AxioRankZero-Trust for AI Agents
Open the console

Content inspection

Read every argument before the tool ever runs.

More than 31 detectors walk every string in a tool call and score what they find. Secrets are fingerprinted and masked out of the stored record, so you keep the proof without keeping the secret.

Open the consoleRead the docs

31+ detectors · 5 categories · redacted at write time

scan · argumentscritical
AWS access key idenv.AWS_ACCESS_KEY_ID
Email addresstext
Unbounded SELECT *sql
stored: secrets fingerprinted, never raw
0+
Content detectors
0
Signal categories
0
Severity tiers
0+
Critical-signal floor

The taxonomy

Five categories, one pass over the payload.

Every string leaf is checked against detectors grouped into five categories. A call can light up more than one at once.

Secret

AWS keys, tokens, private keys, and more. A live credential floors the score.

Destructive

Recursive deletes, DROP and TRUNCATE, and DELETE without a WHERE clause.

Injection

Prompt injection, SQL and shell injection, SSRF, and path traversal.

PII

Emails, Social Security numbers, phone numbers, and Luhn-checked cards.

Egress

Unbounded SELECT *, bulk export, and oversized field values.

Live inspector

Paste a tool call. Watch it get scanned.

Detection runs in your browser using the same patterns and severities as the gateway, and the score uses the production scoring function. Edit the arguments and the result updates instantly.

valid JSON · every string leaf is scanned

risk scorebase 9096
96/100
signals · 1
Secret
  • AWS access key idcritical
    secret.aws_access_key · arguments.env.AWS_ACCESS_KEY_ID
    AK…LE · len 20 · sha256:96bca470

Secrets and personal data never reach the audit log in the clear.

From signals to a score

Many signals, with diminishing returns.

Each finding carries points by severity. The most severe signal counts in full, and each one after it counts for a little less, so a pile of tiny findings cannot game the number.

Weighted by severity

Low, medium, high, and critical findings each carry their own weight before they are combined.

Diminishing returns

Signals are combined so the score climbs fast on the first real finding and levels off after.

Critical floor

A live cloud key, a private key, or a forged signature floors the score at 90 or above on its own.

One credential is enough

A single live credential pushes the risk score to at least 90, no matter how harmless the rest of the call looks.

Redaction

Proof a secret was there, without storing it.

When a detector finds a secret, the audit log keeps a fingerprint, not the value. You can prove a key leaked, see where, and confirm it was caught, while the raw secret is masked at write time and never persisted.

What your agent sent

{ "env": { "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE" } }

What gets stored

{ "env": { "AWS_ACCESS_KEY_ID": "«redacted:secret.aws_access_key»" } }
fingerprint: AK…LE · len 20 · sha256:1a2b3c4d

Every detector

Browse the catalog, scan an example.

Filter by category and severity, then run an example payload to see exactly which detectors fire.

Scan an example
Category
Severity

Showing 31 of 31 detectors

  • AWS access key id
    secret.aws_access_key
    critical
  • AWS secret access key
    secret.aws_secret_key
    critical
  • GitHub token
    secret.github_token
    critical
  • GitHub fine-grained PAT
    secret.github_pat
    critical
  • Slack token
    secret.slack_token
    critical
  • LLM provider API key
    secret.llm_key
    critical
  • Stripe live key
    secret.stripe_key
    critical
  • Private key (PEM)
    secret.private_key
    critical
  • Google API key
    secret.google_api_key
    high
  • JSON Web Token
    secret.jwt
    high
  • Bearer token
    secret.bearer
    high
  • Hardcoded credential
    secret.assignment
    medium
  • Recursive or forced delete
    destructive.rm_rf
    high
  • SQL DROP or TRUNCATE
    destructive.sql_drop
    high
  • DELETE or UPDATE without WHERE
    destructive.sql_no_where
    high
  • Resource destruction
    destructive.resource_delete
    high
  • Git force push
    destructive.force_push
    medium
  • Dangerous CLI flag
    destructive.dangerous_flag
    low
  • Prompt injection
    injection.prompt
    high
  • System-prompt override
    injection.system_override
    high
  • SQL injection
    injection.sql
    high
  • Shell or command injection
    injection.shell
    high
  • SSRF or internal endpoint
    injection.ssrf
    high
  • Path traversal
    injection.path_traversal
    medium
  • Email address
    pii.email
    medium
  • US Social Security Number
    pii.ssn
    high
  • Phone number
    pii.phone
    low
  • Credit card number
    pii.credit_card
    high
  • Unbounded SELECT *
    egress.select_star
    medium
  • Bulk data export
    egress.bulk_export
    high
  • Large field value
    egress.large_value
    low

Keep exploring

Continue across the control plane.

Agent identity

Short-lived signed tokens that verify locally and cannot be replayed.

Open

MCP gateway

Every tool call scored, policed, and logged on the hot path in under 100 ms.

Open

Policy engine

Glob and context rules with deny-overrides. One line says no production database.

Open

Automated response

Quarantine, revoke, or alert. Watch in monitor mode, then arm it when you trust it.

Open

Threat intelligence

A cross-tenant feed with a k-anonymity floor, plus model scoring and anomaly detection.

Open

Pricing

Content inspection ships on every plan, including the free one.

Open

Developers

Score a payload from the SDK or the HTTP API in one call.

Open

See what your agents are really sending.

Route a tool call through the gateway and get a scored, redacted record of every payload in under 100 milliseconds.

Open the consoleCompare plans