
Agent Firewall · stop-the-wipe

Catch destructive AI agent actions before they execute

Drop-in safety layer for Cursor, Claude Code, Devin, Replit Agent. Blocks DROP TABLE, rm -rf, force-push on main. Routes ambiguous calls to Telegram for human approve/deny in 30 seconds.

Install free in 60 seconds
npm i · 60s setup · no credit card

Promise

Every destructive tool call your AI agent attempts gets blocked or escalated before it runs.

(Diagram: an AI agent tool call intercepted by a firewall barrier, splitting into a blocked branch and an allowed branch.)

  • <50ms p99 verdict
  • 30s Telegram approve
  • 50 Day-1 patterns

Could've been prevented · 10+ documented agent-destruction incidents · Oct 2024 — Apr 2026

PocketOS · Replit Agent · SaaStr ATL · Antigravity · Cursor IDE · Amazon Kiro · Claude Code · Devin · Cline · Continue
cursor · claude-3-5-sonnet · session #4f3a · live

    // agent reasoning
    // > clean up old user records before migration

    $ tool_call(execute_sql, { query: "DROP TABLE users;" })
    [firewall] match: sql.drop_table_no_where · severity=critical · pattern_id=SQL-007
    [firewall] VERDICT: BLOCKED · agent halted · 18ms
    // notification posted to telegram://team/agent-firewall
    // audit row: intercepts/01HXR5K2…

verdict latency · 18ms · fail-closed · default deny · policy v1.4 · 50 patterns

Evidence

This is what your team would have seen.

Cursor proposed a destructive SQL call at 04:12 UTC. Pattern SQL-007 matched in 18ms. Verdict: BLOCKED. The agent halted; the database stayed.

  • 50-pattern denylist · SQL · shell · git · cloud
  • Verdict in <50ms p99 · before the agent runs the call
  • Audit row + Telegram alert · every block, no exceptions

Proof

PocketOS lost their entire database in 9 seconds to a Cursor-driven Claude. Replit wiped 1,206 records during an explicit code freeze. Ten documented agent-destruction incidents in the last 18 months. One blocked incident pays 50 years of subscription.

Three steps · sixty seconds

Install once. Block forever. Sleep through the rest.

The pain on your team today — Engineers run AI agents against staging or prod with broad-scope tokens, and one bad chain-of-thought wipes data — PocketOS-style.

  1. Install

    One npm install. Drop the MCP wrap into your agent config or wrap your SDK call. 60 seconds.

    npm i @agentfirewall/sdk
  2. Block

    Every tool call gets scanned against 50 hard-deny patterns. Critical matches halt instantly. Medium-risk escalates to Telegram.

    verdict: blocked · 18ms
  3. Sleep

    Read-only observability tools (LangSmith, Langfuse) tell you what happened; they do not stop it from happening.

    policy: balanced · 30s timeout

The control plane

Three primitives. Zero ambiguity.

Read-only observability tools tell you what happened. Agent Firewall stops it from happening.

(Illustration: a stack of denylist pattern rules, one highlighted as a matched pattern blocking a tool call.)
Pattern engine

50-pattern denylist, Day 1.

DROP TABLE without WHERE. rm -rf outside sandbox. git force-push to main. AWS s3 rb. We ship 50 patterns Day 1. Cross-customer pattern DB grows weekly.

SQL.drop_table · shell.rm_rf · git.force_push · aws.s3_rb

(Illustration: a phone showing an inline approval keyboard with approve and deny buttons for human-in-the-loop tool call review.)
Human-in-the-loop

Telegram approve / deny in 30s.

Medium-risk calls escalate to your phone in seconds. Tap Approve, tap Deny, or set 'Approve always for this pattern'. Fail-closed by default — uncertainty never auto-allows.

Approve · Deny · Approve always · 30s timeout

(Illustration: an incident timeline of six allowed calls, one pending call, and one blocked call at the end.)
Cross-vendor

One policy layer, every tool.

MCP server + SDK wrap. Works with Cursor, Claude Code, Devin, Replit Agent, Cline, Continue, and any custom agent loop. One policy layer, every tool.

Cursor · Claude Code · Devin · Replit · Cline

Incident wall · selected

Each of these would have been one pattern match away from being prevented.

See the full living wall
  1. POCKETOS

    Cursor-driven Claude wiped production DB and backups in 9 seconds.

    Tom's Hardware · Fast Company · ABC News · The Register

  2. REPLIT · SAASTR

    Replit Agent wiped 1,206 executive records during an explicit code-freeze window.

    TechCrunch · Hacker News · Replit blog post-mortem

  3. ANTIGRAVITY

    Agent loop ran rm -rf inside the repo root after misreading a cleanup task.

    Antigravity engineering blog · Twitter thread

  4. CURSOR · CVE-2026-26268

    RCE via crafted MCP server payload — agent invoked attacker-controlled shell on host.

    NVD · Snyk advisory


One blocked incident pays 50 years of subscription.

Pricing

One blocked incident covers a year. Probably ten.

Free tier covers 10 intercepts/day per team — enough to confirm the firewall is wired before you decide.

Solo

$29/mo

One developer. Local SDK or single-agent MCP.

  • 50-pattern denylist
  • 100 intercepts/day
  • Telegram approve/deny

Team · Most teams pick this

$299/mo

10-50 person engineering team. Cross-vendor team policy.

  • Unlimited intercepts
  • All 50+ patterns + custom rules
  • Per-developer approval routing
  • 30-day audit retention

Pro

$999/mo

Compliance-grade audit, SSO, custom pattern engine.

  • Everything in Team
  • SSO + RBAC
  • Custom pattern engine
  • 1-year audit + export

FAQ

The five things every CTO asks first.

Still have one we didn't list? Email hello@agentfirewall.dev.

Hard-deny patterns evaluate in <50ms p99 — a stateless regex/AST match with no network round-trip. The only call that pauses is a medium-risk escalation to Telegram, capped at a 30-second timeout (default-deny on expiry). Everything below medium-risk passes through.
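The three tiers described above and in the pattern-engine and human-in-the-loop sections (hard-deny on a stateless match, medium-risk escalated to a human with a fail-closed timeout, everything else passed through) modelled as a small gate. This is an added example, not code from the @agentfirewall/sdk; the pattern IDs, regexes, the `escalate` callback standing in for the Telegram prompt, and the "DELETE without WHERE" medium-risk rule are all constructed for illustration.

```javascript
// Added example modelled on the page's description: a tool-call gate with
// hard-deny patterns, a medium tier escalated to a human, and a fail-closed
// timeout. Not the @agentfirewall/sdk; pattern IDs and regexes are constructed.
const PATTERNS = [
  { id: "SQL-DROP",  tool: "execute_sql", severity: "critical", re: /\bDROP\s+TABLE\b/i },
  { id: "SQL-DEL",   tool: "execute_sql", severity: "medium",   re: /\bDELETE\s+FROM\b(?![\s\S]*\bWHERE\b)/i },
  { id: "SH-RMRF",   tool: "shell",       severity: "critical", re: /\brm\s+-\w*r\w*\s+(\/|~)/ },
  { id: "GIT-FORCE", tool: "shell",       severity: "critical", re: /\bgit\s+push\b(?=.*\s(?:--force|-f)\b)(?=.*\bmain\b)/ },
  { id: "AWS-S3RB",  tool: "shell",       severity: "critical", re: /\baws\s+s3\s+rb\b/ },
];
const RANK = { medium: 1, critical: 2 };

// Stateless match: every pattern for the call's tool, most severe first.
function matchPatterns(call) {
  return PATTERNS.filter((p) => p.tool === call.tool && p.re.test(call.input))
                 .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Map the outcome of a medium-risk escalation to a verdict. Only an explicit
// "approve" allows; timeout, error, or anything else denies (fail-closed).
function applyDecision(pattern, decision) {
  if (decision === "approve") return { verdict: "allowed", patternId: pattern.id, reason: "human approved" };
  const reason = decision === "deny" ? "human denied" : `default deny (${decision})`;
  return { verdict: "blocked", patternId: pattern.id, reason };
}

// Race the approver against the window; expiry resolves to "timeout".
function withTimeout(promise, ms) {
  let timer;
  const expiry = new Promise((resolve) => { timer = setTimeout(() => resolve("timeout"), ms); });
  return Promise.race([promise, expiry]).finally(() => clearTimeout(timer));
}

// escalate(call, pattern) is the hypothetical stand-in for the Telegram prompt
// and resolves to "approve" or "deny"; the default window mirrors the page's 30s.
async function evaluate(call, { escalate, timeoutMs = 30_000 } = {}) {
  const [top] = matchPatterns(call);
  if (!top) return { verdict: "allowed", patternId: null, reason: "no pattern matched" };
  if (top.severity === "critical") return { verdict: "blocked", patternId: top.id, reason: "hard-deny" };
  if (!escalate) return applyDecision(top, "no approver configured");
  let decision;
  try { decision = await withTimeout(Promise.resolve(escalate(call, top)), timeoutMs); }
  catch (e) { decision = "approver error"; }
  return applyDecision(top, decision);
}
```

Note that the critical path never awaits anything, which is what keeps the hard-deny verdict free of network latency; only the medium tier can wait, and a never-answering approver still ends in a block.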

Ship the firewall before the incident

Your agent is one --dangerously-skip-permissions away from your production database. The blocklist works the moment you install it.


Free tier · no credit card · 60-second install