Enable AI adoption without giving up control

AgentKeeper monitors AI agent activity across workstations, enforces org policy in real time, and keeps a complete audit trail for security teams.

Free for one workstation. No credit card.

The hard questions

Answer them before agents act.

See the request. Apply the policy. Keep the proof.

01

Data leaving

Could this tool move sensitive data out?

Inspect the call before it runs.

02

Secrets

Is the agent reaching for keys?

Block reads to protected paths.

03

Context

Is this safe for this user, repo, and team?

Apply policy by group and workspace.

04

Workflow

Can security watch without slowing builders down?

Start in monitor mode, enforce when ready.

The shift

AI agents are ready for work. Security needs to see the work.

Commands without guesswork

Developers keep terminal, file, git, package, and network access while AgentKeeper evaluates each action before it runs.

Approved tools in the flow

Give agents the MCP and SaaS tools they need, with server, tool, decision, gateway, and available identity evidence in one timeline.

Evidence that follows the work

Prompts, tool inputs, outputs, models, costs, and repositories stay attached to the session that produced them.

Sensitive data guardrails

Protect credentials, production env files, PHI, PII, and risky destinations without turning off the tools teams need.

MCP governance

Productivity-agent tools need a policy path before they touch data.

MCP turns agents into operators for files, SaaS apps, internal APIs, calendars, mailboxes, and local servers. AgentKeeper MCP Gateway gives that tool layer its own routing, policy, audit, and drift control plane.

Server and tool identity

Normalize each routed MCP call into server, tool, arguments, gateway, decision, and available caller evidence so policy can reason about the operation instead of a generic network event.

Standalone gateway control

Run MCP Gateway by itself when you need central routing, tool policy, audit, and drift visibility without requiring workstation hooks first.

Combined deployment path

Add hooks, SSO, or MDM when you want stronger workstation and person attribution. Gateway evidence stays clean even when those layers are not present.

Investigations & audit

When an agent acts, the evidence should already be attached.

Prompt and tool context stay attached to the session.

Repository, workstation, user, policy, and verdict are visible together.

Detections explain which behavior matched and what response applied.

Teams can begin in audit mode, then enforce by tool, group, repo, or path.

Enablement loop

Discover, authorize, enable, investigate.

01

Discover

See every connected agent, workstation, MCP server, repo, and high-risk tool before policy work starts.

02

Authorize

Use org policy, group overrides, warn-only rules, blocked tools, and sensitive path controls to decide what each team can use.

03

Enable

Start in audit mode, then move specific actions to blocking as adoption grows and the rollout earns trust.

04

Investigate

Replay a session from prompt to command to output with model, token, cost, and user attribution.

Built for rollout

Start with one developer. Keep the path open for everyone else.

Install hooks locally, roll them out with MDM, or put MCP Gateway in front of productivity agents. AgentKeeper keeps one policy model across each adoption path.

Local hooks

Claude Code, Cursor, Windsurf, Copilot, Codex, Gemini CLI, and Google Antigravity connect in minutes.

Fleet rollout

Jamf, Iru, and repo hooks turn individual adoption into managed coverage.

Enterprise controls

RBAC, policy audit logs, identity groups, SSO-ready data model, and webhook alerts help security say yes.

Deployment model

Run AgentKeeper in your cloud when the data boundary matters.

Hosted AgentKeeper is the fastest path for most teams. Regulated environments can bring their own cloud or private Kubernetes so agent telemetry, policy evidence, and identity context stay inside the customer-controlled boundary.

customer_control_plane (isolated stack)

  • Mode: BYOC / on-prem
  • Runtime: Kubernetes
  • Boundary: Customer cloud
  • Parity: Same product surface

Customer-owned stack

Run AgentKeeper inside your Kubernetes cluster, VPC, or private cloud account. The deployment model uses standard infrastructure primitives and is not tied to one provider.

Regulated data boundary

Keep prompts, tool arguments, command output, user attribution, policy decisions, and audit evidence inside the environment your security team already controls.

