Secure the AI writing your code.

Coding agents read your repo, your secrets, and your env files, then send context to models you do not control. Bastion adds inline guardrails across every IDE and CLI agent your team uses.

[Problem]

Your coding agent has the keys to the repo.

Agents are fast because they have broad access. That same access is what makes them dangerous when no one is watching what leaves.

01

Secrets ride along with context.

Agents send source code, API keys, and environment variables to external models as part of normal completions.

02

Agents reach further than you think.

An agent with repo access can read production config, SSH keys, and internal tools, often beyond what any single task needs.

03

Every developer runs a different one.

Cursor here, Copilot there, Claude Code in the terminal. Each is a separate surface with separate risk and no shared control.

[How it works]

Guardrails the agent never feels.

Bastion sits inline as a transparent proxy across every client, so the same policies apply whether code is leaving an IDE, a CLI, or an API call.

Inline guardrails

Block secret exposure and detect source code leaving through an agent, before the request reaches the model. Redact rather than block, so completions keep working.

Context visibility

See exactly what code context each agent sends, to which model, so you can answer what left and prove what did not.

One layer across every surface

IDE, CLI, and API are covered by the same proxy and the same policies. New clients are detected and held until you approve.

Limit what agents can touch

Draw hard lines around what an agent can reach. No SSH keys, no production, no tools you never sanctioned.

[Clients]

Every coding agent, one policy.

Cursor, GitHub Copilot, Windsurf, Claude Code, and whatever ships next. Bastion is client agnostic, so a new agent inherits your existing guardrails the moment it shows up.

Cursor
Claude Code
GitHub Copilot
Windsurf
Hermès
OpenClaw
Cline
Aider
Zed
Continue

[Trust]

Works everywhere. Leaks nothing.

Transparent AI proxy

All agent traffic flows through Bastion's transparent proxy with negligible latency. Developers never notice it is there.

  • Around 100ms at P99, invisible against multi-second completions
  • Real-time inspection of prompts, responses, and tool calls
  • Works across IDE, CLI, and API traffic
  • Coexists with your VPN and DNS proxy

Manage via MCP, stream to your SIEM

Configure Bastion from the AI tools your team already lives in, and send AI signals to your existing stack.

  • Review policies and inventory over the Model Context Protocol
  • Built on OpenTelemetry for Splunk, Datadog, and Sentinel
  • Fleet-wide deployment via any MDM
  • One-click install and removal

Privacy by design

Detection runs locally on the device. Nothing leaves your network by default, and logging is opt-in.

  • Detection engine runs locally on the endpoint
  • Nothing leaves your network by default
  • Request and response logging is opt-in
  • Your intellectual property stays yours

[FAQ]

Frequently asked questions

Cursor, GitHub Copilot, Windsurf, and Claude Code today, plus new clients as they emerge. Because Bastion is client agnostic, a new agent is covered by your existing policies the moment it connects.

No. Redaction happens in under 5ms on the device, and the proxy adds around 100ms at P99, invisible against the multi-second responses agents already take.

It targets leaks, not productivity. Bastion redacts or blocks secrets and sensitive context on the way out, while the agent still receives a usable prompt and returns its suggestion.

Fleet-wide through any MDM, with one-click install and removal. There are no per-developer setup steps, and you can manage policies over MCP from the tools your team already uses.

[Coverage]

One proxy. Every surface.

This is one of four layers in Bastion's AI governance module. Explore the rest.

[Get Started]

Let your team ship with AI, safely.

Put one guardrail across every coding agent your team runs, then watch what leaves in monitor-only mode before you enforce.