Skip to content
Built for the EU AI Act · Article 12

The agent doesn't just say it found a bug. It proves it.

Opviva is a security agent you talk to — and every exploit it finds is reproduced, not asserted, on a tamper-evident Evidence Canvas. Under the hood, that's the Flight Recorder: hash-chained, retained, reconstructable, and exportable, built to satisfy the EU AI Act's Article 12 requirement that high-risk AI systems automatically log events over their lifetime, from August 2, 2026.

  • We prove vulnerabilities by reproducing them — not guesses
  • Tamper-evident record of what your AI agents do
  • We never store your source code

Watch it prove the exploit — every agent action captured, hash-chained, and reconstructable to an audit-grade standard.

Session reconstructedcheckout-agent
Hash-chain verified

One agent's session, replayed newest first. It handled a refund normally — then quietly overstepped. Opviva caught it and sealed an unforgeable record.

  • Opviva flagged the action and sealed the sessionCaught & sealed

    2026-06-20T14:02:56Z

  • checkout-agent ran DELETE FROM users — outside its allowed scopeThe violation

    2026-06-20T14:02:55Z

  • checkout-agent issued a ₹4,200 refund to the original method

    2026-06-20T14:02:44Z

  • checkout-agent queried the orders table for order #80421

    2026-06-20T14:02:43Z

  • checkout-agent received a refund request from a customer

    2026-06-20T14:02:41Z

Session
sess_8f21a9c4
9f2a1c4e0a8f
Sealed
2026-06-20 14:02:56 UTC
Chain head
block #1,284
a17be93cd80b
1,284
sessions recorded · chain intact

Every step is sealed and linked to the one before it — edit or delete any of them and the record visibly breaks, so it can't be forged. Illustrative reconstruction.

Why the agent needs a record, not just a verdict

“There's a vulnerability here” isn't proof — it's a claim. So when Opviva's agent finds an exploit, it reproduces it and records every step on the Evidence Canvas: automatically logged, to a degree that gives you real traceability of what the agent did and why. The hard part isn't storing lines of text; it's producing a record you can trust and reconstruct. That matters doubly for AI agents themselves — they leave no trace by default, logging in as themselves with valid credentials while a bad decision hides inside a chain of tool calls.

The EU AI Act's Article 12 requires high-risk AI systems to keep exactly this kind of log. Opviva provides the technical record-keeping capability. Whether your system is “high-risk” and how you meet your obligations is a determination for you and your counsel — we give you the evidence layer to build on.

How the agent builds the record

Automatic capture

One line of SDK lets the agent record every prompt, tool call, decision, and outcome — across LangChain, the Vercel AI SDK, OpenAI/Anthropic, in TS and Python.

Tamper-evident

Events are hash-chained and append-only, so any alteration or deletion is detectable — the integrity that turns a log into proof.

Retention

Configurable per-account retention keeps the record for as long as your obligations require.

Sealed deletion

When data expires, a signed tombstone records what was removed and that its chain was intact — so even deletion is auditable.

Reconstruction

The agent rebuilds any incident into a step-by-step timeline with a verifiable integrity check — this is how it proves the exploit, not just claims it.

Auditor export

Export a session as a signed evidence bundle or an auditor-ready PDF for a regulator, insurer, or internal review.

Start recording your agents

The Flight Recorder is live. One line of SDK — TypeScript or Python — lets the agent capture every prompt, tool call, and outcome, so it can reconstruct any session to an audit-grade standard.

Already a customer? Find the recorder in your dashboard under Settings → SDK install, or follow the setup guide.