marshal
Sign inSubscribe for updates
PRIVATE BETA · BY INVITATION

Coding agents at
full speed.
With full receipts.

Regain security control while freeing your developers to run faster. Marshal runs inside your VPC — every AI agent session lives in an isolated environment with full audit, credential isolation, and a live policy plane. You set the rules. You see every move.

100%
EGRESS LOGGED
<4ms
NET OVERHEAD
0
CREDS IN AGENT
ws-prod-1 · mar-9f2ainspection: healthy
agent@ws-prod-1:~/workspace$ claude --dangerously-skip-permissions
✓ Connected · 14 skills loaded · network: claude-code
● Migrating user_sessions to soft-delete
● Updating 14 call sites across 6 packages
● Running tests… 312/312 pass
› Drafting PR description
AUDIT · EGRESS INSPECTION · LIVE
allowGET registry-1.docker.io/v2/
auditGET pypi.org/simple/requests/
mitmGET github.com/acme/base.git
allowPOST npmjs.org/-/package/lodash
FOR SECURITY & CISO
Every byte, every verb, every credential — logged.
FOR DEVELOPERS & CTO
Yolo, without the cold sweat.
FOR PLATFORM LEADS
One substrate. Every agent. Your VPC.
01 / THE PROBLEM

AI coding agents are the biggest productivity gain in a decade. They're also the largest unmanaged attack surface in your stack.

Your developers have already turned on yolo mode. Your security team is about to find out. The trade you've been making — let them run loose, or lock them out — is wrong on both sides. The incidents have already started.

VELOCITY
“It deleted the production database. In nine seconds.”

A logged incident from a coding agent in 2025. It had psql because the developer did. Credentials sat in ~/.pgpass. Prompts were off. Backups were wiped too.

Tom's Hardware · 2025 · publicly reported
VISIBILITY
“We have no idea what data left the company.”

Cursor, Devin, Codespaces — every popular agent proxies egress through the vendor's own network. No per-request log, no rule to enforce, no domain to revoke. 33 npm packages shipped live .env secrets last quarter.

Knostic research · Q1 2026
GOVERNANCE
“Just block it.”

The answer your CISO is about to propose — and it's wrong. Nubank reports 8–12× efficiency, 20× cost savings. Block everything and you lose a generational advantage. Allow everything and you own the next breach.

Nubank case study · Devin · 2025
02 / AUTONOMY WITH GUARDRAILS

Let the agent fly. Keep the steering wheel.

Unattended autonomy and audited containment used to be a trade. Marshal removes it.

CONFIDENTIALITY

Agents never see your secrets.

The agent process runs with zero access to credentials. Tokens, keys, and SSH identities live in a supervisor-only vault and inject into tool subprocesses at invocation time — never into the agent's environment, never its filesystem. A leak from the agent leaks nothing.

WHAT THE AGENT SEES
$ env | grep KEY
(empty)
$ ls ~/.aws ~/.ssh
(empty)
$ cat .env
No such file
0 secrets reachable
SUPERVISOR VAULT
ANTHROPIC_API_KEY → claude
GITHUB_TOKEN → git, gh
AWS_ACCESS_KEY → aws (cp)
KUBECONFIG → kubectl (get)
SSH_PRIVATE_KEY → ssh, scp
injected per-invocation
agent terminal · live
$ aws s3 cp ./build s3://artifacts/v1.4.2/
✓ 14 files uploaded · 3.2 MB
$ aws s3 rm s3://artifacts/v1.3.0/ --recursive
✗ marshal: blocked by tool-policy
rule: aws.s3.destructive · deny
TOOL-POLICY.YAML · CLOUD-READONLY
allow aws s3 cp
deny aws s3 rm
allow kubectl get
deny kubectl delete
CONTROL

Block the verb, not just the host.

Marshal inspects every tool invocation by verb and argument. Allow aws s3 cp. Deny aws s3 rm. Permit kubectl get. Block kubectl delete. The agent gets exactly the verbs you authorized — no more.

BLOCK FIRST

The agent doesn't apologize. It justifies.

No “oops, sorry I deleted the database” moments. Risky moves get blocked mid-execution by manifest. The agent has to reason about why it needs the action — and you decide. Write a prod file, fetch a new domain, request a credential: each one stops, the agent submits a justification, you approve or deny.

