AI coding agents are non-deterministic. SigmaShake makes sure yours only does what you allow.
Force the tools your agent can use. Block dangerous, unsafe commands before they run. Audit everything it does.
~96 MB · Windows 10 (1809+) and 11 · v1.0.1 · per-user install
🏆 Benchmarked, not claimed · SHAKEDOWN
The #1-ranked guardrail for AI coding agents
Choosing what guards your agents is a critical decision, so we made it measurable. The question that matters: which guardrail actually contains a rogue agent without breaking real work? We replayed 324 attack tasks across 9 agent harnesses through every approach. SigmaShake wins — and the score below shows by how much.
SigmaShake SSG + hardening overlay100
Sandbox runtime NVIDIA OpenShell (modeled from public docs)49.5
Policy kernel MS AGT (modeled from public docs)21.1
Skill-based guardrail (modeled from public docs)19.3
Prompt guard (modeled from public docs)18.1
SHAKEDOWN score = Containment × (1 − FalseBlock) × 100. Higher is better — you only win by catching attacks and leaving legitimate work alone.
🎯
Contains without breaking work
100% of attacks blocked at 0% false-block on the SHAKEDOWN corpus (3,855 malicious + 1,894 benign tasks, measured).
⚡
Decides in ~85 ms
Deterministic native evaluation — no model inference, no GPU, no token cost. Prompt/model guards need a full LLM forward pass.
🧭
Guides, not just blocks
Allow · Ask · Deny with a guidance message — it steers the agent and asks a human, instead of a blunt block/allow.
See the full head-to-head SSG row measured (overlay-only run, submitter: sigmashake-bench) · competitor rows modeled from public docs · SHAKEDOWN authored by SigmaShake · full results
Works with the agents your team already uses
Claude Code PreToolUse hook integration
Cursor MCP Server Integration
Codex MCP Server Integration
VSCode Copilot MCP Server Integration
Gemini CLI MCP Server Integration
Antigravity MCP Server Integration
Pi Coding Agent MCP Server Integration
Claude Code PreToolUse hook integration
Cursor MCP Server Integration
Codex MCP Server Integration
VSCode Copilot MCP Server Integration
Gemini CLI MCP Server Integration
Antigravity MCP Server Integration
Pi Coding Agent MCP Server Integration
Two ways to install
Pick the install that fits you.
Same engine, same rules. The Desktop app wraps it in a no-terminal-required GUI; the CLI plugs into whatever shell, CI, or hook chain you already run.
For everyone
SigmaShake Desktop
Recommended for Windows
Click-to-install desktop app. No terminal, no admin, no Electron-sized footprint. The shield in your tray turns green when your AI agents are governed.
- 30-second install · per-user · no admin/UAC/sudo
- Windows: ~96 MB NSIS installer (C#/.NET + WebView2) · macOS: ~20 MB .dmg (Swift/AppKit) · Linux: ~12 MB .tar.gz (Go/Wails)
- Auto-updates: Windows via R2 delta · macOS via Sparkle · Linux via R2 delta
- Visual approval queue + system tray controls
- Wraps the same
ssgbinary — identical engine
Free for personal use · Windows 10+ · macOS 14 Sonoma+ · Ubuntu 22.04+ / Fedora 38+ / Pop!_OS
One-line install via curl, npm, docker, or PowerShell. Wire it into Claude Code, Cursor, Gemini CLI, VS Code, CI, or any PreToolUse hook chain.
- 0.39 ms p50 in daemon mode via persistent Unix-socket (measured: ssg 0.29.156, n=500; p99 under 2 ms)
- One-liner install — curl / npm / docker / pwsh
- Scriptable, CI-friendly, deterministic exit codes
- 8+ AI-agent adapters out of the box
- Flat-scaling to 100 000 rules · ~43 MB RSS
curl -fsSL sigmashake.com/install | sh
Closed-source binary · runs locally · product analytics opt-in · anonymous usage counter automatic (see IT review packet) · Starter free forever · one-line install via npm, docker, curl, or PowerShell
Also for editors
SigmaShake SSG for VS Code, Cursor, and any Open VSX editor
Pending Approvals, Rules, and Audit Log right in the side bar. Embedded dashboard panel. .rules syntax highlighting and snippets. Free.
New to AI
Put the brakes on before you hit the gas.
AI agents are powerful — and that means they can cause real damage before you realise what happened. SSG is the seatbelt you put on first.
An AI agent wiped a developer's entire project folder while "cleaning up temporary files." It matched a pattern it shouldn't have. There was no undo.
An AI assistant ran up a $400 cloud bill overnight by repeatedly calling a paid API while trying to "retry on error." Nobody noticed until the invoice arrived.
