Zero-Trust · for AI agents

Zero-Trust for AI agents. Identity, a gateway, and policy on every tool call.

Your agents act with real credentials. AxioRank gives each one a short-lived identity and runs every tool call through a gateway that scores risk, enforces your policy, and writes a redacted audit trail in under 100 ms. Nothing is trusted by default, in either direction. On the way in, it verifies the AI agents that visit you cryptographically, not by user-agent string.

short-lived tokens · default-deny · secrets fingerprinted, never stored

Gateway demo: POST /gateway/tool-call · tool aws.s3.deleteBucket · risk, policy and signature checks run while the payload is scanned.

Under 100 ms · Decision on the hot path
15 m · Default token lifetime
31 · Content detectors
Critical-signal floor

The exposure

Agents act autonomously, with production credentials.

Give a model tools and it can read your database, push code, and call your cloud. The same autonomy that makes agents useful makes a single bad tool call catastrophic.

Credential leak

Agents hold real secrets

A tool call carries a live cloud key straight to an external service, one paste from exfiltration.

arguments.env.AWS_ACCESS_KEY_ID
"AKIA••••••••••••EXAMPLE"
secret.aws_access_key · critical

Destructive op

One statement drops prod

Generated SQL runs without a WHERE clause and rewrites or deletes an entire table.

arguments.query
DELETE FROM users;
destructive.sql_no_where · high

Injection

Untrusted input hijacks

Hostile content steers the agent toward your cloud metadata endpoint to harvest credentials.

arguments.url
"http://169.254.169.254/…"
injection.ssrf · high

Identity

Never trust an agent by default.

Zero-Trust starts with identity. Each agent trades a static key, or a federated identity, for a short-lived signed token that verifies locally with no database round-trip and cannot be replayed. Tokens default to a 15-minute lifetime, so a leaked credential is worthless in minutes, not months.

Agent identity, step by step:
static key or federated identity · what the agent starts with
→ exchange → axr_tok_… · TTL 15m · scopes · a short-lived signed token
→ verify → verified locally · no DB hop · and it cannot be replayed

MCP gateway

Every tool call runs through the gateway, in one hop.

Point any tool call at the gateway and it runs a pipeline on the synchronous path: verify identity, score risk, evaluate policy, check the allowlist, and write a redacted record. It returns allow, deny, or hold in under 100 ms, with no agent rewrite.

  1. Authenticate. The gateway verifies the agent's token or key and resolves its identity locally. (verify token · no DB hop)
  2. Inspect. Detectors scan every payload leaf for signals and combine them into a score. (31 detectors → risk 0–100)
  3. Decide. Policies resolve under deny-overrides to allow, deny, or hold for approval. (allow · deny · hold)
  4. Allowlist. A default-deny tool and egress allowlist blocks anything you have not approved. (default-deny · pinned)
  5. Record. A redacted, append-only audit row is written and your quota is metered. (redacted · append-only)

Policy engine

Deny-overrides, by design.

Policies are evaluated in priority order against a fixed precedence ladder. The first matching rung wins, and the deny rungs sit on top: when nothing matches, the call is allowed, but any deny short-circuits every rung below it.

Rules match a tool pattern and context like IP, time, host, and agent labels. A signal-category deny is as strong as an explicit deny, so content inspection becomes enforceable.

  1. Explicit deny · action = deny, no conditions → deny
  2. Signal deny · a flagged category is present on the call → deny
  3. Explicit allow · action = allow, no conditions → allow
  4. Signal allow · an opt-out for a category on specific tools → allow
  5. Risk threshold · risk ≥ threshold for matching tools → deny
  6. Default · nothing matched → allow
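A worked deny-overrides evaluator for the six-rung ladder above, added here as an example; it is not AxioRank's evaluatePolicy(), and the rule shape, the "*" glob syntax for tool patterns and the `when` hook for context (IP, time, host, agent labels) are assumptions made for the example. The rule set is constructed to mirror the playground rules shown later on the page, plus a context rule and a PII opt-out so every rung is exercised.

```javascript
// Added example, not AxioRank's engine: a deny-overrides ladder in the six-rung
// precedence described above. The rule shape, the glob syntax and the `when`
// context hook are assumptions made for this example.
//
// rule: { name, priority, tool (glob, "*" = any), action: "allow" | "deny",
//         signal?: category (rungs 2 and 4), riskThreshold?: number (rung 5),
//         when?: (context) => boolean  (IP, time, host, agent labels) }
// call: { tool, risk (0..100), signals: [{ category, ... }], context }

function toolMatches(pattern, tool) {
  // "*" is the only wildcard; everything else is matched literally.
  const escaped = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + escaped.join(".*") + "$").test(tool);
}

function applies(rule, call) {
  if (!toolMatches(rule.tool, call.tool)) return false;
  return rule.when ? rule.when(call.context || {}) : true;
}

// "No conditions" in the ladder means no signal and no risk threshold on the rule.
const isExplicit = r => !r.signal && r.riskThreshold === undefined;

// Returns { verdict, rung, rule }. Rungs are tried top-down; within a rung the
// lowest priority number wins, so a deny anywhere above short-circuits the rest.
function evaluatePolicy(call, rules) {
  const present = new Set(call.signals.map(s => s.category));
  const candidates = rules
    .filter(r => applies(r, call))
    .sort((a, b) => a.priority - b.priority);

  const ladder = [
    { rung: 1, verdict: "deny",  test: r => r.action === "deny"  && isExplicit(r) },
    { rung: 2, verdict: "deny",  test: r => r.action === "deny"  && r.signal && present.has(r.signal) },
    { rung: 3, verdict: "allow", test: r => r.action === "allow" && isExplicit(r) },
    { rung: 4, verdict: "allow", test: r => r.action === "allow" && r.signal && present.has(r.signal) },
    { rung: 5, verdict: "deny",  test: r => r.riskThreshold !== undefined && call.risk >= r.riskThreshold },
  ];
  for (const step of ladder) {
    const hit = candidates.find(step.test);
    if (hit) return { verdict: step.verdict, rung: step.rung, rule: hit.name };
  }
  return { verdict: "allow", rung: 6, rule: null };   // default: nothing matched
}

// Constructed rule set: the playground rules, a context (off-hours) rule, a PII opt-out.
const RULES = [
  { name: "deny-prod-delete-offhours", priority: 1, tool: "aws.s3.deleteBucket", action: "deny",
    when: ctx => ctx.hour !== undefined && (ctx.hour < 8 || ctx.hour >= 18) },
  { name: "deny-live-secret",   priority: 5,  tool: "*",          action: "deny",  signal: "secret" },
  { name: "deny-destructive",   priority: 15, tool: "*",          action: "deny",  signal: "destructive" },
  { name: "allow-pii-on-slack", priority: 20, tool: "slack.post", action: "allow", signal: "pii" },
  { name: "risk-75",            priority: 50, tool: "*",          action: "deny",  riskThreshold: 75 },
];

// Constructed calls; each result is { verdict, rung, rule }.
const DEMO = {
  leakedKey:      evaluatePolicy({ tool: "aws.s3.deleteBucket", risk: 96, signals: [{ category: "secret" }], context: { hour: 12 } }, RULES),
  piiToSlack:     evaluatePolicy({ tool: "slack.post", risk: 73, signals: [{ category: "pii" }], context: { hour: 12 } }, RULES),
  mixed:          evaluatePolicy({ tool: "slack.post", risk: 73, signals: [{ category: "pii" }, { category: "secret" }], context: { hour: 12 } }, RULES),
  riskyPush:      evaluatePolicy({ tool: "github.push", risk: 80, signals: [], context: { hour: 12 } }, RULES),
  quietPush:      evaluatePolicy({ tool: "github.push", risk: 40, signals: [], context: { hour: 12 } }, RULES),
  offHoursDelete: evaluatePolicy({ tool: "aws.s3.deleteBucket", risk: 10, signals: [], context: { hour: 2 } }, RULES),
};
```

The `mixed` call is the point of deny-overrides: the slack.post opt-out for PII sits on rung 4, but the secret on the same call is caught by a signal deny on rung 2, so the opt-out never gets a vote.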

Content inspection

Five categories. Thirty-one detectors.

Every string leaf of a tool call is scanned with bounded, ReDoS-safe patterns. Findings become redacted signals, and the evidence proves a match without ever echoing the raw value.

Secret

12 detectors

Live credentials, fingerprinted and masked out of the stored payload.

AWS access key · AWS secret key · GitHub token · GitHub PAT · Slack token · Google API key · LLM provider key · Stripe live key · Private key (PEM) · JWT · Bearer token · Hardcoded credential

Destructive

6 detectors

Irreversible commands against files, databases, and cloud resources.

rm -rf · SQL DROP / TRUNCATE · DELETE without WHERE · Resource teardown · Git force push · Dangerous CLI flag

Injection

6 detectors

Attempts to hijack the agent, your database, shell, or network.

Prompt injection · System override · SQL injection · Shell injection · SSRF / metadata · Path traversal

PII

4 detectors

Personal data, masked in evidence. Card numbers are Luhn-validated.

Email · US SSN · Phone · Credit card (Luhn)

Egress

3 detectors

Bulk reads and oversized payloads that signal data exfiltration.

Unbounded SELECT * · Bulk export · Oversized payload

Redaction

Proof a secret was there, without storing it.

Secrets are masked out of the payload at write time and replaced with a deterministic, irreversible fingerprint. The audit log can prove a key of this shape appeared, and even that the same key recurs, while never persisting the value itself.

What the agent sent (exposed):
{
  "env": {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"
  }
}
What AxioRank stores (redacted):
{
  "env": {
    "AWS_ACCESS_KEY_ID": «redacted:secret.aws_access_key»
  }
}
evidence: AK…LE · len 20 · sha256:a1b2c3d4 · critical

Live inspector

Run the gateway in your browser.

Edit a tool call and watch AxioRank inspect it. Detection runs client-side, but the score and verdict use the combine() and evaluatePolicy() functions straight from the production engine.

valid JSON · every string leaf is scanned

Denied · risk 96

denied by policy "deny-live-secret" (secret detected)

risk score · base 90 → 96
96/100
signals · 1
Secret
  • AWS access key id · critical
    secret.aws_access_key · arguments.env.AWS_ACCESS_KEY_ID
    AK…LE · len 20 · sha256:96bca470

Policy playground

deny-overrides · toggle a rule to re-evaluate
  • deny-live-secret
    deny if secret detected · prio 5
    matched
  • deny-destructive
    deny if destructive detected · prio 15
  • risk ≥ 75
    deny if risk ≥ 75 · prio 50

Audit & dashboard

Every call, logged and reviewable.

Decisions land in an immutable, redacted audit log, filterable by agent, tool, risk, and signal category, with high-risk activity surfaced the moment it happens.

app.axiorank.com/logs · live
Calls inspected: 1,284
Denied: 96
Avg risk: 38
Recent decisions (tool · agent · signals · risk · verdict)
  • aws.s3.deleteBucket · claude-prod · Secret, Destructive · 98 · deny
  • db.query · support-bot · Destructive, Egress · 90 · deny
  • slack.post · intake · PII · 73 · allow
  • github.push · ci-runner- · 40 · allow
  • gmail.send · outreach · PII, Egress · 84 · deny

Top signals

last 24h
  • Secret
    47
  • Destructive
    18
  • PII
    9
  • Injection
    5
  • Egress
    3

Deny rate

24h
7.5%

Automated response

From verdict to action, automatically.

A deny is the floor, not the ceiling. Response rules can quarantine an agent, revoke its keys, or raise an alert the moment a pattern crosses the line. Monitor mode runs on every plan, so you can prove a rule before you arm it.

Monitor, then arm

Every rule can run in monitor mode first, recording exactly what it would have done. Arm it when you trust it.

mode: monitor

Kill-chain detection

A sensitive read followed by egress is the attack the single call hides. Correlation across calls catches it.

pattern: exfiltration

Contain on contact

When a rule fires, quarantine the agent, revoke its keys, or raise an alert in the same second.

action: quarantine_agent
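The three cards above describe one mechanism: rules that correlate across an agent's recent calls, run in monitor mode until trusted, and act when armed. The following is an added example, not AxioRank's response engine; the event shape, the five-minute window, the mapping of signal categories to "sensitive read" and "egress", and the action names are assumptions made for the example, and the event sequence is constructed.

```javascript
// Added example, not AxioRank's response engine: response rules that run in
// monitor mode (record what they would have done) or armed mode (act), plus a
// cross-call correlation for the kill chain above, a sensitive read followed by egress.
// Event shape, window length and the category-to-stage mapping are assumptions.

const WINDOW_MS = 5 * 60 * 1000;                    // how far back correlation looks, per agent
const SENSITIVE_READ = new Set(["secret", "pii"]);  // categories that count as a sensitive read

// event: { ts (ms), agent, tool, verdict: "allow" | "deny", categories: [signal categories] }
const isSensitiveRead = ev => ev.categories.some(c => SENSITIVE_READ.has(c));
const isEgress = ev => ev.categories.includes("egress");

// A pattern receives the agent's recent history (oldest first) and the new event.
// This one fires on egress when a sensitive read precedes it inside the window.
function exfiltrationPattern(history, ev) {
  return isEgress(ev) && history.some(h => isSensitiveRead(h) && ev.ts - h.ts <= WINDOW_MS);
}

// Fires on the n-th deny inside the window, counting the current event.
function repeatedDenies(n) {
  return (history, ev) =>
    ev.verdict === "deny" &&
    history.filter(h => h.verdict === "deny" && ev.ts - h.ts <= WINDOW_MS).length + 1 >= n;
}

class ResponseEngine {
  constructor(rules) {
    this.rules = rules;          // { name, mode: "monitor" | "armed", pattern, action }
    this.history = new Map();    // agent -> recent events within the window
    this.quarantined = new Set();
    this.revoked = new Set();
    this.alerts = [];
    this.log = [];               // every firing, monitor or armed, for audit
  }

  // Returns this event's rule firings; side effects happen only for armed rules.
  observe(ev) {
    const hist = this.history.get(ev.agent) || [];
    const fired = [];
    for (const rule of this.rules) {
      if (!rule.pattern(hist, ev)) continue;
      const entry = { rule: rule.name, mode: rule.mode, action: rule.action,
                      agent: ev.agent, ts: ev.ts, applied: rule.mode === "armed" };
      if (entry.applied) this.apply(rule.action, ev.agent, entry);
      this.log.push(entry);
      fired.push(entry);
    }
    hist.push(ev);
    this.history.set(ev.agent, hist.filter(h => ev.ts - h.ts <= WINDOW_MS));
    return fired;
  }

  apply(action, agent, entry) {
    if (action === "quarantine_agent") this.quarantined.add(agent);
    else if (action === "revoke_keys") this.revoked.add(agent);
    else if (action === "alert") this.alerts.push(entry);
    else throw new Error(`unknown action ${action}`);
  }

  isQuarantined(agent) { return this.quarantined.has(agent); }
}

// Constructed rules: the exfiltration rule is run once in monitor mode, once armed.
const EXFIL_RULE = { name: "exfiltration", pattern: exfiltrationPattern, action: "quarantine_agent" };
const ALERT_RULE = { name: "three-denies", mode: "armed", pattern: repeatedDenies(3), action: "alert" };

// Constructed sequence: a PII read, then an outbound send one minute later.
const EVENTS = [
  { ts: 0,      agent: "support-bot", tool: "db.query",   verdict: "allow", categories: ["pii"] },
  { ts: 60_000, agent: "support-bot", tool: "gmail.send", verdict: "deny",  categories: ["egress"] },
];

function runScenario(mode) {
  const engine = new ResponseEngine([{ ...EXFIL_RULE, mode }, ALERT_RULE]);
  const firings = EVENTS.flatMap(ev => engine.observe(ev));
  return { firings, quarantined: engine.isQuarantined("support-bot"), alerts: engine.alerts.length };
}
```

Neither call in `EVENTS` looks like exfiltration on its own, which is the point of the correlation. `runScenario("monitor")` records the firing with `applied: false` and leaves the agent untouched; `runScenario("armed")` records the same firing and quarantines it.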

Threat intelligence

Your agents learn from everyone's.

Opt in to a cross-tenant feed of card verdicts, protected by a k-anonymity floor. When enough organizations have flagged a host, that shared judgment raises your local risk. It fails open, so the feed never blocks you on its own. On Team and above, a model returns a threat class, and behavioral baselines flag a new tool, a risk spike, or off-hours activity.

tools.shadyvendor.io · 12 organizations flagged this host · risk 35 → 90
k ≥ 5 · anonymity floor before anything is shared
fail-open · intelligence raises risk, never blocks alone

The other direction

Now point it the other way.

Outbound, AxioRank governs the agents you run. Inbound, it verifies the agents that visit you, cryptographically, not by user-agent string. Same engine, both directions.

  1. Request. An AI agent hits a property guarded by the AxioRank middleware. (axioGuard({ siteKey }))
  2. Identify. Match the visitor against the known-agent directory: GPTBot, ClaudeBot, Perplexity, and more. (20+ known agents)
  3. Verify. Check the Web Bot Auth signature cryptographically; fall back to reverse-DNS and user-agent. (RFC 9421 · Ed25519)
  4. Score. Run the same detectors on the request for scraping, enumeration, and probe signals. (risk 0–100)
  5. Decide. Inbound policies resolve under block-overrides to one verdict. (allow · challenge · block)

Verdicts: allow verified good actors · challenge unknown visitors · block spoofed identities

Interoperate

Speaks 44 agent-interop protocols.

MCP, A2A, OAuth protected-resource, x402, AP2, DID, ANS, NANDA AgentFacts, W3C Verifiable Credentials, Visa TAP and more, across six planes. Verify identities and capabilities across the agent ecosystem. The coverage matrix is machine-readable.

SDK

Drop it in. One line guards a call.

No agent rewrite. Route tool calls through the gateway and let policy decide. Resolve the decision yourself with toolCall(), or let enforce() throw on a deny.

agent.ts
import { AxioRank, AxioRankDeniedError } from "@axiorank/sdk";

const axio = new AxioRank({ apiKey: process.env.AXIORANK_KEY! });

try {
  // One line guards the call. Throws if the gateway denies it.
  await axio.enforce({
    tool: "aws.s3.deleteBucket",
    arguments: { bucket: "prod-backups", force: true },
  });
  await s3.deleteBucket("prod-backups"); // only runs when allowed; s3 is your own AWS client, not part of the SDK
} catch (err) {
  if (err instanceof AxioRankDeniedError) {
    console.error(err.result.reason); // denied by policy "deny-destructive"
  }
}

Pricing

Start free. Scale when you are ready.

Every plan includes Zero-Trust identity, the gateway, policy, content inspection, monitor-mode response, and full protocol coverage. Paid plans add anomaly detection, armed response, more volume, and model threat intel.

Put every agent behind Zero-Trust.

Give your agents a short-lived identity, run every tool call through the gateway, and keep a redacted record of it all in under 100 ms.