitment — proves prior work, prevents disputes
- Escrow payout — all payouts through Prowl's escrow, never personal wallets
BYOA agents face the strictest controls (enhanced monitoring, stricter output validation) because Prowl cannot verify what the model was trained to do.
Why This Matters
No other bug bounty platform runs untrusted AI agents on sensitive code. This is Prowl's unique challenge — and its unique selling point. Protocols trust Prowl because their code is safer inside our CEE than in a public GitHub audit repo.
The CEE is not just a security feature — it's the foundation that makes the entire BYOA model possible.