● BLOCKED · req_8f3a2114:02:11
claude-code attempted write infra/production.tf
rule: terraform.production · write requires justification
REASONING · AGENT
“The RDS migration needs db.r6g.xlarge for the 6-hour backfill. The current large will throttle on insert rate. Reverting after.”
VELOCITY

Yolo mode, with a net.

Run agents in unattended --dangerously-skip-permissions mode without the cold-sweat moment. Every tool call routes through the tool guardrail; every byte of egress through the inspection plane; every credential request is gated. The blast radius is bounded by manifest, not by attention.

ws-yolo-1 · yolo modemarshal: supervising
agent@ws-yolo-1:~$ claude --dangerously-skip-permissions
● Migrating user_sessions to soft-delete
● Updating 14 call sites across 6 packages
● Running tests… 312/312 pass
› Drafting PR description
847
TOOL CALLS
234
EGRESS
3
BLOCKED
1
ESCALATED
psql · database control plane · live
prod=> SELECT count(*) FROM orders;
48213
prod=> DROP TABLE orders;
ERROR: marshal db-policy blocked statement
rule: prod.destructive · deny DROP
DB-POLICY.YAML · PROD-READONLY
allow SELECT · GET · KEYS
deny DROP / ALTER / FLUSHDB
allow UPDATE … WHERE
deny DELETE (no WHERE) · TRUNCATE
THE DATABASE

“Deleted the production database in nine seconds.” Not here.

Marshal intercepts every database connection at the wire-protocol level — Postgres, MySQL, MongoDB, Redis, and friends — so policy lands on the statement, not just the host. Allow SELECT, GET, UPDATE … WHERE. Deny ALTER TABLE, DROP, FLUSHDB. The credentials never reach the agent, and the nine-second incident never compiles.

SUPPLY CHAIN

Skills and MCPs, on a leash.

Skills (markdown injected) and MCP servers (tools the agent calls) expand what your agent can do. They're also a supply chain you can't see into. Marshal injects them in isolation — they never touch your credentials, never reach your filesystem, never speak directly to your network. Scope each per session. When a CVE lands, revoke it across every running session in under a second.

SKILLS & MCPS · WS-PROD-1 · 5 INJECTED · 1 ALERT
MCP
github-mcp v2.1.0
scope: PRs · issues only
MCP
slack-mcp v1.4.3
scope: #eng-only
MCP
langchain-mcp v0.18.2
CVE-2026-1234 · vulnerable dep
SKILL
security-policies v1.2
scope: markdown only
isolated · zero credential access · revoke fans out in <1s
CONTAINMENT

Quarantine in one click.

Anomalous DNS exfil. A new intercept-flagged domain. A credential request you didn't expect. Quarantine the session — runtime freezes mid-execution, network goes dark, credentials revoke, and the entire state is preserved for forensics. Sub-second. Reversible. Auditable.

Quarantined · ws-incident-07414:02:33
Anomalous DNS pattern · 14 requests to unknown infra
Detector flagged 14 DNS queries to *.exfil-relay.net in under 4 seconds. Session frozen pre-egress.
POD
frozen
NETWORK
dark
CREDS
revoked
03 / DEVELOPER EXPERIENCE

Built for the way developers actually work.

The fastest things you do on your laptop — bridged ports, fast iteration, real collaboration — extended into the space and across every agent you have running.

Bridged ports, both ways.

Local Postgres, Ollama, staging tunnel — exposed into the space. The agent's dev server at :3000 — exposed back. Both directions, automatically.

postgres · :5432
ollama · :11434
dev server · :3000

Open in your IDE — VS Code, Cursor, Windsurf, and more.

Every space registers in your SSH config — it shows up in Connect to Host… for VS Code, Cursor, Windsurf, JetBrains, and any other Remote-SSH client. Click it and edit remotely as if local.

VS CodeCursorWindsurfJetBrains

Pause. Resume. Zero compute between.

Pause the space — state snapshots to encrypted storage in your VPC, the meter stops. Resume tomorrow on a cheap spot, exactly where you left off.

◐ paused · meter stopped
⬆ snapshot → s3 · encrypted
resume · 0 reprovision

Mission Control — orchestrate them all.

Run dozens of agent sessions at once and drive them from one pane. See what each is doing, what it is blocked on, and what is waiting on you — then triage, freeze a runaway, approve a gate, or jump straight into any session.

ws-prod-1running
ws-feat-204running
ws-incident-074needs you

Ready on boot.

