AIronClaw is the firewall your agents talk through. Every call, every tool argument, every response is inspected by a three-layer detection stack and a policy engine you can audit. Sensitive material is sealed at the application layer with AES-256-GCM, and the whole stack runs on EU-only infrastructure.
Inbound traffic is terminated over TLS at the edge. Sensitive fields — upstream MCP tokens, LLM provider keys, TOTP secrets and recovery codes — are sealed with AES-256-GCM at the application layer before they reach the control plane. Plaintext only exists for the lifetime of the request that needs it.
TLS is terminated at the edge proxy in front of the gateway. We recommend TLS 1.3 with AEAD ciphers and HSTS for self-hosted deployments; defaults are documented in the deployment guide.
AES-256-GCM on every sensitive field at the application layer: MCP upstream tokens, LLM provider keys, TOTP secrets and recovery codes. The master key is loaded from the runtime environment and never persisted alongside the ciphertext.
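As an added illustration of the field-level sealing described above (example code, not AIronClaw's implementation): AES-256-GCM from Go's standard library, with the master key read from an environment variable and the owning record and field name bound into the ciphertext as associated data. The variable name FIELD_MASTER_KEY, the record/field AAD layout and the "v1." prefix are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// Added illustration, not AIronClaw's code. The env var name, the
// record/field AAD layout and the "v1." prefix are assumptions.

const keyEnv = "FIELD_MASTER_KEY" // base64 of exactly 32 random bytes

// LoadMasterKey reads the key from the runtime environment only; nothing
// in this file ever writes it next to the ciphertext it protects.
func LoadMasterKey() ([]byte, error) {
	raw := os.Getenv(keyEnv)
	if raw == "" {
		return nil, errors.New(keyEnv + " is not set")
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil || len(key) != 32 {
		return nil, errors.New(keyEnv + " must decode to 32 bytes")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // aes.NewCipher would silently accept 16 or 24 bytes too
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to the row and column it belongs to, so a sealed
// TOTP secret cannot be swapped into another user's row or another field.
func aad(record, field string) []byte {
	return []byte(record + "\x00" + field)
}

// Seal returns "v1." + base64(nonce || ciphertext || tag). A fresh random
// 96-bit nonce per call is mandatory: nonce reuse under one GCM key leaks
// plaintext XORs and lets an attacker forge tags.
func Seal(key []byte, record, field string, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, aad(record, field))
	return "v1." + base64.StdEncoding.EncodeToString(ct), nil
}

// Open verifies the tag, which covers nonce, ciphertext and AAD, before
// returning anything; a flipped bit or a wrong record/field fails here.
func Open(key []byte, record, field, sealed string) ([]byte, error) {
	if len(sealed) < 3 || sealed[:3] != "v1." {
		return nil, errors.New("unknown ciphertext format")
	}
	raw, err := base64.StdEncoding.DecodeString(sealed[3:])
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], aad(record, field))
}

func main() {
	key, err := LoadMasterKey()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	sealed, _ := Seal(key, "user:17", "totp_secret", []byte("JBSWY3DPEHPK3PXP"))
	fmt.Println(sealed)
}
```

Binding record and field into the AAD is what stops a sealed value from being moved to another user's row or another column: the tag check fails before any plaintext is returned. Random 96-bit nonces also cap how many values one key should seal, which is why the version prefix leaves room for key rotation.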
Logs never store decrypted secrets. Built-in detectors strip PII, payment data and provider credentials from payloads before anything reaches the audit pipeline; only redacted text, verdicts and metadata are retained.
Every prompt and response runs through a fixed pipeline. Pattern detectors go first and catch what regex can catch: PII, payment data, provider credentials, known prompt-injection signatures. They are fast, deterministic, and free, since no model call is involved.
When a pattern detector returns only a soft hit, an LLM-as-judge takes over for semantic classification: prompt-injection intent, jailbreak attempts, exfiltration framing. Verdicts are cached per payload, so an identical payload never pays for a second judge call.
Whatever survives the first two layers is filtered by the policy layer: tool-level RBAC, IP allow/deny lists, rate limits, per-proxy blocking mode. Each decision lands in an append-only event store you can audit from the dashboard.
# request trace — agent.tools/call
layer 1  patterns
    pii.luhn → no match
    prompt_injection.sigs → soft hit (0.42)
layer 2  llm_judge
    category=benign  cache:miss → 312ms
layer 3  policy
    rbac.tool_allowed("search") → ok
    ratelimit.consume(1) → 42/120
verdict  FORWARD → upstream
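The trace above, reconstructed as an added example in Go (example code, not AIronClaw's): layer 1 runs a Luhn-filtered card regex, a provider-key regex and weighted injection signatures; layer 2 calls the judge only on a soft hit and caches the verdict by payload hash; layer 3 applies tool RBAC and a per-identity rate limit. Every decision is appended to an event store that holds the redacted payload, which also illustrates the redaction-before-logging and append-only audit claims made elsewhere on this page. The rule names, signature weights, the 0.3/0.7 thresholds, the role table and the 120-call quota are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Added example, not AIronClaw's code: rule names, weights, thresholds and quota are assumptions.

type Call struct{ Identity, Role, Tool, Payload string }

// Event is the audit record: rule, verdict, identity, timestamp and the redacted payload only.
type Event struct { Rule, Verdict, Identity, Redacted string; At time.Time }

type Gateway struct {
	Judge      func(text string) string   // LLM-as-judge stand-in, returns a category
	judgeCache map[string]string          // sha256(payload) -> category
	rbac       map[string]map[string]bool // role -> tool -> allowed
	quota      map[string]int             // identity -> calls used in the window
	Events     []Event                    // append-only: nothing here updates or deletes
}

func NewGateway(judge func(string) string) *Gateway {
	return &Gateway{Judge: judge, judgeCache: map[string]string{}, quota: map[string]int{},
		rbac: map[string]map[string]bool{"analyst": {"search": true}}}
}

const rateLimit = 120 // assumed per-identity quota per window
var (
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	keyRe  = regexp.MustCompile(`\bsk-[A-Za-z0-9]{20,}\b`)
	sigs   = map[string]float64{ // injection phrase -> confidence; >=0.7 hard hit, >=0.3 soft hit
		"ignore previous instructions": 0.9, "ignore all prior": 0.9,
		"system prompt": 0.42, "you are now": 0.35,
	}
)

// luhn filters cardRe: order numbers and timestamps match the regex but fail the checksum.
func luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' { continue }
		d := int(s[i] - '0')
		if double { d *= 2; if d > 9 { d -= 9 } }
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

// Redact strips Luhn-valid card numbers and provider keys before text is logged or forwarded.
func Redact(text string) string {
	text = keyRe.ReplaceAllString(text, "[REDACTED_KEY]")
	return cardRe.ReplaceAllStringFunc(text, func(m string) string {
		if luhn(m) { return "[REDACTED_CARD]" }
		return m
	})
}

func injectionScore(text string) float64 {
	lower, best := strings.ToLower(text), 0.0
	for phrase, w := range sigs {
		if strings.Contains(lower, phrase) && w > best { best = w }
	}
	return best
}

func (g *Gateway) decide(ev Event, rule, verdict string) string {
	ev.Rule, ev.Verdict, ev.At = rule, verdict, time.Now()
	g.Events = append(g.Events, ev)
	return verdict
}

// Inspect runs the three layers and returns the verdict plus one trace line per check.
func (g *Gateway) Inspect(c Call) (string, []string) {
	redacted := Redact(c.Payload) // layer 1: patterns, cheap and deterministic
	score := injectionScore(c.Payload)
	trace := []string{fmt.Sprintf("pii.redact → changed=%t", redacted != c.Payload),
		fmt.Sprintf("prompt_injection.sigs → %.2f", score)}
	ev := Event{Identity: c.Identity, Redacted: redacted}
	if score >= 0.7 { return g.decide(ev, "prompt_injection.sigs", "BLOCK"), trace }
	if score >= 0.3 { // layer 2: only a soft hit pays for a judge call
		key := fmt.Sprintf("%x", sha256.Sum256([]byte(c.Payload)))
		cat, hit := g.judgeCache[key]
		if !hit { cat = g.Judge(c.Payload); g.judgeCache[key] = cat }
		trace = append(trace, fmt.Sprintf("llm_judge category=%s cache_hit=%t", cat, hit))
		if cat != "benign" { return g.decide(ev, "llm_judge."+cat, "BLOCK"), trace }
	}
	if !g.rbac[c.Role][c.Tool] { // layer 3: policy
		return g.decide(ev, "rbac.tool_allowed", "BLOCK"), append(trace, "rbac.tool_allowed → denied")
	}
	if g.quota[c.Identity] >= rateLimit {
		return g.decide(ev, "ratelimit", "BLOCK"), append(trace, "ratelimit.consume(1) → exhausted")
	}
	g.quota[c.Identity]++
	trace = append(trace, fmt.Sprintf("ratelimit.consume(1) → %d/%d", g.quota[c.Identity], rateLimit))
	return g.decide(ev, "policy", "FORWARD"), trace
}
```

Two design points worth noting: the judge cache is keyed on a hash of the exact payload, so a one-character change is a cache miss and a fresh classification; and the Luhn check sits behind the card regex because a 16-digit match alone would redact order numbers and timestamps, which both costs visibility and trains operators to ignore the redaction marker.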
AIronClaw is a gateway, not a data lake. We hold the minimum needed to give you visibility; you control the rest.
Inspected payloads land in the audit log redacted. Default retention is short-lived and configurable per deployment, so old conversations roll off without operator action.
Built-in detectors strip sensitive material before payloads leave the gateway, whether they're heading to a model or to the audit log.
Every policy decision — block, allow, redact, rate-limit — lands in an append-only event store with rule, verdict, identity and timestamp. Queryable from the dashboard.
Instead of a wall of vendor stickers, here are the public threat taxonomies AIronClaw covers in code today. Each item is a detector or policy you can inspect in the dashboard rules engine.
Detectors for prompt injection, sensitive information disclosure, excessive agency, and vector / embedding weaknesses — combining pattern matching with semantic LLM-as-judge classification.
Adversarial ML technique coverage for LLM prompt injection and LLM jailbreak (DAN, Crescendo, GCG-style attacks), with both signature-based and intent-based detection paths.
Guardrails for the categories called out in the NIST GenAI Profile: dangerous content (CBRN), obscene material, output safety (invisible text, malware patterns), and data exfiltration framing.
The whole stack runs on EU infrastructure — no transatlantic transfers, no surprise sub-processors. A signed DPA is available on request for European customers.
AIronClaw is engineered in Italy and runs exclusively on EU infrastructure. No transatlantic data transfers, no surprise sub-processors in other jurisdictions. Ideal for European companies with strict data-residency requirements.
We accept private vulnerability reports and treat them as a first-class priority. Please give us a reasonable window to investigate and patch before public disclosure — we'll keep you posted on triage and credit you in release notes if you'd like.