
Burrow
Runtime Security for AI Agents
Details
- Categories: AI, Developer Tools, Cybersecurity & Privacy
- Target Audience: AI Developers, Developers, Enterprises
- Pricing: Subscription from $79
- Platforms: Web
About Burrow
**The problem** AI agents take real actions in production. They write code, call APIs, touch customer data, read email, invoke MCP tools, spawn sub-agents. The existing security stack stops at the prompt and the network gateway. Once the agent starts executing, the tool calls it makes go unobserved. Prompt injection from an email, a web page, or a malicious MCP server can turn a helpful agent into a data exfiltration vector, and you have no runtime visibility into what the agent actually did. Classifier-on-prompt approaches miss indirect injections. Static permission docs lie. IAM tells you what is allowed, not what is happening.

**How Burrow works** Burrow hooks into the agent process itself and observes every action the agent takes, after the model decides but before the call executes. Shell commands, file reads and writes, HTTP requests, database queries, MCP tool invocations, sub-agent spawns. Each action is evaluated against policy. Allow, warn, or block, with full audit trail. Integration is a single CLI hook or SDK adapter, not a proxy in front of your model provider. That means no added latency on inference calls, no single point of failure, and full fidelity on the actual tool calls the agent makes.

**What you get** Runtime visibility into every tool call, API call, file operation, and MCP invocation across your agent fleet. Policy enforcement at the tool-call layer, enforced before execution. Prompt injection detection at both the content layer and the behavioral layer. An agent-to-resource access graph built from live telemetry, not from docs. Session-level threat investigation with full call traces. SBOM for the tools and MCP servers your agents depend on. Detection rules for known attack patterns including credential exfiltration, sandbox escape, supply chain payloads, and cross-tenant data access.

**What it integrates with** Coding agents: Claude Code, Cursor, Codex, Gemini CLI, Aider. Personal AI runtimes: OpenClaw. Agent frameworks: LangChain, CrewAI, AutoGen, LangGraph, LlamaIndex. 24 frameworks across Python and TypeScript, with MCP protocol support across all of them.

**Who it is for** Platform and security teams running AI coding assistants inside the developer environment, internal agents connected to production systems, or customer-facing agents with access to user data. Teams that need to answer what the agent is actually doing with data, not with guesses. Engineering leaders worried about the blast radius of an agent compromise in a codebase that touches real money or real PII.

**Founder** Saransh Rana. Led cloud security at CRED for 5 years, securing the infrastructure behind $80B+ in annual payments for 25M users. Previously Head of Infrastructure Security at JioStar. Currently Head of Security at Composio. DEF CON 33 Cloud Village and Black Hat speaker. Creator of aws-security-mcp with 150+ stars on GitHub. AWS Community Builder. Building Burrow solo with AI agents as the engineering team.

**Links** burrow.run for the platform. [email protected] for design partner conversations. Currently onboarding design partners from the coding-agent and AI-infra space.
Product Insights
Burrow provides a runtime security layer for AI agents, monitoring tool calls and file operations directly within the execution process. It enables enterprises and developers to enforce policies across coding agents and frameworks before actions are executed.
- No added latency on inference calls: integration is a single CLI hook or SDK adapter rather than a network proxy.
- Comprehensive runtime visibility into shell commands, file operations, and MCP tool invocations.
- Supports 24 Python and TypeScript frameworks including LangChain, CrewAI, and AutoGen.
- Detection rules for specific attack patterns like credential exfiltration and sandbox escapes.
Ideal for: AI developers and enterprises needing to monitor and control the real-world actions of agents connected to production systems or sensitive data.