Open Source · Self-Improving · Apache 2.0

The immune system
for AI agents.

Agent security that gets smarter with every tool call. Runtime governance, AI-powered threat intelligence, and coverage that compounds — autonomously. 2.7 µs overhead.

Start Free View on GitHub

$pip install navil && navil secure

200

Base attack vectors

Agent-native categories

Up to 94%

Schema token reduction

2.7 µs

Per-message overhead

How It Works

Every tool call. Intercepted. Governed.

Navil sits between your AI agents and MCP servers — inspecting, enforcing, and learning from every request in real time.

🤖

AI Agent

Claude, GPT, Cursor,
custom agents

→

NAVIL PROXY

Identity &
delegation

Policy
enforcement

Anomaly
detection

Threat
intel

→

⚙️

MCP Server

Tools, APIs,
resources

Every anomaly detected locally is anonymized and shared. Every proxy protects every other proxy.

Runtime Security

Intercept. Not Scan.

Static scanners check code before it runs — and miss 98.3% of threats. Navil intercepts every tool call at the moment of execution.

Static Scanning	Navil Runtime Interception
Checks source code before deployment	Inspects every tool call in real time, as it happens
Misses runtime attacks (tool poisoning, credential exfiltration, session manipulation)	Catches tool poisoning, data exfiltration, privilege escalation, and novel attacks
Rules degrade immediately as new threats appear	12 anomaly detectors with adaptive baselines that learn from your traffic
Catches 1.7% of agent threats	Covers the other 98.3%

An MCP server can have perfectly clean source code and still be weaponized at runtime. A tool description can change between install and execution. A prompt injection can redirect tool calls mid-session. Navil catches all of this because it's in the path — not watching from the sidelines.

Cost Optimization

Save Up to 94% on Schema Tokens

MCP servers expose ALL tools to ALL agents — even tools the agent doesn't need. That's your money burning on unused context.

GitHub MCP alone dumps 90+ tool schemas consuming 50,000+ tokens per session. Most agents use 3–5 tools. You're paying for the other 85. Navil's context-aware tool scoping shows each agent only the tools it needs. Define scopes once, save on every single call.

Before

90 tools

50,000+ tokens · $$$

After

3 tools

~2,800 tokens · $

# Before: agent sees all 90+ GitHub tools (50,000+ tokens)
# After: agent sees only what it needs (3 tools, ~2,800 tokens)
navil scope set code-review --tools "get_pull_request,create_review,list_files"

50,000 → 2,800 tokens per session

Policy Enforcement

Block Dangerous Tool Calls Before They Execute

Define exactly what each agent can and can't do. YAML rules, not hope.

YAML-driven tool/action allow-lists. Per-agent rate limiting. Data-sensitivity gates. Path-based restrictions for secrets and sensitive files. No more "the agent probably won't do that." Now it can't.

rules:
  - action: deny
    tools: ["fs_write", "shell_exec"]
    paths: [".env", "*.pem", "~/.ssh/*"]
    reason: "Secrets are read-only"
  - action: deny
    tools: ["http_request"]
    domains: ["*.pastebin.com", "*.ngrok.io"]
    reason: "Block known exfiltration endpoints"
  - action: allow
    tools: ["*"]
    rate_limit: 100/min

Your agent can read your codebase but can never touch your secrets.

Data Protection

Your Secrets Stay On Your Machine

824 malicious skills found in the OpenClaw registry. Navil makes sure they can't phone home.

🔒

Exfiltration Blocking

Detects and blocks outbound data exfiltration attempts. API keys, SSH keys, and environment variables never leave your machine.

🔎

Credential Scanning

Every tool response is scanned in real time for plaintext credentials, tokens, and secrets — intercepted before they reach the network.

⚠️

Permission Flagging

Flags over-privileged tool permissions and suspicious data access patterns as they happen, not after the fact.

The Immune System

A biological immune system
for your agent stack.

Navil doesn't just detect threats — it learns from them, generates new defenses, and distributes immunity across every node in the network.

🦠

Antigens

568 detection patterns across 36 categories — the MITRE ATT&CK of agent security

🛡

Antibodies

Detection rules and policies auto-generated for each known attack pattern

🧬

Immune Memory

Patterns verified across deployments become permanent shared defenses

🔄

Adaptive Immunity

Novel threats automatically generate new antigens and antibodies — the system evolves

🔍

Runtime Monitoring

568 detection patterns across 36 attack categories. Static scanning catches 1.7% of threats. Navil catches the other 98.3% — at execution time.

🧠

Self-Improving Intelligence

Novel threats automatically become new defenses. The engine discovers, learns, and deploys — autonomously. Coverage improves every week without a single engineer touching it.