Any cloud with Kubernetes

Support AWS, Azure, GCP, sovereign cloud, or private Kubernetes environments with standard ingress, TLS, secrets, storage, and database primitives.

Same controls, isolated plane

Policy packs, workstation hooks, Claude Chat Gateway routing, Cowork coverage, alerts, and investigations stay aligned with hosted AgentKeeper while the stack remains isolated.

Private ingress or VPN-only access

Customer-managed secrets and upgrade windows

Dedicated database, storage, and telemetry ingress

Hosted, BYOC, and on-prem deployment paths

For enterprises

Make AI-agent rollout accountable before it becomes invisible.

AgentKeeper is built around the enterprise operating model: people use workstations, groups define policy audiences, policy profiles govern actions, and detections explain the evidence.

Identity graph

People, groups, and workstations stay connected so security can tell who acted, from which machine, and under which audience.

Policy profiles

Base Policy covers every session. Group profiles let platform teams roll out stricter controls to pilots, contractors, production owners, or regulated teams.

Detector catalog

Named detections such as secret leakage, prompt injection, credential harvest, and data exfiltration stay visible in policy and investigation workflows.

Audit evidence

Policy changes, group assignments, detector matches, verdicts, and workstation context remain traceable for security review.

Pricing

Start free. Scale the rollout when teams are ready.

Annual pricing shown

Team is priced per protected workstation and supports up to 20 workstations.

Trying AgentKeeper on one workstation

Free

For the first developer connecting an agent and seeing the loop.

$0 forever

No credit card required.

  • 1 workstation with AgentKeeper hooks
  • Local Runtime Shield
  • 1 repository, 1 API key
  • Latest 25 activity events visible
  • 7-day investigation history

Individual developers and small pilots

Pro

For builders expanding agent use across repos and tools.

$15 / mo

Flat pilot package.

  • 3 workstations, 3 repositories
  • 3 API keys
  • Unlimited activity event visibility
  • 30-day investigation history
  • MCP Gateway and Claude Cowork coverage
  • AI insights and email alerts
  • Usage and cost telemetry

Security teams rolling out across engineering

Team

For managed rollout across up to 20 developer workstations.

$23 / workstation / mo

Annual price shown. Monthly is $29/workstation. Limited to 20 workstations.

  • Everything in Pro
  • $23 per protected workstation per month
  • Up to 20 workstations
  • Unlimited repositories
  • RBAC and team invitations
  • Org and group policy controls
  • MCP access policies
  • Webhook alerts and audit logs
  • 30-day investigation history

Organizations expanding to more agent surfaces

Enterprise

For browser extension, cloud, custom agents, retention, and procurement.

Custom contract

Priced by rollout scope and data requirements.

  • Everything in Team
  • Claude OTLP and Compliance API
  • Browser extension support
  • Cloud and custom agent support
  • SSO / SAML integration
  • Custom retention and data controls
  • OTLP forwarding
  • Dedicated support and SLA
  • NET-30 invoicing
  • Custom security review support

Questions

Practical answers for teams moving fast.

What makes AgentKeeper different from prompt scanning?

It protects the moment an agent acts. Prompts matter, but adoption risk shows up when an agent reads files, runs commands, calls MCP tools, drafts emails, or touches repos.

Can teams start in audit mode?

Yes. Map real agent behavior first, then turn on enforcement by policy area, group, repo, or integration as teams are ready.

Which agents are first-class?

Claude Code, Claude Chat, Codex, Gemini CLI, Google Antigravity IDE, Cursor, Windsurf, GitHub Copilot, Claude Cowork, and MCP Gateway are the focus of this release.

Does this replace EDR?

No. EDR sees endpoint behavior. AgentKeeper gives security and platform teams the agent context they need to approve use: prompt, tool, arguments, policy, verdict, repository, user, and session.

Let teams use AI agents with policy already in the path.

Connect the first workstation, learn what your agents are doing, and roll out guardrails without stalling adoption.
