A firewall for the agent’s context, memory, tools, and actions.
Your agent’s weakest point is not the prompt — it is the context it trusts. The firewall sits between context and action, deciding what each class of context is allowed to influence.
Enforcement at every context boundary.
Not model-level “please behave” prompts. Policy enforced at context provenance, retrieval, memory writes, tool gateways, and outbound actions.
Context provenance & trust
Tag every recalled, tool-result, and retrieved span — and instruct the model to treat withheld content as data, never commands.
Source-to-sink policy
Declare which context classes may influence which actions — external content can answer, but can't authorize an export.
Ingress injection screening
Deterministic detectors first, then a purpose-built specialist classifier on what passes — catching override, jailbreak, and exfiltration directives. Quarantine, don't drop; fail-open.
Egress DLP
Stop secrets, Luhn-validated cards, mod-97 IBANs, and PII in tool args and the model's own prose — redact, tokenize + vault, or block.
Insecure-output defang
Neutralize shell, SQL, and script constructs the model emits toward a sink.
Tool-call inspection
Inspect name, arguments, target resource, identity, tenant, and side effects before execution.
MCP tool-integrity
Hash-pin name + description + schema at first enumerate; flag rug-pull drift and cross-namespace shadowing.
Identity & consent
Mint short-lived, scoped per-call tokens (fail-closed) and refuse in-band consent spoofing.
Memory safety
A RAG source-ACL recall gate plus a write-gate that refuses to store a poisoned plant — so a later replay finds nothing.
Agent-to-agent defense
HMAC-sign peer messages with replay protection; a cascade circuit-breaker withholds on unverified upstream output.
Network / SSRF guard
Block metadata, loopback, and link-local destinations — including obfuscated IPs — by default.
Multimodal screening
Decode OCR / EXIF / QR so image-borne instructions hit the same screener as text.
Quotas & rate limits
Per-tenant rate-limit, token-budget, and CIDR enforcement — real volume control, not just detection.
Tamper-evident audit
Every decision in a hash-chained audit log, mapped to SOC 2 / EU AI Act evidence.
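An added illustration of the MCP tool-integrity item above (example code, not the product's own): each tool's name, description and input schema is hash-pinned at first enumerate, and later enumerations are diffed against the pin to flag rug-pull drift and cross-namespace shadowing. The class and function names, the finding format and the sample tool definitions are assumptions.

```python
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over canonical JSON of name + description + input schema,
    so key order or whitespace in the server's listing can't change the pin."""
    pinned = {"name": tool["name"],
              "description": tool.get("description", ""),
              "inputSchema": tool.get("inputSchema", {})}
    canon = json.dumps(pinned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

class ToolPins:
    """Pins tool definitions per MCP server on first enumerate; later
    enumerations are diffed against the pins instead of being trusted.
    Pins are kept on drift until an operator deliberately re-pins."""

    def __init__(self):
        self._pins: dict[tuple[str, str], str] = {}  # (server, tool) -> fingerprint

    def check(self, server: str, tools: list[dict]) -> list[dict]:
        """Return findings for the gateway to act on (block the call, alert)."""
        findings = []
        for tool in tools:
            name, fp = tool["name"], tool_fingerprint(tool)
            key = (server, name)
            if key not in self._pins:
                self._pins[key] = fp
                # Same tool name already pinned under a different server:
                # a second definition can shadow the one the agent expects.
                others = sorted(s for s, n in self._pins if n == name and s != server)
                if others:
                    findings.append({"server": server, "tool": name,
                                     "verdict": "shadowing", "conflicts_with": others})
            elif self._pins[key] != fp:
                # Rug pull: name unchanged, description or schema drifted since the pin.
                findings.append({"server": server, "tool": name, "verdict": "drift"})
        return findings
```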
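An added illustration of the network / SSRF guard item above (example code, not the product's own): a default-deny check on outbound URLs that normalizes obfuscated IPv4 literals (decimal, hex, octal and short-form dotted) and IPv4-mapped IPv6 before matching against metadata, loopback, link-local and private ranges. The function names, the verdict strings and the blocked-range list are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit
# Default-deny destinations: cloud metadata, loopback, link-local, RFC1918, "this" net.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def _part(p: str) -> int:
    """One inet_aton-style component: hex (0x7f), octal (0177) or decimal."""
    if not p.isalnum():  # rejects '', '-1', '1_0' and whitespace that int() would accept
        raise ValueError(p)
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)

def literal_ip(host: str):
    """Address a host literal denotes (incl. obfuscated IPv4), or None for a DNS name."""
    if ":" in host:  # IPv6 literal; unwrap ::ffff:a.b.c.d mappings
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
        return ip.ipv4_mapped or ip
    try:
        nums = [_part(p) for p in host.lower().split(".")]
    except ValueError:
        return None
    if not 1 <= len(nums) <= 4:
        return None
    value = 0
    for n in nums[:-1]:  # leading parts are single octets
        if n > 255:
            return None
        value = (value << 8) | n
    last_bits = 8 * (5 - len(nums))  # last part fills the remaining bytes
    if nums[-1] >= 1 << last_bits:
        return None
    return ipaddress.ip_address((value << last_bits) | nums[-1])

def ssrf_verdict(url: str) -> str:
    """'block', 'allow', or 'resolve' (DNS name: resolve, then re-check each answer)."""
    host = urlsplit(url).hostname
    if not host:
        return "block"
    ip = literal_ip(host)
    if ip is None:
        return "resolve"
    return "block" if any(ip in net for net in BLOCKED) else "allow"
```

A "resolve" verdict means the guard must resolve the name itself and run every returned address back through the same range check before connecting, so a DNS answer cannot bypass the literal check.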
Five decisions on every flow.
The firewall classifies each piece of context and each attempted action, then resolves to one decision — recorded for audit and regression.
Every tool call is inspected — name, arguments, target resource, identity, tenant, data classification, side effects, and the trust of the context that requested it — before execution.
One policy, three surfaces.
The same declarative policy enforces inline, in front of the model, or in front of the tools — wherever it fits your stack.
Drop screen_egress / screen_tool into a LangGraph or ReAct loop — no proxy, no network hop.
An OpenAI-, Anthropic-, Bedrock-, and Gemini-compatible endpoint that screens requests and responses, streaming-aware and fail-closed.
A JSON-RPC gateway that screens every tools/call before execution and every result before it re-enters context — the hard-enforcement boundary.
Built to be trusted between your agent and the world.
A security layer you can put inline without inheriting a new bill, a new model dependency, or a new region problem.
Deterministic-first screening
Fast deterministic detectors run first, then a purpose-built specialist classifier checks what passes — not a generative LLM-judge in the hot path. Two tiers, fail-open: an outage falls back to detectors, never quarantines clean traffic.
Your model stays yours
The firewall fronts your agent and screens the boundary — bring your own model, keys, and provider bill. We screen the traffic; we never proxy-resell tokens or replace your model.
Choose your region
Run the managed service in the USA, EU, or UK for data residency — or self-host the data plane in your own VPC for full control.
Overhead you can ignore.
A firewall in the request path has to be fast. The deterministic tier is CPU-cheap — measured, not estimated.
Inline SDK adds only screening CPU — no network hop. A quota rule adds one ~0.1–0.2 ms Redis round-trip; the opt-in classifier and OCR tiers add inference only when enabled.
Attack paths become enforceable controls.
We don’t just scan prompts. We attack the full agent loop with hostile users, poisoned context, malicious tools, and real exploit chains — then convert the findings into source-to-sink policy for the Context Firewall.
Re-test after every change. Prove the path stays closed.
Model swap, new prompt, new tool, new retrieval source, new policy — each resets your risk posture. Ultra13 re-runs the offensive suite and produces fresh evidence.
Any change to model, prompt, tool, retrieval, or policy queues a regression run.
The same offensive agents replay known exploit chains plus new variants.
Before/after results, blocked-action logs, and a residual-risk register.
Proof, held to a precision bar that can’t regress.
Every defended family runs undefended (the attack lands) and then behind the firewall (it’s neutralized) — a two-pass OFF→ON harness across 38 families, gated on fixed deterministic benchmarks so neither side can silently rot.
// 33 covered · 5 partial · 0 gap (of 38 families) · 9 / 10 OWASP ASI Top 10 classes
Deploy the firewall around one high-risk agent workflow.
We attack it, contain it at the context boundary, and prove the exploit path is closed.