Coding agents at
full speed.
With full receipts.
Regain security control while freeing your developers to run faster. Marshal runs inside your VPC — every AI agent session lives in an isolated environment with full audit, credential isolation, and a live policy plane. You set the rules. You see every move.
AI coding agents are the biggest productivity gain in a decade. They're also the largest unmanaged attack surface in your stack.
Your developers have already turned on yolo mode. Your security team is about to find out. The trade you've been making — let them run loose, or lock them out — is wrong on both sides. The incidents have already started.
“It deleted the production database. In nine seconds.”
A logged incident from a coding agent in 2025. It had psql because the developer did. Credentials sat in ~/.pgpass. Prompts were off. Backups were wiped too.
“We have no idea what data left the company.”
Cursor, Devin, Codespaces — every popular agent proxies egress through the vendor's own network. No per-request log, no rule to enforce, no domain to revoke. 33 npm packages shipped live .env secrets last quarter.
“Just block it.”
The answer your CISO is about to propose — and it's wrong. Nubank reports 8–12× efficiency, 20× cost savings. Block everything and you lose a generational advantage. Allow everything and you own the next breach.
Let the agent fly. Keep the steering wheel.
Unattended autonomy and audited containment used to be a trade. Marshal removes it.
Agents never see your secrets.
The agent process runs with zero access to credentials. Tokens, keys, and SSH identities live in a supervisor-only vault and inject into tool subprocesses at invocation time — never into the agent's environment, never its filesystem. A leak from the agent leaks nothing.
Block the verb, not just the host.
Marshal inspects every tool invocation by verb and argument. Allow aws s3 cp. Deny aws s3 rm. Permit kubectl get. Block kubectl delete. The agent gets exactly the verbs you authorized — no more.
Yolo mode, with a net.
Run agents in unattended --dangerously-skip-permissions mode without the cold-sweat moment. Every tool call routes through the tool guardrail; every byte of egress through the inspection plane; every credential request is gated. The blast radius is bounded by manifest, not by attention.
“Deleted the production database in nine seconds.” Not here.
Marshal intercepts every database connection at the wire-protocol level — Postgres, MySQL, MongoDB, Redis, and friends — so policy lands on the statement, not just the host. Allow SELECT, GET, UPDATE … WHERE. Deny ALTER TABLE, DROP, FLUSHDB. The credentials never reach the agent, and the nine-second incident never compiles.
Quarantine in one click.
Anomalous DNS exfil. A new intercept-flagged domain. A credential request you didn't expect. Quarantine the session — runtime freezes mid-execution, network goes dark, credentials revoke, and the entire state is preserved for forensics. Sub-second. Reversible. Auditable.
Built for the way developers actually work.
The fastest things you do on your laptop — bridged ports, fast iteration, real collaboration — extended into the space and across every agent you have running.
Bridged ports, both ways.
Local Postgres, Ollama, staging tunnel — exposed into the space. The agent's dev server at :3000 — exposed back. Both directions, automatically.
Open in your IDE — VS Code, Cursor, Windsurf, and more.
Every space registers in your SSH config — it shows up in Connect to Host… for VS Code, Cursor, Windsurf, JetBrains, and any other Remote-SSH client. Click it and edit remotely as if local.
Pause. Resume. Zero compute between.
Pause the space — state snapshots to encrypted storage in your VPC, the meter stops. Resume tomorrow on a cheap spot, exactly where you left off.
Mission Control — orchestrate them all.
Run dozens of agent sessions at once and drive them from one pane. See what each is doing, what it is blocked on, and what is waiting on you — then triage, freeze a runaway, approve a gate, or jump straight into any session.
Ready on boot.
Pick a manifest, get a runtime — any toolchain pre-baked, every org tool already authenticated to the scopes your security team approved. Open the terminal. Start typing.
Pair, share, hand off.
Share a live link with a teammate. Read-only spectator mode for reviewers. Every collaborator sees the same terminal, audit log, and policy plane. Sessions outlive the originator.
Ephemeral envs, per task or test.
