We secure your AI,
SixWays to Sunday.

Three ways we shield you. Three ways we strike back.

SixWays SixWays
Shield
Monitor
Contain
Harden
Sword
Intercept
Govern
Sever
Governance Console 247 agents governed
Tool Calls Today
1,842
Auto-Approved
1,791
Human Approvals
33
Denied
18
Governance Decisions
09:36:28 MCP Proxy Claude Code: tools/call "bash" with rm -rf. Destructive action requires approval
Pending
09:36:21 Risk Profile User jsmith escalated T1 to T2. Score: 0 to 25 after sandbox violation Escalated
09:36:14 MCP Proxy Cursor: tools/call "git push --force" on main branch. Denied by org policy
Denied
09:35:58 MCP Proxy Copilot: tools/call "npm install lodash" approved. Package in allowlist
Approved
09:35:42 Policy Push Updated Claude Code managed-settings.json on 12 endpoints. SHA-256 verified Synced
09:35:18 MCP Proxy Gemini CLI: tools/call "kubectl apply" requires human approval. Approved by admin
Approved
3-Tier ML Pipeline All tiers operational
T1 Kinetic
12,847 scans <5ms
T2 Semantic
342 escalated ~50ms
T3 Cognitive
23 flagged ~200ms
Recent Detections
09:36:14 T2 Semantic Prompt injection via vector similarity (0.91). PII redacted from response stream. Redacted
09:36:18 T1 Kinetic Egress: AWS credential pattern detected in Cursor response via Aho-Corasick. Redacted
09:35:41 T3 Cognitive Shadow audit flagged social engineering intent. User risk score escalated. Escalated
09:35:02 T1 Kinetic Slopsquatting: unknown package "reaqt-dom" not in allowlist. Blocked
09:34:47 T1 Kinetic Egress: Private key pattern (-----BEGIN RSA) detected in Copilot response. Redacted
09:34:12 T2 Semantic Presidio NER: 3 email addresses and 1 SSN detected in agent output. Confidence 0.94. Redacted
Container Sandboxes 34 active / 84 total endpoints
Active Containers
34
eBPF Sidecars
34
Syscalls/sec
8,421
Violations Today
7
Active Sandboxes
S
sandbox-0a4f Claude Code
Wolfi devcontainer / seccomp: 214 allowed / uptime 47m
Monitored
CPU
42%
MEM
1.2G
NET
18%
S
sandbox-1b3e Cursor
Wolfi node / seccomp: 214 allowed / uptime 23m
Monitored
CPU
28%
MEM
820M
NET
8%
S
sandbox-2c5d Aider
Wolfi python / seccomp: 214 allowed / uptime 8m
Violation
CPU
91%
MEM
640M
NET
67%
Policy Management Enforcement mode: Active
Active Policies
14
Guardrail Rules
86
Agent Configs
5
Last Push
3m ago
Policy Hierarchy
O
Organization: Default Policy
Block secret file reads / sandbox code execution / redact PII
Enforcing
G
Group: Engineering
Allow npm/pip registries / block pastebin.com / sandbox all CLI agents
Enforcing
U
User Override: jsmith
Elevated access to staging APIs / temporary exception expires in 4h
Override
E
Endpoint: dev-laptop-3d6e
Container sandbox required / block host-level execution / Gemini CLI restricted
Enforcing
Session #4821 - jsmith / Claude Code
▶ Play ❚❚ 2x 47:12 / 47:38
Process Lineage
claude_code PID 2841
python3 PID 3412
bash PID 4519
git PID 5231
curl PID 6100
System Activity Timeline 10:00:00 - 10:00:50
10:00:32
:00:10:20:30:40:50
Processes
claude_code
python3 (3412)
bash (4519)
🌐 Network
TCP api.anthropic.com
TCP github.com
📁 Filesystem
Read src/main.rs
Write config.json
Read ~/.ssh/id_rsa
Input
Type 'import subprocess...'
Type 'chmod +x run.sh'
Event Details
bash (PID 4519) | 10:00:28
Process ID
4519
Parent
python3 (3412)
Command
/bin/bash -c "chmod +x scripts/run.sh"
FS Write
scripts/run.sh
Network
TCP to github.com
eBPF Verdict
BLOCKED
Reason
Unauthorized file read: ~/.ssh/id_rsa
Incident Response No active incidents
Agents Terminated
3
Sessions Severed
5
Credentials Revoked
4
Avg Response Time
1.2s
Recent Sever Events
09:36:12 Process Kill Claude Code (sandbox-0a4f) terminated. Unauthorized read on ~/.ssh/id_rsa Severed
09:35:41 Session Revoke Cursor (dev-laptop-2c5d) session invalidated. Behavioral anomaly score exceeded threshold Severed
09:34:18 Container Freeze sandbox-2c5d frozen and queued for forensic snapshot. Outbound exfiltration attempt detected Frozen
09:33:02 Credential Revoke API token for jsmith revoked across 3 endpoints. Telemetry submitted to server Revoked
08:47:55 Process Kill Aider (sandbox-3f8a) terminated. Attempted write to /etc/hosts Severed
Monitor. See everything your AI agents do. Replay any session like a DVR with synchronized process lineage, network activity, filesystem access, and chat transcript. Scrub to any point, bookmark key moments, and fast-forward at up to 8x speed. Built for incident response, compliance audits, and debugging.

