-
-
Notifications
You must be signed in to change notification settings - Fork 30
Home
A self-defending security agent for Linux servers, and a safety layer for the AI agents running on them.
InnerWarden does two jobs:
- It defends the host. It watches the machine from firmware to userspace with eBPF, recognises attacks (reverse shells, credential theft, privilege escalation, ransomware, C2, container escape, and more), and can block or contain them on its own. Think of it as an EDR you do not need a SOC team to operate.
- It guards your AI agents. When an AI agent (Claude Code, Cursor, an autonomous runner) can touch a real shell, InnerWarden sits outside the agent and screens what it tries to do, before it does it. If the agent is tricked by a poisoned file or web page, the safety layer is not inside the thing being tricked.
One install, two Rust services (a sensor that watches and an agent that decides), and the innerwarden CLI. No cloud control plane. Your data and your audit trail stay on the box.
curl -fsSL https://innerwarden.com/install | sudo bashIt installs in observe-only, dry-run mode. It watches and explains first; you decide when it is allowed to block.
| You want to... | Start here |
|---|---|
| Understand what it is and get it running | Install and First Run |
| Run it day to day (status, tuning, responding) | Everyday Operations · Responding to Incidents |
| Put a guardrail around an AI agent | AI Agent Guardrail · Connect Your Agent |
| Know how it works under the hood | Architecture · What It Detects |
| Extend it with your own detection or response | Write a Module |
| Review it for security or compliance | Trust and Safety Invariants · ISO 27001 Mapping · Privacy and GDPR |
New here? Read Install and First Run, then come back and pick a path.
You do not need to memorise these. They are here so you know the depth is real.
- 45 eBPF programs loaded in the kernel (process, network, file, and firmware-level hooks)
- 30 collectors feeding 82 detectors
- 69 cross-layer correlation rules that stitch single events into attack chains
- 90+ MITRE ATT&CK techniques across 12 tactics
- 208 Sigma community rules + 9 built-in, plus a YARA scanner and an on-device anomaly model
- JA3/JA4 TLS fingerprinting, behavioural attacker DNA, and a local hash-chained audit trail
License: Apache-2.0 (the shield DDoS module is BUSL-1.1; the Execution Gate and DNS Guard arming tools are a separate paid Active Defence layer).
In plain terms, not spec numbers:
-
InnerWarden can now be an MCP server for your AI agent. Run
innerwarden agent mcp-serveand your agent can ask, before it acts: "is this command safe?", "is this IP a known threat?", "what is the host's threat level?" See AI Agent Guardrail. - Install and configure by handing it to a coding agent. A new on-box guide teaches Claude Code (or any coding agent) how to install InnerWarden, adapt it to the machine, and safely learn what is normal, without blind-trusting whatever is already running. See Connect Your Agent.
- Recent releases also added: a real Telegram control surface (approve and reverse actions from your phone), alerts that name which server they came from and explain what happened in plain language, and protection so InnerWarden does not accidentally cut off a legitimate AI agent it is meant to guard.
Full history: CHANGELOG.
- Install / source: github.com/InnerWarden/innerwarden
- Live attack feed: innerwarden.com/live
- For AI coding agents: innerwarden.com/agents.md · llms.txt
- Report a vulnerability: Vulnerability Disclosure