Every manifest can spin up a full dev environment or an ephemeral test stack — Docker Compose, Kubernetes-in-Kubernetes, or a just-in-time GPU spot instance. One per task, zero conflict, zero cleanup.
CLI first. Web wraps it.
Every action in the web UI is a CLI command. A local daemon handles port forwarding, SSHFS mounts, and keepalive — so the web terminal feels native even when the pod is across a continent.
Disconnect-proof sessions.
Wi-Fi drops, laptop sleeps, train tunnel happens — your session keeps running in your VPC. Reconnect and the agent picks up mid-thought. Mosh-style local buffer means zero re-typing.
Your files, mounted in.
Your repo, workspace, and dotfiles mounted into the space over SSHFS. Edit in your IDE, the agent sees it instantly. Edit in the space, your editor reloads. No git push-pull dance, no drift.
Even docker build goes through the build integrity sentinel.
Build containers are where supply-chain attacks hide. Marshal routes Docker-in-Docker build egress through the build integrity sentinel. Every fetch during a build is logged, policy-checked, and revocable.
The agent reads the room first.
Every session opens with an auto-generated briefing — toolchains installed, credentials wired, network profile live, what’s in the workspace. The agent starts oriented instead of probing blindly.
Rewind the whole space.
SOONThe agent went off the rails 4 minutes ago? Rewind the entire space — files, env, network state, audit log position — to any checkpoint. Branch from there. The agent has no time machine. You do.
Every dollar, in view.
SOONLive per-session, per-tool, per-agent spend — surfaced in the session, not extracted from a JSONL at 2 AM. Set spending caps that auto-pause. No more “why did this run $400 overnight?”
The agent asks for your eyes.
When the agent hits a hunk that needs human judgment, it pings you inside Marshal. Open the diff, leave inline comments on the lines that matter, suggest replacements. Marshal sends a structured response back — comments and edits — so it picks up exactly where you left off. No tab-switching. No copy-paste. No losing context.
The agent built it. See it running.
The agent starts a dev server in the space — Marshal gives it a real https:// URL. Review the running page right inside the dashboard, next to the terminal, and click through it as the agent iterates — or pop it into its own tab. Hot-reload and WebSockets pass straight through. Marshal probes each port first, so it only ever offers the ones that actually speak HTTP — never your Postgres socket.
Security gets proof. Developers get freedom. Platform gets control.
Three stakeholders, three different definitions of success — the same platform delivers all three without trade-offs.
One product owns both ends.
Every other tool is one shape: it lives on your laptop (no audit), runs in someone else's cloud (no policy), gives you a workspace (no agent guardrails), exposes a sandbox over an SDK (not for interactive work), or boxes the agent in a local microVM (HTTP-only interception, protects one laptop, not your org). Marshal is all of them at once — plus the policy plane in the middle, covering HTTP, raw TCP, database wire protocols, and build traffic.
Bring your own agent. Or three.
Marshal is the substrate — not the agent. Eight agents ready today. Run one this morning, bake off three this afternoon, change your mind by Friday. Your isolation, audit, and policy plane stay the same.
Three planes. One trust boundary. Your VPC.
A daemon on the developer's laptop bridges ports, files, and auth over a single HTTPS tunnel. A control plane in your cluster runs sessions, manifests, RBAC, the policy plane, and the audit log. Each session gets its own isolated pod where the agent runs sandboxed — its network egress through the inspection plane, database connections through the database control plane, build traffic through the build integrity sentinel, tool calls through the tool guardrail, and MCP servers inside the MCP isolation sandbox. Nothing leaves the boundary unaudited, and Marshal never sees your traffic.
Your cluster. Your VPC. Your audit trail.
Marshal deploys into your infrastructure — AWS, GCP, Azure, on-prem, or air-gapped. Postgres and Redis in your VPC. Audit data in your storage. Credentials in your KMS. We never see your traffic.
Be first to know when Marshal opens up.
We ship in focused cohorts. Leave your email and we will reach out when the next one opens.
Low volume. High signal.
Questions security teams actually ask.
The short version of what separates Marshal from a laptop, a vendor cloud, a remote dev env, or a local sandbox.