Layer 1
Cursor hooks
block-sensitive-paths.py denies Shell, Read, Grep, and MCP access to ~/.ssh, id_rsa, .env before the agent runs.
Runtime Agent Protection · MCP · RASP
Runtime Agent Protection (RASP) for Autonomous AI Engineers.
Sqreen.ai intercepts, analyzes, and sanitizes local Model Context Protocol (MCP) tool calls on developer laptops in under 1 millisecond. Stop data exfiltration, prompt injections, and destructive shell execution—fully local, completely zero-overhead.
100% local-first by default. Tool calls are inspected on the laptop—your source code and credentials never leave the machine unless you enable Cloud SOC.
<1ms peek latency3-layer defense in depthv0.1.9 · MIT open core
Defense in Depth
Three independent layers. Agents cannot bypass by switching tools.
Hooks block sensitive paths before execution. MCP scope limits filesystem reach. mcp-proxy enforces regex policy, DLP, IOC feeds, and behavioral chains on every JSON-RPC frame.
Layer 2
MCP filesystem scope
Scope MCP servers to the project root in ~/.cursor/mcp.json so tools cannot wander outside the repo.
Layer 3
mcp-proxy RASP
YAML policy block_patterns, DLP redaction, Wasm plugins, IOC matching, and behavioral chains on every tools/call.
Threat Vector Matrix
Five engines. One local enforcement plane.
Every MCP tools/call passes through peek → policy → Wasm → DLP → risk gate before downstream servers execute a single syscall.
Indirect Prompt Injection Defenses
Sliding-window Shannon entropy scanners evaluate 32-character chunks (step 16) across inbound MCP payloads. High-entropy windows flag base64-wrapped malware blocks, obfuscated prompt injections, and adversarial context smuggled inside rich LLM tool arguments—before they reach your shell or filesystem.
+20 risk · entropy spike
Automated DLP Token Cleansing
A single-pass inline regex pipeline extracts digit streams and validates Luhn checksums on 13–16 char sequences. Database URIs, SSN patterns, and live card numbers are swapped for [MASKED_PII_BY_PROXY] across JSON byte arrays—mutating only when structural threats are confirmed.
+30 PII · +40 Luhn
Rogue Task Interception Gate
High-risk tool calls suspend the background async stdout relay and open a /dev/tty confirmation channel. The human developer receives raw keyboard feedback—[y/n]—before destructive bash execution or exfiltration payloads leave the edge. Fail-closed on any prompt I/O error.
≥70 · operator confirm
Threat-Intel IOC Blocklist
Domain and IP indicators from ~/.config/mcp-proxy/threat-intel.txt merge with the corporate feed from the control plane. A substring hit on any tools/call payload triggers an unconditional block—no operator override—and emits THREAT_INTEL_IOC_MATCH telemetry to your SOC stream.
Unconditional block · IOC match
Behavioral Exfil Chain Detection
A rolling window of the last tool calls detects filesystem reconnaissance followed by network tools—fetch, curl in run_terminal_cmd, or execute_bash with HTTP URLs. Chains clamp risk to 100 and flag BEHAVIORAL_CHAIN_ANOMALY before data leaves the machine.
≥2 fs probes → network
Developer-First Deployment
Three steps from curl to shielded MCP traffic.
01
Run the turnkey installer
One curl command downloads the Rust data plane, seeds ~/.config/mcp-proxy, and ensures ~/.local/bin is on PATH.
curl -fsSL https://sqreen.ai/install.sh | bash02
Automated IDE config + Cursor hooks
The installer wraps Claude Desktop and Cursor MCP entries and seeds block-sensitive-paths.py hooks when run inside a git repo.
# ~/.cursor/hooks.json (seeded by install.sh)
{
"hooks": {
"preToolUse": [{
"command": "python3 .cursor/hooks/block-sensitive-paths.py",
"matcher": "Shell|Read|Grep|Glob|MCP",
"failClosed": true
}]
}
}03
Local-first RASP invariant
Policy evaluation, DLP masking, Wasm sandboxing, and TTY gates execute on local developer silicon. Zero cloud compute. Full offline privacy by default.
# Heavy processing stays pinned locally
MCP_POLICY_PATH=~/.config/mcp-proxy/mcp-policy.yaml
MCP_RISK_THRESHOLD=70
# Optional: sync policy + telemetry to control plane
MCP_CONTROL_PLANE_URL=https://api.sqreen.aiOpen-Core Architecture
Local privacy by default. Enterprise orchestration when you scale.
Developer Core
$0/ forever
Runs entirely on the developer laptop. No Sqreen account, no cloud bill — for you or your users.
- →mcp-proxy + Cursor hooks (local YAML policy)
- →TTY gates, DLP, IOC file, behavioral exfil detection
- →Wasm plugins · open-source data plane
- →Cloud sync disabled by default
Sqreen Cloud SOC
$49/ mo per team
We host api.sqreen.ai + console.sqreen.ai. You get device tokens for your fleet; infra cost (~$3/mo) is included in your subscription.
- →Hosted control plane — central policy & IOC push
- →SOC console — telemetry, block_patterns editor
- →Up to 25 developer seats / device tokens
- →Fleet metrics — IOC matches, exfil chains
Enterprise
Custom
Self-host the control plane on your Fly/VPC, or unlimited seats on Sqreen Cloud with SLA and SIEM routing.
- →Self-hosted api — you pay your own infra (~$3–50/mo)
- →Unlimited seats, SSO, audit exports
- →OTLP / SIEM streaming (Datadog, Splunk)
- →Priority support & deployment assist
End users never pay Fly.io. Cloud SOC is one shared backend per customer org — not per laptop. Developer Core needs no server at all.
Now open source
sqreen-core is live on GitHub — local RASP, zero cloud required.
The Rust mcp-proxy, Wasm policy SDK, and one-line installer are MIT-licensed at github.com/sdk-bens/sqreen-core. Run fully offline on developer laptops. Fleet policy sync, threat intel distribution, and the SOC console remain on Sqreen Cloud.