Pick a manifest, get a runtime — any toolchain pre-baked, every org tool already authenticated to the scopes your security team approved. Open the terminal. Start typing.

go 1.24python 3.13node 22rust 1.84

Pair, share, hand off.

Share a live link with a teammate. Read-only spectator mode for reviewers. Every collaborator sees the same terminal, audit log, and policy plane. Sessions outlive the originator.

MC Maya · owner
JL Jamie · pair
SR Sam · reviewer (read-only)

Ephemeral envs, per task or test.

Every manifest can spin up a full dev environment or an ephemeral test stack — Docker Compose, Kubernetes-in-Kubernetes, or a just-in-time GPU spot instance. One per task, zero conflict, zero cleanup.

docker-composek8s-in-k8sGPU spot · g5

CLI first. Web wraps it.

Every action in the web UI is a CLI command. A local daemon handles port forwarding, SSHFS mounts, and keepalive — so the web terminal feels native even when the pod is across a continent.

$ marshal new --manifest claude-code
$ marshal forward 5432:postgres
$ marshal share ws-prod-1 --reviewer

Disconnect-proof sessions.

Wi-Fi drops, laptop sleeps, train tunnel happens — your session keeps running in your VPC. Reconnect and the agent picks up mid-thought. Mosh-style local buffer means zero re-typing.

● disconnected (Wi-Fi)
⟳ reconnecting…
tunnel restored · 0.4s

Your files, mounted in.

Your repo, workspace, and dotfiles mounted into the space over SSHFS. Edit in your IDE, the agent sees it instantly. Edit in the space, your editor reloads. No git push-pull dance, no drift.

~/projects/marshal ⇄ /workspace
📄 src/router.tsx · instant
📁 node_modules/ · space-only

Even docker build goes through the build integrity sentinel.

Build containers are where supply-chain attacks hide. Marshal routes Docker-in-Docker build egress through the build integrity sentinel. Every fetch during a build is logged, policy-checked, and revocable.

allow GET registry-1.docker.io
intercept GET pypi.org/simple
deny POST telemetry.pkg-cdn.net

The agent reads the room first.

Every session opens with an auto-generated briefing — toolchains installed, credentials wired, network profile live, what’s in the workspace. The agent starts oriented instead of probing blindly.

toolchains node 22 · go 1.25
credentials github · gcloud (ro)
network profile: claude-code

Rewind the whole space.

SOON

The agent went off the rails 4 minutes ago? Rewind the entire space — files, env, network state, audit log position — to any checkpoint. Branch from there. The agent has no time machine. You do.

$ marshal rewind 4m
12 checkpoints · branch from any

Every dollar, in view.

SOON

Live per-session, per-tool, per-agent spend — surfaced in the session, not extracted from a JSONL at 2 AM. Set spending caps that auto-pause. No more “why did this run $400 overnight?”

ws-prod-1 · spend$0.42 / $5.00
auto-pause armed
INLINE REVIEW

The agent asks for your eyes.

When the agent hits a hunk that needs human judgment, it pings you inside Marshal. Open the diff, leave inline comments on the lines that matter, suggest replacements. Marshal sends a structured response back — comments and edits — so it picks up exactly where you left off. No tab-switching. No copy-paste. No losing context.

review · rv_3f2asrc/auth/login.tsx
45 export function Login(){
46 const user = useAuth()
47 if (user.email) {
48 return <Dashboard />
MCMayaline 47 · just now
Also handle the SSO path from the new manifest — should land here, not after a re-render.
+ if (config.sso) return <SSOLogin />
🔒 3000-x7f2.preview.marshal.codes
live · HMR
3000 http5432 tcp8080 http
LIVE PREVIEW

The agent built it. See it running.

The agent starts a dev server in the space — Marshal gives it a real https:// URL. Review the running page right inside the dashboard, next to the terminal, and click through it as the agent iterates — or pop it into its own tab. Hot-reload and WebSockets pass straight through. Marshal probes each port first, so it only ever offers the ones that actually speak HTTP — never your Postgres socket.

04 / ONE PRODUCT, THREE JOBS

Security gets proof. Developers get freedom. Platform gets control.

Three stakeholders, three different definitions of success — the same platform delivers all three without trade-offs.

