Open Source · The AI Agent Action Firewall · Apache 2.0

Prevent AI agents from
taking dangerous actions.

The open-source firewall that checks every agent tool call before execution — blocking data leaks, destructive actions, and unauthorized API calls in real time.
OpenAI · LangChain · CrewAI · custom Python · MCP.

Try it live → See it in action View on GitHub
scouter.intellectmachines.com/ui/
agent.tool_call delete_order(id="ORD-9921")
POLICY Destructive action — approval required
BLOCKED Stopped before execution · audit logged 38ms
agent.tool_call send_email(to="ext@x.com", body=customer_data)
POLICY External recipient + PII payload
BLOCKED Data exfiltration prevented 41ms
agent.tool_call lookup_order(id="ORD-123")
ALLOWED Within policy · executed 0.04ms
Block before execution
<50ms decision
Signed audit trail
Human approval gates

The problem

AI agents are becoming
privileged non-human users.

Your agents now query databases, modify customer records, send emails, call internal APIs, trigger refunds, run shell commands, and reach into production systems.
The risk isn't bad text output. It's unsafe action execution.

Data leakage

A prompt-injected agent calls send_email() or an external webhook with customer records or internal data attached.

Destructive actions

Agent fires delete_order(), drop_table(), remove_user(), or cancel_subscription() with no approval gate in front of it.

Unauthorized API abuse

Agent uses privileged keys to call refund_payment(), modify configs, or hit internal APIs outside its intended role.

Prompt injection → agent reasoning → tool call → production action → business damage.
Once the tool call fires, the damage is real. Scouter checks every action before execution.

How Scouter works

Sits between agent intent and real-world action.

Scouter intercepts every tool call. Evaluates the action, arguments, context, user intent, tool risk, and policy. Then allows, blocks, or escalates — before anything hits production.

01

Intercept

Every tool_call is captured before execution.

OpenAI · LangChain · CrewAI · MCP · custom agents.

02

Evaluate

Policy engine checks the action, args, tool risk, and approval rules.

Allow · Block · Require human approval.

03

Enforce & audit

Unsafe actions are blocked before they execute. Every decision is logged.

Signed audit trail · SIEM / SOC ready.

Integration

Add runtime control without rewriting your agent.

Wrap your client. Declare what the agent is and isn't allowed to do. Every tool call is now policy-checked before execution.

main.py · pip install scouter-ai 
from scouter.client import ScouterClient
from scouter.integrations.openai import wrap_openai
from openai import OpenAI

# 1. Init Scouter (cloud backend at scouter.intellectmachines.com)
scouter = ScouterClient(
    api_key="your-api-key",
    mode="enforce",   # audit | enforce
)

# 2. Register agent intent
intent = scouter.register_intent(
    agent_id="support-bot",
    natural_language="Answer customer questions about orders and products",
    permitted_actions=["lookup_order", "search_knowledge_base"],
    excluded_actions=["delete_order", "modify_payment"],
)

# 3. Wrap your OpenAI client — that's it
client = wrap_openai(OpenAI(api_key="..."), scouter=scouter, intent_id=intent.intent_id)

# 4. Use normally — Scouter governs every call transparently
response = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "What's my order status for ORD-123?"}],
)

Try it live

Spin up the control plane
in under a minute.

Open the live Scouter dashboard, send agent tool calls through the policy engine, and watch unsafe actions get blocked before execution — in real time, on real traffic.

scouter.intellectmachines.com/ui/ · no signup required
Try it live → View on GitHub Talk to founders

Tool calls in the wild

What Scouter blocks before execution.

Real agent tool calls. Real policy decisions. Made in milliseconds, before anything reaches production.

BLOCKED delete_order(id="ORD-9921")

Destructive action · approval required

BLOCKED send_email(to="ext@x.com", body=customer_data)

Data leakage · external recipient + PII

BLOCKED run_sql("DROP TABLE customers")

Database write · irreversible operation

BLOCKED execute_shell("rm -rf /var/data")

Shell exec · outside declared scope

BLOCKED refund_payment(amount=999999)

Privileged API · over policy threshold

ALLOWED lookup_order(id="ORD-123")

Within policy · executed & logged

See it live

Watch Scouter block a prompt-injected agent.

A support agent with order-tool access is told to delete an order and email customer data externally. Without Scouter, the action executes. With Scouter, it's blocked before execution and logged for review.

scouter.intellectmachines.com/ui/ Live
Actions today
0
▲ 12.4%
Blocked
0
▼ 4.1%
Avg latency
0ms
— p50
Risk score
0/100
▲ healthy

Live decision feed

streaming

Compliance posture

SOC 2 ready
0%
9 of 10 controls passing

Active intents

3 agents
  • support-bot
    v4 · 14k actions · 0 violations
    healthy
  • sales-research
    v2 · 6.2k actions · 3 escalations
    watch
  • data-migrator
    v1 · 412 actions · 1 hard-stop
    blocked

Decisions · last 24h

allowed · escalated · blocked
12 agents observed
99.97% uptime
Signed audit trail

Who it's for

For teams putting AI agents in front of real systems.

