Skip to main content
Secure · MCP Firewall
The unsafe action never runs
FORG inspects every MCP tool call on-device and blocks the dangerous ones before they execute — then proves it with a hash-chained audit trail.
3attack classes blocked
On-deviceblocked before execution
Metadata-onlycapture, no payloads
Ed25519signed releases
14tools supported
8.5MBon-device agent
three attack classes
Caught on-device, before execution
Exfiltration
An agent trying to ship your secrets or code somewhere it should not go.
Tool-poisoning
A malicious MCP server feeding hostile instructions into the agent loop.
SSRF
A tool call reaching into your internal network or metadata service.
Detection
Blocked by type (illustrative)
Detections are privacy-preserving: metadata only, never your prompts or code. Each block lands in a tamper-evident, hash-chained ledger you can export.
How privacy works →Blocked by type · illustrative
Exfiltration24
Tool-poisoning14
SSRF9
Block the next incident
The firewall is on by default the moment your agent connects.
Start 14-day trial