14:32:01 [GUARD] HTTPS egress scan - 0 secrets detected - ALLOW
14:32:03 [BLOCKED] AWS key detected in POST body to webhook.site
14:32:05 [GUARD] GET api.openai.com/v1/models - clean - ALLOW
14:32:08 [BLOCKED] Private key PEM block in request to httpbin.org
14:32:11 [SCAN] Request body scanned in 0.3ms - 30+ rules evaluated
14:32:14 [GUARD] POST api.anthropic.com/v1/messages - clean - ALLOW
14:32:17 [BLOCKED] GitHub token ghp_* in Authorization header
14:32:19 [SCAN] MITM validation passing - 24/24 real-client tests
14:32:22 [GUARD] Egress proxy listening on 127.0.0.1:8080
14:32:25 [BLOCKED] Stripe secret key in JSON payload to unknown host
14:32:01 [GUARD] HTTPS egress scan - 0 secrets detected - ALLOW
14:32:03 [BLOCKED] AWS key detected in POST body to webhook.site
14:32:05 [GUARD] GET api.openai.com/v1/models - clean - ALLOW
14:32:08 [BLOCKED] Private key PEM block in request to httpbin.org
14:32:11 [SCAN] Request body scanned in 0.3ms - 30+ rules evaluated
14:32:14 [GUARD] POST api.anthropic.com/v1/messages - clean - ALLOW
14:32:17 [BLOCKED] GitHub token ghp_* in Authorization header
14:32:19 [SCAN] MITM validation passing - 24/24 real-client tests
14:32:22 [GUARD] Egress proxy listening on 127.0.0.1:8080
14:32:25 [BLOCKED] Stripe secret key in JSON payload to unknown host
Home Scanner Guard Roadmap About Join the Beta
AI Agent Egress Security

The Local Firewall
for AI Agent Egress

Your LLM agents (LangChain, CrewAI, AutoGen, Ollama) make outbound HTTP calls you can't always predict. QuantTape Guard is a local egress proxy that intercepts every request, scans URLs, headers, and bodies for leaked secrets, and blocks them before they hit the wire. No cloud service required.

Think of it as a firewall that only allows clean traffic out - no secrets, no credentials, no keys.

Get Early Access How It Works
quanttape guard
$ quanttape guard --mode agent

  QuantTape Guard v0.0.22
  Listening on http://127.0.0.1:8080
  Mode: agent
  HTTP + HTTPS interception (full MITM)

[14:32:01] ALLOW  POST https://api.openai.com/v1/chat  (HTTPS decrypted)
[14:32:03] ALLOW  GET  https://httpbin.org/get
[14:32:05] BLOCK  POST https://webhook.site/abc123  (HTTPS decrypted)
           AWS Secret Access Key wJalrXUt********
[14:32:07] BLOCK  POST https://api.external-ai.com/v1/exfil  (HTTPS decrypted)
           Private Key -----BEG********
[14:32:09] ALLOW  GET  https://api.github.com/repos  (HTTPS decrypted)

  Validation: curl • requests • httpx - 24/24 MITM tests passing

Early Access

Guard is in private preview. Enter your email to see the full product page.

No spam. We only send product updates.
Before & After

One install. Complete egress control.

Without Guard
🤖
AI Agent
🌐
Internet
0 secrets leaked
0 blocked
0 audited
With Guard
🤖
AI Agent
🛡
Guard
Scan / Block
🌐
Internet
Decryption and inspection happen locally. Clean traffic is re-encrypted and forwarded.
0 allowed
0 blocked
0 audited
Use Cases

Built for anyone running AI agents

LangChain Agents

Tool calls you can't predict

Your agent makes tool calls to external APIs. Guard ensures no secret leaks out in those requests - even ones your agent generates on its own.

Ollama / Open WebUI

Local LLMs with web access

Local LLMs with web access can exfiltrate data through outbound calls. Guard sits on localhost and blocks it before anything leaves your machine.