SixWays monitors, contains, and governs AI coding agents on your developers' machines.

We secure your AI, six ways.

Shield

Monitor

See everything.

  • Agent reads ~/.ssh/id_rsa? You see it instantly
  • Agent says it edited src/main.rs but the endpoint saw no write. Discrepancy flagged
  • Behavioral profiles for 14 agents. We know what normal looks like for each one

Contain

Isolate the blast radius.

  • .env, .ssh/, .aws/ excluded at the filesystem level. Never enter the sandbox
  • Seccomp default-deny blocks unauthorized syscalls before they execute
  • Agent works normally inside the container. Doesn't know it's contained

Harden

Lock down before runtime.

  • Policies written directly into Claude Code, Copilot, Cursor, and 11 more agent config files
  • Four-level hierarchy: org, group, user, endpoint. Deny always wins
  • Baselines define what each agent should do. Anything outside that is already a violation
Sword

Intercept

Catch threats in-flight.

  • Prompt injection detected via vector similarity. Blocked in under 5ms
  • PII like SSNs, emails, and credit cards redacted from agent responses in real time
  • Slopsquatting: reaqt-dom not in allowlist. Blocked before install

Govern

Enforce policy in real time.

  • Destructive tool call? Human-in-the-loop approval required before execution
  • Every MCP tool call evaluated against org policy. The agent is told "no"
  • Full audit chain with cryptographic signatures for compliance evidence

Sever

Kill it, report it, done.

  • Agent telemetry stops but the process is still alive? Logging evasion detected. Severed
  • Endpoint sees network to transfer.sh but agent never reported it. Unreported exfiltration. Severed
  • Full incident telemetry fired to the server. Encrypted, tamper-evident, auditable

We've open sourced the first of six ways. Want to know when the rest drop?

Works where you work.

The first of six ways is now open source.
Sandboxed IDE, sandboxed CLI, or right in your terminal. macOS and Windows.

Desktop IDE
Desktop CLI
Terminal TUI
Server Dashboard
SixWays Endpoint desktop application monitoring AI agents and file system events
SixWays Endpoint CLI monitor embedded in the desktop app, showing a Claude Code session in a container sandbox
SixWays Endpoint terminal TUI with real-time network, process, and filesystem activity bars
SixWays Server policy guardrails configuration

SixWays Endpoint

Desktop application for monitoring every AI agent on the device. Inspect sandbox activity, review filesystem events, and see real-time telemetry as it happens.