Ultra13
Security · Architecture

Where does Ultra13 sit in your stack?

Ultra13 can run inline inside the agent loop, as an LLM-compatible proxy, or as an MCP / tool gateway. The same source-to-sink policy model controls context assembly, memory reads and writes, tool calls, outbound actions, and final output screening. Teams can start in monitor mode, then enforce on high-risk sinks such as exports, shell execution, webhook egress, tenant-crossing actions, and persistent memory writes.

By the Ultra13 teamPublished Updated
TL;DR
  • Three deployment modes: inline SDK, LLM-compatible proxy, or MCP / tool gateway.
  • One source-to-sink policy model governs context, memory, tools, egress, and output.
  • Start in monitor mode, then enforce on high-risk sinks.
  • Every decision is logged with provenance for replay and audit.

Three places Ultra13 can sit

  1. Inline SDK inside the agent loop — screening context assembly, memory reads/writes, tool calls, and egress.
  2. LLM-compatible proxy in front of model requests and responses.
  3. MCP / tool gateway in front of JSON-RPC tool calls and results.

What gets logged

In all modes, policy decisions are logged with source provenance, sink, action arguments, identity, tenant, data class, decision, rule ID, and replay metadata — the basis for the evidence in the Trust Centre and a proof report.

Monitor first, then enforce

Start in monitor mode to observe the agent loop and flag exploit paths without changing behaviour, then enforce on high-blast-radius sinks. This mirrors the fail-open detection / fail-closed enforcement split described on the Context Firewall page.

FAQ

Frequently asked questions

Can Ultra13 run in our own VPC?
Self-hosted and VPC deployment options are covered in the Trust Centre. Confirm current availability with the team for your region and requirements.
Do we have to enforce immediately?
No. Start in monitor mode to gather evidence, then enforce on the high-risk sinks first — exports, shell/code execution, webhook egress, tenant-crossing actions, and persistent memory writes.

See where the firewall stops the path.

Give us one agent workflow. We’ll map the context boundary, replay the abuse paths, and show where the Context Firewall blocks them.