The Smallest Blast Radius in AI
Folder-level mounting, per-agent API keys, and Cloudflare tunnel isolation create a security surface measured in countable folders and revocable credentials, not abstract risk levels or compliance checkboxes.
What Is a Blast Radius?
In infrastructure security, blast radius means one thing: the maximum damage a single compromised component can cause. It is the question every security engineer asks before signing off on a deployment. If this one piece fails, what else falls with it?
A compromised cloud VM might access every database on the network. A compromised admin credential might control every service in the organization. A compromised container with overly broad IAM permissions might read every secret in the vault.
The blast radius of a traditional cloud AI platform agent is, in most architectures, everything the platform can access. Every integration. Every file. Every conversation. Every other agent's data. One agent goes wrong, and the exposed surface is the entire platform.
That is not a theoretical concern. It is the default state of most multi-agent cloud deployments today. And it is the reason security teams block AI adoption for months while they try to scope risk they cannot quantify.
HeartBeatAgents was built around a different premise: the blast radius of an AI agent should be measurable. Not in abstract "risk levels" or compliance checkboxes, but in concrete, countable units. We measure it in folders, keys, and tunnels.
Folder-Level Containment
An agent's filesystem is the set of folders you explicitly mounted. Nothing more.
Agent "Sales Prep" sees ~/Documents/sales. That is its entire filesystem. Not ~/Documents. Not ~/. Not /etc. Not /var. The mounted folder IS the filesystem. There is no path traversal to a parent directory because, from the agent's perspective, no parent directory exists.
The blast radius for file access: exactly the folders you chose to share. You can count them. In the UI, you literally see a list. If you shared one folder, the blast radius is one folder. If you shared three, it is three. The number is not an estimate. It is a count.
This is not access control layered on top of a broad filesystem. It is architectural isolation. The agent does not have permissions to read other folders. The other folders are not present in its mounted environment. The distinction matters. Permission-based security can be misconfigured. A folder that was never mounted cannot be misconfigured into existence.
System directories are permanently blocked at the platform level. No agent, regardless of configuration, can access operating system files, application binaries, or system configuration. This is not a policy. It is a structural constraint that no user action can override.
Per-Agent API Key Isolation
Each agent gets its own set of API credentials for each integration. Not a shared pool. Not organization-wide tokens. Individual keys, scoped to individual agents.
Agent "Sales Prep" has HubSpot read access. Agent "Support" has Zendesk access. Agent "DevOps" has GitHub access. These credential sets are completely independent. If Sales Prep is compromised, the attacker has HubSpot read access for that one agent. They have zero access to Zendesk. Zero access to GitHub. Zero access to Jira. Zero access to Slack. The credentials do not exist in that agent's environment.
The blast radius for integrations: exactly the keys assigned to that specific agent. Not the organization's keys. Not the platform's keys. That agent's keys. You can list them. You can count them. You can revoke any one of them independently without affecting any other agent.
Compare this to the typical cloud platform pattern where a single OAuth connection grants all agents access to a service. One compromised agent inherits the full permission scope of the platform's integration. The blast radius is every agent's access combined into one exposed surface.
Cloudflare Tunnel Isolation
External connections route through Cloudflare tunnels. No ports are open on your machine. No inbound connections are accepted. The tunnel initiates outbound from your hardware to Cloudflare's edge network, and all traffic flows through that encrypted channel.
Each tunnel is individually provisioned. Each tunnel is individually revocable. You see every active tunnel in your dashboard. You can terminate any one of them in a single click. DDoS protection is automatic, handled at Cloudflare's edge before traffic ever reaches your hardware.
The blast radius for network access: a single encrypted tunnel that you control. Not an open port. Not a public endpoint. Not a load balancer with a broad security group. One tunnel. Encrypted. Monitored. Revocable.
If you suspect a compromise, you kill the tunnel. The agent is immediately disconnected from all external communication. There is no firewall rule to update, no security group to modify, no NAT table to reconfigure. One click. The connection is gone.
Local Memory Isolation
Each agent's memory lives on your local disk. Episodic memory, semantic memory, procedural memory. All of it stored on hardware you own, in files you control.
There is no shared cloud memory service. One agent's accumulated knowledge cannot be accessed by a different agent unless you explicitly configure memory sharing between them. The default is isolation. Sharing is the exception, not the rule, and it requires deliberate action.
The blast radius for data: the agent's own memory files on your own disk. A compromised agent cannot read another agent's conversation history, learned procedures, or stored context. That data is in a different memory store, on the same machine, but entirely separate.
Cloud platforms typically store all agent memory in a shared database. One compromised agent, or one compromised platform credential, exposes every agent's accumulated knowledge. Every conversation. Every learned pattern. Every piece of context that was supposed to be scoped to a single workflow. Gone.
The Math
Consider a concrete scenario. You run 4 agents. Each has 2 shared folders and 3 integration keys.
Agent "Support" is compromised.
The blast radius: 2 folders (~/Documents/support and ~/Templates/responses). 3 API keys (Zendesk read, Slack post to #support, Knowledge Base read). 1 Cloudflare tunnel. 0 access to other agents' memory.
That is it.
Your sales data: untouched. Your financial records: untouched. Your code repositories: untouched. Your other agents' integrations: untouched. Your CRM: untouched. Agent "Sales Prep" continues operating with its own folders, its own keys, its own tunnel, completely unaware that anything happened to Agent "Support."
This is not because of a security policy that could be bypassed. It is because the paths, credentials, and memory stores do not exist in the compromised agent's universe. You cannot access what does not exist in your environment.
The maximum damage from a compromised agent: 2 folders, 3 API keys, 1 tunnel, 0 access to other agents. Countable. Auditable. Bounded.
Now run the same scenario on a cloud platform with shared credentials and a shared data layer. Agent "Support" is compromised. The blast radius: every integration the platform has access to, every file in the shared data store, every other agent's conversation history, every API key the platform manages. The blast radius is the platform.
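The scenario above is easy to turn into an audit you can run against an agent inventory. The following Python is an added example written for this article, not HeartBeatAgents' own code: it canonicalizes each mount (so a path such as ~/Documents/sales/../../../../../etc is recognized as /etc), rejects any mount that is, contains, or sits inside a system directory as described under Folder-Level Containment, flags any credential id that appears in more than one agent's key set, and reports the countable blast radius (folders, keys, tunnels, other agents' memory reachable) for each agent. The four-agent inventory, the home directory, the system-directory blocklist, and the field names are all constructed assumptions.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed home directory standing in for "~" so the check runs offline.
HOME = "/home/user"
# Assumed blocklist of system locations the platform never allows as mounts.
SYSTEM_ROOTS = ("/etc", "/var", "/usr", "/bin", "/sbin", "/boot", "/proc", "/sys")


@dataclass
class Agent:
    name: str
    folders: list            # mount paths as entered by the user
    keys: list               # credential ids, one per integration key
    tunnels: int = 1         # one outbound tunnel per agent
    memory_shared_with: set = field(default_factory=set)  # explicit opt-in only


def canonical(path: str) -> str:
    """Expand a leading ~ and collapse '.' and '..' purely on the string.

    No filesystem access, so the check is deterministic; '..' above the
    root collapses to '/' exactly as a kernel path walk would.
    """
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return posixpath.normpath(path)


def is_under(path: str, root: str) -> bool:
    """True if path equals root or lies inside it (both canonical)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def mount_allowed(path: str) -> bool:
    """Reject a mount that is a system directory, sits inside one, or
    contains one (mounting '/' would expose every system root)."""
    p = canonical(path)
    return not any(is_under(p, root) or is_under(root, p) for root in SYSTEM_ROOTS)


def blast_radius(agent: Agent) -> dict:
    """The countable surface a compromise of this one agent exposes."""
    return {
        "folders": len({canonical(f) for f in agent.folders}),
        "keys": len(set(agent.keys)),
        "tunnels": agent.tunnels,
        "other_agents_memory": len(agent.memory_shared_with),
    }


def audit(agents: list) -> list:
    """Findings that break the isolation model: a blocked mount, or a key
    id held by more than one agent (a shared credential widens the radius)."""
    findings = []
    owners = {}
    for a in agents:
        for f in a.folders:
            if not mount_allowed(f):
                findings.append(f"{a.name}: mount {f!r} resolves to {canonical(f)!r}, blocked")
        for k in a.keys:
            if k in owners and owners[k] != a.name:
                findings.append(f"{a.name}: key {k!r} also held by {owners[k]}")
            owners.setdefault(k, a.name)
    return findings


# Constructed inventory matching the article's four-agent scenario.
INVENTORY = [
    Agent("Sales Prep", ["~/Documents/sales", "~/Templates/decks"],
          ["hubspot-ro-sp", "slack-post-sales", "calendar-ro-sp"]),
    Agent("Support", ["~/Documents/support", "~/Templates/responses"],
          ["zendesk-ro-sup", "slack-post-support", "kb-ro-sup"]),
    Agent("DevOps", ["~/Repos/infra", "~/Repos/runbooks"],
          ["github-rw-devops", "pagerduty-ro-devops", "slack-post-ops"]),
    Agent("Finance", ["~/Documents/finance", "~/Templates/invoices"],
          ["quickbooks-ro-fin", "stripe-ro-fin", "slack-post-fin"]),
]

# Constructed misconfiguration: a mount that canonicalizes to /etc, and a key
# already owned by "Sales Prep".
BAD_AGENT = Agent("Intern", ["~/Documents/sales/../../../../../etc"], ["hubspot-ro-sp"])

if __name__ == "__main__":
    for a in INVENTORY:
        print(a.name, blast_radius(a))
    for line in audit(INVENTORY + [BAD_AGENT]):
        print("FINDING:", line)
```

Run as-is, the clean inventory produces no findings and "Support" reports 2 folders, 3 keys, 1 tunnel, 0 other agents' memory, the same numbers as the scenario above. Adding the constructed "Intern" agent yields two findings: the traversal-looking mount resolves to /etc and is refused, and the reused HubSpot key is reported as held by two agents. The path check is lexical on purpose: a mount decision should not depend on what happens to exist on disk at review time.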
Why CISOs Care About Countability
Security teams do not want to hear "we have robust security measures." They have heard that sentence from every vendor that has ever been breached. It is meaningless. It communicates nothing about actual risk exposure.
Security teams want to hear: the maximum damage from a compromised agent is 2 folders, 3 API keys, 1 tunnel, 0 access to other agents.
That sentence passes security review. It is specific. It is bounded. It can be verified by looking at a configuration screen. The CISO can count the folders, count the keys, verify the tunnel configuration, and confirm agent isolation. The entire risk assessment takes minutes, not months.
When a security team evaluates a cloud AI platform, the question is: what is the worst case? And the answer, if the platform shares credentials across agents or stores data in a common layer, is: the worst case is everything. That answer triggers a full vendor security review. Penetration testing. SOC 2 documentation requests. Legal review of data processing agreements. The timeline stretches to months.
When the answer is "2 folders and 3 read-only API keys," the conversation is different. The risk is bounded. The scope is clear. The approval process is short because the exposure is small and verifiable.
Regulated Industries
Healthcare organizations operating under HIPAA need demonstrable containment of protected health information. An agent that processes patient scheduling data cannot have a path, even a theoretical one, to billing records or clinical notes outside its scope. Folder-level mounting makes this containment architectural. The scheduling agent mounts the scheduling folder. There is no HIPAA-covered data outside that mount. The audit trail is the mount configuration itself.
Financial institutions under SOC 2 and PCI-DSS require evidence of least-privilege access and network segmentation. Per-agent API keys with explicit scope provide least-privilege by default. Cloudflare tunnel isolation provides network segmentation without complex firewall topologies. The evidence is the configuration: here are the keys, here is their scope, here is the tunnel, here is the access log.
Law firms handling matters protected by attorney-client privilege cannot risk cross-contamination between client files. An agent working on the Acme Corp matter mounts ~/Cases/acme-corp. It has no path to ~/Cases/globex-industries. Privilege is maintained through architectural isolation, not through access control lists that an administrator might misconfigure.
Government agencies evaluating AI tools against FedRAMP-adjacent requirements need data sovereignty and access control that can be documented and audited. Local-first architecture with per-agent isolation provides both. The data never leaves the agency's hardware. The access boundaries are visible and countable.
In each of these contexts, the difference is the same. "We have a security policy" does not pass audit. "The attack surface is 2 folders and 3 read-only API keys" does.
Measuring What Matters
The security industry has spent decades building frameworks for risk assessment. Most of them operate on qualitative scales. High, medium, low. Red, yellow, green. These scales are useful for executive summaries. They are inadequate for evaluating the actual exposure of an AI agent with access to your business systems.
HeartBeatAgents replaces qualitative risk with quantitative surface. The blast radius is not "low." It is 2 folders, 3 keys, 1 tunnel. The isolation is not "strong." It is structural: separate mounts, separate credentials, separate memory stores, separate network paths.
Every component of the security posture can be listed, counted, and independently verified. Every component can be independently revoked. The security model does not depend on correct configuration of a complex policy engine. It depends on a simple, visible list of what each agent can access.
The smallest blast radius in AI is not a marketing claim. It is a measurable property of the architecture. Count the folders. Count the keys. Count the tunnels. That is the surface. There is nothing else to count.