AI Security Posture Management

Secure every AI agent, MCP server, and tool your developers run.

Shomra discovers, scans, and governs the AI agents, MCP servers, and AI tools spreading across your developers and your stack — from the endpoint, to the runtime, to the model — so shadow AI, leaked keys, and prompt-injection never reach production.

No credit card · Install in 60 seconds

shomra — report
$ shomra report

 Discovered 8 AI assets across 4 sources

 files-pro           FAIL   run-shell + leaked GitHub token
 .cursorrules        FAIL   prompt injection + Stripe key
 added expresss      CRIT   known-malicious package
 shadow-gpt-key      HIGH   undeclared OpenAI key in env

3 critical · 2 highview at shomra dashboard
Live trafficshomra/map.v1
laptop-01
cursor
laptop-02
claude-code
laptop-03
windsurf
Shomra
gate + firewall
mcp: files-pro
sandboxed
mcp: postgres
governed
gpt-4o / claude
via proxy
org secrets
screened
allowed callblocked at gateper-agent policy
healthy · 0.42ms overhead
9
Detection classes
Injection, secrets, PII, toxic flow, weak auth & more
100%
Sandboxed scans
Every server runs in a hardened, network-locked sandbox
0
Config required
Zero-config discovery across every dev machine
60s
To first insight
Install the agent and see your posture immediately
What you get

One platform, the entire AI attack surface

From the developer's laptop to the model and back — every layer an AI agent touches, covered by one governed pipeline.

01/Discover
See every AI asset your devs are running
Shadow AI
Inventoried
0-config
Endpoint Agent
Zero-config discovery of MCP servers, rules files, model keys & shadow tools on every dev machine.
1 list
AI Inventory
Every server, endpoint, and asset in one governed list — approve, deny, revoke.
02/Scan & Gate
Vet AI artifacts before they land or merge
Malicious MCP
Cleared
4 engines
Scan Hub
One wizard for repo, ZIP, MCP, and infra scans — unified findings across engines.
static
Workspace Scan
Static analysis of Skills, subagents, hooks, MCP configs & rules. Nothing is executed.
sandboxed
Sandboxed MCP
Every server runs in a hardened, network-locked, disposable Docker container.
pre-merge
Dev Gate
Vet any AI artifact via pre-install hooks & CI with `shomra gate --all`.
03/Protect at runtime
Block dangerous tool calls & poisoned outputs live
Prompt injection
Blocked
inline
Tool-Call Firewall
Blocks dangerous shell commands, risky writes & MCP calls before they run.
bi-dir
Tool-Result Firewall
Screens what a tool returns before it re-enters the agent's context.
drop-in
LLM Guard Proxy
Drop-in OpenAI/Anthropic proxy that screens every prompt & completion.
audit
Policy Center
MONITOR / ENFORCE rollout modes, hit telemetry, and full audit trail per rule.
04/Govern & respond
Close the loop with attack paths & AI fixes
Exploit chain
PR opened
graph
Attack Path Graph
Cross-tool exploit chains an AI agent could actually walk, end to end.
1-click
AI Remediation
One-click, AI-generated fixes opened as pull requests across 4 Git providers.
live
Threat Intel
Live OSV + CISA KEV feeds mapped to MITRE ATLAS & runtime AI activity.
copilot
Ask Shomra
Grounded AI copilot answers over your live findings, servers & endpoints.
Also included:OWASP LLM Top 10 & ATLAS compliance mappingExecutive reportsGitHub / GitLab / Bitbucket / Jira / Azure DevOpsSlack / Teams / Discord / PagerDuty / Splunk / Datadog / ServiceNowNotifications feedFull audit log

Best-practice policy, applied in one click

Don't author rules from a blank page. Start from a curated, framework-aligned pack — every rule lands in Monitor mode so you watch the hits before you enforce.

OWASP LLM Top 10 Guardrails

Broad coverage of the OWASP Top 10 for LLM applications.

OWASP LLM Top 10ATLAS5 rules
Secrets & Credential Defense

Stop live keys leaking through prompts, machines, and installs.

