Free to run locally — onboarding gateway partners

Stop AI agents before they drop your production database.

Block the catastrophic deterministically. Coach the recoverable.

It physically can't run the destructive call—even when your agent tries. With your own LLM key, the block becomes a coached recovery: the agent revises and finishes instead of dying on a 403.

Start free, on your machine—no LLM key, nothing leaves your laptop. Add your own LLM key to unlock Recover; connect the cloud control plane for team HITL & SOC.

Live across the protected network

Catastrophic Actions Blocked: irreversible / exfiltration actions stopped pre-execution.

Autonomous Recovery Rate: share of challenged agents that self-corrected.

Agent Runs Protected: runs that self-corrected vs. crashed.

Engineering Time Saved: ~est. 20 min saved per protected run.

Try it in 30 seconds — no Docker, no key, no signup

$ pip install agentx-security-sdk

from agentx_sdk import agentx_protect, is_block

@agentx_protect(agent_id="crm_worker")
def dispatch_update(client_id, notes, db=None):
    # never reached — the shield blocks the call first
    return db.execute(notes)

# a DROP TABLE smuggled into the notes via prompt injection:
out = dispatch_update("c-99401", "...; DROP TABLE users;")
is_block(out)  # -> True · blocked locally · no key

That's the keyless Layer-0 shield—it stops the blatant catastrophic calls (DROP TABLE, secret-exfil, SSRF) right in process RAM, no key required. Only dependency-reputation checks ever reach a public registry.

Next → drop in your own Gemini key and the block becomes a coached recovery: the agent revises and finishes the task instead of dying on a 403. That's Recover.

Ready for the full deterministic floor (AST parsing, SSRF normalizer, the whole failure catalog) plus team HITL/SOC? Run the gateway:

$ docker compose up -d   # the full floor runs here

The gateway image ships with design-partner access—request it below.

Shield · Free · Local

pip install + run the gateway. The full deterministic floor hard-blocks your agent's catastrophic call before it runs—no LLM key, no security team, runs on your machine.

block + nudge

Recover · + your Gemini key

The block becomes a coached, recoverable challenge—your agent revises and finishes the task instead of dying on a 403. Keep shipping, unattended.

guide + continue

Control · + Cloud

Connect the cloud control plane for team human-in-the-loop & SOC approvals, shared dashboards, and a fleet-wide audit trail—central oversight for when one machine isn't the whole story.

review + govern

Request access—we'll send your gateway keys to run the floor locally, plus the cloud control plane (team HITL, SOC & shared dashboards) when you're ready.

One decorator. No boilerplate. Runs on your laptop.

01

Zero-Config Reflection

Drop one lightweight Python decorator—@agentx_protect—over any tool. The reflection engine inspects the function signature automatically, serializes the risky inputs, and ignores connection objects like a SQLAlchemy session. No boilerplate, no payload schemas. (A thin Node client is available too.)

02

Out-of-Prompt Protection

Enforced by a dependency-free Layer 0 keyword/intent shield that blocks blatant compromises right inside process RAM in under a millisecond—zero gateway or LLM calls. Novel or obfuscated threats escalate to the neuro-symbolic gateway for deeper reasoning.

03

Local-First, No Signup

Runs entirely on your machine—no LLM key, no account, nothing leaves your laptop. Every intercept commits to a local SQLite ledger first, so it survives restarts and works fully offline. Add your own LLM key only to unlock recovery coaching; link to the cloud control plane only when you want team HITL & SOC.

What AgentX blocks today

The irreversible classes, grouped. The deterministic floor catches them at the execution layer—before the call runs, with zero LLM calls and no API key. Grounded in a catalog of real agent-failure incidents.

1 · Intercept

One decorator (or the gateway) sees every tool call before it executes—no schema, no boilerplate.

2 · Decide deterministically

A hard floor of structural rules catches the irreversible classes with zero LLM calls; only novel or ambiguous cases escalate to the reasoning layer.

3 · Block or coach

The catastrophic call is stopped pre-execution. With your own LLM key, the block becomes a coached challenge—the agent revises and finishes.

Destructive data ops

DROP TABLE · TRUNCATE · DELETE with no WHERE · ALTER DROP COLUMN

Blocked pre-execution

Secret & PII exfiltration

credential / secret reads · named-PII customer reads · export to external sink

Blocked pre-execution

SSRF & network traversal

169.254.169.254 · loopback / link-local · confused-deputy fetch

Blocked pre-execution

Shell, files & cloud teardown

rm -rf · path traversal → /etc/shadow · curl | sh · terraform destroy · bucket / volume delete

Blocked pre-execution

Money, comms & dependencies

large transfer · runaway spend (budget ceiling) · inbox / bulk wipe · external publish · unverified install

Held for human approval

Runaway loops

no-progress command loop · stuck-command repeat

Circuit-broken

…and the agent keeps going

Recover · + your LLM key

Blocked: notes="…; DROP TABLE users;"

Coached: "Destructive write blocked. Scope with a WHERE key or use an aggregate—don't drop the table."

Agent revises: SELECT COUNT(*) FROM users

Continues: the task finishes—no wiped table, no dead run, no wasted tokens.
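As an added example (not the AgentX SDK's own code, which the page imports from agentx_sdk), here is a minimal deterministic floor in the shape the "Zero-Config Reflection", "Out-of-Prompt Protection", the blocked-class catalog and the Recover walkthrough describe: a decorator reflects the call onto the tool's signature, serializes only string-like arguments (connection objects are skipped, not inspected), runs a small catalog of structural rules, and returns a Block carrying a coaching hint instead of executing. The names deterministic_floor, Block, the rule names and the FakeDB stand-in are hypothetical; the rules are regexes, not the AST parser the page attributes to the gateway, so they show the idea rather than the product's coverage.

```python
# Added example, not the AgentX SDK's code: a minimal deterministic
# pre-execution floor in the shape the page describes. deterministic_floor,
# Block, the rule names and FakeDB are hypothetical illustrations.
import functools
import inspect
import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Callable, Iterator
from urllib.parse import urlparse


@dataclass(frozen=True)
class Block:
    rule: str
    hint: str  # coaching text a key-backed recovery layer could hand back to the agent


def is_block(result: Any) -> bool:
    return isinstance(result, Block)


# Structural rules (regexes here; the page's gateway uses an AST parser for SQL).
_SQL_DROP = re.compile(
    r"\b(DROP\s+TABLE|TRUNCATE(\s+TABLE)?|ALTER\s+TABLE\s+\w+\s+DROP\s+COLUMN)\b", re.I)
_SQL_DELETE_NO_WHERE = re.compile(r"\bDELETE\s+FROM\s+\w+\s*(;|$)", re.I)
_SHELL_TEARDOWN = re.compile(
    r"(\brm\s+-[a-z]*r[a-z]*f|\bterraform\s+destroy\b|\bcurl\b[^|]*\|\s*(ba)?sh\b)", re.I)
_PATH_TRAVERSAL = re.compile(r"(\.\./|/etc/shadow)")


def _ssrf_target(s: str) -> bool:
    """True for http(s) URLs whose host is loopback or link-local (e.g. 169.254.169.254)."""
    try:
        u = urlparse(s)
        if u.scheme not in ("http", "https") or not u.hostname:
            return False
        if u.hostname == "localhost":
            return True
        ip = ipaddress.ip_address(u.hostname)
    except ValueError:
        return False  # malformed URL or a DNS name; resolution-time checks belong in the gateway
    return ip.is_loopback or ip.is_link_local


RULES = [
    ("destructive_data_op",
     lambda s: bool(_SQL_DROP.search(s) or _SQL_DELETE_NO_WHERE.search(s)),
     "Destructive write blocked. Scope with a WHERE key or use an aggregate; don't drop the table."),
    ("ssrf_link_local", _ssrf_target,
     "Fetch to a loopback/link-local address blocked. Call the public service endpoint instead."),
    ("shell_teardown",
     lambda s: bool(_SHELL_TEARDOWN.search(s) or _PATH_TRAVERSAL.search(s)),
     "Destructive shell command blocked. Use a reversible, path-scoped operation."),
]


def _strings(value: Any) -> Iterator[str]:
    """Serialize only primitives and containers; sessions, clients and other
    objects (the page's 'connection objects') are skipped, not inspected."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, bytes):
        yield value.decode("utf-8", "replace")
    elif isinstance(value, (list, tuple, set)):
        for v in value:
            yield from _strings(v)
    elif isinstance(value, dict):
        yield from _strings(list(value.items()))  # keys and values, via the tuple branch


def deterministic_floor(agent_id: str, rules=RULES) -> Callable:
    """Decorator: reflect the call onto the signature, check every string-like
    argument against the catalog, and return a Block before the body runs."""
    def deco(fn: Callable) -> Callable:
        sig = inspect.signature(fn)

        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            for name, value in bound.arguments.items():
                for s in _strings(value):
                    for rule, pred, hint in rules:
                        if pred(s):
                            return Block(rule, f"[{agent_id}:{name}] {hint}")
            return fn(*args, **kwargs)
        return wrapper
    return deco


class FakeDB:
    """Constructed stand-in for a DB session: records what actually executed."""
    def __init__(self) -> None:
        self.executed: list = []

    def execute(self, sql: str) -> str:
        self.executed.append(sql)
        return f"ok: {sql}"


@deterministic_floor(agent_id="crm_worker")
def dispatch_update(client_id: str, notes: str, db: FakeDB = None):
    return db.execute(notes)


@deterministic_floor(agent_id="crm_worker")
def fetch(url: str) -> str:
    return f"fetched {url}"


def demo():
    db = FakeDB()
    blocked = dispatch_update("c-99401", "...; DROP TABLE users;", db=db)        # prompt-injected
    scoped = dispatch_update("c-99401", "DELETE FROM users WHERE id = 7", db=db)  # has WHERE: allowed
    revised = dispatch_update("c-99401", "SELECT COUNT(*) FROM users", db=db)     # the coached rewrite
    ssrf = fetch("http://169.254.169.254/latest/meta-data/")
    return blocked, scoped, revised, ssrf, db.executed
```

The Block's hint is the same text an LLM-backed recovery step would hand back to the agent; the revised aggregate query passes the floor and is the only statement FakeDB ever sees, while a scoped DELETE with a WHERE key is let through because the rule keys on the absence of a predicate, not on the verb alone.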

Deterministic floor: zero LLM calls, no key. Block is free with Shield; coached recovery needs your LLM key; team human-in-the-loop approvals run on the cloud control plane.