VeriSwarm Guard

Guard protects your agents and their tools from security threats, data exposure, and unauthorized behavior. It combines a transparent MCP proxy, PII tokenization, security scanning, tool policies, and an emergency kill switch.

Plan requirement: Max plan. Guard must be enabled at the platform level -- contact your VeriSwarm administrator if you receive a "Guard module is not enabled" error.


Guard Proxy

The headline capability. Guard Proxy is a transparent MCP proxy that sits between your agents and the tools they call. Your agent connects to the proxy as if it were the real MCP server -- no agent-side code changes required.

What it intercepts

Every tool call passes through the following pipeline:

  1. Policy check -- is this tool allowed for this agent?
  2. PII tokenization -- sensitive data in the request is replaced with typed tokens
  3. Forward -- the sanitized request is sent to the real MCP server
  4. PII tokenization -- sensitive data in the response is tokenized before reaching the agent
  5. Prompt injection scan -- the response is checked for injection attempts
  6. Audit log -- the full interaction is recorded (with Vault if enabled)

Deployment modes

Mode         | Best for                          | Setup
Cloud-hosted | Fastest start, no infrastructure  | Point your agent at a VeriSwarm proxy URL. Nothing to install.
Docker       | Production on-prem deployments    | Run the Guard Proxy container in your own environment.
Local (pip)  | Development and testing           | pip install veriswarm-guard-proxy and run locally.

Cloud-hosted is the easiest path. See Getting started below.

SDK helpers

Generate proxy configuration from the SDKs:

Python:

config = client.guard_proxy_config(agent_id="agt_123", server="my-mcp-server")

Node:

const config = client.guardProxyConfig({ agentId: "agt_123", server: "my-mcp-server" });

PII Tokenization

Guard detects personally identifiable information in event payloads, tool calls, and tool responses, and replaces it with typed tokens. Original values are encrypted at rest and can be restored when needed.

Detected PII types

Names, addresses, email addresses, phone numbers, Social Security numbers, credit card numbers, IP addresses, and credentials.

Token format

Detected values are replaced with tokens in the format:

[VS:EMAIL:a1b2c3]
[VS:PHONE:d4e5f6]
[VS:NAME:g7h8i9]

The token type tells you what was redacted without exposing the value.

Rehydration

When your system needs to write back to a real service (sending an email, placing an order), rehydrate tokens to restore original values:

POST /v1/suite/guard/pii/rehydrate
{ "text": "Send confirmation to [VS:EMAIL:a1b2c3]", "session_id": "ses_abc" }

Returns the text with original values restored.

Session management

PII tokens are scoped to sessions. You can list active tokens in a session or revoke an entire session to invalidate all its tokens.
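The token format, rehydration and session scoping described above, as an added example that is not VeriSwarm's own code: a small in-process tokenizer using the page's [VS:TYPE:id] token format. The detection patterns, the id derivation (a per-session hash) and the in-memory store are assumptions for illustration; the real service stores originals encrypted at rest.

```python
import hashlib
import re

# Constructed detectors for a subset of the PII types Guard lists; the real
# service's detection rules are not documented on the page.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
TOKEN_RE = re.compile(r"\[VS:([A-Z]+):([0-9a-f]{6})\]")


class PiiSession:
    """Session-scoped token store: a token is only meaningful inside the session that issued it."""

    def __init__(self, session_id: str):
        self.session_id = session_id
        self.vault: dict[str, str] = {}  # token -> original value (in memory here; Guard encrypts at rest)
        self.revoked = False

    def tokenize(self, text: str) -> str:
        for kind, pattern in PII_PATTERNS.items():
            def replace(m: re.Match) -> str:
                # hypothetical id derivation: stable within the session, opaque outside it
                digest = hashlib.sha256(f"{self.session_id}:{m.group(0)}".encode()).hexdigest()[:6]
                token = f"[VS:{kind}:{digest}]"
                self.vault[token] = m.group(0)
                return token
            text = pattern.sub(replace, text)
        return text

    def rehydrate(self, text: str) -> str:
        if self.revoked:
            raise PermissionError(f"session {self.session_id} is revoked; its tokens cannot be restored")
        # Tokens this session never issued (another session's, or forged) stay as-is rather than being guessed.
        return TOKEN_RE.sub(lambda m: self.vault.get(m.group(0), m.group(0)), text)

    def list_tokens(self) -> list[str]:
        return [] if self.revoked else sorted(self.vault)

    def revoke(self) -> None:
        self.vault.clear()
        self.revoked = True
```

Note that rehydrating in a different session leaves the tokens untouched, and rehydrating after revocation fails outright: that is what makes revocation an effective containment step.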

API endpoints

  • POST /v1/suite/guard/pii/tokenize -- detect and replace PII with tokens
  • POST /v1/suite/guard/pii/rehydrate -- restore original values from tokens
  • GET /v1/suite/guard/pii/sessions/{session_id} -- list active tokens
  • DELETE /v1/suite/guard/pii/sessions/{session_id} -- revoke all tokens in a session

MCP tools

  • tokenize_pii -- tokenize PII in text
  • rehydrate_pii -- restore original values from tokens

SDK methods

Python               | Node
tokenize_pii()       | tokenizePii()
rehydrate_pii()      | rehydratePii()
get_pii_session()    | getPiiSession()
revoke_pii_session() | revokePiiSession()

See API reference for full endpoint details.


Security Scanning

Guard automatically scans agent event payloads during ingestion, detecting:

  • Credential leaks
  • Personally identifiable information (PII)
  • Unsafe tool usage patterns
  • Unauthorized MCP server access

Each detection produces a finding with severity (info, low, medium, high, critical), a human-readable description, and structured evidence. Findings are tracked through a status workflow: open -> false_positive, mitigated, or resolved.

When high-severity findings are detected, Guard creates a notification with a direct link to the affected agent's Guard tab.


Kill Switch

An emergency control that immediately blocks all trust decisions and credential issuance for a compromised agent.

What happens when you kill an agent

  1. All subsequent decision checks are blocked
  2. Credential issuance is denied
  3. An immutable Vault ledger entry is created (if Vault is enabled)
  4. A danger-level notification is sent to the workspace

The kill switch is reversible. Only accounts with guard.killswitch.write permission can activate or reverse it.


Tool Policies

Policies define what agents are allowed or forbidden to do.

Policy types

Type            | Purpose
tool_allowlist  | Restrict agents to approved tools
mcp_restriction | Control which MCP servers agents can connect to
content_filter  | Block or flag events matching specific patterns

Enforcement levels

Level  | Behavior
audit  | Log the violation, allow the action
review | Flag for manual review before proceeding
block  | Deny the action immediately

See API reference for policy creation and management endpoints.
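How the three policy types and three enforcement levels combine on a single tool call, with the kill switch from the section above taking precedence, as an added example that is not VeriSwarm's own evaluator. The data classes, the "strongest violated level wins" rule and the sample policies are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Enforcement levels ordered weakest to strongest; the strongest violated level decides the outcome.
LEVEL_RANK = {"audit": 0, "review": 1, "block": 2}

@dataclass
class Policy:
    type: str            # tool_allowlist | mcp_restriction | content_filter
    enforcement: str     # audit | review | block
    values: list[str]    # allowed tools, allowed servers, or regex patterns to flag

@dataclass
class ToolCall:
    agent_id: str
    server: str
    tool: str
    payload: str

@dataclass
class Decision:
    outcome: str                                        # allow | review | block
    violations: list[str] = field(default_factory=list)  # what an audit log would record

def violates(policy: Policy, call: ToolCall) -> bool:
    if policy.type == "tool_allowlist":
        return call.tool not in policy.values
    if policy.type == "mcp_restriction":
        return call.server not in policy.values
    if policy.type == "content_filter":
        return any(re.search(pattern, call.payload) for pattern in policy.values)
    raise ValueError(f"unknown policy type {policy.type!r}")

def evaluate(call: ToolCall, policies: list[Policy], killed_agents: set[str]) -> Decision:
    # Kill switch first: a killed agent fails every decision check, whatever the policies say.
    if call.agent_id in killed_agents:
        return Decision("block", [f"agent {call.agent_id} is killed"])
    decision = Decision("allow")
    strongest = -1
    for policy in policies:
        if violates(policy, call):
            decision.violations.append(f"{policy.type}:{policy.enforcement}")
            strongest = max(strongest, LEVEL_RANK[policy.enforcement])
    # audit (rank 0) is logged but still allowed; review and block change the outcome
    if strongest >= LEVEL_RANK["review"]:
        decision.outcome = "review" if strongest == LEVEL_RANK["review"] else "block"
    return decision
```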


Getting started

The fastest path to Guard Proxy:

  1. Enable Guard on your workspace (requires Max plan)
  2. Get your proxy URL from the Guard tab in the dashboard, or generate it with the SDK:
     config = client.guard_proxy_config(agent_id="agt_123", server="my-mcp-server")
  3. Point your agent at the proxy URL instead of the real MCP server URL
  4. Verify -- tool calls now flow through Guard with PII tokenization, policy checks, and audit logging active by default

For Docker or local deployments, see deployment mode details above or contact support.


Authentication and permissions

  • Read operations (list findings, list policies, list PII sessions): API key or session token
  • Write operations (manage policies, update findings, tokenize/rehydrate PII): session token with role-based permissions
  • Kill switch: session token with guard.killswitch.write permission

Full access roles: super_admin, platform_admin, tenant_admin, demo_admin, operator. Read-only roles: support_admin, read_only_admin, reviewer, analyst.


Troubleshooting

Symptom                                       | Fix
403 "Guard module is not enabled"             | Contact your platform administrator
403 "Your plan does not include Guard access" | Upgrade to the Max plan
403 "Account type lacks permission"           | Request role elevation from a workspace admin
404 "Agent not found"                         | Verify the agent ID and workspace context
400 "Agent is not killed"                     | Agent is not currently killed -- check status before calling unkill
