Let AI agents touch real infrastructure. Safely.
Prompt filters control what it says. InnerWarden controls what it does.
One poisoned file, PR, or web page can turn your agent into an attacker on your own machine. InnerWarden stops that below the agent, in the operating system, where a hijacked agent can't reach. Self-hosted on Linux, macOS, and Windows. Your machines, your data, your rules.
curl -fsSL https://www.innerwarden.com/install | sudo bashAn AI agent stops being a chatbot when it can act.
Files, tickets, web pages, and tool output can all contain hidden instructions. InnerWarden supervises the runtime outside the agent, where a compromised prompt cannot simply switch it off.
Sandboxes keep agents safe by keeping them useless.
The value of an agent is that it can touch real systems: your repos, your servers, your data. There are three ways to live with that, and only one keeps the agent useful without trusting it to police itself.
Sandboxes
Lock the agent in a disposable VM and it cannot touch your repos, your servers, or your data. That is the work you wanted done.
Prompt guardrails
System-prompt rules trust the agent to police itself. One poisoned file or tool output can talk the model out of its rules.
InnerWarden
The agent works on the real machine. The rules are enforced below it, in the kernel, where a compromised agent cannot reach.
Malware tries to run. The kernel refuses. Watch it happen.
This is exactly what happens on a real machine running InnerWarden: an attacker's binary tries to execute inside the agent's environment and the operating system refuses it before a single instruction runs. No sandbox to escape, no prompt to trick. Denied is denied.
See the full kernel evidenceGuard. Enforce. Prove.
Three jobs, on a hardened Linux host: 82 host detectors and an eBPF sensor watch the machine underneath, so the guardrail has a backstop when an agent, dependency, or attacker slips the polite layer.
Freedom, with boundaries.
Every command and MCP/tool call is screened for secret theft, destruction, and unsafe changes, free. Legitimate work keeps running; risky actions get reviewed or denied. Not a sandbox that keeps agents useless.
From tool call to syscall.
The Execution Gate denies any binary that wasn't pre-authorized and DNS Guard refuses to resolve malicious domains, enforced in the kernel below anything a hijacked agent can reach. Not detected, impossible.
Local-first. Yours to prove.
The decision, the policy, and a hash-chained, signable audit trail stay on your infrastructure; the model runs on-device and works air-gapped. Evidence for an auditor, a customer, or a regulator, not just for you.
The agents shipped. The guardrail didn't.
Coding agents, ops agents, and autonomous runners now hold a real shell on real servers. The blast radius moved from a wrong answer to a compromised host, and nothing owns that risk at the kernel layer.
When an autonomous agent breaks something, no cloud console answers for it, you do. The controls, the evidence, and the off switch have to live on your own infrastructure, under your name.
Emerging AI rules and cyber insurers are about to demand provable control over what autonomous agents do, exactly the tamper-evident, on-host evidence InnerWarden produces today.
Anthropic published the security framework for deploying AI agents. It describes two layers: the agent-side controls Claude Code ships, and the host enforcement and defensive operations underneath. InnerWarden is that layer.
Free to run. Active Defence when you go to production.
The free tier runs the full detection, the advisory guard, and single-agent kernel enforcement on your own machines. Active Defence adds always-on enforcement across production and a tamper-proof watchdog a compromised agent cannot switch off. It is guarding production AI agents today.
See everything. Stop a single agent.
Detect and audit every agent action, gate the agent before it acts, and arm the kernel gate on one agent. Your own hosts.
- Self-hosted Linux monitoring and autonomous response
- AI-agent command checks and MCP/tool guardrails
- Local dashboard, alerts, and hash-chained audit trail
- Arm the kernel execution gate on a single agent, no licence needed
The Execution Gate
Always-on kernel enforcement, fleet management, and a tamper-proof watchdog a compromised agent cannot switch off. For teams running agents in production and regulated environments.
- Execution Gate: nothing runs unless pre-authorized, enforced by an eBPF LSM hook in the kernel
- Agent-scoped enforcement: gate one agent's process tree, leave the host untouched
- DNS Guard: malicious domains never resolve, C2 callbacks fail at lookup
- Signed tamper-evident audit anchors, fleet and per-tenant controls
Licensed source access for security review and procurement is available to customers. Source-available, not open source.
What everyone asks before installing.
Will it slow down or interrupt my agent?
No. InnerWarden watches from outside the agent's process, and nothing blocks until you decide to arm enforcement. Before you do, rehearse mode shows you exactly what would have been denied, so day one is all signal and zero surprises.
Do I need a cloud account?
No. InnerWarden is self-hosted: detection, verdicts, and the audit trail all live on your machines. There is no mandatory cloud control plane and your data never leaves the box.
Which platforms does it run on?
Linux gets the full tier, including enforcement in the kernel itself. macOS and Windows run the free monitoring tier with command screening for your agents. One install command per platform.
Is the source available?
Yes. InnerWarden is source-available: the core source is licensed to customers to read and audit, not public open source. Active Defence, the kernel-enforced pre-authorization tier for production, is the commercial step on top.
Which agents does it work with?
Claude Code, Cursor, OpenClaw, and any MCP client, plus a local API any agent can call. If it runs commands on a machine you care about, InnerWarden can guard it.
What does it cost?
The core is free forever, including arming the kernel gate on one agent. Active Defence, always-on enforcement across production with the anti-tamper watchdog, is $50 per protected agent per month, billed annually. Full details on the pricing page.
Bring us the work you want agents to do safely.
Design partners work directly with the founding team: a 1:1 threat-modelling session for your agent stack, priority on the controls you need, and a steep discount on list pricing locked in for launch.
Apply for early access
Read by the foundersOne minute to fill in. Every submission gets a personal reply.
