Cloud Access Security Brokers redefined how enterprises control employee access to cloud services. Now, the same control model needs to extend to AI agents. Our 102 million domain categorization database provides the foundational data layer that enables CASB-equivalent policy enforcement for autonomous agents navigating the open web -- with the same category-based blocking, page-type awareness, and audit logging that security teams already expect.
Your CASB enforces web access policies on every employee in the organization. But AI agents bypass the CASB entirely because they do not route traffic through the proxy.
Traditional CASBs operate as forward or reverse proxies that intercept HTTP/HTTPS traffic from employee browsers and apply category-based filtering, DLP inspection, and access controls. AI agents do not use employee browsers. They make HTTP requests from server-side runtimes, cloud functions, or containerized environments -- none of which route through the CASB. This means every policy your security team has carefully configured for employee web access simply does not apply to agent web access.
An agent CASB applies the same control model -- category-based filtering, page-type blocking, reputation scoring, and audit logging -- directly within the agent runtime. Instead of routing traffic through a proxy, you embed a categorization lookup into the agent's middleware layer. Before every outbound request, the middleware queries our 102 million domain database and enforces the same policies your CASB applies to employees. The result is a consistent security posture across both human and machine web access.
The database provides the same data fields that CASBs use for policy decisions: content categories (mapped to IAB taxonomy), web filtering categories (Adult, Malware, Gambling, Phishing), page-type labels (login, checkout, admin, settings), and domain reputation scores. Your policy engine consumes this data and applies rules that mirror your existing CASB configuration -- creating parity between employee and agent access controls.
Every CASB capability has an equivalent implementation for AI agent governance
CASBs block employee access to categories like Adult, Gambling, and Malware. The agent equivalent uses our web filtering categories to apply the same blocks at the agent middleware layer. The category taxonomy is identical -- your security team can reuse existing CASB policy definitions without translation. Block Adult content for agents just as you block it for employees.
CASBs discover shadow IT by logging every cloud service employees access. The agent CASB logs every domain every agent visits, with full categorization data. This creates a complete inventory of external services your agents interact with -- enabling your security team to identify unauthorized SaaS usage, unsanctioned data sources, and domains that should be added to blocklists or allowlists.
CASBs generate compliance reports showing that employee web access adheres to regulatory requirements. The agent CASB generates equivalent reports for agent web access -- documenting which domains were visited, what categories they belonged to, which policy rules were applied, and what actions were taken. This audit trail satisfies SOC 2, GDPR, HIPAA, and ISO 27001 evidence requirements for AI agent governance.
Implement CASB-equivalent controls in your agent middleware using URL categorization
import http.client
import json
from datetime import datetime
class AgentCASB:
"""CASB-equivalent policy enforcement for AI agents."""
# Mirror your existing CASB category policies
CASB_POLICY = {
"hard_block": [
"Adult", "Malware", "Phishing", "Gambling",
"Illegal Content", "Weapons", "Drugs"
],
"soft_block": [
"Social Networking", "Streaming Media",
"Web-based Email", "File Sharing"
],
"monitor_only": [
"Financial Services", "Healthcare",
"Government", "Education"
],
"blocked_page_types": [
"login", "checkout", "admin", "settings"
]
}
def __init__(self, api_key, agent_id):
self.api_key = api_key
self.agent_id = agent_id
self.conn = http.client.HTTPSConnection(
"www.websitecategorizationapi.com"
)
self.session_log = []
def enforce_policy(self, target_url):
"""Apply CASB-equivalent policy to agent navigation."""