CrewAI / AutoGen

Multi-agent workflows

Multi-agent workflows make dozens of HTTP calls per task. Guard scans every one without slowing your pipeline.

How It Works

Three steps. No config files.

Every outbound request passes through the QuantTape rules engine before reaching its destination. Sub-millisecond scan overhead for typical payloads.

01 - Install

pip install

Install with guard extras. One command, no Docker, no sidecar.

02 - Point

Set HTTP(S)_PROXY

One env var tells your agent to route through Guard. Works with Python requests, httpx, Node.js fetch, curl - any HTTP client. Encryption keys never leave your ~/.quanttape directory.

03 - Run

quanttape guard

Guard intercepts, scans, and blocks. Every blocked attempt logged to ~/.quanttape/guard.log with rule, severity, and redacted payload.

Detection

What Guard catches

The same rules engine from QuantTape Scanner, tuned for runtime HTTP payloads.

x

AWS / GCP / Azure Keys

Access keys, secret keys, service account JSON, client secrets

x

Private Keys

RSA, EC, DSA, OpenSSH private keys in any payload

x

API Keys & Tokens

GitHub tokens, Slack tokens, JWTs, generic API key patterns

x

.env File Leakage

Environment variable assignments in outbound payloads

x

High-Entropy Strings

Shannon entropy detection catches secrets that evade pattern matching

x

Webhook Exfiltration

Discord and Slack webhook URLs used as data exfil channels

Plus database URLs, PII patterns, header secrets, system paths, code exfiltration, and more. 30+ rules total.

30-Second Demo

See Guard make a real block decision

Works in under 30 seconds. Install, start Guard, send a request containing a secret, and watch it get blocked before it leaves your machine.

demo
# Install and start Guard
$ pip install quanttape[guard]
$ quanttape guard

  QuantTape Guard v0.0.22
  Listening on http://127.0.0.1:8080

# Send a request with a leaked GitHub token
$ curl -x http://127.0.0.1:8080 \
     --cacert ~/.quanttape/ca.pem \
     "https://api.example.com/data?token=ghp_a1b2c3SECRET"

403 Forbidden
X-QuantTape-Action: blocked
{
  "error": "QuantTape Guard: request blocked",
  "allowed": false,
  "reason": "Blocked: 1 secret(s) detected"
}
Try It Now
What happens when Guard blocks a request?

Your agent gets a 403 response with a JSON body explaining why. No crash, no silent failure. Your code handles it like any HTTP error.

Get Started

30 seconds to full egress protection.

Step 1 - Install
pip install quanttape[guard]
Step 2 - Run
quanttape guard --mode agent

Works with Ollama, LangChain, AutoGen, CrewAI, Open WebUI, and any HTTP client.

Step 3 - Point your proxy (requests / openai)
export HTTP_PROXY=http://127.0.0.1:8080
export HTTPS_PROXY=http://127.0.0.1:8080
export REQUESTS_CA_BUNDLE=~/.quanttape/ca.pem
Step 3 - Point your proxy (httpx / LangChain)
export HTTP_PROXY=http://127.0.0.1:8080
export HTTPS_PROXY=http://127.0.0.1:8080
export SSL_CERT_FILE=~/.quanttape/ca.pem
Step 3 - Point your proxy (Node.js / AutoGen)
export HTTP_PROXY=http://127.0.0.1:8080
export HTTPS_PROXY=http://127.0.0.1:8080
export NODE_EXTRA_CA_CERTS=~/.quanttape/ca.pem
Step 3 - Test with curl
curl --proxy http://127.0.0.1:8080 \
--cacert ~/.quanttape/ca.pem \
https://api.openai.com/v1/models

Full HTTPS inspection requires trusting the local CA. Run quanttape setup-certs for platform-specific instructions.

Sub-ms scan latency 24/24 MITM tests passing Real-client validated
Early Development

Guard is in active early development. If you run into bugs or unexpected behavior, please let us know at info@quanttape.com. Your feedback helps us ship faster.