Detection is free. Enforcement is the product.
The source-available core detects, reacts, and advises the agent, free forever. Active Defence is for production: a hijacked agent physically cannot run what you didn't pre-authorize, and it cannot switch the guard off. You pay to turn “detected” into “impossible.”
Free
See everything. Stop a single agent.
- 82 detectors, correlation, eBPF sensor, on-device Warden model
- Reactive response: block IP, kill process, suspend user, honeypot
- AI-agent guardrail (advisory): check-command, MCP proxy, taint tracking
- Arm the Execution Gate on one agent (observe → rehearse → enforce), no licence needed
- Hash-chained audit + off-host anchor CLI
- Local dashboard, alerts (Telegram/Slack/webhook), SIEM (CEF)
Active Defence
Make it kernel-impossible, not just detected.
- Always-on Execution Gate across every agent: nothing runs unless pre-authorized
- Agent-scoped enforce, lock each agent's process tree, host untouched
- DNS Guard enforce: malicious domains never resolve
- Anti-tamper watchdog: integrity + stealth, survives a root attacker
- Managed allowlist + curated policy
- Everything in Free
Enterprise
Fleet, compliance, and sovereignty, with a human on call.
- Fleet: multi-host + per-tenant attribution (k8s pod → tenant)
- Signed off-host audit anchors (auditor-grade tamper evidence)
- Air-gapped / sovereign deployment, no cloud dependency
- SSO, priority support, SLA, onboarding
- Compliance mapping (ISO 27001, MITRE Navigator export)
- Everything in Active Defence
Platform / OEM
Ship the guardrail inside your agent product.
- Embed the kernel guardrail in the runtime you ship to customers
- One integration protects every workload you deploy
- Per-tenant attribution + pod-scoped enforcement built in
- Co-engineering + a direct line to the people writing the eBPF
- Volume / revenue-share licensing
Active Defence is priced per protected agent (per registered agent slot) for single-box and small deployments, so it maps to the unit of risk: one rogue agent is the incident. Fleets with many short-lived agents per node are priced per node instead, and enterprise deployments are scoped as a contract. Talk to us and we'll fit the meter to how you actually run agents.
The upgrade trigger is never “detect better.”
Free already enforces reactively and runs the full advisory guardrail. Teams pay for one of three things:
Make it impossible, not just detected
Free blocks reactively and can arm the gate on one agent. Paid keeps enforcement always-on across every agent and adds a watchdog a root attacker cannot switch off.
Prove it to someone
An auditor, a customer's security review, a cyber insurer. Signed off-host audit anchors turn a local record into third-party tamper-evidence.
Don't operate it alone
Curated policy, a managed allowlist, fleet aggregation, SLA, and support, for teams that need the outcome without running the machinery.
Free vs Active Defence, per real scenario
| Situation | Runs free | Pays when… |
|---|---|---|
| Claude Code for staff on Kubernetes | Advisory guardrail + per-tenant attribution + per-pod detection | Per-pod enforce (unknown binary impossible) + fleet console + support |
| OpenClaw on a VM (single box) | Guardrail + check-command + detection | Armed gate (kernel denies) + anti-tamper watchdog |
| CI runner running an agent on PRs | Advisory check-command on every command | Actually block exec of non-allowlisted binaries in the runner |
| Cursor on a senior dev's Linux workstation | Guardrail + local detection (the right fit) | Usually stays free, and that is fine |
| Long-running autonomous agent (Devin-like) | Hash-chained audit + advisory | Enforce while it runs unattended + signed audit of what it did |
| Remediation agent that touches prod | Reactive skills (block/kill, reversible) + advisory | Pre-authorization (agent runs only the approved set) + audit |
| Agent with access to a customer DB | Detection + advisory | DNS Guard enforce (exfil domain won't resolve) + egress lockdown |
| Vendor building an agent platform | n/a | Always licensed, embed the enforcement in their product (OEM) |
| Team using 10 third-party MCP servers | MCP proxy advisory + taint tracking (alert) | Proxy in guard/kill mode blocking tool-poisoning, managed |
| Regulated fintech / healthcare | Local audit + anchor CLI | Signed off-host anchor (auditor tamper-evidence) + enforce + SLA |
| Defence / gov, air-gapped | Everything local (detection + advisory) | Enforce + stealth watchdog + sovereign support (pays the most) |
| Solo dev / small team, exposed VPS, no SOC | Full EDR, block IP, honeypot (free forever) | Almost never, and the free tier is complete on its own |
The first partners don't pay list price.
We are taking a small number of design partners onto Active Defence at a steep discount (or free) in exchange for a logo, a case study, and direct feedback that shapes the roadmap. You get the founding team on your threat model, and pricing locked in before the list price applies.
curl -fsSL https://www.innerwarden.com/install | sudo bash