data = self._classify(target_url)
page_type = data.get("page_type", "unknown")
filter_cat = self._extract_filter_category(data)
verdict = {"action": "allow", "category": filter_cat,
"page_type": page_type, "url": target_url}
if page_type in self.CASB_POLICY["blocked_page_types"]:
verdict["action"] = "block"
verdict["reason"] = f"Page type blocked: {page_type}"
elif filter_cat in self.CASB_POLICY["hard_block"]:
verdict["action"] = "block"
verdict["reason"] = f"Hard block: {filter_cat}"
elif filter_cat in self.CASB_POLICY["soft_block"]:
verdict["action"] = "block"
verdict["reason"] = f"Soft block: {filter_cat}"
elif filter_cat in self.CASB_POLICY["monitor_only"]:
verdict["action"] = "allow"
verdict["reason"] = f"Monitored: {filter_cat}"
else:
verdict["reason"] = "Default allow"
self._audit_log(verdict)
return verdict
def _classify(self, url):
payload = (
f"query={url}&api_key={self.api_key}"
f"&data_type=url&expanded_categories=1"
)
headers = {"Content-Type":
"application/x-www-form-urlencoded"}
self.conn.request("POST",
"/api/iab/iab_web_content_filtering.php",
payload, headers)
return json.loads(
self.conn.getresponse().read().decode("utf-8"))
def _extract_filter_category(self, data):
cats = data.get("filtering_taxonomy", [[]])
if cats and cats[0]:
return cats[0][0].replace(
"Category name: ", "")
return "Uncategorized"
def _audit_log(self, verdict):
verdict["timestamp"] = datetime.utcnow().isoformat()
verdict["agent_id"] = self.agent_id
self.session_log.append(verdict)
casb = AgentCASB(api_key="your_key", agent_id="agent-7")
result = casb.enforce_policy("https://gambling-site.com")
print(f"CASB verdict: {result['action']} - {result['reason']}")
class AgentCASBProxy {
constructor(apiKey, casbConfig) {
this.apiKey = apiKey;
this.config = casbConfig;
this.accessLog = [];
}
async evaluateAccess(targetURL, agentContext) {
const classification = await fetch(
"https://www.websitecategorizationapi.com" +
"/api/iab/iab_web_content_filtering.php",
{
method: "POST",
headers: {
"Content-Type":
"application/x-www-form-urlencoded"
},
body: new URLSearchParams({
query: targetURL,
api_key: this.apiKey,
data_type: "url",
expanded_categories: "1"
})
}
).then(r => r.json());
const filterCat =
classification.filtering_taxonomy?.[0]?.[0]
?.replace("Category name: ", "") || "Unknown";
const verdict = {
url: targetURL,
category: filterCat,
pageType: classification.page_type,
action: "allow",
agentId: agentContext.agentId,
timestamp: new Date().toISOString()
};
if (this.config.hardBlock.includes(filterCat)) {
verdict.action = "block";
verdict.reason = `CASB hard block: ${filterCat}`;
}
this.accessLog.push(verdict);
return verdict;
}
}
Purpose-built domain databases for AI agent filtering. Includes IAB categories, 20+ page types, reputation scores, and popularity rankings. One-time purchase with perpetual license.
10 Million Domains with Page-Type Intelligence
One-time purchase: Perpetual license | Optional Updates: $1,599/year
20 Million Domains with Full Intelligence Suite
One-time purchase: Perpetual license | Optional Updates: $2,999/year
50 Million Domains with Complete Intelligence Suite
One-time purchase: Perpetual license | Optional Updates: $4,999/year
Also available: Enterprise URL Database up to 102M domains from $2,499. View all database tiers →
Search any IAB or Web Filtering category to see how many domains are in our 102M Enterprise Database -- the same categories your agent CASB policy will reference.
How 102 million domains from our main Enterprise Database are distributed across IAB v3 taxonomy classifications
Spanning Tier 1 through Tier 4 classifications from our 102M Enterprise Database
Charts display domain counts for the top 50 out of 700+ categories in our 102M Enterprise Database. To check the number of domains for the remaining 650+ categories, use the Category Counter tool above .
The Cloud Access Security Broker market exists because enterprises recognized that employees accessing cloud services from corporate devices needed centralized visibility, control, and compliance enforcement. The exact same recognition is now emerging for AI agents. Agents accessing the open web from corporate infrastructure need centralized visibility (which domains are they visiting?), control (which domains should they be allowed to visit?), and compliance enforcement (can we prove to auditors that our agents operate within policy boundaries?).
The architectural difference between an employee CASB and an agent CASB is where the enforcement point sits. An employee CASB is a network proxy -- it sits between the user's browser and the internet. An agent CASB is a middleware component -- it sits between the agent's runtime and its HTTP client. The policy logic is identical; only the interception mechanism changes.
Every major CASB feature has a direct equivalent in the agent governance space. Forward proxy mode, which intercepts outbound employee traffic, maps to agent middleware that intercepts outbound HTTP requests from the agent runtime. Reverse proxy mode, which controls access to sanctioned SaaS applications, maps to API gateway rules that control which external services the agent can call. API mode, which connects to cloud services via API to monitor activity after the fact, maps to agent audit logging that records every domain visited with full categorization context.
