Private Beta

Your agent could be jailbroken right now.

Your agent reads untrusted content every time it runs — webpages, emails, files, tool outputs. Any of that content can hijack it into using its own tools against you. There is no log line that says "I was hijacked." Defend Agents catches the hijack before the tool call goes through.

Install (one line)

pip install sprk3-defend-agents

from sprk3.defend import monitor; monitor(api_key="sk-...")

Works with Anthropic SDK, OpenAI SDK, LangChain, MCP clients. Auto-instruments on import.

What it detects

Indirect prompt injection — hidden instructions in web pages, emails, RAG docs, tool outputs
Tool misuse post-injection — legitimate tools used on attacker's behalf
Agent tamper — heartbeat detects monitoring disabled or bypassed
Behavioral anomaly — tool velocity spikes, entropy shifts, new tool usage
Cross-agent propagation — injected worker output poisons orchestrator

How it works

SDK layer: Hooks LLM calls, tool calls, file access, network requests. Runs IOC matching and trust scoring locally.
Server layer: Receives metadata only. Validates heartbeat. Distributes global IOC patterns.
Heartbeat: Signed runtime state hash every 30s. Server knows instantly if monitoring is disabled.
Trust score: 0-100 per session. Decays on injection patterns, velocity spikes, entropy anomalies.
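
The heartbeat check described above, as an added sketch that is not SPR{K3's code or wire format: a client signs a hash of its active hooks and a server-side validator flags forged, replayed, altered or missing heartbeats. HMAC-SHA256 with a shared key, the message fields, the grace period and all names are assumptions; only the 30s interval comes from the page.

```python
import hashlib, hmac, json

INTERVAL = 30          # seconds between heartbeats (from the page)
GRACE = 2 * INTERVAL   # assumption: longer silence than this raises an alert

def state_hash(hooks):
    # Hash of the monitoring state, here a {hook_name: enabled} dict (assumed shape).
    return hashlib.sha256(json.dumps(hooks, sort_keys=True).encode()).hexdigest()

def _mac(key, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_heartbeat(key, session, seq, ts, hooks):
    # Client side: sign session, counter, timestamp and state hash together.
    body = {"session": session, "seq": seq, "ts": ts, "state": state_hash(hooks)}
    return dict(body, sig=_mac(key, body))

class HeartbeatValidator:
    # Server side, one instance per session; sees only metadata, never content.
    def __init__(self, key, expected_hooks):
        self.key, self.expected = key, state_hash(expected_hooks)
        self.last_seq, self.last_ts = -1, None

    def check(self, hb):
        body = {k: v for k, v in hb.items() if k != "sig"}
        sig = str(hb.get("sig", "")).encode()
        if not hmac.compare_digest(_mac(self.key, body).encode(), sig):
            return "bad_signature"
        if hb["seq"] <= self.last_seq:
            return "replay"             # an old heartbeat sent again
        self.last_seq, self.last_ts = hb["seq"], hb["ts"]
        if hb["state"] != self.expected:
            return "state_changed"      # a hook was switched off or altered
        return "ok"

    def overdue(self, now):
        # Silence is a signal too: no valid heartbeat within the grace period.
        return self.last_ts is not None and now - self.last_ts > GRACE

def demo():
    key = b"constructed-demo-key"       # constructed sample values throughout
    hooks = {"llm": True, "tools": True, "files": True, "network": True}
    v = HeartbeatValidator(key, hooks)
    out = [v.check(make_heartbeat(key, "s1", 0, 0, hooks))]
    out.append(v.check(make_heartbeat(key, "s1", 0, 0, hooks)))   # same seq again
    out.append(v.check(make_heartbeat(key, "s1", 1, 30, dict(hooks, tools=False))))
    out.append(v.check(make_heartbeat(b"other-key", "s1", 2, 60, hooks)))
    return out, v.overdue(80), v.overdue(100)
```

The validator only sees what the client reports, so the signing key has to live somewhere the agent's own tools cannot read.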

We catch the hijack. We never see the conversation.

Client sees content — IOC matching, trust scoring, entropy analysis all run on your machine
Server sees metadata only — event type, timestamp, trust score, alert flag, pattern ID
Evidence stays local — full session replay at ~/.sprk3/evidence.db on your machine
Same promise as Defend — no file contents, no credentials, no network sniffing

Attack scenarios

01 Coding agent reads poisoned README — agent shells out, SSH keys exfiltrated
02 Support bot processes injected ticket — PII leaks via DB access
03 Browsing agent visits poisoned page — conversation history POSTed to attacker
04 MCP agent reads malicious email — forwards CFO messages externally

Free during beta. Full feature set. No limits.
