IronCurtain: The Open-Source Shield Against Rogue AI Agents
Autonomous AI agents can execute shell commands, modify files, and access APIs — but what stops them from going rogue? IronCurtain is a new open-source security layer that intercepts every agent action before execution, preventing prompt injection attacks and agentic drift.
The Problem: Unchecked AI Agents
AI agents like Claude Code, custom MCP-powered tools, and LLM-based automation are increasingly autonomous. They read files, run commands, call APIs, and make decisions. This power creates a new attack surface:
- Prompt injection: Malicious input hijacks the agent to exfiltrate data, steal credentials, or modify code
- Agentic drift: Over extended sessions, agents gradually deviate from user intent
- Credential exposure: Agents with broad tool access can leak OAuth tokens, API keys, or environment variables
There's currently no standardized security layer between AI agents and system resources. IronCurtain fills that gap.
What Is IronCurtain?
Built by veteran security engineer Niels Provos, IronCurtain is an open-source security framework that acts as a trusted proxy between AI agents and their tools. Every tool call is intercepted, evaluated against security policies, and either allowed, denied, or escalated to human review.
GitHub: github.com/provos/ironcurtain
Four-Layer Isolation Architecture
IronCurtain implements defense in depth through four isolation layers:
| Layer | Component | Function |
|---|---|---|
| 1 | Agent Layer | TypeScript code runs in V8 isolated VM (sandboxed) |
| 2 | Policy Engine | Trusted MCP proxy evaluates every tool-call request |
| 3 | Verdict System | Classifies requests: ALLOW / DENY / ESCALATE |
| 4 | Execution Layer | Standard MCP servers handle filesystem, git, external tools |
Every agent — whether a direct LLM session or Claude Code in a Docker container — goes through the same pipeline.
Constitution-Based Policy Compilation
Instead of writing security rules in code, users define a "constitution" — guiding principles in plain English:
"The agent may only read files in /project/src. It must never access .env files, credentials, or modify its own configuration."
The compilation pipeline:
- Write — Define security principles in natural language
- Compile — LLM translates English into typed security rules with verified primitives
- Test — Scenario generator identifies policy gaps
- Verify — Validator confirms rules match original intent
- Refine — Iterative loop until alignment is confirmed
What IronCurtain Blocks
- Filesystem boundary violations — Access outside allowed paths
- Credential theft — OAuth tokens, API keys, service account secrets
-
Environment variable exfiltration — Blocks
env,printenv, and similar - Self-modification — Cannot alter its own policy files, audit logs, or configuration
- Unknown tools — Rejects any tool call not explicitly registered
Integration Flow
User Prompt → AI Agent → IronCurtain Proxy → Policy Check
├── ALLOW → MCP Server → Execute
├── DENY → Block + Audit Log
└── ESCALATE → Human Review → Approve/Deny
MITRE ATT&CK Relevance
| Technique | AI Agent Context |
|---|---|
| T1059 - Command Interpreter | Agent executing unauthorized shell commands |
| T1552 - Unsecured Credentials | Credential exfiltration via compromised agent |
| T1005 - Data from Local System | Unauthorized file access through agent tools |
| T1565 - Data Manipulation | Agent modifying files or code without authorization |
Prompt injection is becoming the new SQLi — untrusted input leading to unauthorized actions. Just as WAFs protect web applications, IronCurtain protects AI agent operations.
Why This Matters
As AI agents become autonomous workers handling real infrastructure, security frameworks like IronCurtain become essential. The MCP protocol is seeing rapid adoption, and without a security layer between agents and tools, every MCP server is a potential attack surface.
IronCurtain's open-source model means community-driven security evolution — exactly what this emerging threat landscape needs.
Need help assessing your exposure? Apply to our Beta Tester Program at theinsider-x.com — limited slots available.
Sources: HelpNetSecurity (2026-02-27), Niels Provos, github.com/provos/ironcurtain
Top comments (0)