AgentPay: what we built at the Anthropic × Kaszek hackathon
Team Octopus won the Anthropic × Kaszek × Digital House hackathon with AgentPay, a prototype that puts deterministic security checks in front of the payments an AI agent tries to execute.
- Team Octopus won the Anthropic × Kaszek × Digital House hackathon with AgentPay, a working prototype built during the event. The prize was USD 150,000 in Anthropic credits plus USD 2,000 in cash; it was an event prize, not an investment.
- AgentPay puts a deterministic security pipeline in front of the payments an AI agent executes, checking amount limits, recipient changes, exposed credentials and signs of manipulation before an action runs.
- Security decisions don't rely on asking another model. They use auditable rules and leave a hash-chained record of what was attempted and why it was allowed, blocked or sent for approval.
Our team, Octopus, won the main prize at the Anthropic × Kaszek × Digital House hackathon. Five of us built a prototype called AgentPay over the course of the event: Ignacio Aracena, Nicolás Spagnuolo, Mauro Proto Cassina, Sebastián Buffo Sempe and me.
The hackathon had more than 200 participants. AgentPay took the main prize: USD 150,000 in Anthropic API credits for the team, about USD 30,000 per person, plus USD 2,000 in cash from Kaszek. To be clear, that was an event prize, not an investment or a funding round.
It was a mixed team. Three of us were students from UdeSA: Ignacio, Nicolás and Mauro. The other two were senior profiles, Sebastián from the business, fintech and startup side, and me from tech, product, fintech and cybersecurity. The three students carried a lot of the weight. They came prepared for a demanding format with little time to explore long paths, and they shaped both the build and how we framed the problem. To use the time well, we split into fronts: Ignacio, Nicolás and Sebastián on business, value proposition and the pitch, Mauro and I on the technical prototype.
What AgentPay is
AgentPay is a functional prototype we built during the event. It shows how to add a security layer over AI agents when they take sensitive actions: payments, credentials, files, connections to external services.
The idea came out of a problem I've been working on since February, when I started building Oktsec. Agents no longer just answer questions. They read files, run commands, use APIs, connect to internal tools, install dependencies and operate with credentials. That opens a concrete question for companies and technical teams: how do you control what an agent does before it executes something risky?
This isn't a future risk
It's already happening. Between late April and May 2026, a few cases showed where this is heading. In Cursor, researchers showed how a repository that looked normal hid instructions inside its README, so the agent ended up reading and sending private keys from the local environment just by opening the project. Google reported it already finds web pages with hidden instructions meant to manipulate agents that browse or process external content. And Microsoft published vulnerabilities in agent frameworks where a prompt injection went from a manipulated response to remote code execution on the host. The point is the same in all three. Once the model is connected to tools, files or commands, a malicious instruction stops being text and becomes a concrete action.
That's the real shift. The old risk was that AI gave a wrong answer. Now that agents can read files, use tools, reach data or run commands, an attack can do real damage: steal sensitive information, execute orders, compromise systems. A lot of companies are going to have to treat these agents like identities with privileged access. Limit what they can do, review their actions, keep evidence, and not let them operate with full permissions unsupervised.
How it worked
AgentPay took that problem to one concrete case: the payments an AI agent executes. We built a Claude Code plugin that ran inside the agent's flow and inspected every action the agent tried to take before letting it through. We didn't start from zero. We reused part of my open-source work in Oktsec on risk detection, agent-environment analysis and control of sensitive actions.
The prototype ran a security pipeline before executing a sensitive operation. It checked for exposed credentials, amount limits, frequency, recipient changes, altered parameters and signs of external manipulation. If the agent wanted to pay USD 50 to someone but a compromised MCP server changed the recipient or inflated the amount before the operation ran, AgentPay could catch the change, block the action, or ask for human approval.
One decision mattered more than the rest. We did not base the security on asking another model whether something was safe. AgentPay used deterministic rules, which are more predictable and auditable, to decide whether an action could proceed, be blocked, or be flagged as risky. In financial flows that's the whole point. You don't want a hallucination or a malicious instruction to be what enables a transaction. It also left auditable evidence. Each decision was recorded with a hash chain, so you can go back and see what was attempted, which rule applied, and why it was allowed, blocked, or sent for approval.
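To make the two points above concrete (deterministic rules instead of asking a model, and a hash-chained record of every decision), here is an added example in Python. It is not AgentPay's or Oktsec's code and does not reflect how the plugin was actually written; the policy values, rule names, credential patterns and the split between the payment the agent declared (`intent`) and the tool call as it is about to run (`action`) are all assumptions made for the illustration. The rules run in a fixed order, the first match decides, and every outcome is appended to a log whose entries each commit to the hash of the previous one, so a later edit to any record breaks verification.

```python
import hashlib
import json
import re

ALLOW, BLOCK, REVIEW = "allow", "block", "review"

# Policy values are constructed for this example; a real deployment would load them.
POLICY = {
    "hard_limit": 1000.0,        # above this the action is blocked outright
    "max_auto_amount": 100.0,    # above this a human must approve
    "max_per_recipient": 3,      # allowed payments to one recipient before review
    "allowed_currencies": {"USD"},
}

# Rough credential-shaped patterns (constructed); the point is the check, not the regexes.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9]{20,}"),               # API-key-like token
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                 # cloud access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key
]

GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, intent, action, decision, rule):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "intent": intent,
                "action": action, "decision": decision, "rule": rule}
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; any edited or reordered entry fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def allowed_count(self, recipient) -> int:
        return sum(1 for e in self.entries
                   if e["decision"] == ALLOW and e["action"]["recipient"] == recipient)


def check_payment(intent, action, log):
    """Deterministic rules in a fixed order; the first match decides.
    `intent` is what the agent declared, `action` is the call about to run."""
    if action["recipient"] != intent["recipient"]:
        return BLOCK, "recipient_changed_after_intent"
    if action["amount"] != intent["amount"] or action["currency"] != intent["currency"]:
        return BLOCK, "amount_or_currency_changed_after_intent"
    if action["currency"] not in POLICY["allowed_currencies"]:
        return BLOCK, "currency_not_allowed"
    for value in action.values():
        if isinstance(value, str) and any(p.search(value) for p in CREDENTIAL_PATTERNS):
            return BLOCK, "credential_in_parameters"
    if action["amount"] > POLICY["hard_limit"]:
        return BLOCK, "over_hard_limit"
    if action["amount"] > POLICY["max_auto_amount"]:
        return REVIEW, "over_auto_approval_limit"
    if log.allowed_count(action["recipient"]) >= POLICY["max_per_recipient"]:
        return REVIEW, "recipient_frequency"
    return ALLOW, "within_policy"


def guard(intent, action, log):
    """Run the checks and record the outcome before anything executes."""
    decision, rule = check_payment(intent, action, log)
    log.append(intent, action, decision, rule)
    return decision, rule


def run_demo():
    """Constructed scenarios: a normal payment, a recipient swap after the
    agent declared its intent, a large amount, and a key leaking into a memo."""
    log = AuditLog()
    intent = {"recipient": "acct-vendor-42", "amount": 50.0, "currency": "USD"}
    results = [
        guard(intent, dict(intent, memo="invoice 1017"), log),
        guard(intent, dict(intent, recipient="acct-attacker-99"), log),
        guard(dict(intent, amount=500.0), dict(intent, amount=500.0), log),
        guard(intent, dict(intent, memo="key " + "sk-" + "A" * 24), log),
    ]
    return results, log


if __name__ == "__main__":
    results, log = run_demo()
    for decision, rule in results:
        print(f"{decision:7} {rule}")
    print("chain intact:", log.verify())
```

The design choice worth noting is that the decision never depends on a model's opinion: the same intent and action always produce the same verdict and the same rule name, which is what makes the log reviewable after the fact. The frequency rule also shows why the log is more than evidence; it is the state the next decision reads.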
The pattern behind it
What matters about AgentPay isn't only the payments case. It's the pattern underneath. As agents start operating on real tools, companies need a control layer before, during and after each sensitive action. More and more teams are exploring AI agents, but to use them in sensitive environments they need visibility into what agents do, clear rules, traceability, and evidence to review afterward.
That line of work continues past the hackathon. AgentPay was a prototype applied to payments, but the problem is broader: how do you let agents help scale operations without losing control, traceability or security? That's where Oktsec sits, the project I'm building now. The idea isn't to replace the models or compete with AI tools. It's to add a security layer around the agents: what they can do, under what rules, with what permissions, and what evidence their actions leave behind.
The approach is local-first, so sensitive data and actions stay in the company's or developer's environment, and the security layer adds visibility, rules, control and evidence that tech, security, compliance or leadership can review. In short, Oktsec is about letting a company adopt AI agents with more confidence and scale faster, without giving up control, traceability or security.
The relationship between the two is simple. AgentPay was the working hackathon prototype, applied to the payments agents execute. Oktsec is the continuation of that line, as a security layer for AI agents in real environments.