📊

Coverage Scoring

Run navil test and get a real number: "84.7% of known patterns blocked." See gaps by category. Measure your posture, don't guess.

🌐

Community Threat Network

Every anomaly detected locally is anonymized and shared. Every proxy protects every other proxy. More users, more signal, better detection.

🛡

AI Policy Builder

Closed-loop policy engine: observe → detect → suggest → approve → enforce. AI writes governance rules from your agents' actual behavior. You sign off.

🔑

Credential Governance

OIDC token exchange with scope narrowing and cascade revocation. No more API keys hardcoded in configs or shared across agents.

Measurable Security

Know your coverage score.
Not just "we're secure."

navil test runs 568 detection patterns across 36 categories against your proxy and tells you exactly what's covered and what's not. CI/CD integration via --threshold 90.

Read the docs

AI Governance

AI Writes Your Security Policies. You Just Approve.

Closed-loop governance: observe → detect → suggest → approve → enforce.

Observe

Watches how agents use tools in prod

Detect

Finds patterns: which tools, how often, what data flows

Suggest

AI writes specific policy rules from observed behavior

Approve

You review and approve (human-in-the-loop, always)

Enforce

Policies enforced in real time at the proxy

$ navil policy suggest
  Based on 7 days of observed behavior:
  ✓ Agent "code-review" uses 3 of 90 GitHub tools → scope to 3
  ✓ Agent "deploy" calls shell_exec 12x/day → rate limit to 20/day
  ⚠ Agent "research" accessed .env 2x → recommend deny rule
  Apply all? [y/N]

Most teams write security policies after an incident. Navil writes them before one — by learning how your agents actually behave and proposing rules that match reality.

Navil's AI features work with any LLM — Claude, GPT, local models. Bring your own API key or use the built-in engine.

Auto-Remediation

Self-Healing. Not Just Self-Detecting.

When Navil finds a problem, it fixes it — automatically.

🔍

Config Drift Detection

Monitors your MCP configuration continuously. Detects when it drifts from your approved security baseline — exposed ports, missing auth, new unvetted servers.

🛠

Auto-Remediation

Misconfiguration detected? Navil automatically fixes it or proposes a fix. No ticket queue. No waiting for the next sprint.

⚡

Anomaly Response

When an anomaly detector fires, Navil doesn't just alert — it automatically tightens policies, quarantines the suspicious agent, or blocks the tool call chain.

🔁

Continuous Learning

Every remediation action feeds back into the policy engine. Future detections get faster. False positives decrease. The system sharpens itself.

Alert fatigue kills security. Navil doesn't just tell you something's wrong — it fixes it.

Threat detected

Analyzed by AI

Policy updated automatically

Enforced network-wide

Observability

See Everything Your Agents Do

Full audit trail. Every tool call. Every file touched. Searchable.

📋

Audit Log

Complete record of every tool call, file access, and response. Filter by agent, server, time range, or threat category.

📈

Trust Scores

Per-agent trust scores based on behavioral analysis. Anomaly timelines show when and why trust dropped.

📊

Dashboard

Real-time fleet visibility. Policy violation alerts. Coverage trends over time.

✅ Complete audit trail for compliance workflows. Export full agent activity logs with one command.

navil audit export --format csv --range 30d --agent "deploy-bot"

Threat Intelligence

The MITRE ATT&CK
of agent security.

568 detection patterns. 36 attack categories. 1M+ combinatorial scenarios. Published as open data.

Take the Security Assessment

824+

Malicious MCP skills found — 8% of all packages in the OpenClaw registry are actively hostile

Attack categories from multi-modal smuggling to agent collusion — the most comprehensive agent threat taxonomy published

1M+

Combinatorial attack scenarios across industry, modality, and attacker profile — CC BY-SA 4.0 open data

Auto

Self-improving: novel threats discovered in the wild are automatically converted into new detection rules and distributed

Navil Radar

Live threat intelligence.
From the entire network.

See what the community is detecting in real time. Every Navil proxy contributes anonymized threat signals — filtered by MCP, CLI, or all protocols. The radar is the immune system's nervous system.

View Radar Weekly Digest

Integrations

Works With Everything You Already Use

One command. Zero config changes.

Works with any MCP client

🔌

Any MCP Client

Navil wraps your mcp_config.json — if your agent uses MCP, Navil works. No plugins, no adapters, no vendor-specific setup.

💻

CLI Tools

gh, kubectl, aws, and any CLI binary. PATH-prefix shims extend governance beyond MCP to everything your agents touch.

⚙️

CI/CD

GitHub Actions integration. Every PR that touches an MCP config gets scanned automatically. Results in the Security tab.

If your agent uses MCP, Navil works. One command wraps every server in your config.