An AI sent emails to a customer list without being asked to. It was completing a task "helpfully." The replies came in fast.
1 — INSTALL
One line, every platform.
curl
curl -fsSL sigmashake.com/install | sh
30 seconds. Zero config. Zero-dependency install — no third-party packages pulled.
2 — DEPLOY
Covers every agent your team uses.
Policy applies uniformly across Claude Code, Cursor, Codex, Gemini CLI, Copilot, and more.
3 — PROTECT
Every decision — deterministic.
$rm -rf /
DENY
$sudo apt-get update
ASK
$curl https://api.example.com/data
FORCE
DENY blocks. ASK prompts. FORCE substitutes with a safer path — all in under 2ms.
For engineerssee the rule DSL, live dashboard, benchmarks & onboarding
priority / severity
Determines conflict precedence and the active audit log volume.
DENY / ASK / ALLOW
The raw execution action dynamically enforced upon matching.
IF command ...
The AST condition intercepting the raw agent process payload.
0.39 ms p50 daemon (measured: ssg 0.29.156, n=500) · ~246× faster than CLI · flat scaling to 100,000 rules
AMD Threadripper 3990X · 128 threads
64 GB DDR4 · ~43 MB RSS per eval
95.8ms median latency (p50)
Process RSS~43 MB
Startup overhead~73 ms (Bun spawn)
Decisions120 allow60 block20 log
~246× faster than CLI
Iterations1,000
Rules in memoryPre-loaded, no file I/O
ProtocolUnix socket (no TCP)
Scaling: Latency vs Rule Count
1,000 iterations + 50 warmup per tier · Unix socket RTT included · daemon p50 sub-ms at every tier · p99 stays under 2 ms (variance ±0.5 ms)
| Rules | CLI p50 | CLI p95 | CLI RSS | Daemon p50 | Daemon p95 |
|---|---|---|---|---|---|
| 10 | 95.4 ms | 120.5 ms | 42 MB | 0.23 ms | 0.35 ms |
| 50 | 94.8 ms | 104.2 ms | 47 MB | 0.17 ms | 0.34 ms |
| 100 | 97.9 ms | 113.0 ms | 42 MB | 0.23 ms | 0.35 ms |
| 200 | 96.9 ms | 126.2 ms | 44 MB | 0.13 ms | 0.26 ms |
| 500 | 100.3 ms | 122.0 ms | 43 MB | 0.17 ms | 0.32 ms |
| 100,000 | 276.4 ms | 340.9 ms | 95 MB | 0.16 ms | 0.29 ms |
CLI latency is dominated by Bun process startup (~73 ms) — rule count barely moves the needle up to 500 rules. At 100K rules, rule-file I/O pushes CLI to ~276 ms. Daemon p50 stays flat in the 0.1–0.4 ms band (sub-ms measurement noise dominates — the ordering of tiers is not meaningful). Engine p99 stays < 20 µs at every tier up to 100,000 rules; end-to-end daemon p99 (including Unix socket RTT) stays under 2 ms.
Join engineering teams reducing AI-agent incident risk — deterministically, across every agent in their stack.
⚡
Native Eval Engine
< 2ms · 100k+ rules
Zero-dependency binary via npm/curl. No Docker, no cluster, no token cost. Impossible to replicate with prompt engineering.
🔌
Agent-Agnostic
7 agents · 1 surface
Claude Code hooks + MCP across Cursor, Codex, VSCode Copilot, Gemini CLI, Antigravity & Pi Coding. One install governs them all.
🌐
Rule Hub Network Effect
Community · Compounding
A public .rules registry where every new rule strengthens the ecosystem. Competitors start from zero community.
Install SigmaShake →
30 seconds · npm install -g @sigmashake/ssg
Measured, not marketed · MITRE ATT&CK-mapped
SHAKEDOWN — the agent-containment benchmark
Anyone can claim their guardrail is safe. SHAKEDOWN proves it. We replay a curated corpus of destructive, persistence, credential-access, defense-evasion and supply-chain tool calls — each mapped to a MITRE ATT&CK technique — through SSG under every supported agent harness, and score how much it blocks while leaving legitimate developer work alone. Fully local, no GPU, no token cost, open methodology.
Across the ATT&CK kill chain: Initial AccessPersistenceDefense EvasionCredential AccessExfiltrationImpact
Community Rules, Ready to Install
Pre-built rulesets for TypeScript, Python, Rust, Security, Docker, and more.
Certified, version-controlled, and installable with one command.
ssg hub pull rules-agentic-ai_
200+Rulesets
1,000+Rules
100,000+Rules capacity in sub-2 ms
Simple, Predictable Pricing
Start free. Upgrade when you need more, month to month or annually.