Data Loss Prevention scanning, which inspects employee uploads for sensitive data, maps to agent output filtering that checks whether the agent is about to submit sensitive data to an external form or API. Shadow IT discovery, which identifies unsanctioned cloud services employees are using, maps to agent domain inventory that identifies all external domains agents interact with and flags those not on the approved list.
Some teams ask whether they can simply route agent traffic through their existing CASB. In theory, this is possible -- you could configure the agent's HTTP client to use a forward proxy. In practice, this approach has severe limitations. First, it introduces network latency: every agent HTTP request must traverse the CASB proxy, adding 50-200ms per request. For agents that visit 100+ domains per task, this adds 5-20 seconds of overhead. Second, it creates capacity planning challenges: agent traffic volumes can be 10-100x human traffic volumes, potentially overwhelming the CASB infrastructure.
Third, CASBs lack agent-specific context: they see the HTTP request but do not know which agent sent it, what task the agent was performing, or why the agent chose that destination. Without this context, CASB logs are a wall of undifferentiated HTTP requests that provide no actionable insight. Fourth, CASBs cannot enforce stateful policies: they evaluate each request independently, but agent governance often requires session-level rules (e.g., "block this agent if it has visited more than 10 financial domains in this session").
The goal of an agent CASB is not to create a separate policy framework from scratch. It is to extend your existing CASB policies to cover agent traffic, ensuring consistent security posture across all web access -- human and machine. This means your agent CASB should consume the same category taxonomy, enforce the same blocking rules, and generate the same audit events as your employee CASB.
Our database makes this straightforward because it uses standard web filtering categories that map directly to CASB policy categories. If your employee CASB blocks the "Gambling" category, your agent CASB blocks the "Gambling" category using the same label from the same taxonomy. No translation layer, no category mapping table, no reconciliation between incompatible taxonomies. The same category name in your CASB config works in your agent policy config.
One of the most valuable CASB features is shadow IT discovery -- identifying cloud services that employees are using without IT approval. For agents, the equivalent feature is even more critical. An agent operating autonomously may interact with SaaS APIs, web services, and data providers that your organization has no relationship with. Each interaction creates a data sharing relationship that may violate procurement policies, data processing agreements, or regulatory requirements.
The agent CASB's domain inventory function logs every unique domain the agent visits, classifies it by IAB category and web filtering category, and flags domains that are not on the organization's approved service list. This gives IT and procurement teams real-time visibility into the external services their agents are consuming -- enabling them to establish formal vendor relationships, negotiate data processing agreements, and ensure regulatory compliance before the agent's usage creates binding obligations.
Enterprise compliance frameworks increasingly require evidence that AI systems operate within defined boundaries. SOC 2 Type II audits require continuous monitoring controls. GDPR requires documentation of data processing activities. HIPAA requires access controls on systems that handle protected health information. An agent CASB generates the evidence artifacts that satisfy these requirements -- timestamped audit logs showing every domain visited, the categorization data used for policy decisions, and the action taken (allow, block, or review).
The audit trail should be exportable in standard formats (JSON, CSV) and queryable by time range, agent ID, domain, category, and action type. This enables compliance teams to generate on-demand reports for auditors without requiring engineering support, reducing the compliance burden on development teams and accelerating audit cycles.
Platform providers building agent orchestration services for multiple customers need a multi-tenant CASB architecture where each customer can define independent policy rules while sharing the underlying categorization database. Our database supports this pattern natively -- the domain categorization data is universal (it does not change per customer), while the policy rules are per-tenant. Deploy one instance of the database and N instances of the policy engine, each configured with the customer's specific allow/block rules.
Enterprise CASBs are typically priced per-user per-month, with costs ranging from $5 to $15 per user per month. For a 10,000-employee organization, this translates to $600,000 to $1.8 million per year. An agent CASB built on our domain categorization database costs a fraction of this: $7,999 for the 10M domain database, $14,999 for the 20M database, or $24,999 for the 50M database, as a one-time purchase with a perpetual license. Optional annual updates are $1,599, $2,999, or $4,999 per year respectively. There is no per-agent pricing, no per-query pricing, and no volume tier restrictions. Deploy the data across as many agents as your architecture requires at no additional cost.
Extend your enterprise web filtering policies to AI agents with the same categorization data CASBs rely on. One-time purchase, perpetual license, 102 million classified domains.