v1.2.1 · 1,400+ tests · Apache-2.0

The open-source
AI agent firewall.

Write a CEL rule. Strathon blocks the tool call before it executes, in under a millisecond, in-process, with no network gateway. Three lines of code, ten frameworks, self-host in minutes.

Get Started GitHub
SOC 2 pathGDPREU AI Act readyOWASP ASI Top 10
agent.py · strathon
$ pip install strathon
Successfully installed strathon-1.2.1
from strathon import Client, instrument
instrument(Client(api_key="stra_..."), frameworks=["langgraph"])
agent.invoke("delete the production database")
✗ StrathonPolicyBlocked: tool 'drop_table' denied
policy="block-destructive" action=BLOCK <1ms
Agent
Tools / LLMSTRATHON
1,400+
tests passing
10
framework integrations
7
enforcement actions
v1.2.1
latest release

Built on open standards, no black boxes

OpenTelemetryCEL (Google)PostgreSQLOWASP ASIDockerApache-2.0
The dashboard

Every agent action, on one screen.

app.getstrathon.com / traces
Traces
Policies
Approvals
Agents
Trace · checkout-agent312ms · 6 spans
agent.plan
llm.completion · gpt-4o
tool.search_docs
tool.read_file
tool.send_email
BLOCKED
agent.respond
Span detail
BLOCK
toolsend_email
policyblock-pii-exfil
latency<1ms
actionBLOCK

A live trace waterfall of tool calls and model invocations, with the exact policy verdict on every span, including what got blocked and why.

Three lines. Every framework.

Wrap your agent. Keep your code.

agent.py
from strathon import Client, instrument

client = Client(api_key="stra_...")  # endpoint defaults to localhost:4318
instrument(client, frameworks=["langgraph"])
# tool calls now pass the policy engine before executing
Capabilities

A control plane for everything your agents do.

CEL Policy Engine

Seven enforcement actions, 12 OWASP templates, and a shadow mode that tests policies against live traffic without blocking it.

Human Approval

Pause agent execution until an operator approves. Multi-party sign-off for high-stakes actions.

70+ Credential Patterns

Detect AWS keys, GitHub tokens, Stripe keys, private keys and more, redacted at ingest.

EU AI Act Compliance

Evidence export for Articles 9–15 & 19. NIST AI RMF risk scoring built in.

Behavioral Drift Detection

EWMA/CUSUM statistical analysis flags when an agent silently changes behavior.

Dashboard

Trace waterfall, policy editor, approval cards, audit log, and budget charts in one operator console.

Works with the agent stack you already use

LangGraph
CrewAI
OpenAI Agents SDK
OpenAI
Anthropic
LangChain
AutoGen
Claude Agent SDK
Pydantic AI
Google ADK
LangGraph
CrewAI
OpenAI Agents SDK
OpenAI
Anthropic
LangChain
AutoGen
Claude Agent SDK
Pydantic AI
Google ADK
Sub-ms
in-process policy overhead
No proxy
enforces in your agent process
Horizontal
stateless receivers scale out
Fail-open
never blocks your agent on an outage

Throughput depends on your hardware and database, so Strathon ships a reproducible benchmark you run yourself rather than quoting a single number. See the scaling guide.

See it block

Send an attack. Watch the verdict.

BLOCK
Tool call denied before execution
policyblock-prompt-injection
latency<1ms
verdictprompt_injection / tool_abuse
Threat model

Anchored on the OWASP Top 10 for Agentic Applications (2026).

ASI01
Agent Goal Hijack
CEL policies on prompt and input content; block or alert on hijack attempts
ASI02
Tool Misuse and Exploitation
Deny-by-default tool allow-lists, CEL argument rules, approvals for sensitive tools
ASI03
Identity and Privilege Abuse
Scoped API keys, RBAC, MFA, per-key rate limits
ASI04
Agentic Supply Chain Vulnerabilities
MCP gateway policy checks, egress domain allow-listing, credential scanning
ASI05
Unexpected Code Execution
Block and allow-list policies on shell, code, and SQL tools; approval before execution
ASI06
Memory and Context Poisoning
Drift detection surfaces poisoning effects; halt propagation; content redaction at ingest
ASI07
Insecure Inter-Agent Communication
MCP gateway evaluates inter-agent and tool calls; fails closed when evaluation cannot complete
ASI08
Cascading Failures
Cost and iteration budgets with auto-halt, circuit breakers, kill switches, halt propagation
ASI09
Human-Agent Trust Exploitation
Multi-party (N-of-M) approval, tamper-evident audit log, SARIF export
ASI10
Rogue Agents
Behavioral drift detection (Vigil), heartbeat monitoring, SDK integrity check, kill switches
Full OWASP mapping
Self-host in minutes

Free forever, on your own infrastructure.

No license keys. No phone-home. Clone the repo, run Docker Compose, open the dashboard, and create your first policy. The full firewall (every scanner, every framework integration) is open source.

Read the quickstart
terminal
git clone https://github.com/strathon/strathon.git
cd strathon
docker compose up

# open localhost:3000: register, create a policy, done
Docker Compose
One command
Kubernetes
Pod spec & probes
From source
Python + Postgres
Shipping fast

Latest releases.

View all
v1.2.1Bug fixes2026-06-17
  • Fixed a crash on the trace detail page that prevented it from loading.
  • Approval cards now show the agent that triggered the call instead of "unknown agent".
  • Fixed dashboard search placeholders that rendered a literal escape sequence instead of an ellipsis.
  • Dependency refresh in the dashboard (lucide-react 1.20).

Start protecting your agents.

Ship a firewall in front of every tool call today. It's open source. You can read every line.