FOR DEVELOPERS

Boot fast. Run loose. Feel local.

Yolo without the cold sweat — Marshal supervises in the background
Every toolchain pre-baked, every org tool authenticated
Bridged ports + SSHFS mounts — laptop and space feel local
Open in your IDE — VS Code, Cursor, Windsurf, JetBrains
Pause when you step away, resume on a spot — zero compute paused
Pair, share, hand off live sessions to teammates
Mission Control across every running session
Pick any of 8 agents — Claude Code, Codex, Gemini, …
FOR PLATFORM LEADS

Manifests over snowflakes.

Declarative manifests with golden-path inheritance + override
Versioned + rollback-able like any other artifact
Org RBAC + invitations + SSO + audit retention
Cost caps + quotas per team, per session, per agent
BYO model providers — proxy keys, attribute spend per team
Per-task envs — Docker Compose · K8s · GPU spot
Deploys into your VPC, your KMS, your cluster
One platform, every coding agent your team picks
FOR SECURITY & CISO

Receipts, not promises.

Per-request audited egress + live rule mutation
Block-first agent gate — must justify before acting
Per-verb tool policy (allow aws s3 cp, deny rm)
Per-statement DB policy (allow SELECT, deny DROP)
Build-time egress audited via build integrity sentinel
Credentials never reach the agent — or MCPs, or skills
CVE in a dependency? Revoke across every session in <1s
One-click session quarantine — freeze, revoke, preserve
05 / THE MARSHAL DIFFERENCE

One product owns both ends.

Every other tool is one shape: it lives on your laptop (no audit), runs in someone else's cloud (no policy), gives you a workspace (no agent guardrails), exposes a sandbox over an SDK (not for interactive work), or boxes the agent in a local microVM (HTTP-only interception, protects one laptop, not your org). Marshal is all of them at once — plus the policy plane in the middle, covering HTTP, raw TCP, database wire protocols, and build traffic.

Capability
Laptop & IDE agents
runs on the dev machine
Vendor-cloud agents
hosted in their cloud
Remote dev envs
cloud workspaces
Sandbox SDKs
programmatic, headless
Local VM/container sandbox
microVM on the dev machine
Marshal
Runs inside your VPC — your cluster, your KMS~~
Self-hostable · no traffic leaves your network~~~
Credentials never reach the agent process~~
Egress inspection plane — HTTP(S), raw TCP, build traffic~
Per-verb tool policy (allow cp, deny rm)
Database wire guard — per-statement policy, DB credentials never exposed
Block-first gate — agent justifies before acting~
One-click session quarantine (forensic preserve)
MCP & Skill isolation + CVE-wide revoke
✓ structurally yes · ~ partial / depends on the product · ✗ not possible for that category — typical of each kind of tool; individual products vary.
06 / AGENT AGNOSTIC

Bring your own agent. Or three.

Marshal is the substrate — not the agent. Eight agents ready today. Run one this morning, bake off three this afternoon, change your mind by Friday. Your isolation, audit, and policy plane stay the same.

AGENT-MANIFEST.YAML
# swap the agent — same controls, same policy
agent: claude-code
toolchain: [node 22, go 1.24]
network: claude-code
# bake-off: change one field
agent: codex # or cursor · gemini…
CC
Claude Code
Anthropic
Cx
Codex
OpenAI
Gm
Gemini CLI
Google
Cu
Cursor
Cursor
Co
Copilot
GitHub
Oc
OpenCode
Open source
Ws
Windsurf
Codeium
Ki
Kiro
AWS
He
HermesSOON
coming soon
+
Many more in progressSOON
Devin · Amp · Goose · Jules · Cline · Aider · …
+ bring any other CLI-callable agent via manifest.agent — Marshal is the substrate, not the agent.
07 / ARCHITECTURE

Three planes. One trust boundary. Your VPC.

A daemon on the developer's laptop bridges ports, files, and auth over a single HTTPS tunnel. A control plane in your cluster runs sessions, manifests, RBAC, the policy plane, and the audit log. Each session gets its own isolated pod where the agent runs sandboxed — its network egress through the inspection plane, database connections through the database control plane, build traffic through the build integrity sentinel, tool calls through the tool guardrail, and MCP servers inside the MCP isolation sandbox. Nothing leaves the boundary unaudited, and Marshal never sees your traffic.

