Norton Wants to Be Your AI Agent's Bodyguard — Gen's Sage Security Framework Explained
Gen Digital open-sources Sage, a security framework for AI agents. Part of the Gen Agent Trust Hub with Skill Scanner. Here's what it actually does — and what it doesn't.
Gen Digital, Norton's parent company, open-sourced Sage on March 9, 2026 — a security layer for AI agents that scans skills before installation and monitors agent behavior at runtime. Sage is part of the broader "Gen Agent Trust Hub" alongside Skill Scanner, which vets agent skills pre-install. Together they cover the full lifecycle: supply chain and runtime. Gen and OpenClaw are co-hosting an RSA 2026 event today (March 26) in San Francisco to demo the framework (SecurityWeek).
My first reaction: finally. My second: they're open about its limits — Gen acknowledges Sage is "not a full antivirus product."
Why Norton is betting on agent security now#
The timing is not accidental. Gen's research found approximately 18,000 OpenClaw instances exposed to the internet with minimal security, and 400 malicious skills on ClawHub — roughly 12-15% of all available skills (Gen Digital Blog). As Gen CTO Siggi Stefnisson put it: "Security failures are no longer just one bad click, but trusted AI assistants quietly turning into persistent insider threats" (Help Net Security).
Norton's parent company is looking at a market that barely exists yet and trying to own it before Palo Alto, CrowdStrike, or some well-funded startup does. That's a defensible move. Gen Digital has 500 million users across its consumer brands. If even a fraction of those users start running AI agents — and they will — having the security layer already installed is a massive distribution advantage.
The bet makes business sense. Whether Sage is actually good is a different question.
What Sage actually does#
Sage is open-source (github.com/avast/sage) and works across Claude Code, Cursor/VS Code, and OpenClaw. The Gen Agent Trust Hub has two components: Skill Scanner (pre-install vetting) and Sage (runtime protection). Here's what each does.
Skill Scanner (pre-install). Scans agent skills before installation using URL reputation checking (cloud-based), local YAML-based heuristics, and supply-chain integrity checks. This is the layer that catches the ClawHub-style supply chain attacks before they land.
Runtime detection rules. Sage ships with 200+ detection rules covering command injection, persistence mechanisms, credential exposure, and obfuscation techniques. This is meaningfully different from relying on the agent itself to respect boundaries — a distinction that matters given recent research on how agents coordinate to bypass guardrails.
Three verdicts. Every intercepted action gets one of three outcomes: Allow (proceed normally), Ask (user decides), or Deny (blocked automatically). The Ask tier is the interesting design choice — it acknowledges that security tools can't always make the call.
Action logging. Immutable audit trail for every agent action. Most self-hosted setups have zero structured logging of what agents actually do versus what they're asked to do.
How it compares to existing approaches#
Most agent security today is DIY. You write system prompt guardrails, maybe add some tool-level access controls, hope for the best. Here's how Sage stacks up against the current landscape.
| Approach | Permission enforcement | Runtime monitoring | Audit trail | Kill switch | Cost |
|---|---|---|---|---|---|
| System prompt guardrails | Agent-enforced (bypassable) | None | None | Manual | Free |
| Custom middleware | Developer-built | Basic logging | Partial | Manual | Engineering time |
| Sage (Gen Digital) | Pre-install scanning + runtime rules | 200+ detection rules | Full immutable log | Allow/Ask/Deny | Free (open-source) |
| Managed platform (e.g., RapidClaw) | Container isolation + proxy | Built-in monitoring | Full log | Automated | Included in hosting |
The gap Sage fills is real. Being open-source means no vendor lock-in and community-auditable rules. But if you're already on a managed platform with built-in isolation, Sage is redundant overhead.
The trade-offs nobody is talking about#
Being open-source is a strong move — detection rules are auditable, community-extensible, and free. But open-source also means Gen isn't monetizing Sage directly. The business model likely funnels users toward Norton's paid security products, which is fine until the open-source version stagnates.
Gen is upfront that Sage is "not a full antivirus product." The YAML-based local heuristics and URL reputation checks are useful but not comprehensive. Sophisticated obfuscation or novel attack vectors will slip through the 200+ rules until the community or Gen updates them.
The supply chain story is stronger than expected. Skill Scanner's pre-install checks — URL reputation, supply-chain integrity, local heuristics — directly address the ClawHub malware incident where 400 malicious skills (~12-15% of ClawHub) were found. That's a real improvement over "catch it at runtime."
The ~18,000 exposed OpenClaw instances Gen found (Gen Digital Blog) suggest the real problem isn't missing security tools — it's that self-hosters don't configure basic protections. Sage helps, but only if people install it.
What this means for self-hosters and small teams#
For self-hosters, Sage is worth installing today — it's free and open-source. The 18,000 exposed instances Gen found are overwhelmingly solo setups where the operator is also the developer and the security team.
But the right solution for most small teams isn't bolting another tool onto a self-hosted stack. It's choosing infrastructure that bakes security in. RapidClaw runs every agent in a sandboxed container behind Cloudflare, with monitored tool calls and skill vetting built in. You don't need a third-party security framework because the hosting layer is the security framework.
The bigger picture#
Norton getting into agent security legitimizes the category. When a company with 500 million users says "AI agents need dedicated security," CISOs who couldn't get budget suddenly have a name-brand vendor to point to.
But antivirus is passive — scan files, block threats, run in background. Agent security is active — mediating between an autonomous system and real infrastructure in real time. Different failure modes, different performance requirements, different trust model. Sage being open-source gives it a real shot at community adoption. The question is whether Gen Digital maintains momentum or if a startup or cloud provider builds something better on top of the same open codebase. As Constellation Research noted at RSAC, everyone is trying to secure AI agents right now — Gen just got there first with an open-source play.
Frequently asked questions#
What is Gen Digital's Sage framework?#
Sage is an open-source security framework for AI agents, part of Gen Digital's Agent Trust Hub. It includes Skill Scanner (pre-install vetting via URL reputation, YAML heuristics, and supply-chain checks) and runtime protection with 200+ detection rules. Actions get one of three verdicts: Allow, Ask, or Deny.
Does Sage work with OpenClaw agents?#
Yes. Sage supports Claude Code, Cursor/VS Code, and OpenClaw at launch.
How much does Sage cost?#
Sage is free and open-source, available at github.com/avast/sage.
Is Sage necessary if I use a managed hosting platform?#
Probably not. Managed platforms like RapidClaw include container isolation, permission enforcement, runtime monitoring, and audit logging as part of the hosting infrastructure. Sage is most valuable for self-hosted deployments that lack these built-in protections.
Does Sage prevent supply chain attacks from malicious agent skills?#
Yes — this is a key strength. The Skill Scanner component of the Agent Trust Hub scans skills before installation using URL reputation checking, local YAML-based heuristics, and supply-chain integrity checks. Gen found 400 malicious skills on ClawHub (~12-15% of all skills), which Skill Scanner is designed to catch pre-install. Sage's runtime rules provide a second layer if something slips through.
Ready to build your own AI agent?
Deploy a personal AI agent to Telegram or Discord in 60 seconds. From $19/mo.
Get StartedStay in the loop
New use cases, product updates, and guides. No spam.