AI startup founders

Ship agents faster without building your own runtime guardrail system. Open-source SDK, free for dev + staging.

CTOs & CISOs

Deploy AI agents with policy enforcement, approval workflows, and signed audit trails. SOC 2, ISO 42001, EU AI Act ready.

Security & SOC teams

See what every agent did, which tool it called, what data it touched, and why the action was allowed — before it becomes an incident.

Without Scouter vs. with Scouter

Observability and IAM
weren't built for agent actions.

Monitoring tells you after the damage. IAM checks who, not what. Scouter checks the action itself — and blocks it before execution.

Observability IAM Prompt Injection Protection Scouter
Blocks unsafe actionspartial✓ real-time
Understands agent intent✓ registry
Prompt injection defense✓ text only✓ classifier
Shell / SQL / API guards✓ 60+ rules
Compliance audit trailpartialauth only✓ signed
Works with agent frameworksvia SDKvia SDK✓ drop-in
Open sourcepartialpartial✓ Apache 2.0

Build vs. Scouter

"We'll just build it ourselves."
Here's what that actually means.

A runtime control layer is a 12+ month security engineering project — not a weekend hackathon. Most teams underestimate it until the first agent incident.

Build in-house

• 2–4 senior eng for 6–12 months
• Policy DSL + evaluator
• Fast-path classifier for prompt injection
• Tool-call interceptors per framework (OpenAI, LangChain, CrewAI, MCP)
• Approval workflows + escalation
• Signed audit log + SIEM pipeline
• Ongoing rule maintenance as new attacks emerge

Then maintain it forever, while it's not your core product.

Adopt Scouter

• Wrap your client — minutes, not months
• Policy engine, classifier, and 60+ guards out of the box
• OpenAI, LangChain, CrewAI, MCP, custom Python — already integrated
• Approval gates, audit trail, SIEM hooks built in
• Open source · inspectable · self-hostable
• Threat coverage updated by a team focused only on this

Ship agents to production with boundaries, today.

The hidden cost of building

Most in-house attempts ship a thin allowlist, miss prompt-injection-to-action chains, and end up as a lagging audit log instead of a real enforcement layer.

By the time the gaps surface, an agent has already done something it shouldn't have — and now it's an incident, not a roadmap item.

FAQ

Questions, answered.

How is this different from content filters or prompt shields?

Content filters look at text. Scouter looks at actions. When your agent decides to call delete_order() or send_email(), Scouter evaluates the tool call itself — arguments, context, policy — and blocks it before execution.

Why not rely on prompt-injection defenses alone?

Prompt injection is dangerous because agents can execute tools. Even partial defenses leak. Scouter assumes inputs may be hostile and enforces policy at the action layer — the last line before production.

Does it slow down my agent?

Most calls clear the fast-path in under a millisecond. Risky ones get full policy evaluation (~40ms). Users won't notice.

Can I self-host?

Yes. The runtime is open source (Apache 2.0). Run it in your own VPC and keep all decisions on your infra. Cloud control plane also available.

What agent frameworks are supported?

OpenAI, LangChain, CrewAI, AutoGen, PhiData, custom Python agents, and MCP-style tool ecosystems.

What's open-source vs. enterprise?

The SDK, policy engine, and runtime are open source. The enterprise control plane adds centralized policy management, agent inventory, approval workflows, audit dashboards, SIEM integration, SSO, and compliance reporting.

Does it work in audit-only mode?

Yes. Run mode="audit" to observe and log without blocking. Switch to mode="enforce" when policy is tuned.

Pricing

Open source today.
Enterprise control plane next.

The runtime, SDK, and policy engine are free and Apache 2.0. The enterprise control plane is in active development — talk to the founders to shape it.

Open Source

Free · Apache 2.0

• Full runtime & SDK
• Policy engine + 60+ guards
• Self-host in your VPC
• OpenAI · LangChain · CrewAI · MCP
• Community support

View on GitHub →

Enterprise

Coming soon

• Centralized policy management
• Agent inventory & approval workflows
• Audit dashboard + SIEM integration
• SSO · RBAC · compliance reporting
• Dedicated support & SLA

Talk to founders →

Your AI agents are getting more powerful.
Give them boundaries before production.

IntellectMachines builds runtime security for AI agents. Scouter is the open-source AI Agent Action Firewall. Start with the SDK, scale to the enterprise control plane when you're ready.

Try it live → Book a design partner call ⭐ View on GitHub