Capability · Pre-action
5-axis inspection, before each tool call runs
Every tool call a coding agent makes is normalized and scanned across five axes before it executes — then allowed, redacted, warned or blocked against one centrally-managed policy.
❯ claude "ship the billing service to prod with our cloud keys"
⚠ Cloudanix Guard — inspecting tool call
hook : PreToolUse
agent : claude-code
✗ egress cloud access-key in prompt [CRITICAL]
✓ ingress no injection markers
⚡ output introduced-dependency [LOW]
✗ action-authz command not allowed on prod [HIGH]
● decision: BLOCK strictest-mode-wins · 0.6 ms
prompt not forwarded · command not executed
audit-id : guard-7f3a2c1e (hash-chained)
The risk
One control point for the whole agent attack surface
A coding agent is not just an egress pipe — it reads, runs, and writes with your developer's privileges. A single-axis scanner is blind to four of the five ways that goes wrong.
What it sends
Credentials, personal data and proprietary source travel verbatim inside prompts and tool arguments to a third-party model — past CASB, DLP and proxies.
What it runs
Destructive shell commands, protected-branch pushes and credential rotation run autonomously, before any code review.
What it reads & writes
A poisoned README can hijack its next action, and the code it writes can be insecure or pull slopsquatted dependencies.
Mechanics
One hook. Every action checked.
Hook
A one-line install wires the guard into every coding agent's pre-action hook — Claude Code, Cursor, Codex, Windsurf and Kiro.
Normalize
Each agent's tool-call shape is normalized into one internal payload — prompt, files and the tool name being invoked.
Inspect across 5 axes
Egress, ingress, output, action-safety and action-authz scanners run in-process. De-obfuscation strips zero-width unicode and decodes base64 before matching.
Decide
Strictest-mode-wins over (type, severity) plus rule overrides yields one verdict: allow, redact, warn or block. Blocks on the most dangerous commands can never be overridden.
Prove
The decision lands in a tamper-evident, hash-chained local audit trail and the Console fleet view — the matched value never leaves the device.
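A minimal sketch of the Normalize, Inspect and Decide steps above, added here as an illustration and not Cloudanix's own code. The policy table, the strictness order, the access-key pattern and every function name are assumptions.

```python
import base64
import binascii
import re

# Assumed set of zero-width code points to strip before matching.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Illustrative egress detector: the shape of an AWS access key ID.
ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Assumed strictness order, least to most strict (the page's listing order).
ORDER = ["allow", "redact", "warn", "block"]
# Hypothetical policy: (finding type, severity) -> mode.
POLICY = {("credential", "critical"): "block",
          ("introduced-dependency", "low"): "warn"}

def deobfuscate(text):
    """Return each view of the text the scanners should match against."""
    clean = text.translate(ZERO_WIDTH)
    views = [clean]
    for token in B64_TOKEN.findall(clean):
        padded = token + "=" * (-len(token) % 4)
        try:
            views.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64-encoded text; the cleaned view still applies
    return views

def scan(prompt, new_deps=()):
    """Collect categorical findings only; the matched value is never kept."""
    findings = []
    if any(ACCESS_KEY.search(view) for view in deobfuscate(prompt)):
        findings.append(("credential", "critical"))
    if new_deps:
        findings.append(("introduced-dependency", "low"))
    return findings

def decide(findings):
    """Strictest-mode-wins: one verdict for the whole tool call."""
    modes = [POLICY.get(finding, "allow") for finding in findings]
    return max(modes, key=ORDER.index, default="allow")

if __name__ == "__main__":
    key = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key ID, not a real one
    hidden = "AKIA\u200b" + key[4:]
    encoded = base64.b64encode(b"key=" + key.encode()).decode()
    for prompt in ("ship it", "use " + hidden, "deploy with " + encoded):
        print(repr(prompt), "->", decide(scan(prompt)))
```

Matching the raw prompt alone misses both obfuscated forms, which is why the scan runs over every de-obfuscated view.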
Inside the capability
The five axes
Each axis answers a different question about the same tool call — and carries its own default disposition tuned to be low-friction.
Egress
What may the agent send? Credentials, personal data and sensitive file paths in prompts and tool args — blocked or redacted by severity.
Ingress
Is the content it reads trying to hijack it? Indirect prompt-injection markers in READMEs, fetched pages and MCP responses — audited with a nudge.
Output
Is the code it writes dangerous? Insecure sinks (eval / exec / SQL injection / pickle / innerHTML) and an introduced-dependency signal for slopsquat correlation.
Action-safety
Is this command unrecoverable? A narrow, high-precision set of catastrophic commands is blocked unconditionally — no inline bypass, ever.
Action-authz
Is this tool allowed to do this? Per-tool allowed commands, blocked patterns, path and MCP-server policy — the on-device policy decision point.
Severity-aware fail-mode
On an internal error a high-blast-radius action fails closed while a read fails open — the guard never wedges a session on its own failure.
Outcomes
What security & compliance teams get
- On-device, pre-action control — stops the risky action before it runs, and cannot be bypassed the way a network proxy can
- One policy and one verdict model across five coding agents
- Real credential leaks and unrecoverable commands stopped; everything else is at most a one-line nudge
- Privacy-first — categorical findings reach the Console, the matched value never leaves the device
- A tamper-evident local audit chain for every block, override and detection
- Backward-compatible & opt-in — new axes are empty by default until an admin turns them on