By ByteBot
Most developers shipping AI agents to production are making a quietly catastrophic mistake: giving those agents unrestricted access to the network. The agent holds your AWS credentials. It fetches URLs from the web. It calls external APIs via MCP tools. And nothing is watching the egress boundary. On May 4, 2026, Pipelock dropped as a free, open-source Go binary to fix exactly that.
The Problem Is Worse Than You Think
Before getting to the solution, it’s worth sitting with the threat for a moment. Researchers at BlueRock Security analyzed over 7,000 MCP servers and found 36.7% were potentially vulnerable to server-side request forgery (SSRF). In a working proof-of-concept, they used Microsoft’s MarkItDown MCP server to retrieve AWS IAM keys from the EC2 instance metadata endpoint. That’s not a theoretical attack path — that’s a real one.
The same week, Microsoft’s security researchers disclosed CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel. The attack chain: inject a malicious prompt, execute arbitrary code on the host running the agent. A single poisoned prompt was enough to pop a shell. OWASP’s Top 10 for Agentic Applications 2026 has formalized these risks into eight categories, but the underlying pattern is consistent: agents that can read untrusted content and write to the network are a loaded gun.
The security community calls this the “lethal trifecta”: an agent simultaneously holds private credentials, consumes untrusted content from the web, and has unrestricted outbound network access. Most production deployments today satisfy all three conditions.
How Pipelock Works
Pipelock’s architecture is built around capability separation. The agent process holds secrets but has no direct network access. Pipelock holds network access but has no secrets. All traffic crosses a scanning boundary between the two zones. This isn’t a clever trick — it’s the only design that actually enforces the boundary, because you cannot inspect traffic you don’t control.
Every request that crosses that boundary flows through an 11-layer scanner pipeline: scheme enforcement, CRLF injection detection, path traversal blocking, domain blocklisting, data loss prevention with 48 credential patterns, path and subdomain entropy analysis, SSRF protection, rate limiting, URL length checks, per-domain data budgets, and 25 injection patterns with 6-pass normalization. The DLP layer alone recognizes 48 different credential formats — meaning it catches API keys leaking in request bodies or response content before they leave your environment.
Pipelock also ships with 17 pre-execution rules for MCP tool calls that block dangerous operations before they reach any server: destructive operations, credential access, reverse shells, persistence mechanisms, and encoded command execution.
Why MCP Support Is the Real Differentiator
Standard network firewalls cannot inspect MCP protocol messages. They see traffic and pass it through. Pipelock scans MCP traffic in both directions across three transport modes: stdio subprocess wrapping, streamable HTTP bridging, and HTTP reverse proxy.
That bidirectional inspection catches attack vectors that network-level tools miss entirely. Client requests are checked for credential leaks before they go out. Server responses are scanned for injected payloads before they reach the agent. And tools/list responses — the MCP mechanism that tells an agent what tools are available — are checked for both poisoned tool descriptions and mid-session changes.
That last category has a name: rug-pull attacks. An MCP server gets approved as safe, the agent starts using it, and then the server quietly changes a tool’s description or behavior to redirect the agent’s actions. Pipelock detects and blocks mid-session rug-pull changes. It also supports Google’s Agent-to-Agent (A2A) protocol, making it one of the few open-source tools covering the emerging multi-agent communication landscape.
Getting Started: Three Commands
The barrier to entry is deliberately low. Pipelock ships as a single 20MB static Go binary with no external dependencies.
brew install luckyPipewrench/tap/pipelock
pipelock generate config --preset balanced > pipelock.yaml
pipelock run --config pipelock.yamlThe --preset balanced flag generates a reasonable starting configuration without requiring deep security expertise upfront. Configs reload automatically via file watcher or SIGHUP signal — no restart required for policy changes. The GitHub repository includes dedicated integration guides for Claude Code, Cursor, and the OpenAI Agents SDK, plus Docker and Kubernetes deployment recipes.
Production-Grade Audit Included
For teams operating under compliance requirements, Pipelock generates a hash-chained, tamper-evident audit log with SHA-256 chain links and optional Ed25519 signatures. Every scanner decision, policy action, and session event is recorded. Compliance mappings ship for the OWASP MCP Top 10, OWASP Agentic AI Top 10, MITRE ATT&CK, EU AI Act, SOC 2, and NIST 800-53. It can also produce CycloneDX 1.6 agent bills of materials — the kind of artifact regulators and enterprise security teams ask for when agents touch production data.
The project is Apache 2.0 licensed. No SaaS tier, no telemetry, no vendor lock-in. More detail on the tool’s security model is available at the PipeLab agent firewall explainer.
The Bottom Line
Pipelock does not solve every AI agent security problem. It doesn’t prevent a compromised model from giving bad advice, or stop an agent from making poor decisions within its allowed scope. What it does is enforce a real boundary at the network layer, with protocol-level inspection that generic tools cannot provide. If you’re shipping agents to production — via Claude Code, Cursor, the OpenAI Agents SDK, or anything built on MCP — running them without egress inspection is an unnecessary risk. Pipelock just eliminated the excuse that there was nothing to fill that gap.