Monthly Annually Save $48/yr
14-day free trial on Monthly · Annual plan bills $192 immediately, no trial
Starter
$0
Local rules, one machine.
- 5,000 Tool evaluations per month
- Community Hub access — public rulesets only
- Approval dashboard (localhost)
- CLI locally — eval, lint, format
Recommended
Pro
$20/mo
For teams that must prove what their AI agents are allowed to do.
- Private rulesets — install from your own private GitHub repos or publish privately to the Hub for your team
- Cloud audit sync — signed, exportable for security review
- Unlimited Tool evaluations
- Priority email support
Start 14-day free trial Prefer to pay now? Subscribe today — no trial →
Enterprise
Custom
When procurement asks.
- Everything in Pro
- Extended audit retention
- Team policy sharing & SSO / SAML
- Priority support with response-time SLA (hours defined in your SOW)
- Supports On-Prem Deployments
- Source code access for the licensed version of
ssg& SigmaShake Desktop — available to customers who purchase or sign a binding purchase commitment. Scoped to that version only; updates are not included. - ISO 27001 & SOC 2 compliance artifacts on request
- Custom adapter development
Honest Answers to Hard Questions
Questions skeptical engineers actually ask — answered directly.
Isn't this just a PreToolUse hook or MCP server with regex?
Yes, the enforcement mechanism integrates natively via agent hooks or MCP servers (supporting Claude Code, Codex, Antigravity, Gemini, and more) — and that's intentional. What SigmaShake adds on top of a hand-rolled hook script: a community rule library you don't have to write from scratch, an Ed25519-signed bundle so you can trust rules from the Hub, a per-row signed audit log (every governance event individually signed for tamper-evidence), fleet-wide policy sync across many machines, and a dashboard UI for approvals and profiling. If you only need one rule on one machine, a raw script is fine. SigmaShake is for teams that want the whole system.
Can't an agent just bypass the rules with encoding or whitespace tricks?
A motivated attacker with shell access: yes. An honest agent making a mistake, a misconfigured automation, or a junior dev who accidentally wrote a destructive command: no. SigmaShake is a guardrail for the 95% case — preventing accidental harm from agents that are trying to do the right thing but might not know all your constraints. It is not a sandbox and does not claim to be. For adversarial isolation, compose it with OS-level sandboxing (Docker, seccomp, Apple Sandbox) — they address different parts of the threat surface.
How is this different from Lakera, Guardrails AI, or NeMo Guardrails?
Those products filter LLM output — they run after the model responds, checking whether generated text is safe. SigmaShake gates agent tool calls — it runs before the action executes, checking whether the thing the agent is about to do is allowed. The threat models are complementary, not competing. An LLM output filter won't stop an agent from running rm -rf; a tool-call gate will.
Is the Hub a supply-chain risk?
Every ruleset on the Hub is content-hashed and Ed25519-signed before distribution. The bundle is verified at load time — if tampered with, it won't run. Rulesets are plain DSL text, readable before install. You can audit exactly what a ruleset does before pulling it: ssg hub inspect <ruleset-id>.
Can I run this without sending anything to the cloud?
Yes. ssg is a local binary with no mandatory cloud dependency. The Hub is optional (for downloading community rules), the fleet sync is optional (Pro+), and the audit export is optional (Pro+). Local-only mode: install via npm, run ssg init, and configure your agent hooks or MCP server. No network calls during evaluation.
Claude Code already asks before running commands — why pay for this?
Claude Code's built-in permission prompts are a good start, but they're binary (allow or skip) and require your attention for every action. SigmaShake adds four things you can't get from a raw hook: (1) Defaults without writing a script — the Starter preset ships 20 rules on day one covering the most common destruction, secret-leak, and supply-chain patterns; (2) Audit trail — every evaluation is signed and stored, so you can see exactly what was blocked and why; (3) Fleet-wide policy — one rule set pushed to every developer machine, enforced without each developer writing and maintaining their own hook; (4) Multi-agent coverage — the same rules enforce across Claude Code, Cursor, Codex, Gemini CLI, and any other MCP-compatible agent simultaneously.
Will this slow down or break my agent?
In daemon mode (the default after ssg init), evaluation adds about 0.39 ms p50 over a Unix-socket hop (measured: ssg 0.29.156, n=500) — imperceptible in any interactive session. Cold-start (if the daemon isn't running) takes ~73–104 ms for the first call, then stays at socket-hop latency. The false-block rate on ordinary development work is measured by the SHAKEDOWN benchmark: the “agent-safety-baseline” preset blocks 0 out of 894 benign tasks. See the benchmark page for the full false-block report. If a rule fires on something legitimate, you can add an exception in one command: ssg rules exception add <rule-id> <value>.




















