77 rules. Zero config. Open source.
Stop your AI agents from breaking things.
AI coding agents can run rm -rf /, leak your credentials, push to production. Vectimus intercepts every action and blocks the dangerous ones before they execute.
Your developers get guardrails that don't slow them down. Your security team gets audit logs and compliance evidence without chasing tickets.
Apache 2.0. No telemetry. No account required.
This is already happening
AI agents with unrestricted tool access have caused real damage. These incidents motivated every policy in the base pack.
Clinejection
February 2026 · 4,000+ developers compromised
A malicious MCP server instructed AI coding agents to publish backdoored npm packages. No governance layer existed between the agent's intent and npm publish.
Terraform destroy
January 2026 · 6-hour production outage
An AI agent ran terraform destroy -auto-approve against production state. The command completed in 30 seconds, destroying databases and compute instances.
Cursor .env leak
November 2025 · AWS credentials exposed
An AI agent in Cursor read .env to 'check the config' and included AWS keys in its response context. The keys were visible in the conversation history and potentially sent to third-party logging.
drizzle-kit push
March 2026 · 60+ production tables dropped
An AI agent ran drizzle-kit push against a production database on Railway. The ORM bypassed interactive confirmation, dropping 60+ tables in seconds.
See it in action
An agent calls a tool. Vectimus intercepts the call, evaluates it against Cedar policies and blocks it before anything happens.
Two commands. Immediate guardrails.
77 rules active out of the box. Disable or override per project when you need to.
What you get
A safety net between the agent and the shell. Deterministic. Auditable. Yours.
Try before you enforce
Observe mode logs what would be blocked without stopping anything. Review the audit log, tune your policies, then flip the switch when you are ready.
Lock down MCP servers
Every MCP tool call is blocked by default. Approve servers one by one. Input inspection catches credential leaks and CI/CD tampering on approved servers.
Override per project
Disable rules for specific repos without weakening global policy. Overrides are stored outside the repo, so a malicious PR cannot turn off your safety net.
Every rule has a story
Each policy links to a real incident: Clinejection, Terraform destroy, Amazon Q exfiltration. These are not theoretical risks. They happened.
Under 50ms. Locally.
Evaluates with cedarpy on your machine. No network, no daemon, no latency. Or point clients at a shared server for team-wide policies.
Nothing leaves your machine
Zero telemetry. All evaluation happens locally. Audit logs stay on disk. The optional server is self-hosted on your infrastructure.
Policies backed by real incidents
Every built-in rule references the incident that made it necessary.
Works with your tools
vectimus init detects installed AI coding tools and configures hooks automatically.
Claude Code
Pre-tool-use hooks via settings.json. Vectimus intercepts every Bash, Write, Edit, MCP and WebFetch call.
Full support
Cursor
Shell and MCP hooks via .cursor/hooks.json. File read and write events intercepted at the editor level.
Full support
GitHub Copilot
VS Code chat participant hooks via tasks.json. Shell commands and MCP tool calls governed.
Full support
9 of 10 OWASP Agentic categories. Covered.
Vectimus ships with two policy packs mapped to the OWASP Top 10 for Agentic Applications. 29 rules across 9 categories. The one we don't cover needs a different architecture entirely.
Active rules
Exfiltration patterns intercepted
Destructive commands blocked
Credential access detected
Lockfile and registry tampering blocked
Reverse shells and eval patterns caught
Writes to agent config files blocked
Parameter checks locally. Session tracking detects message storms and privilege delegation in server mode.
Parameter checks locally. Session tracking detects spawn floods and action rate spikes in server mode.
Log tampering and persistence blocked
Requires output-layer controls
Requires inspecting agent output, not tool calls
Compliance evidence built in
Every rule maps to real compliance controls via @controls annotations.
Every decision is logged. If you ever need the evidence, it's already there.
SOC 2
6 criteria: Logical access, boundary protection, change management
NIST AI RMF
3 functions: Behaviour monitoring, risk mitigation, third-party risk
EU AI Act
5 articles: Record-keeping, transparency, human oversight, cybersecurity
Vectimus is the enforcement and audit layer for AI agent actions. It does not replace a full compliance programme. Each mapping is transparent about what is and is not covered.
How it works
Every tool call passes through Vectimus before execution. Run locally for zero-setup individual use, or point your clients at a shared server for team-wide policy enforcement.
- Stateless. No network. Under 50ms.
- Parameter-level Cedar policy checks
- Works offline, nothing to configure
- Deploy remotely. Developers' clients forward hooks via HTTPS.
- Stateful session tracking detects spawn floods and rate spikes
- Shared policies and audit log across the whole team
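To make the local flow concrete (intercept a tool call, evaluate it, block or log it), here is an added example of a minimal pre-tool-use hook written for this page. It is not Vectimus code and does not use Cedar or cedarpy; it hard-codes a few rules in plain Python that mirror the incidents above (recursive-force rm, terraform destroy with -auto-approve, drizzle-kit push, credential-file reads, MCP servers not on an approved list) and shows observe mode versus enforce mode plus a JSON-lines audit record. The input shape (`tool_name` / `tool_input`), the `mcp__<server>__<tool>` naming, the exit-code-2-blocks convention and the audit log path are assumptions about a Claude-Code-style hook, and the rule names and approved-server list are constructed for the example.

```python
"""Deny-by-default tool-call guard: added example, not Vectimus code."""
import json
import re
import shlex
import sys
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed operator-approved MCP servers; every other server is denied.
APPROVED_MCP_SERVERS = {"filesystem"}
# Assumed patterns for files that usually hold credentials.
CREDENTIAL_FILE = re.compile(
    r"(^|/)(\.env(\.[\w.-]+)?|id_rsa|id_ed25519|\.aws/credentials)$"
)
LAUNCHERS = ("sudo", "npx", "pnpm")   # stripped so the real command is inspected


@dataclass
class Decision:
    allow: bool            # final verdict after the mode is applied
    rule: Optional[str]    # rule that matched, if any
    mode: str              # "enforce" or "observe"


def _shell_segments(command: str) -> List[List[str]]:
    """Split on ; && || | and tokenise each part, so chained commands are seen."""
    segments = []
    for part in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command):
        try:
            segments.append(shlex.split(part))
        except ValueError:            # unbalanced quotes: fall back to whitespace split
            segments.append(part.split())
    return segments


def match_shell_rule(command: str) -> Optional[str]:
    """Return the first destructive-command rule that matches, else None."""
    for toks in _shell_segments(command):
        while toks and toks[0] in LAUNCHERS:
            toks = toks[1:]
        if not toks:
            continue
        if toks[0] == "rm":
            short = {c for t in toks[1:] if t.startswith("-") and not t.startswith("--") for c in t[1:]}
            longs = {t for t in toks[1:] if t.startswith("--")}
            recursive = bool(short & {"r", "R"}) or "--recursive" in longs
            force = "f" in short or "--force" in longs
            if recursive and force:
                return "rm-recursive-force"
        if toks[0] == "terraform" and "destroy" in toks and "-auto-approve" in toks:
            return "terraform-destroy-auto-approve"
        if toks[0] == "drizzle-kit" and "push" in toks[1:]:
            return "drizzle-kit-push"
    return None


def evaluate(call: dict, mode: str = "enforce") -> Decision:
    """Evaluate one tool call. In observe mode a match is recorded but not blocked."""
    tool = call.get("tool_name", "")
    args = call.get("tool_input") or {}
    rule = None
    if tool == "Bash":
        rule = match_shell_rule(args.get("command", ""))
    elif tool in ("Read", "Write", "Edit"):
        if CREDENTIAL_FILE.search(args.get("file_path", "")):
            rule = "credential-file-access"
    elif tool.startswith("mcp__"):
        # Assumed naming: mcp__<server>__<tool>; unapproved servers are denied by default.
        server = tool.split("__")[1] if tool.count("__") >= 2 else ""
        if server not in APPROVED_MCP_SERVERS:
            rule = "mcp-server-not-approved"
    blocked = rule is not None and mode == "enforce"
    return Decision(allow=not blocked, rule=rule, mode=mode)


def audit_record(call: dict, decision: Decision) -> str:
    """One JSON line per decision; observe mode still records what would be denied."""
    return json.dumps({
        "ts": time.time(),
        "tool": call.get("tool_name"),
        "rule": decision.rule,
        "action": "allow" if decision.allow else "deny",
        "would_deny": decision.rule is not None,
        "mode": decision.mode,
    })


def main() -> int:
    mode = "observe" if "--observe" in sys.argv else "enforce"
    call = json.load(sys.stdin)                  # hook receives the call as JSON on stdin (assumed)
    decision = evaluate(call, mode)
    with open("tool-call-audit.jsonl", "a") as fh:   # assumed local audit log path
        fh.write(audit_record(call, decision) + "\n")
    if not decision.allow:
        print(f"blocked by rule {decision.rule}", file=sys.stderr)
        return 2   # assumed convention: exit 2 blocks the call and returns stderr to the agent
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python guard.py --observe` behind the hook first, read the audit lines to see what would have been denied, then drop the flag to enforce. The point of the token-based parsing rather than a bare regex is that `sudo rm -fr build` and `cat x && rm -rf /` are both caught while `rm -r tmp` is not; a real policy engine such as Cedar expresses the same parameter checks declaratively, which is what the page's "parameter-level Cedar policy checks" refers to.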
Start governing your AI agents today
Two commands. Under a minute. No account required.
Need team-wide policy enforcement?
The enterprise tier adds shared server mode, centralised audit, session tracking, SSO and approval workflows. Drop your email. We'll reach out when the enterprise tier opens.