Airlock — External content is evidence, not instruction.
Now in public beta

The source-to-sink firewall for agent web browsing.

Airlock strips prompt injection, hostile instructions, and hidden content before your agent ever sees it. The protocol that makes agentic browsing safe by default.

View on GitHubJoin the waitlist
The Problem

The web is hostile to agents.

Modern AI agents read web pages to gather information, follow links, and take actions on behalf of users. That makes them targets.

Prompt injection via hidden text

Adversarial content buried in CSS, alt text, or off-screen HTML that overrides agent instructions when parsed.

Memory write gates

Links that, when followed, silently instruct the agent to modify its own system prompt or memory store.

Compromised link injection

Embedded URLs that redirect to attacker-controlled domains after the page renders.

Example attack pattern

A prompt injection attempt might look like an off-screen <div> seeded with hidden instruction text, designed to override agent behavior when parsed. Airlock's scanner catches and strips it before the agent ever processes the content.

The browser layer is the gap. Most AI security investment goes into model hardening or RAG pipelines. Almost none goes into what the agent actually reads.

How it works

Simple. Consistent. Invisible to the agent.

1
Agent requests URL
2
Airlock Scanner
Fetches, parses, sanitizes
3
Evidence Packet
Clean text, safe URLs, stripped content
4
Agent receives sanitized content only
What gets stripped
  • Hidden or off-screen HTML containing injection text
  • JavaScript-rendered content that could alter agent behavior
  • Links that trigger memory-write or instruction-override sequences
  • Any <script>, <style>, <iframe>, and embedded media that can't be statically verified
What gets preserved
  • Clean, readable text content
  • Safe outbound links
  • Structural metadata — headings, lists, code blocks — for context
Static scan mode first. Rendered scan mode coming later.
Open Source

MIT licensed. Free forever for self-hosted.

The Airlock scanner library is open source under the MIT license. Self-host it, run it locally, fork it, extend it — no strings.

GitHub
github.com/theagentdeck/airlock
NPM
@airlock/scanner — coming soon
PyPI
airlock-scanner — coming soon
Watch
Watch repo for v0.1.0
“The protocol is the moat; the scanner is the wedge. We open-sourced the wedge because a moat that only benefits the wealthy isn't a moat.”

Need it running without managing infrastructure?

A hosted Airlock API is coming. Same scanner, zero ops overhead.

Join waitlist

One email. No spam. Launch notification only.

Pricing Preview

Start free. Scale when you're ready.

Starter
$29/mo
Solo developers, first agent ops
  • 5,000 scans/month
  • Self-hosted scanner
  • Community support
Pro
$99/mo
Growing teams, production agents
  • 50,000 scans/month
  • Audit log (30 day retention)
  • Priority email support
  • Private packets, no watermark
Scale
$299/mo
Multi-agent ops, serious throughput
  • 1,000,000 scans/month
  • Audit log (1 year retention)
  • Slack support
  • 5 seats included
Enterprise
$1,500+/mo
Large orgs, custom contracts
  • Unlimited scans
  • Dedicated infrastructure
  • SLA + dedicated CSM
  • Custom integrations

Enterprise? Talk to us.