SecretsPCI-adjacent3 rules
Prompt-Injection Defense

Catch injection at the gateway, in tools, and at install.

OWASP LLM01ATLAS3 rules
MCP Governance Baseline

A safe default posture for every governed MCP server.

MCPSupply chain4 rules
PII & Data Protection

Keep personal and sensitive data out of prompts and endpoints.

PrivacyGDPR-adjacent3 rules
Agentic Runtime Hardening

Lock down what autonomous agents can do at runtime.

AgenticATLAS4 rules
How it works

Live in minutes, governed for good

Every AI asset in your org flows through the same four-stage pipeline — discovered on the endpoint, scanned in a sandbox, gated before install, and governed at runtime.

Discover
MCPs, keys, rules
8 assets
Scan
static + dynamic
sandboxed
Gate
pre-install + CI
block / allow
Govern
policy + response
audit trail
01
Install the agent

Drop one command into your dev environment. The endpoint agent inventories every AI asset and key on the machine — no manual mapping.

02
See your posture

A single dashboard scores your AI attack surface, ranks the riskiest findings, and shows exactly where shadow AI and leaked secrets live.

03
Set policies & screen

Approve safe servers, block the rest, and let the Dev Gate and runtime firewall screen every install and every tool call — before they ever execute.

From zero to governed in five commands

1
Create your account and grab an API key

Sign up free, then copy your dgx_live_… key from the dashboard.

# Sign up at shomra.dev, then copy your key
export SHOMRA_KEY=dgx_live_XXXXXXXXXXXXXXXXXXXXXXXX
2
Install and enroll the agent

One npm install, one init command. The agent enrolls this machine into your org.

npm install -g @shomra/agent
shomra init --key dgx_live_…
✓ Enrolled this machine into your org
3
Discover what's actually running

Scan the machine and print a posture report — MCP servers, rules files, model keys, all of it.

shomra scan
shomra report
✓ 4 assets analyzed — 1 high-severity finding
4
Gate risky artifacts before they land

Run the Dev Gate on any file, folder, or the whole machine.

shomra gate .mcp.json
BLOCK · risk 100/100 · leaked AWS key
shomra gate --all --strict
5
Turn on the runtime firewall

Hook the local agent runtime and start the LLM guard proxy.

shomra install-hook
✓ Installed the Shomra runtime firewall
shomra llm-proxy --port 4141

Start free, scale when you're ready

Every plan includes the endpoint agent, sandboxed scans and the runtime firewall.

Developer
$0

For individual developers securing their own AI stack.

  • 1 developer
  • Endpoint agent on 1 laptop
  • 100 MCP / tool scans / month
  • Public MCP registry lookups
  • Community Slack support
Start free
Most popular
Team
$29/dev / month

billed annually · 5 dev minimum

For engineering teams putting guardrails around AI adoption.

  • Up to 25 developers
  • Unlimited MCP & agent scans
  • Runtime firewall (10M tokens / mo)
  • GitHub / GitLab + IDE integrations
  • AI remediation → pull request
  • Email support · 1 business day
Start 14-day trial
Business
$69/dev / month

billed annually · 25 dev minimum

For security teams governing AI across the whole org.

  • Unlimited developers & servers
  • Runtime firewall (100M tokens / mo)
  • SSO / SAML + SCIM provisioning
  • Custom policies & role-based access
  • SOC 2 report + audit log export
  • Priority support · 4h response SLA
Start 14-day trial
Enterprise
Custom

For regulated orgs with self-hosted or air-gapped needs.

  • Self-hosted / VPC / air-gapped
  • Unlimited tokens & scans
  • Custom DPA, MSA & security review
  • Dedicated CSM + Slack Connect
  • 24/7 support with 1h P1 SLA
Talk to sales

Prices in USD. No credit card to start.

Get your AI attack surface under control

Discover the shadow AI you can't see, scan the servers you depend on, and govern every agent — in one place.

No credit card Install in 60 seconds Hardened sandbox