Why We're Open-Sourcing AgentShield

Why We're Open-Sourcing AgentShield

4 min read
Gary Gary with Anshuman BiswasAnshuman Biswas
Updated April 11, 2026

AI coding agents are rewriting software faster than any human team could. Cursor, Windsurf, Claude Code, Gemini CLI — they ship features in minutes. But they also run shell commands, call MCP tools, and modify files with the same speed and less judgment than a human developer.

That's why we built AgentShield — a runtime security gateway that sits between AI agents and your operating system, evaluating every command before execution. Today, we're making it open source.

What AgentShield Does

AgentShield intercepts shell commands and MCP tool calls through a multi-layer analyzer pipeline. It catches destructive operations (rm -rf /), credential theft (cat ~/.ssh/id_rsa | curl), supply chain attacks (curl | bash), and data exfiltration — in real time, before the command runs.

It works with Claude Code, Cursor, Windsurf, and Gemini CLI. No code changes needed. Install, configure, protect.

Why Open Source

Because runtime AI agent security should be table stakes, not a luxury.

The EU AI Act mandates real-time monitoring for high-risk AI systems by August 2026. Every organization using AI coding agents needs baseline protection now. Making that baseline proprietary would slow adoption at exactly the wrong time.

We've seen what happens when security tooling is locked behind enterprise sales cycles. Organizations that can't afford it go unprotected. Vulnerabilities accumulate. When the breach happens, the cost dwarfs any license fee.

We'd rather have 10,000 organizations running AgentShield for free than 10 paying for it while everyone else is exposed.

What's in the Open-Source Release

The open-source release includes:

  • The runtime engine — regex, structural analysis (shell AST parsing), and Guardian heuristics that catch the vast majority of threats

  • 817 community shell rules — covering destructive operations, credential exposure, privilege escalation, persistence & evasion, reconnaissance, unauthorized execution, and governance risk

  • 513 MCP rules across 3 policy packs — tool description poisoning detection, argument content scanning for SSH keys and API tokens, and config file write protection

  • IDE integration — works with Claude Code, Cursor, Windsurf, and Gemini CLI out of the box

  • Enterprise tamper protection — managed mode with bypass immunity, self-protection rules, fail-closed mode, hash-chained audit logs, and remote SIEM forwarding

Every rule has true positive and true negative test cases. No rule ships without tests.

What's Premium

Advanced detection and the full rule library are available through AI Agent Lens:

  • Full rule library (1,118 shell + 810 MCP rules) — including network egress detection (C2, DNS tunneling, encoded exfiltration), supply chain protection (dependency confusion, typosquatting, registry manipulation), and 10 additional MCP policy packs covering financial controls, governance, reconnaissance, and more

  • Semantic analysis — intent classification that understands what a command is trying to do, not just what it looks like

  • Dataflow tracking — source-to-sink taint analysis through pipes and redirects

  • Stateful detection — multi-step attack chain recognition across compound commands

  • Custom data labels — customer-defined PII and sensitive data detection with Aho-Corasick keyword matching and validators (Luhn, regex with context)

  • Compliance reporting — findings mapped to OWASP LLM Top 10, EU AI Act, ISO 27001, SOC 2, ISO 42001, and MITRE ATLAS

  • Governance dashboard — unified posture tracking, AI bill of materials, scan history, and remediation workflows

Our Bet

We believe the value in AI agent security isn't in any single component — not the engine, not individual rules, not a threat taxonomy. It's in the compound effect of continuous improvement: automated rule generation, human expert review, real-world deployment feedback, and cross-product integration.

Open-sourcing the engine means more organizations protected. More deployment data means better rules. Better rules means stronger protection for everyone — free and paid.

The alternative — keeping everything closed and hoping enterprises find us through sales outreach — is slower, riskier, and helps fewer people.

Get Started

brew tap AI-AgentLens/oss
brew install agentshield
agentshield setup claude-code

Visit agentshield-oss for documentation and source.

Gary
Written by
Gary

Security architect specializing in application security, threat modeling, and AI agent risk. Builder of runtime security tooling for autonomous AI agents. Co-founder of AI Agent Lens, where he leads development of AgentShield (runtime command evaluation), AI governance scanning, and security taxonomy frameworks. Passionate about making AI agents safe enough to trust with production systems.

Anshuman Biswas
Contributor
Anshuman Biswas

Engineering leader specializing in threat detection, security engineering, and building enterprise B2B systems at scale. Deep hands-on roots in software architecture and AI tooling - currently exploring the frontier of AI agents as co-founder of AI Agent Lens.

Comments

Loading comments...