
78 policies. 368 rules. Zero config.

Stop your AI agents from breaking things.

AI coding agents can run rm -rf /, leak your credentials, push to production. Vectimus intercepts every action and blocks the dangerous ones before they execute.

Your developers get guardrails that don't slow them down. Your security team gets audit logs and compliance evidence without chasing tickets.

How it works
Browse all 78 policies

Apache 2.0. No telemetry. No account required.

This is already happening

AI agents with unrestricted tool access have caused real damage. These incidents motivated every policy in the base pack.

Clinejection

February 2026 · 4,000+ developers compromised

A malicious MCP server instructed AI coding agents to publish backdoored npm packages. No governance layer existed between the agent's intent and npm publish.

Terraform destroy

January 2026 · 6-hour production outage

An AI agent ran terraform destroy -auto-approve against production state. The command completed in 30 seconds, destroying databases and compute instances.

Cursor .env leak

November 2025 · AWS credentials exposed

An AI agent in Cursor read .env to 'check the config' and included AWS keys in its response context. The keys were visible in the conversation history and potentially sent to third-party logging.

drizzle-kit push

March 2026 · 60+ production tables dropped

An AI agent ran drizzle-kit push against a production database on Railway. The ORM's push command applied the schema diff with no interactive confirmation, dropping 60+ tables in seconds.

Your agents skipped permissions. Vectimus didn't.

Claude Code's --dangerously-skip-permissions, Cursor's yolo mode, Copilot's auto-run. You use them because confirmation prompts break your flow. But when you skip the agent's built-in checks, nothing sits between the model and your shell.

Vectimus does.

Every tool call still passes through 78 deterministic Cedar policies containing 368 rules, whether the agent asked for your permission or not. Credential access, destructive commands, MCP exfiltration patterns, dangerous content hidden in scripts — all caught at the hook layer before execution.

You get the speed of unrestricted mode without the risk of an unmonitored agent running rm -rf /, leaking .env files or pushing to production while nobody is watching.

Skip permissions. Not governance.

The agent's permission model is optional. Vectimus policies are not.

Hooks fire on every tool call regardless of what mode your agent is running in.

You were going to skip permissions anyway.

We'd rather you did it with 78 policies watching your back than with nothing at all.

Full audit trail, even in fast mode.

Every evaluated action is logged with the tool call, the policy result and a timestamp. When something goes wrong you can trace exactly what happened.

Two commands. Immediate guardrails.

78 policies active out of the box. Disable or override per project when you need to.

1.
$ pipx install vectimus
2.
$ vectimus init

What you get

A safety net between the agent and the shell. Deterministic. Auditable. Yours.

Try before you enforce

Observe mode logs what would be blocked without stopping anything. Review the audit log, tune your policies, then flip the switch when you are ready.

Under 5ms. Every time.

In local mode all 78 Cedar policies evaluate in under 5ms, with no network round-trip and no daemon. Or point your clients at a shared server for team-wide policies; each call is then forwarded over HTTPS.

Lock down MCP servers

Every MCP tool call is blocked by default. Approve servers one by one. Input inspection catches credential leaks and CI/CD tampering on approved servers.

Sees inside scripts too

When an agent writes a file or runs a script, Vectimus inspects the content line by line. Your shell policies catch dangerous commands whether they are typed directly or hidden in a script.

Override per project

Disable rules for specific repos without weakening global policy. Overrides are stored outside the repo, so a malicious PR cannot turn off your safety net by editing a checked-in config.

Every rule has a story

Each policy links to a real incident: Clinejection, Terraform destroy, Amazon Q exfiltration. These are not theoretical risks. They happened.

Nothing leaves your machine

Zero telemetry. All evaluation happens locally. Audit logs stay on disk. The optional server is self-hosted on your infrastructure.

Policies backed by real incidents

Every built-in rule references the incident that made it necessary.

Works with your tools

vectimus init detects installed AI coding tools and configures hooks automatically.

Claude Code

Pre-tool-use hooks via settings.json. Vectimus intercepts every Bash, Write, Edit, MCP and WebFetch call.

Full support

Cursor

Shell and MCP hooks via .cursor/hooks.json. File read and write events intercepted at the editor level.

Full support

GitHub Copilot

VS Code chat participant hooks via tasks.json. Shell commands and MCP tool calls governed.

Full support
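Added example, not Vectimus code: a minimal PreToolUse hook in Python that does in one script what the sections above describe. It normalises a tool call, runs deterministic deny rules line by line over a Bash command or the body of a file the agent is about to write, denies MCP servers by default and inspects the inputs sent to approved ones for credential shapes, appends a JSONL audit record with the tool call, the decision and a timestamp, and then either blocks the call or only observes it. The stdin payload shape (tool_name, tool_input, session_id), the mcp__<server>__<tool> naming and the rule that exit status 2 blocks the call follow Claude Code's hook contract; the regex rules, the HOOK_* environment variables and the audit log path are constructed for this example and are not Vectimus's policies, flags or formats. Vectimus's own rules are Cedar policies, not regexes.

```python
# Added example, not Vectimus code: a minimal PreToolUse hook for Claude Code.
from __future__ import annotations
import json, os, re, sys, time
from dataclasses import asdict, dataclass

# Constructed regex stand-ins for the incidents on this page. A real deployment
# expresses these as Cedar policies; regexes keep the example self-contained.
SHELL_RULES = [
    ("rm-recursive-root", re.compile(r"\brm\s+-\w*[rR]\w*\s+/+\*?(\s|$)")),
    ("terraform-destroy-auto-approve", re.compile(r"\bterraform\s+destroy\b.*-auto-approve")),
    ("env-file-read", re.compile(r"\b(cat|less|more|head|tail|grep)\b[^|;&]*\.env\b")),
    ("drizzle-kit-push", re.compile(r"\bdrizzle-kit\s+push\b")),
    ("reverse-shell", re.compile(r"\b(bash|sh)\s+-i\s+>&\s*/dev/tcp/")),
]
# Credential shapes looked for in the inputs sent to approved MCP servers.
CREDENTIAL_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


@dataclass
class Decision:
    effect: str              # "allow" or "deny"
    rule: str | None = None  # id of the rule that fired
    line: int | None = None  # 1-based line inside the command or file body
    reason: str = ""


def _script_lines(tool_name: str, tool_input: dict) -> list[str]:
    """The text the shell rules inspect: the Bash command, or the body the
    agent is about to write into a file. Other tools yield nothing."""
    if tool_name == "Bash":
        return tool_input.get("command", "").splitlines()
    if tool_name in ("Write", "Edit"):
        return tool_input.get("content", tool_input.get("new_string", "")).splitlines()
    return []


def evaluate(payload: dict, approved_mcp_servers: frozenset[str] = frozenset()) -> Decision:
    tool_name = payload.get("tool_name", "")
    tool_input = payload.get("tool_input") or {}
    # MCP tools arrive as mcp__<server>__<tool>: deny by default, and still
    # inspect what is being sent to a server that has been approved.
    if tool_name.startswith("mcp__"):
        parts = tool_name.split("__")
        server = parts[1] if len(parts) >= 3 else ""
        if server not in approved_mcp_servers:
            return Decision("deny", "mcp-unapproved", reason=f"MCP server {server!r} is not approved")
        blob = json.dumps(tool_input)
        for rule_id, rx in CREDENTIAL_RULES:
            if rx.search(blob):
                return Decision("deny", rule_id, reason=f"{rule_id} found in input to {server}")
        return Decision("allow")
    # Shell rules run per line, so a command hidden inside a script the agent
    # is writing is caught exactly as if it had been typed at the Bash tool.
    for lineno, line in enumerate(_script_lines(tool_name, tool_input), start=1):
        for rule_id, rx in SHELL_RULES:
            if rx.search(line):
                return Decision("deny", rule_id, lineno, f"{rule_id} matched line {lineno}: {line.strip()}")
    return Decision("allow")


def audit_record(payload: dict, decision: Decision, observe: bool) -> dict:
    """One JSONL line: the tool call, the policy result and a timestamp. It
    carries the raw tool input, so the log file itself needs tight permissions."""
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "session_id": payload.get("session_id"),
        "tool_name": payload.get("tool_name"),
        "tool_input": payload.get("tool_input"),
        "decision": asdict(decision),
        "mode": "observe" if observe else "enforce",
    }


def exit_code(decision: Decision, observe: bool) -> int:
    """Claude Code treats exit status 2 from a PreToolUse hook as 'block this
    call'. Observe mode logs the would-be block and lets the call through."""
    return 2 if decision.effect == "deny" and not observe else 0


def main() -> int:
    payload = json.load(sys.stdin)
    # HOOK_* variables are assumed knobs for this example, not Vectimus settings.
    observe = os.environ.get("HOOK_OBSERVE") == "1"
    approved = frozenset(s for s in os.environ.get("HOOK_MCP_ALLOW", "").split(",") if s)
    log_path = os.environ.get("HOOK_AUDIT_LOG", os.path.expanduser("~/.agent-hook-audit.jsonl"))
    decision = evaluate(payload, approved)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(audit_record(payload, decision, observe)) + "\n")
    if decision.effect == "deny":
        print(f"blocked by {decision.rule}: {decision.reason}", file=sys.stderr)
    return exit_code(decision, observe)


if __name__ == "__main__":
    sys.exit(main())
```

To wire it up the way Claude Code's hook documentation describes, the script is registered in settings.json under hooks, as a PreToolUse entry whose matcher names the tools to intercept (Bash, Write, Edit and the mcp__ tools) and whose command runs the script; the hook then fires for every matching call regardless of --dangerously-skip-permissions. Two caveats a practitioner will want: the audit line deliberately records the full tool input, which is exactly the text that leaked in the Cursor .env incident, so keep the log on local disk with owner-only permissions; and regexes of this kind are a demonstration of the line-by-line idea, not a substitute for a reviewed policy set.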

9 of 10 OWASP Agentic categories. Covered.

29 of 78 policies map to the OWASP Top 10 for Agentic Applications. The remaining 49 cover destructive commands, secrets, file-system safety and MCP lockdown.

Active rules
  • ASI01 Agent Goal Hijack: exfiltration patterns intercepted
  • ASI02 Tool Misuse & Exploitation: destructive commands blocked
  • ASI03 Identity & Privilege Abuse: credential access detected
  • ASI04 Supply Chain Vulnerabilities: lockfile and registry tampering blocked
  • ASI05 Unexpected Code Execution: reverse shells and eval patterns caught
  • ASI06 Memory & Context Poisoning: agent config file writes blocked
  • ASI07 Inter-Agent Communication: parameter checks locally; session tracking in server mode
  • ASI08 Cascading Failures: spawn floods and action rate spikes detected in server mode
  • ASI10 Rogue Agents: log tampering and persistence blocked

Requires output-layer controls
  • ASI09 Human-Agent Trust Exploitation: requires inspecting agent output, not tool calls

Compliance evidence built in

Every rule maps to real compliance controls via @controls annotations. Every decision is logged. If you ever need the evidence, it's already there.

Vectimus is the enforcement and audit layer for AI agent actions. It does not replace a full compliance programme. Each mapping is transparent about what is and is not covered.

How it works

Every tool call passes through Vectimus before execution. Run locally for zero-setup individual use, or point your clients at a shared server for team-wide policy enforcement.

Local mode: pipx install vectimus
  AI Agent (tool call) -> Vectimus Normaliser -> Cedar Policy Engine -> allow / deny -> Audit Log (JSONL)
  • Stateless. No network. Under 5ms.
  • Parameter-level Cedar policy checks
  • Works offline, nothing to configure

Server mode: vectimus init --server-url https://...
  Developer 1: Agent + Client (hooks forward) --HTTPS--> Vectimus Server
  Developer 2: Agent + Client (hooks forward) --HTTPS--> Vectimus Server
  Vectimus Server: shared Cedar policies, session tracking, API key auth (OAuth/OIDC planned), centralised audit log -> Decision
  • Deploy remotely. Developers' clients forward hooks via HTTPS.
  • Stateful session tracking detects spawn floods and rate spikes
  • Shared policies and audit log across the whole team
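Added example, not Vectimus code: the kind of stateful check the server-mode bullets above attribute to session tracking, which a stateless local hook that sees one call at a time cannot perform. A per-session sliding window counts forwarded tool calls and sub-agent spawns and raises an alert when either count exceeds its threshold inside the window. The tool name treated as a spawn (Task), the thresholds, and the event tuple shape (session_id, tool_name, timestamp) are assumptions, and the event stream is constructed.

```python
# Added example, not Vectimus code: sliding-window session tracking for a
# shared server that receives every forwarded hook call with its session_id.
from __future__ import annotations
from collections import defaultdict, deque

# Assumed: tools whose call means "start another agent".
SPAWN_TOOLS = frozenset({"Task"})


class SessionTracker:
    """Per-session counters over a time window. Thresholds are assumptions."""

    def __init__(self, window_s: float = 10.0, max_actions: int = 30, max_spawns: int = 5):
        self.window_s = window_s
        self.max_actions = max_actions  # calls per window before a rate-spike alert
        self.max_spawns = max_spawns    # spawns per window before a spawn-flood alert
        self._actions: dict[str, deque[float]] = defaultdict(deque)
        self._spawns: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, q: deque[float], now: float) -> None:
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def record(self, session_id: str, tool_name: str, ts: float) -> list[str]:
        """Register one forwarded tool call; return the alerts it triggers."""
        alerts: list[str] = []
        actions = self._actions[session_id]
        actions.append(ts)
        self._prune(actions, ts)
        if len(actions) > self.max_actions:
            alerts.append("rate-spike")
        if tool_name in SPAWN_TOOLS:
            spawns = self._spawns[session_id]
            spawns.append(ts)
            self._prune(spawns, ts)
            if len(spawns) > self.max_spawns:
                alerts.append("spawn-flood")
        return alerts


def replay(events: list[tuple[str, str, float]], tracker: SessionTracker | None = None) -> list[tuple[int, str]]:
    """Run an event stream of (session_id, tool_name, ts) through a tracker and
    return (event_index, alert) pairs in the order they fire."""
    if tracker is None:
        tracker = SessionTracker()
    fired: list[tuple[int, str]] = []
    for i, (sid, tool, ts) in enumerate(events):
        for alert in tracker.record(sid, tool, ts):
            fired.append((i, alert))
    return fired


# Constructed stream: one session doing ordinary work at a steady pace, and one
# that spawns six sub-agents within half a second.
SAMPLE_EVENTS = (
    [("dev-1", "Bash", i * 2.0) for i in range(8)]          # 8 calls over 14s: fine
    + [("dev-2", "Task", 100.0 + i * 0.1) for i in range(6)]  # 6 spawns in 0.5s: flood
)

if __name__ == "__main__":
    for idx, alert in replay(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx], alert)
```

The window is pruned on every call rather than by a timer, so the tracker needs no background thread and its memory is bounded by the number of calls inside one window per session. A real server would key on an authenticated client identity as well as the session_id, since a session_id is client-supplied and a rogue client could rotate it to stay under the thresholds.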

Start governing your AI agents today

Two commands. Under a minute. No account required.

Read the docs

Need to enforce policies across your team?

Need to enforce policies across your whole engineering team, even when developers skip agent permissions? That's what server mode is for. We're working with early teams to shape it.