Skip to content
Runtime protection for AI agents

Let AI agents touch real infrastructure. Safely.

Prompt filters control what it says. InnerWarden controls what it does.

One poisoned file, PR, or web page can turn your agent into an attacker on your own machine. InnerWarden stops that below the agent, in the operating system, where a hijacked agent can't reach. Self-hosted on Linux, macOS, and Windows. Your machines, your data, your rules.

Runs on Linux · macOS · WindowsLocal-first, signed binaries
Install free · one command
curl -fsSL https://www.innerwarden.com/install | sudo bash
Monitor-only by default · No cloud account, evidence stays on your machine
Works with Claude Code · Cursor · OpenClaw · any MCP client
Live from productionWatch live
attackers blocked · 7d
autonomous decisions today
0humans in the loop
Two-minute overview

An AI agent stops being a chatbot when it can act.

Files, tickets, web pages, and tool output can all contain hidden instructions. InnerWarden supervises the runtime outside the agent, where a compromised prompt cannot simply switch it off.

Why enforcement below the agent

Sandboxes keep agents safe by keeping them useless.

The value of an agent is that it can touch real systems: your repos, your servers, your data. There are three ways to live with that, and only one keeps the agent useful without trusting it to police itself.

Safe, but isolated

Sandboxes

Lock the agent in a disposable VM and it cannot touch your repos, your servers, or your data. That is the work you wanted done.

Useful, but self-policed

Prompt guardrails

System-prompt rules trust the agent to police itself. One poisoned file or tool output can talk the model out of its rules.

Useful and enforced

InnerWarden

The agent works on the real machine. The rules are enforced below it, in the kernel, where a compromised agent cannot reach.

Watch it block an attack

Malware tries to run. The kernel refuses. Watch it happen.

This is exactly what happens on a real machine running InnerWarden: an attacker's binary tries to execute inside the agent's environment and the operating system refuses it before a single instruction runs. No sandbox to escape, no prompt to trick. Denied is denied.

See the full kernel evidence
What your agent's day looks like with InnerWarden
$ malware.binsomewhere on the host
✓ runs. the host is yours, nothing else changes
$ malware.binlaunched by your hijacked agent
✗ BLOCKED by the kernel: Operation not permitted
$ git pushyour agent's real work
✓ allowed. work continues, nothing slows down
What InnerWarden does

Guard. Enforce. Prove.

Three jobs, on a hardened Linux host: 82 host detectors and an eBPF sensor watch the machine underneath, so the guardrail has a backstop when an agent, dependency, or attacker slips the polite layer.

Guard

Freedom, with boundaries.

Every command and MCP/tool call is screened for secret theft, destruction, and unsafe changes, free. Legitimate work keeps running; risky actions get reviewed or denied. Not a sandbox that keeps agents useless.

Enforce

From tool call to syscall.

The Execution Gate denies any binary that wasn't pre-authorized and DNS Guard refuses to resolve malicious domains, enforced in the kernel below anything a hijacked agent can reach. Not detected, impossible.

Prove

Local-first. Yours to prove.

The decision, the policy, and a hash-chained, signable audit trail stay on your infrastructure; the model runs on-device and works air-gapped. Evidence for an auditor, a customer, or a regulator, not just for you.

Why now

The agents shipped. The guardrail didn't.

Agents reached production

Coding agents, ops agents, and autonomous runners now hold a real shell on real servers. The blast radius moved from a wrong answer to a compromised host, and nothing owns that risk at the kernel layer.

Accountability stays with you

When an autonomous agent breaks something, no cloud console answers for it, you do. The controls, the evidence, and the off switch have to live on your own infrastructure, under your name.

Regulation is arriving

Emerging AI rules and cyber insurers are about to demand provable control over what autonomous agents do, exactly the tamper-evident, on-host evidence InnerWarden produces today.

Measured against the framework

Anthropic published the security framework for deploying AI agents. It describes two layers: the agent-side controls Claude Code ships, and the host enforcement and defensive operations underneath. InnerWarden is that layer.

See the evidence stack
Free and Active Defence

Free to run. Active Defence when you go to production.

The free tier runs the full detection, the advisory guard, and single-agent kernel enforcement on your own machines. Active Defence adds always-on enforcement across production and a tamper-proof watchdog a compromised agent cannot switch off. It is guarding production AI agents today.

Free

See everything. Stop a single agent.

Detect and audit every agent action, gate the agent before it acts, and arm the kernel gate on one agent. Your own hosts.

  • Self-hosted Linux monitoring and autonomous response
  • AI-agent command checks and MCP/tool guardrails
  • Local dashboard, alerts, and hash-chained audit trail
  • Arm the kernel execution gate on a single agent, no licence needed
Active Defence · Early access

The Execution Gate

Always-on kernel enforcement, fleet management, and a tamper-proof watchdog a compromised agent cannot switch off. For teams running agents in production and regulated environments.

  • Execution Gate: nothing runs unless pre-authorized, enforced by an eBPF LSM hook in the kernel
  • Agent-scoped enforcement: gate one agent's process tree, leave the host untouched
  • DNS Guard: malicious domains never resolve, C2 callbacks fail at lookup
  • Signed tamper-evident audit anchors, fleet and per-tenant controls

Licensed source access for security review and procurement is available to customers. Source-available, not open source.

Questions, answered

What everyone asks before installing.

Will it slow down or interrupt my agent?

No. InnerWarden watches from outside the agent's process, and nothing blocks until you decide to arm enforcement. Before you do, rehearse mode shows you exactly what would have been denied, so day one is all signal and zero surprises.

Do I need a cloud account?

No. InnerWarden is self-hosted: detection, verdicts, and the audit trail all live on your machines. There is no mandatory cloud control plane and your data never leaves the box.

Which platforms does it run on?

Linux gets the full tier, including enforcement in the kernel itself. macOS and Windows run the free monitoring tier with command screening for your agents. One install command per platform.

Is the source available?

Yes. InnerWarden is source-available: the core source is licensed to customers to read and audit, not public open source. Active Defence, the kernel-enforced pre-authorization tier for production, is the commercial step on top.

Which agents does it work with?

Claude Code, Cursor, OpenClaw, and any MCP client, plus a local API any agent can call. If it runs commands on a machine you care about, InnerWarden can guard it.

What does it cost?

The core is free forever, including arming the kernel gate on one agent. Active Defence, always-on enforcement across production with the anti-tamper watchdog, is $50 per protected agent per month, billed annually. Full details on the pricing page.

Early access

Bring us the work you want agents to do safely.

Design partners work directly with the founding team: a 1:1 threat-modelling session for your agent stack, priority on the controls you need, and a steep discount on list pricing locked in for launch.

No sales sequence. No mandatory cloud account. Your answers go to our self-hosted CRM and are used only to match pilots.

Apply for early access

Read by the founders

One minute to fill in. Every submission gets a personal reply.

Sent to our self-hosted Mautic instance. By submitting, you agree that we may contact you about InnerWarden early access. See our privacy policy.