Agentic AI Protection

The gateway in front of every AI agent.

Agents act on instructions hidden inside the tools they call. Proxara inspects every tool call, description, and result, and stops the attack before it reaches the model or the wire.

Request a trial See the pipeline

Sits in front of every MCP host and agent

The inspection point in front of every tool call.

None of these attacks breaks encryption. None trips a DLP rule. Each turns a tool the agent already trusts into the exfiltration channel, and each meets a layer built to stop it.

Hidden instructions inside a tool description

The MCP spec puts no restriction on a tool’s description. The interface shows the short name; the model receives the whole description as trusted context and acts on it. Invariant Labs exfiltrated ~/.ssh/id_rsa through a poisoned add tool.

Invariant Labs · Apr 2025

The research behind the threat

OWASP · MCP TOP 10 · 2025

Tool poisoning catalogued as a top-tier MCP threat (MCP03:2025)

ACUVITY · CVE-2025-54136 · APR 2025

Rug pulls: a tool definition that changes silently after approval

OX SECURITY · CVE-2025-6514 · CVSS 9.6

A systemic STDIO flaw across the official MCP SDKs

Designed for the realities of agentic AI.

The MCP ecosystem grew faster than its security did. Tool calling went mainstream in a year, and the threat research followed close behind.

Request a trial Read the documentation

970×

MCP install growth, Nov 2024 to Mar 2026

Effloow

200,000

vulnerable MCP server instances exposed by the Ox Security STDIO disclosure

Ox Security

+270%

growth in MCP-specific CVEs from Q2 to Q3 2025

CyberSecStats

95%

of security leaders could not detect or contain an AI-misuse incident today

Saviynt, 2026

Every JSON-RPC message crosses one pipeline

A reverse proxy between any MCP host and any downstream server. Nine stages run in fixed order on every tools/call, tools/list, and resources/read. Nothing crosses without passing through.

MCP HOSTtools/call · tools/list · resources/read

01ingresssession terminate

02authzOAuth 2.1 · per-tool RBAC

03redactiontokenise PII

04injectionBedrock classifier

05graphper-session call graph

06policyblock · sanitise · drop

07tagprovenance label

08auditCBOR + Ed25519

09egressSTDIO validation

MCP SERVERonly what passed every stage

One reverse proxy · MCP 2025-11-25 + 2025-06-18 · p99 added latency < 120 ms

Reads the instructions, not just the actor

A Bedrock classifier scans every tool description and result before the model sees it. Authentication checks the actor; nothing else in the stack checks the instructions hidden in the tools the agent already trusts.

Sees the whole session, not one call

A per-session directed graph of every call matches read-then-exfil and leak-then-send shapes, with a 10-call baseline and 3σ deviation flags. The lethal trifecta is caught as a pattern, not a single request.

MCP servers

Data & search

Finance Trading Ai Agents

Proxara recommendation

BlockHigh risk

Community project that wires autonomous trading agents to brokerage APIs. Granting a model order-execution tools from a supervised device raises SEC and FINRA concerns; provenance is thin and maintenance is sparse.

Sources

finance-trading-ai-agents: READMEnpm: finance-trading-ai-agentsPackage health report: finance-trading-ai-agents

Assessed by Proxara intelligence (AWS Bedrock).

Block (recommended)ApproveDismiss

A verdict, with sources

Secure.
Scalable.
Seamless.

Privately deployable: a single ~5 MB Rust binary that runs embedded, standalone on :8443, or hosted in your own VPC. Built like security tooling, not a wrapper.

Built for the hot path: a wait-free arc-swap configuration path keeps p99 added latency under 120 ms, inside Claude Desktop’s request budget even on tools/list.

Drops in with no agent changes: every MCP host — Claude Desktop, Cursor, Claude Code, Windsurf, ChatGPT Desktop, internal agents — is treated as just another JSON-RPC client. No per-host integration.