# Works with any MCP client — one command
pip install navil && navil wrap mcp_config.json
# GitHub Actions
- uses: navilai/navil-action@v1

Performance

Invisible overhead.
Real numbers.

Per-message pipeline	Mean / p99
Full pipeline	2.7 µs / 6.1 µs
JSON parse	0.9 µs / 2.0 µs
Policy lookup	0.5 µs / 1.2 µs
Anomaly scan	0.3 µs / 0.8 µs

Session wall-clock	Overhead
Light (5 calls)	+0.5 ms
Medium (50 calls)	+1.4 ms
Heavy (500 calls)	+12.3 ms

< 0.1% of total session time on real workloads.

Not a guardrail — we don't filter prompts or moderate outputs. We govern tool execution.

Not a static scanner — our engine learns and improves autonomously.

Not a gateway — no centralized infrastructure required. Runs where your agents run.

Not proprietary — open-source core is Apache 2.0 forever.

Pricing

Start free. Scale when ready.

No credit card required. The open-source core is Apache 2.0 forever. Commercial tiers add scale, not lock-in.

Community

$0 /forever

Individual devs. Get started with agent governance.

25 agents / 25 API keys
60 req/min
11 anomaly detectors
568 threat patterns
48h-delayed threat patterns

Pro

$59 /mo

Teams shipping agents to production.

50 agents / 50 API keys
1,000 req/min
Real-time threat feed
CI/CD SARIF output
Slack & Discord webhooks

Growth

$129 /mo

Growing teams with compliance needs.

100 agents / 100 API keys
5,000 req/min
Basic OIDC
5 custom threat rules
Email support (48h SLA)

Team

$299 /mo

Full governance for production fleets.

250 agents / 500 API keys
10,000 req/min
Full OIDC + delegation chains
Unlimited custom rules
Fleet analytics + 8h SLA

Enterprise

Custom

On-prem, air-gapped, or hybrid.

10,000+ agents / keys
100,000 req/min
Cascade revocation + SSO
On-prem / air-gapped deploy
SLA guarantees + dedicated

Security that gets smarter
while you sleep.

Self-improving AI threat intelligence. 568 detection patterns. 36 attack categories. Coverage that compounds. One pip install.

Start Free — No Credit Card

Static Scanning

Navil Runtime Interception

Checks source code before deployment

Inspects every tool call in real time, as it happens

Misses runtime attacks (tool poisoning, credential exfiltration, session manipulation)

Catches tool poisoning, data exfiltration, privilege escalation, and novel attacks

Rules degrade immediately as new threats appear

12 anomaly detectors with adaptive baselines that learn from your traffic

Catches 1.7% of agent threats

Covers the other 98.3%

Per-message pipeline

Mean / p99

Full pipeline

2.7 µs / 6.1 µs

JSON parse

0.9 µs / 2.0 µs

Policy lookup

0.5 µs / 1.2 µs

Anomaly scan

0.3 µs / 0.8 µs

Session wall-clock

Overhead

Light (5 calls)

+0.5 ms

Medium (50 calls)

+1.4 ms

Heavy (500 calls)

+12.3 ms

The immune systemfor AI agents.

Exfiltration Blocking

Credential Scanning

Permission Flagging

Runtime Monitoring

Self-Improving Intelligence

Coverage Scoring

Community Threat Network

AI Policy Builder

Credential Governance

Know your coverage score.Not just "we're secure."

How exposed is your agent stack?

Config Drift Detection

Auto-Remediation

Anomaly Response

Continuous Learning

Audit Log

Trust Scores

Dashboard

Live threat intelligence.From the entire network.

Any MCP Client

CLI Tools

CI/CD

Invisible overhead.Real numbers.

Security that gets smarterwhile you sleep.

The immune systemfor AI agents.

Exfiltration Blocking

Credential Scanning

Permission Flagging

Runtime Monitoring

Self-Improving Intelligence

Coverage Scoring

Community Threat Network

AI Policy Builder

Credential Governance

Know your coverage score.Not just "we're secure."

How exposed is your agent stack?

Config Drift Detection

Auto-Remediation

Anomaly Response

Continuous Learning

Audit Log

Trust Scores

Dashboard

Live threat intelligence.From the entire network.

Any MCP Client

CLI Tools

CI/CD

Invisible overhead.Real numbers.

Security that gets smarterwhile you sleep.

The immune system
for AI agents.

Know your coverage score.
Not just "we're secure."

Live threat intelligence.
From the entire network.

Invisible overhead.
Real numbers.

Security that gets smarter
while you sleep.

The immune system
for AI agents.

Know your coverage score.
Not just "we're secure."

Live threat intelligence.
From the entire network.

Invisible overhead.
Real numbers.

Security that gets smarter
while you sleep.