oktsec is an open-source security proxy and MCP gateway for AI agents. It runs as a single Go binary with no external dependencies, no cloud connectivity, and no proprietary LLMs.

This post explains what it does, why it is built this way, and what the tradeoffs are.

The problem

AI agents process external data: emails, documents, tool responses, API outputs, code, webhooks. Any of those can carry instructions the agent will follow. The IPI Arena competition (Gray Swan AI + OpenAI + Anthropic + Meta + NIST) tested 272,000 attacks against 13 frontier models. Every model was vulnerable, with success rates ranging from 0.5% (Claude Opus 4.5) to 8.5% (Gemini 2.5 Pro).

There is no standard infrastructure layer between the agent and that data. Most agents process external inputs with no scanning, no access control, and no audit trail.

The existing tools in this space (Zenity, Lakera, HiddenLayer, Prompt Security) are SaaS platforms. They require cloud connectivity, vendor accounts, and send your agent traffic through third-party infrastructure. For teams that need on-premises control, air-gapped deployment, or full auditability, that does not work.

What oktsec does

oktsec sits between the agent and the external data it processes. Everything passes through a 10-stage security pipeline before the agent sees it.

Rate limiting. Per-agent sliding window. Prevents message flooding from compromised or runaway agents.

Identity verification. Ed25519 signatures on every message. No valid signature, no processing.

Agent suspension. Instant kill switch. A suspended agent is rejected before any further processing.

ACL enforcement. YAML-based policies control which agent can communicate with which. Default-deny mode rejects unknown senders.

Content scanning. 230 detection rules (Aguara engine) scan for prompt injection, credential leaks, PII exposure, data exfiltration, MCP attacks, tool-call manipulation, supply chain risks, fake authority tags, concealment instructions, and more. 40ms average latency.

Intent validation. Compares what the agent declared it would do against what the message actually contains. Detects agents that say one thing and do another.

Blocked content filter. Per-agent category-based content blocking. If an agent should not handle financial data, any message containing financial patterns gets escalated.

Verdict escalation. Three or more blocks in one hour trigger automatic escalation for that agent. Prevents slow-burn attacks.

Audit logging. Every interaction is logged in a hash-chained audit trail with Ed25519 proxy signatures. Tamper-evident by design. If anyone modifies a log entry, the chain breaks. Three-level redaction (full, analyst, external) for compliance.

Anomaly detection. Background scoring that flags agents with unusual communication patterns.

The pipeline outputs one of four verdicts: clean, flag, quarantine, or block.
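As an added illustration of the hash-chained, Ed25519-signed audit trail described above (example code, not oktsec's own implementation): each record commits to the previous record's hash, the proxy signs the record hash, and Verify walks the chain and reports the first entry that was altered. The Entry fields, the in-memory Log and the generated signing key are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Entry is one audit record (illustrative schema): PrevHash links it to its predecessor, Sig signs Hash.
type Entry struct {
	Agent, Verdict, Message, PrevHash, Hash string
	Sig                                     []byte
}

// Log is an in-memory chain; the proxy signing key is constructed for this example.
type Log struct {
	key     ed25519.PrivateKey
	last    string // hash of the newest entry ("" at genesis)
	Entries []Entry
}

func NewLog() *Log {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	return &Log{key: key}
}

// hashOf commits to every field except Hash and Sig, including the back-link.
func hashOf(e Entry) string {
	h := sha256.Sum256([]byte(e.Agent + "\x00" + e.Verdict + "\x00" + e.Message + "\x00" + e.PrevHash))
	return hex.EncodeToString(h[:])
}

// Append chains a new record onto the previous one and signs its hash with the proxy key.
func (l *Log) Append(agent, verdict, msg string) {
	e := Entry{Agent: agent, Verdict: verdict, Message: msg, PrevHash: l.last}
	e.Hash = hashOf(e)
	e.Sig = ed25519.Sign(l.key, []byte(e.Hash))
	l.Entries, l.last = append(l.Entries, e), e.Hash
}

// Verify returns the index of the first entry whose link, hash or signature fails, or -1 if intact.
func (l *Log) Verify() int {
	pub, prev := l.key.Public().(ed25519.PublicKey), ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || hashOf(e) != e.Hash || !ed25519.Verify(pub, []byte(e.Hash), e.Sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```

Editing a stored verdict breaks the hash; recomputing the hash without the proxy key still breaks the signature; re-signing would need the key and would then break the next entry's back-link.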

MCP gateway

oktsec also operates as an MCP gateway that fronts multiple backend MCP servers. This controls what each agent can do:

Tool allowlists. Per-agent lists of which tools are permitted. If an agent should not send emails, it cannot call the email tool regardless of what instructions it receives.

Spending limits. Per-tool monetary limits per agent. An agent with a $100 daily limit on payment tools cannot process a $10,000 transaction.

Rate limits. Per-tool rate limits per agent. Prevents tool abuse.

Approval thresholds. Actions above a configurable amount require human approval before execution.
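An added example, not oktsec's own code or configuration schema, of how the per-agent gateway controls above compose for one tool call: the tool allowlist, the per-tool daily spending limit and the approval threshold are checked in that order, and spend is only recorded once a call may execute. The policy field names, agent and tool names, and dollar amounts are constructed for this example.

```go
package main

// Decision is the gateway's answer for a single tool call.
type Decision string

const (
	Allow        Decision = "allow"
	Deny         Decision = "deny"
	NeedApproval Decision = "approval_required"
)

// AgentPolicy is an illustrative per-agent policy; the field names are
// assumptions for this example, not oktsec's configuration schema.
type AgentPolicy struct {
	AllowedTools     map[string]bool
	DailyLimitUSD    map[string]float64 // per-tool spending cap for the day
	ApprovalAboveUSD float64            // single actions above this need a human
}

type Gateway struct {
	policies map[string]AgentPolicy
	spent    map[string]float64 // keyed agent|tool; day rollover omitted here
}

func NewGateway(p map[string]AgentPolicy) *Gateway {
	return &Gateway{policies: p, spent: map[string]float64{}}
}

// Authorize checks, in order: allowlist, remaining daily budget, approval
// threshold. Spend is recorded only for calls that may execute right away.
func (g *Gateway) Authorize(agent, tool string, amountUSD float64) (Decision, string) {
	p, ok := g.policies[agent]
	if !ok || !p.AllowedTools[tool] {
		return Deny, "tool not in agent allowlist"
	}
	k := agent + "|" + tool
	if limit, set := p.DailyLimitUSD[tool]; set && g.spent[k]+amountUSD > limit {
		return Deny, "daily spending limit exceeded"
	}
	if p.ApprovalAboveUSD > 0 && amountUSD > p.ApprovalAboveUSD {
		return NeedApproval, "amount above approval threshold"
	}
	g.spent[k] += amountUSD
	return Allow, ""
}

// Approve records the spend of a call a human has signed off on.
func (g *Gateway) Approve(agent, tool string, amountUSD float64) {
	g.spent[agent+"|"+tool] += amountUSD
}
```

An unknown agent or a tool outside the allowlist is denied before any amount is considered, matching the default-deny posture of the ACL stage.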

The gateway auto-discovers tools from backend servers and namespaces conflicting tool names. It supports 17 MCP clients out of the box: Claude Desktop, Cursor, VS Code, Windsurf, Cline, Amp, Gemini CLI, and more.

Two detection layers

The deterministic layer (230 pattern-matching rules) handles volume. It runs on every message at about 40ms with no per-message API cost. It catches fake system tags, impersonated user tokens, shell injection in tool arguments, concealment instructions, fabricated authority language, and more.

The optional LLM analysis layer handles attacks that require semantic understanding. A fabricated compliance requirement that reads like a real one. A $450 charge hidden in a maintenance JSON response. A phishing URL that mimics a legitimate domain. Pattern matching cannot distinguish these from legitimate content without unacceptable false positive rates.

We benchmarked both layers against 95 real attacks from the IPI Arena public dataset:

Layer                       Detected          Rate
Deterministic (230 rules)   81/95             85.3%
LLM (Claude Sonnet 4.6)     14/14 remaining   100%
Combined                    95/95             100%
False positives             0                 0%

The LLM layer only runs on the ~15% of messages that the deterministic layer marks as clean. In practice, most traffic never reaches the LLM.

Full benchmark methodology and evidence: IPI Arena Benchmark

Why open source

The tools that secure AI agents should be auditable. If a security proxy scans your agent traffic, you should be able to read every detection rule, every scanning algorithm, every audit implementation.

oktsec is Apache 2.0. The 230 detection rules, the Aguara scanning engine, the LLM analysis prompts, the audit trail implementation, everything is visible at github.com/oktsec/oktsec.

No telemetry is required. Opt out with one environment variable (OKTSEC_NO_TELEMETRY=1) or a file (~/.oktsec/.no-telemetry). Details at oktsec.com/telemetry.

No cloud dependency. The binary runs entirely on your infrastructure. No data leaves your network.

No vendor lock-in. Fork it, modify it, deploy it however you want.

Why a single binary

oktsec compiles to a single Go binary with no CGO dependencies. This means:

No external services. No Redis, no Postgres (SQLite by default), no message queue. Install and run.

Cross-platform. Builds for darwin/linux/windows on amd64/arm64. Available via go install, Homebrew, or GitHub releases.

10-second setup. oktsec run discovers your MCP servers, generates config, creates keypairs, and starts scanning with a real-time dashboard.

Air-gap ready. The binary embeds all 230 detection rules. No network calls needed for scanning.

The tradeoff is horizontal scaling: each binary is a single instance. For multi-node deployments, you run one oktsec per node. We do not have built-in clustering or distributed coordination yet.

How it compares

Capability        oktsec                     Zenity                  Lakera                  HiddenLayer
Open source       Apache 2.0                 No                      No                      No
On-premises       Yes (single binary)        Cloud SaaS              Cloud SaaS              Cloud + on-prem
MCP gateway       Yes (per-agent policies)   No                      No                      No
Detection rules   230 (embedded)             Proprietary             Proprietary             Proprietary
Audit trail       Hash-chained, Ed25519      Vendor logs             Vendor logs             Vendor logs
LLM layer         Optional, any provider     Built-in                Built-in                Built-in
Setup time        10 seconds                 Enterprise onboarding   Enterprise onboarding   Enterprise onboarding
Cost              Free                       Enterprise pricing      Enterprise pricing      Enterprise pricing

This comparison is based on publicly available information. We have not tested these products directly. If any of this is inaccurate, let us know.

Limitations

Single-node architecture. One binary per node. Multi-node deployments require running multiple instances without built-in coordination.

No multi-turn attack detection. The pipeline evaluates messages independently. Adaptive attackers who adjust based on agent responses are not covered.

Enterprise features in progress. SSO, multi-tenant, and RBAC beyond agent-level ACLs are on the roadmap.

Numbers

Metric             Value
Detection rules    230 across 16 categories
Scan latency       40ms average
Audit throughput   ~90K inserts/sec
MCP clients        17 supported
Tests              844 with race detector
Go LOC             ~57K
Dashboard          12 pages, real-time SSE
License            Apache 2.0

Get started

go install github.com/oktsec/oktsec/cmd/oktsec@v0.12.0
oktsec run

Or via Homebrew:

brew install oktsec/tap/oktsec
oktsec run
