Guard protects your agents and their tools from security threats, data exposure, and unauthorized behavior. It combines a transparent MCP proxy, PII tokenization, security scanning, tool policies, and an emergency kill switch.
Plan requirement: Max plan. Guard must be enabled at the platform level -- contact your VeriSwarm administrator if you receive a "Guard module is not enabled" error.
The headline capability. Guard Proxy is a transparent MCP proxy that sits between your agents and the tools they call. Your agent connects to the proxy as if it were the real MCP server -- no agent-side code changes required.
Every tool call passes through the following pipeline:
| Mode | Best for | Setup |
|---|---|---|
| Cloud-hosted | Fastest start, no infrastructure | Point your agent at a VeriSwarm proxy URL. Nothing to install. |
| Docker | Production on-prem deployments | Run the Guard Proxy container in your own environment. |
| Local (pip) | Development and testing | Install locally via pip (coming soon) and run directly on the agent host. |
Cloud-hosted is the easiest path. See Getting started below.
Generate proxy configuration from the SDKs:
Python:
config = client.guard_proxy_config(agent_id="agt_123", server="my-mcp-server")
Node:
const config = client.guardProxyConfig({ agentId: "agt_123", server: "my-mcp-server" });
Guard detects personally identifiable information in event payloads, tool calls, and tool responses, and replaces it with typed tokens. Original values are encrypted at rest and can be restored when needed.
Names, addresses, email addresses, phone numbers, Social Security numbers, credit card numbers, IP addresses, and credentials.
Detected values are replaced with tokens in the format:
[VS:EMAIL:a1b2c3]
[VS:PHONE:d4e5f6]
[VS:NAME:g7h8i9]
The token type tells you what was redacted without exposing the value.
When your system needs to write back to a real service (sending an email, placing an order), rehydrate tokens to restore original values:
POST /v1/suite/guard/pii/rehydrate
{ "text": "Send confirmation to [VS:EMAIL:a1b2c3]", "session_id": "ses_abc" }
Returns the text with original values restored.
PII tokens are scoped to sessions. You can list active tokens in a session or revoke an entire session to invalidate all its tokens.
POST /v1/suite/guard/pii/tokenize -- detect and replace PII with tokensPOST /v1/suite/guard/pii/rehydrate -- restore original values from tokensGET /v1/suite/guard/pii/sessions/{session_id} -- list active tokensDELETE /v1/suite/guard/pii/sessions/{session_id} -- revoke all tokens in a sessiontokenize_pii -- tokenize PII in textrehydrate_pii -- restore original values from tokens| Python | Node |
|---|---|
tokenize_pii() |
tokenizePii() |
rehydrate_pii() |
rehydratePii() |
get_pii_session() |
getPiiSession() |
revoke_pii_session() |
revokePiiSession() |
See API reference for full endpoint details.
Guard automatically scans agent event payloads during ingestion, detecting:
Each detection produces a finding with severity (info, low, medium, high, critical), a human-readable description, and structured evidence. Findings are tracked through a status workflow: open -> false_positive, mitigated, or resolved.
When high-severity findings are detected, Guard creates a notification with a direct link to the affected agent's Guard tab.
An emergency control that immediately blocks all trust decisions and credential issuance for a compromised agent.
The kill switch is reversible. Only accounts with guard.killswitch.write permission can activate or reverse it.
Policies define what agents are allowed or forbidden to do.
| Type | Purpose |
|---|---|
tool_allowlist |
Restrict agents to approved tools |
mcp_restriction |
Control which MCP servers agents can connect to |
content_filter |
Block or flag events matching specific patterns |
| Level | Behavior |
|---|---|
audit |
Log the violation, allow the action |
review |
Flag for manual review before proceeding |
block |
Deny the action immediately |
See API reference for policy creation and management endpoints.
The fastest path to Guard Proxy:
config = client.guard_proxy_config(agent_id="agt_123", server="my-mcp-server")
For Docker or local deployments, see deployment mode details above or contact support.
guard.killswitch.write permissionFull access roles: super_admin, platform_admin, tenant_admin, operator.
Read-only roles: support_admin, read_only_admin, reviewer, analyst.
| Symptom | Fix |
|---|---|
403 "Guard module is not enabled" |
Contact your platform administrator |
403 "Your plan does not include Guard access" |
Upgrade to the Max plan |
403 "Account type lacks permission" |
Request role elevation from a workspace admin |
404 "Agent not found" |
Verify the agent ID and workspace context |
400 "Agent is not killed" |
Agent is not currently killed -- check status before calling unkill |
Guard Proxy protects at runtime. The MCP Security Scanner protects at deploy time -- audit MCP tool definitions before connecting them to your agents.
6 security checks:
API: POST /v1/guard/scan-mcp -- accepts an array of tool definitions, returns a structured report with verdict (pass/warn/fail), risk score, and per-finding recommendations.
CLI: python -m mcp_scanner --file tools.json -- exits with non-zero for critical findings (CI/CD friendly).
Defends against memory poisoning (OWASP ASI06) by routing critical decisions through multiple LLMs and requiring majority consensus.
API: POST /v1/guard/verify -- provide a prompt and response, receive consensus result from 2-3 verification models.
How it works:
Configure verification models in your tenant's llm_config.verification settings.