Free to run locally — onboarding gateway partners

Stop AI agents before they drop your production database.

Block the catastrophic deterministically. Coach the recoverable.

The destructive call is stopped before it executes, even when your agent tries to make it. With your own LLM key, the block becomes a coached recovery: the agent revises and finishes instead of dying on a 403.

Start free, on your machine. No LLM key, nothing leaves your laptop. Add your own LLM key to unlock Recover; connect the cloud control plane for team HITL & SOC.

Watch AgentX block a live attack

Four agent attacks blocked, then the live policy-coverage suite.

Live across the protected network (dashboard values are not captured on this page):

Catastrophic Actions Blocked: irreversible / exfiltration actions stopped pre-execution.
Autonomous Recovery Rate: share of challenged agents that self-corrected.
Agent Runs Protected: runs that self-corrected vs. crashed.
Engineering Time Saved: estimated at ~20 min saved per protected run.

Add the Shield in 30 seconds (keyless · no Docker · no signup)

$ pip install agentx-security-sdk

from agentx_sdk import agentx_protect

@agentx_protect(agent_id="crm_worker")
def dispatch_update(client_id, notes, db=None):
    # db is a connection object; the reflection engine skips it and screens the string arguments
    return db.execute(notes)        # blocked before this line runs

# a prompt-injected DROP TABLE, blocked keyless and in-process:
dispatch_update("c-99401", "...; DROP TABLE users;")

That's the keyless Shield: it blocks the blatant catastrophic calls (DROP TABLE, secret exfiltration, SSRF) before they run, no key required.

Two ways to add it: a decorator on a Python tool, or one line in your mcp.json to wrap any MCP server (Claude Code, Cursor).

Full quickstart for both stacks → pick your stack, protect, handle a block, and run the gateway.

Shield · Free · Local

pip install, then one decorator on a Python tool or one line in your mcp.json to wrap any MCP server. The keyless Shield blocks the blatant catastrophic calls (DROP TABLE, secret exfiltration, SSRF) before they run. No LLM key, no signup, runs on your machine.

block + nudge

Recover · Gateway + Gemini key

The block becomes a coached, recoverable challenge: your agent revises and finishes the task instead of dying on a 403. Runs the full deterministic floor through the gateway with your own Gemini key.

guide + continue

Control · + Team

Connect the cloud control plane for team human-in-the-loop and SOC approvals, shared dashboards, and a fleet-wide audit trail. Central oversight for when one machine isn't the whole story.

review + govern

Request access—we'll send your gateway keys to run the floor locally, plus the cloud control plane (team HITL, SOC & shared dashboards) when you're ready.

One decorator. No boilerplate. Runs on your laptop.

01

Zero-Config Reflection

Drop one lightweight Python decorator—@agentx_protect—over any tool. The reflection engine inspects the function signature automatically, serializes the risky inputs, and ignores connection objects like a SQLAlchemy session. No boilerplate, no payload schemas. (A thin Node client is available too.)

02

Out-of-Prompt Protection

Enforced by a dependency-free Layer 0 keyword/intent shield that blocks blatant compromises in-process, in under a millisecond, with zero gateway or LLM calls. Novel or obfuscated threats escalate to the neuro-symbolic gateway for deeper reasoning. Escalation requires the gateway, so the keyless Shield relies on Layer 0 alone: a call that is obfuscated past its patterns is not examined by a second layer until you connect the gateway.

03

Local-First, No Signup

Runs entirely on your machine—no LLM key, no account, nothing leaves your laptop. Every intercept commits to a local SQLite ledger first, so it survives restarts and works fully offline. Add your own LLM key only to unlock recovery coaching; link to the cloud control plane only when you want team HITL & SOC.

What AgentX blocks today

The irreversible classes, grouped. The deterministic floor catches them at the execution layer—before the call runs, with zero LLM calls and no API key. Grounded in a catalog of real agent-failure incidents.

1 · Intercept

One decorator (or the gateway) sees every tool call before it executes—no schema, no boilerplate.

2 · Decide deterministically

A hard floor of structural rules catches the irreversible classes with zero LLM calls; only novel or ambiguous cases escalate to the reasoning layer.

3 · Block or coach

The catastrophic call is stopped pre-execution. With your own LLM key, the block becomes a coached challenge—the agent revises and finishes.

Destructive data ops

DROP TABLE · TRUNCATE · DELETE with no WHERE · ALTER TABLE … DROP COLUMN

Blocked pre-execution

Secret & PII exfiltration

credential / secret reads · named-PII customer reads · export to an external sink

Blocked pre-execution

SSRF & network traversal

169.254.169.254 (cloud metadata endpoint) · loopback / link-local · confused-deputy fetch · mass port scan (nmap)

Blocked pre-execution

Shell, files & cloud teardown

rm -rf · path traversal → /etc/shadow · curl | sh · terraform destroy · bucket / volume delete

Blocked pre-execution

Money, comms & dependencies

large transfer · runaway spend (budget ceiling) · runaway provisioning (fleet ceiling) · inbox / bulk wipe · external publish · unverified install

Held for human approval

Runaway loops

no-progress command loop · stuck-command repeat

Circuit-broken

…and the agent keeps going

Recover · + your LLM key

Blocked: notes="…; DROP TABLE users;"

Coached: "Destructive write blocked. Scope with a WHERE key or use an aggregate—don't drop the table."

Agent revises: SELECT COUNT(*) FROM users

Continues.

The task finishes—no wiped table, no dead run, no wasted tokens.
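How a deterministic floor of this shape fits together, as one added Python illustration covering the three steps above (intercept, decide deterministically, block or coach), the destructive-SQL / SSRF / shell classes in the table, and the blocked-then-coached flow just shown. This is not AgentX's SDK, gateway or rule set: `agent_shield`, `check`, `run_with_recovery` and every regex are stand-ins written for this page, `FakeDB` and the revising agent are constructed inputs, and the page does not show how `agentx_protect` is implemented.

```python
import inspect
import ipaddress
import re
from functools import wraps
from urllib.parse import urlparse

class BlockedAction(Exception):
    """Raised before the guarded body runs; `.hint` carries the coaching text."""
    def __init__(self, rule, hint):
        super().__init__(f"{rule}: {hint}")
        self.rule, self.hint = rule, hint

# Rule tables: (name, pattern, coaching hint). Illustrative rules written for this page, not AgentX's own.
_SQL_RULES = [
    ("drop_table", re.compile(r"\bDROP\s+TABLE\b", re.I),
     "Destructive write blocked. Scope with a WHERE key or use an aggregate; don't drop the table."),
    # DELETE whose FROM target is followed directly by end-of-statement, i.e. no WHERE clause.
    ("delete_no_where", re.compile(r"\bDELETE\s+FROM\s+[\w.\"`]+\s*(?:;|$)", re.I | re.M),
     "DELETE without WHERE wipes the table; add a WHERE clause."),
]
_SHELL_RULES = [
    ("rm_rf", re.compile(r"\brm\s+-(?:\w*r\w*f|\w*f\w*r)\b"), "Recursive force-delete blocked."),
    ("curl_pipe_sh", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
     "Piping a download straight into a shell blocked."),
]
_URL = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"<>]+", re.I)

def _is_internal_host(host):
    """Literal loopback / link-local (169.254.169.254 included) / private IPs, plus localhost."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: this floor does not resolve DNS, so it cannot judge it
    return ip.is_loopback or ip.is_link_local or ip.is_private

def check(text):
    """Deterministic floor: (rule, hint) for the first rule that fires, else None."""
    for url in _URL.findall(text):
        host = urlparse(url).hostname
        if host and _is_internal_host(host):
            return ("ssrf_internal_target", "Request to a loopback, link-local or private address blocked.")
    sql = re.sub(r"--[^\n]*|/\*.*?\*/", " ", text, flags=re.S)  # a trailing comment must not hide a missing WHERE
    for name, pattern, hint in _SQL_RULES:
        if pattern.search(sql):
            return (name, hint)
    for name, pattern, hint in _SHELL_RULES:
        if pattern.search(text):
            return (name, hint)
    return None

def agent_shield(agent_id):
    """Decorator: bind the call to the signature, screen each str argument, ignore the rest
    (a DB session or HTTP client is never serialized), and raise before the body runs."""
    def decorate(fn):
        sig = inspect.signature(fn)

        @wraps(fn)
        def wrapper(*args, **kwargs):
            for name, value in sig.bind_partial(*args, **kwargs).arguments.items():
                verdict = check(value) if isinstance(value, str) else None
                if verdict:
                    raise BlockedAction(verdict[0], f"[{agent_id}.{fn.__name__}:{name}] {verdict[1]}")
            return fn(*args, **kwargs)  # reached only when no rule fired
        return wrapper
    return decorate

def run_with_recovery(tool, revise, max_rounds=2, **kwargs):
    """Block-and-coach loop: on a block, pass the hint to `revise`, which returns new kwargs."""
    for _ in range(max_rounds + 1):
        try:
            return tool(**kwargs)
        except BlockedAction as blocked:
            kwargs = revise(blocked.hint, kwargs)
    raise RuntimeError("agent did not recover within the allowed rounds")

class FakeDB:
    """Constructed stand-in for a DB session; records what actually executed."""
    def __init__(self): self.executed = []
    def execute(self, sql):
        self.executed.append(sql)
        return f"ok: {sql}"

@agent_shield(agent_id="crm_worker")
def dispatch_update(client_id, notes, db=None):
    return db.execute(notes)  # never reached when `notes` trips a rule

def demo():
    """Constructed agent that answers the coaching hint by switching to an aggregate read."""
    db = FakeDB()
    def revise(hint, kwargs):
        return {**kwargs, "notes": "SELECT COUNT(*) FROM users"}
    result = run_with_recovery(dispatch_update, revise,
                               client_id="c-99401", notes="...; DROP TABLE users;", db=db)
    return result, db.executed
```

Two things the block makes concrete. First, a literal-matching floor only sees what is literally there: `check` strips SQL comments so `DELETE FROM users -- WHERE id = 7` still counts as a DELETE without WHERE, but it cannot classify `http://metadata.example/` or a decimal-encoded IP without a resolver, which is exactly the kind of case the page routes to the gateway. Second, the block and the coaching hint are the same event: the decorator raises before the body runs, and the recovery loop turns that raise into a revised call, so the fake session only ever sees the aggregate query.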

Deterministic floor: zero LLM calls, no key. Block is free with Shield; coached recovery needs your LLM key; team human-in-the-loop approvals run on the cloud control plane.