
Open-source agent firewall for MCP security and AI agent egress
By Tanmay Verma, Founder · Last verified 06 Jul 2026
In short
Pipelock — Open-source agent firewall for MCP security and AI agent egress. Best for Teams deploying coding agents (Claude Code, Cursor, etc.) that need network egress control, Security engineers looking for open-source runtime guardrails for MCP agents, Organizations that require signed audit evidence for compliance (SOC 2, HIPAA, EU AI Act). Free to start; paid plans from $999/mo.
See what real users actually say. We scan live discussions, reviews and complaints across the web and hand you an honest verdict — in under a minute.
3 free scans · no card needed · downloadable report
Pipelock is the most mature open-source option for MCP agent firewall needs. Its flat pricing and signed receipts are unique, but it requires CLI comfort and self-hosting. For teams using Claude Code or Cursor who need to prevent credential leaks and prompt injection, the free tier is a strong starting point.
Skip Pipelock if Skip Pipelock if you need a GUI-based firewall or fully managed SaaS, or if you don't run coding agents like Claude Code or Cursor that send outbound traffic.
Last verified: July 2026
Across the latest 7 updates: 4 feature updates, 1 launch, 1 changelog entry and 1 news mention.
Blog index shows 47 posts; latest is v3.0 release from Jun 23.
Pipelock v3.0 hardens defaults to fail closed, adds signed self-update, provider-key DLP, and Conductor fleet operations.
Pipelock v2.6 adds operation-level request policy, file-borne injection detection, hook-based agent inspection, and MCP hardening from NSA guidance.
Pipelock v2.5.0 ships Audit Packet verifiers, host containment lifecycle commands, strict federation, MCP integrity, and IDE installers.
Pipelock Agent Egress Control v0.1.0: GitHub Action that wraps agent scripts in kernel-enforced network containment and writes signed Audit Packets.
Pipelock v2.4.0 ships learn-and-lock contracts, block reason headers, inbound envelope verification, Gemini redaction, and health checks.
Report on MCP security: public incidents, CVE trends, OWASP MCP Top 10 mapping, and control coverage across scanners, gateways, and inspection tools.
We ran a structured research pass across product reviews, community discussions, and post-purchase forum threads to surface the patterns vendors won't publish themselves. Below: the recurring strengths, the hidden costs people mention most, and the cohort that consistently regrets adopting this tool.
15 mentions across 4 sources (Hacker News, Bluesky, GitHub, Lemmy).
How likely is Pipelock to still be operational in 12 months? Based on 4 signals — momentum (how recently it shipped), wrapper dependency, revenue model, and web presence.
Last calculated: July 2026
How we score →Pipelock is an open-source agent firewall that sits between AI agents and the internet, scanning every HTTP, WebSocket, and MCP message to block secret leaks, unsafe tool traffic, and prompt-injection responses. It enforces egress at the network boundary and emits signed action receipts any third party can verify offline. The core security engine is free and Apache 2.0 licensed; paid plans add multi-agent coordination and fleet governance. It's designed for teams running coding agents like Claude Code, Cursor, VS Code, or JetBrains that need runtime guardrails without per-agent pricing. The v3.0.0 release hardened defaults to fail closed, added signed self-update, provider-key DLP, and Conductor fleet operations. Pipelock enforces MCP, HTTP, and WebSocket egress at the network boundary and emits signed action receipts any third party can verify offline. Compared to alternatives like MCP gateways from vendors, Pipelock offers flat pricing, open-source auditability, and compliance evidence mappings across seven frameworks.
We'd reach for Pipelock when we're running coding agents with access to sensitive credentials and need to enforce egress without per-agent pricing. The free Community tier already includes the full scanner pipeline, DLP, prompt injection detection, process sandbox, and signed reports—enough for a single agent profile. If you manage multiple named profiles, the Founding Pro tier at $49/mo flat is a bargain, especially compared to per-seat competitors. The compliance evidence mappings (OWASP, MITRE ATLAS, EU AI Act, HIPAA, SOC 2) make it a natural fit for regulated environments. Where it bites: Pipelock is not a point-and-click GUI—you'll need to be comfortable with CLI and self-hosting. It's also not a full web application firewall; it's laser-focused on AI agent traffic. If you need a fully managed SaaS solution, look elsewhere. Compared to other agent firewalls, Pipelock's open-source core and offline-verifiable receipts are unique, but the trade-off is operational complexity.
