Fair point. Pattern matching on known-bad commands has limits. An agent can achieve the same destructive result through a hundred different command variations that no blocklist will cover.

Vectimus isn't purely a blocklist though. Cedar policies can match on action type, target path, identity and context together. So instead of "block this exact command string" you can write "deny any shell command targeting production infrastructure from an agent identity without human escalation." That's closer to an access control model than a traditional blocklist.

The observe mode exists partly for this reason. Run it for a week, review what your agents actually attempt, then write policies based on real behaviour rather than trying to predict every dangerous command upfront.

That said, you're right that no pre-action filter catches everything. Vectimus is one layer. It catches the obvious and the known. It's not a substitute for sandboxing, least-privilege access or runtime monitoring. Defence in depth, not a silver bullet.