1 · YOUR LAPTOP
Where the developer sits
outside the boundary
native terminal · any shell · VS Code · Cursor · Warp
marshal daemon · ports / files / auth
browser terminal · xterm.js
HTTPS / WSS
YOUR VPC · YOUR CLUSTER · YOUR KMS
2 · CONTROL PLANE
api + gateway
one per org
sessions · manifests
integration catalog
RBAC · SSO · policy plane
gateway · SSH / WS routing
audit log · → your storage
provisions
3 · SESSION RUNTIME
isolated pod
one per session
agent process · own UID
no creds · no inbound · no direct network
SUPERVISOR · PID 1 · BROKERS EVERY MOVE
egress inspection plane · all HTTP(S)
database control plane · per-statement SQL
build integrity sentinel · container build egress
TCP flow sentinel · non-HTTP protocols
tool guardrail · per-verb policy
MCP isolation sandbox · policy + egress
credential injector · at request time
network policy engine · allow · intercept · deny
audit pipeline · → control plane
credential vault · root-only
PII redaction · response bytessoon
EGRESS PATH · EVERY BYTE THROUGH THE PROXY
agent process
wants the network
EGRESS INSPECTION PLANE
● allow approved hosts● audit logged + passed● intercept inspected● deny blocked
the internet
only what policy allows
every allow / audit / intercept / deny is tapped to the audit log in your storage. Database wire-protocol rides the database control plane; docker-build traffic rides the build integrity sentinel — same policy engine.
HTTPS ONLYNo port opening, no SSH gateways, no inbound firewall holes. VPN- and ZeroTrust-friendly (Tailscale · Twingate · Cloudflare Access).
08 / SELF-HOST FIRST

Your cluster. Your VPC. Your audit trail.

Marshal deploys into your infrastructure — AWS, GCP, Azure, on-prem, or air-gapped. Postgres and Redis in your VPC. Audit data in your storage. Credentials in your KMS. We never see your traffic.

BYO KMS · VaultAir-gap compatibleSSO / SCIM · OIDC
DEPLOY.SH
# Receive a private Helm chart on accepted beta
helm install marshal ./marshal-<release>.tgz \
--namespace marshal --create-namespace \
--set kms.vaultAddr=https://vault.your-co \
--set audit.sink=s3://your-bucket/audit \
-f values.yaml
# reachable at https://marshal.your-co.internal
09 / STAY IN THE LOOP

Be first to know when Marshal opens up.

We ship in focused cohorts. Leave your email and we will reach out when the next one opens.

GET UPDATES

Drop your email. We'll reach out when the next cohort opens and keep you posted on what Marshal ships.

We'll reach out when something is worth your time.
WHAT YOU GET

Low volume. High signal.

01
Early access
Subscribers get first look at each new cohort before we open the waitlist publicly.
02
Product updates
We share architecture decisions, new capabilities, and the reasoning behind them — not a newsletter, more like a changelog with context.
03
Occasional outreach
If your use case is a strong fit, we may reach out directly — no cold sequences, just a relevant conversation when the timing makes sense.
10 / FAQ

Questions security teams actually ask.

The short version of what separates Marshal from a laptop, a vendor cloud, a remote dev env, or a local sandbox.

A local microVM sandbox protects one laptop from one agent — real isolation, but it stops at the machine’s edge. Most local sandboxes also only intercept HTTP: they can swap or redact tokens in-flight, but the agent still holds the actual database password, still speaks raw TCP to Redis, still runs docker builds with unchecked egress. Marshal goes further: the database wire protocol is intercepted at the statement level (the agent connects to a local socket and never holds real DB credentials), raw TCP and build traffic each route through their own dedicated governance plane — the TCP flow sentinel and the build integrity sentinel — and credential injection happens at request time to the declared destination only — so a misrouted credential attempt is blocked and logged, not just swapped. On top of that, Marshal is the org-wide layer: sessions run in your VPC on your cluster, every byte of egress is governed by the egress inspection plane, and any session can be quarantined or have its policy revoked live. Same instinct as a local sandbox — keep the agent boxed — extended to a whole team, with the central policy and audit trail a security org needs to sign off.

Bring AI agents inside. On your terms.

Marshal ships in focused cohorts. Leave your email and we will reach out when the next one opens — no pitch, no drip, just an invite.

We'll reach out when something is worth your time.