Free, no signup — tell us your goal and get tools matched to your budget & existing stack.
Concrete scenarios for the personas Pipelock actually fits — and what changes day-one when you adopt it.
Wire all developer Claude Code instances through a local Pipelock proxy to block credential leaks. Configure the Community tier with the default security profile, enable the Telegram kill switch, and generate signed audit reports weekly for compliance review.
Outcome: Credential exfiltration blocked on day one, signed audit trail for SOC 2 readiness, and zero per-agent cost.
Set up Pipelock Pro with named security profiles for each project (e.g., one for frontend, one for backend). Configure per-profile DLP allowlists for project-specific domains and per-profile MCP tool policies to restrict dangerous tools like `write_file`.
Outcome: Centralized policy enforcement with no per-agent pricing, cross-agent session isolation prevents leaks between projects.
Run pipelock assess to get a hash-chained, Ed25519-signed assessment report. Map findings to NIST AI RMF and EU AI Act controls. Verify the report offline using the free verifier.
Outcome: Produce compliance evidence within hours, verifiable by auditors without a vendor portal.
as of 2026-07-06
as of 2026-07-06
Project the real annual outlay, including the implied monthly cost when only an annual tier is published.
Vendor list price only. Add-on usage, seat overages, and contract minimums are surfaced under Hidden costs & gotchas.
For each published Pipelock tier: who it actually fits, and what it adds vs. the previous tier. Cross-reference the cost calculator above for projected annual outlay.
Community
$0/mo
Ideal for
Solo developer or hobbyist running one coding agent (e.g., Claude Code) who wants free, open-source egress control and DLP without per-agent pricing.
What this tier adds
Free entry point with full scanner pipeline, signed reports, and kill switch, but limited to one default security profile.
Founding Pro
$49/mo ($490/yr)
Ideal for
Startup or small team coordinating 2+ agent profiles (e.g., separate profiles for dev and ops) who need per-profile DLP, allowlists, and MCP tool policies.
What this tier adds
Adds unlimited named security profiles, per-profile policies, dedicated agent listeners, and cross-agent session isolation. Grandfathered at $49/mo for first 50 customers.
Assess License
$999/yr
Ideal for
Compliance officer or security consultant needing a signed, offline-verifiable security assessment report with compliance mappings (OWASP, NIST, EU AI Act, SOC 2).
What this tier adds
Standalone one-year license for pipelock assess, producing hash-chained Ed25519-signed assessment with risk rating and badge.
Enterprise
$25,000/yr
Ideal for
Organization managing a fleet of agents across teams requiring central governance, signed policy distribution, and fleet audit aggregation for compliance.
What this tier adds
Adds signed fleet policy bundles, remote kill, durable fleet audit aggregation, live stream observability, and enrollment-token lifecycle management.
The company stage and team size where Pipelock's pricing actually pencils out — and where peers do it cheaper.
Pipelock's free Community tier offers a full security engine with no per-agent pricing, making it ideal for solo developers and small teams exploring agent guardrails. The $49/mo Founding Pro tier (grandfathered for first 50) is competitive with vendor-specific tools like the Claude Code Pro subscription ($20/mo per user) but covers unlimited profiles and agents. Enterprise at $25,000/year is flat-rate, which can be cheaper than per-agent competitors like Valence Security or Wiz Agent Security
How long it actually takes to get something useful out of Pipelock — broken out by persona, not the marketing-page minute.
For a single agent like Claude Code, setup takes about 2 minutes: run `brew install luckyPipewrench/tap/pipelock`, then `pipelock claude setup`. Multi-agent or fleet setups take 30-60 minutes to define named profiles and configure policies per profile. Enterprise fleet governance involves deploying the Conductor and configuring enrollment tokens, which can take a few hours for initial setup.
How to bring data in from common predecessors and how to get it back out — written for the switcher, not the buyer.
Educational content from pipelab.org
Helpful link from pipelab.org
Helpful link from pipelab.org
Helpful link from pipelab.org
Helpful link from pipelab.org
Helpful link from pipelab.org
Durable execution platform for reliable AI agents and workflows.
Browser security platform that stops AI-powered attacks and controls AI tool usage.
Used Pipelock? Help shape our editorial sentiment research.