Endpoint Security · Network Extension · Agent Process Trees

The AI agent has shell access.
Who is watching it?

Native macOS endpoint protection for autonomous AI agents. Monitor agent process trees, block unauthorized file and network activity at the OS layer, and keep developers moving.

Metatron Security · Agent Shield
Protecting
· ES + NE active
00:02:41
ALLOW
read ~/Projects/app/src/main.rs
claude-agent · workspace allowed
ALLOW
connect api.anthropic.com:443
network allowlist · approved host
DENY
unlink ~/.ssh/id_ed25519
protected path · EPERM returned
ALLOW
spawn node ./scripts/build.js
child process tagged monitored
Events
2,841
Denied
7
Agents
4
The Problem

The AI agent dilemma.

Autonomous coding agents need terminal access and file read/write privileges to do their jobs. That same power gives a prompt-injected agent a raw path to local secrets, proprietary source, and internal network targets.

A malicious README, poisoned issue, or compromised package can push the agent into deleting files, reading SSH keys, or probing your corporate intranet before anyone sees the transcript.

Metatron Security does not block AI productivity. It puts OS-level guardrails around the process trees doing the work.

The Stack

Three layers of agent protection.

Endpoint Security
01

Protected paths fail before they are touched.

Metatron Security uses Apple's Endpoint Security framework to authorize sensitive file operations from AI agent process trees. Reads, deletes, and renames against protected paths fail with EPERM before the file is touched.

Files
AUTH
Memory
5-7MB
Network Extension
02

Network access is agent-specific.

Network Extension filtering keeps agent traffic on an allowlist while the rest of the Mac keeps its normal network path. Blocked destinations can trigger approval flows for Allow Once, Always Allow, or Deny.

Process Monitoring
03

Agent trees stay visible.

Claude, Cursor, Copilot, Aider, Cody, Continue, Tabnine, and child processes are tracked as process trees, with resource usage, stale children, suspicious executions, and blocked operations surfaced in the dashboard.

How it works

An agent acts. Security enforces.

1

Agent tree identified.

Metatron Security detects known agent tools and follows child processes through forks, shells, package scripts, and local MCP servers so policy attaches to the whole execution tree.

2

Policy evaluated.

File rules and network rules are evaluated against protected paths, workspace boundaries, approved hosts, and enterprise-managed profiles.

3

Verdict enforced.

Authorized work continues. Protected reads, deletes, renames, and unapproved outbound connections are blocked or routed into a user approval flow before damage is done.

Enterprise

Built for AI adoption security can approve.

Developer Mode gives individuals configurable protection for local agent use. Enterprise Mode lets IT enforce profiles with MDM, lock operating mode with biometric or administrator approval, and keep agent activity visible across a Mac fleet.

Files
AUTH
Read/delete/rename control
Network
NE
Agent allowlists
Extension RAM
5-7MB
Typical per extension
Admin
MDM
Enterprise profile lock

Request pilot access.

Give developers the AI tools they want while keeping protected files, network access, and agent process trees under control.