Introducing Iron Dome — Behaviour Protection for AI Agents
Your AI agent can run shell commands. It can send emails, call APIs, delete files, and spawn sub-agents that do all of the above. Most of the time, that's exactly what you want. The problem starts when it's not.
ShieldCortex's defence pipeline has always protected what goes into your agent's memory — scanning for prompt injection, credential leaks, and poisoned content before it's stored. But once the agent decides to act, there's been nothing standing between it and the outside world.
Today we're releasing Iron Dome — a behaviour protection layer that controls what your agent can do, not just what it remembers. It's free, local, and takes two commands to set up.
The Threat Nobody Talks About
Memory defence is half the problem. The other half is what happens after the memory is compromised. Consider three scenarios that every agent developer should be thinking about:
Prompt injection that triggers action. Your agent reads a webpage containing hidden instructions. Instead of just storing bad data, it follows the instructions — runs a shell command, fires an API request, or quietly modifies files on your system. The defence pipeline caught the poisoned input, but the agent already acted on it before the scan completed.
PII leakage through agent behaviour. An agent processing sensitive data — student records, financial information, medical notes — encounters a crafted prompt that causes it to include that data in an outbound API call or log file. The data was never poisoned. It was legitimate content that the agent was manipulated into exposing.
Sub-agent escalation. Your agent spawns a sub-agent with elevated permissions. The sub-agent, operating with less oversight and a different context window, performs destructive actions the parent agent would never have been allowed to do directly. The attack surface multiplied without anyone noticing.
These aren't hypothetical. They're the natural consequence of giving autonomous agents the ability to act in the real world. The defence pipeline protects inputs. Iron Dome protects outputs.
What Iron Dome Does
Iron Dome sits between your agent and every action it takes. Six capabilities, one purpose — making sure your agent only does what it should.
- Injection Scanner — scans text for prompt injection patterns before they reach your agent's decision layer
- Instruction Gateway — validates which instruction channels your agent trusts (terminal, email, webhook, API) and blocks everything else
- Action Gate — blocks or requires approval for dangerous operations like `send_email`, `delete_file`, `execute_code`, and `api_call`
- PII Guard — detects sensitive data (names, dates of birth, medical information, financial records) and prevents it from leaving the system
- Kill Switch — trigger phrase (default: "cortex halt") pauses memory creation instantly while Iron Dome stays active
- Sub-Agent Control — restricts what spawned sub-agents can access and do, preventing privilege escalation
Iron Dome doesn't replace the defence pipeline — it completes it. Think of it this way:
Together, they form a complete security envelope around your agent. Poisoned data can't get in. Dangerous behaviour can't get out.
Profiles — Security That Fits Your Context
Not every agent needs the same level of protection. Iron Dome ships with four pre-configured profiles so you don't need to be a security expert to get started.
School — GDPR-strict. Blocks 12 PII categories including pupil names, dates of birth, medical information, and SEN data. Trusted channel: terminal only. Built for education environments handling safeguarding data.
Enterprise — Financial and HR protection. Blocks salary data, account numbers, and internal communications. Designed for agents processing business-sensitive information.
Personal — Lighter touch for individual developers. Catches credential leaks, destructive commands, and obvious dangers without getting in the way of your daily workflow.
Paranoid — Everything requires approval. Fourteen action types gated. For high-security environments or when you simply don't trust the agent yet.
Pick a profile. Activate it. You're protected. Customise later if you need to — every profile is a starting point, not a cage.
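As an added illustration of how the capability list and the profiles above fit together (example code written for this post, not ShieldCortex's own API or configuration), here is a minimal action gate in Python: it checks the instruction channel, applies a profile's block/approve rules to the action type, and runs a PII guard over the outbound payload. The profile contents, the PII regexes and the decision order are constructed assumptions.

```python
import re

# Constructed, illustrative profiles (not ShieldCortex's real profile definitions).
# Each profile lists trusted instruction channels, actions that need human
# approval, actions that are blocked outright, and whether the PII guard is on.
PROFILES = {
    "school": {"trusted_channels": {"terminal"},
               "approve": {"send_email", "api_call"},
               "block": {"delete_file", "execute_code"},
               "pii": True},
    "paranoid": {"trusted_channels": {"terminal"},
                 "approve": {"send_email", "delete_file", "execute_code", "api_call"},
                 "block": set(),
                 "pii": True},
    "personal": {"trusted_channels": {"terminal", "api"},
                 "approve": {"delete_file"},
                 "block": set(),
                 "pii": False},
}

# Constructed PII patterns: a dd/mm/yyyy date of birth and a UK National
# Insurance number. A real guard would use a far broader detector set.
PII_PATTERNS = {
    "date_of_birth": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def gate_action(profile_name, action, payload, channel):
    """Decide what to do with a proposed agent action.

    Returns a (decision, reason) tuple where decision is one of
    'allow', 'approve' (hold for a human) or 'block'.
    Checks run in order: channel trust, hard blocks, PII guard, approval list.
    """
    profile = PROFILES[profile_name]
    # Instruction Gateway: only act on instructions from a trusted channel.
    if channel not in profile["trusted_channels"]:
        return "block", f"untrusted instruction channel: {channel}"
    # Action Gate, hard blocks first.
    if action in profile["block"]:
        return "block", f"action {action} is blocked by profile {profile_name}"
    # PII Guard: stop sensitive data leaving the system in any outbound action.
    if profile["pii"]:
        for label, pattern in PII_PATTERNS.items():
            if pattern.search(payload):
                return "block", f"outbound {action} contains {label}"
    # Action Gate, approval-required operations.
    if action in profile["approve"]:
        return "approve", f"action {action} requires human approval"
    return "allow", "ok"
```

The same payload that is allowed under the personal profile is blocked under school, which is the point of choosing a profile before customising it.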
Getting Started
Install or update ShieldCortex:
Activate a profile in your agent code:
Or activate from the CLI:
That's it. Iron Dome is now monitoring every action your agent takes — blocking injections, gating dangerous operations, and catching PII before it leaks. Open the dashboard at localhost:3030 and click the Dome tab to see it working in real time.
Cross-Device Visibility
If you're running agents across multiple machines — dev laptops, CI runners, production servers — ShieldCortex Cloud Pro gives you Iron Dome analytics across all of them. See which devices are blocking injections, track action gate decisions, and spot PII violations from one dashboard.
Explore Iron Dome capabilities →
ShieldCortex is open source under the MIT licence. Built by Drakon Systems.