You locked down your CI/CD pipeline. You hardened your cloud IAM. You put guardrails around every account in your organization.
Then your developers installed AI coding agents, and handed them the keys to everything.
Claude Code, Cursor, Copilot, Aider, Gemini, Codex. They run on developer laptops with the developer's full access. They read AWS keys, GitHub tokens, and database passwords. They run shell commands. They call MCP servers that reach production. And they act on the developer's behalf in seconds, with no human in the loop and no record of what they did.
Every credential. Every API. Every database. Who is watching what these agents do? And who will stop them when they overreach?
That's why we built Guardian.
AI EDR: an inspection layer for coding agents
AI coding agents have become part of the trusted compute base on developer machines. But unlike everything else running there (the OS, the browser, the endpoint security agent), they've had no inspection layer between them and the systems they can reach.
Guardian fills that gap. It plays the same role for coding agents that EDR plays for endpoints: discover what's running, watch what it does, and step in when it crosses a line. A lightweight daemon on each developer machine wires into the agents your team already uses, inspects every prompt, tool call, and shell command in real time, and rolls the whole fleet up to one console for your security team. No proxy. No sandbox. No code changes.
What agents are running?
You can't govern what you can't see. Guardian auto-discovers every AI coding agent across your fleet: Claude Code, Cursor, Copilot, Aider, Gemini, Codex. It maps the devices they run on and the MCP servers and plugins they connect to.
This is shadow IT for the AI era. Teams know about the Claude Code and Cursor installs they rolled out. They don't know about the Codex CLI on one machine, the Copilot CLI on another, or the half-dozen extensions quietly talking to an LLM. Guardian finds them, groups them by type, and shows you exactly which agents Guardian's hooks already cover, and which aren't covered yet.
Every machine reports up to one place. Your security team sees the entire picture without touching a single laptop: credential posture, device and agent inventory, live activity, threats, and policy drift across the fleet.
One console for the whole fleet: inventory, live activity, blocks, and the allow/warn/block mix at a glance
What can they reach?
Knowing an agent exists is only half the story. The other half is its blast radius.
Guardian inventories every credential each agent can use, from AWS keys and GitHub tokens to database passwords and SSH keys, then maps those credentials to the projects, resources, and environments they unlock. The question stops being abstract: if this machine is compromised, or this project leaks, exactly what is exposed?
The answer surprises most teams. A single developer laptop routinely holds dozens of credentials, accumulated over months and reachable by any agent on the machine.
The credential inventory across the fleet: the blast radius behind every agent
Credential values never leave the machine. Guardian keeps a safe reference and a one-way fingerprint, never the secret itself. You get the inventory and the blast radius without creating a new place for secrets to leak.
What are they doing?
Guardian goes deeper here than anything else in your stack. It's the first thing people ask to see in a demo.
Guardian records every agent session and stitches every prompt, tool call, command, file touch, and credential use into a single timeline, alongside the decision it made about each one. You can watch a session live, or replay it after the fact. Nothing happens without a trail.
Replay isn't just a transcript. Guardian pins the moments that matter: where it warned, where it blocked, where an agent reached for a sensitive file. A fifteen-minute agent run collapses into the handful of steps worth reviewing.
Replay any session: turns, tool calls, credentials used, and the warnings Guardian raised, pinned to the moments they happened
Because Guardian sees the whole sequence, it catches what no single step reveals. Read an .env file, base64-encode it, curl it to an external host. Each call looks ordinary on its own, but together they're a known attack pattern. Guardian raises a threat when a session matches one, and notifies your security team before it spreads.
How do you control it?
Visibility is the foundation. Control is the point.
Guardian runs as native hooks inside each agent's own config, so it can act on a prompt or tool call before it runs. No proxy, no code changes. You set the rules; Guardian enforces them on every machine, in milliseconds, even offline.
Most tools that watch AI agents stop at the prompt. They scan what the agent was asked to do, maybe flag some PII, and move on. Guardian goes a layer deeper. It parses the actual command, tool call, and script about to run, down to the Bash, the Python, and the SQL. From that it pulls out what's really happening: which credential is in play, which resource is being touched, whether the operation reads or writes, and whether the target is production or development.
That depth is what makes precise policy possible. A rule doesn't just match "a database query." It matches a write to a production database with a specific credential. So a single rule can let an agent read freely, warn it on a write to development, and block that same write to production. Guardian already knows the difference.
Rules block risky actions, warn on others, or allow the rest, scoped per credential type, per agent, per project, and per environment. Guardian monitors first and allows by default, so blocking is always a deliberate choice you make.
How Guardian deconstructs one command. Parse the call, extract the resource, operation, and credential, classify the environment, then decide. The same write is blocked on production and allowed on scratch.
Decision rules that block, warn, or allow, scoped by environment, resource, agent, and operation
When a rule fires, the decision lands right where the developer is already working, inside the agent's own session. The agent gets a clear reason, the developer keeps moving, and Guardian records the whole exchange for your audit trail. Guardian itself is SOC 2 Type II compliant, so that trail lands somewhere your auditors already trust.
What am I spending?
Agents don't just touch your systems. They run up a bill. Every turn burns tokens, and with a dozen projects in flight the AI budget slips out of view fast. Guardian meters agent spend per turn and breaks it down by project, model, and developer, so you can finally see where it all goes.
Agent spend across the fleet, broken down by model, project, and developer
Built on a decade of going faster, safely
For the last decade, Turbot has helped enterprises Go Faster. Safely. Our runtime guardrails and preventive controls let teams move fast in the cloud without losing control. Guardian extends that same idea to a new frontier: the AI agents now writing code, running commands, and touching production from every developer's laptop.
It's clearly a different world from cloud governance. But the philosophy is the same one we've always had: give teams the freedom to move fast, with guardrails that keep them safe.
Get early access
Guardian is in early preview, and this is a fast-moving space. We're building it hand-in-hand with security teams who want to get ahead of AI agent risk.
If your developers are vibe coding (spoiler: they are), let's talk...
Request early access to Guardian → or talk to us about what you're seeing in your own environment.