marshal
Private beta · By invitation

Coding agents at full speed. With full receipts.

Regain security control while freeing your developers to run faster. Marshal runs inside your VPC — every AI agent session lives in an isolated environment with full audit, credential isolation, and a live policy plane. You set the rules. You see every move.

Beta · Onboarding select security-first engineering orgs. Limited cohort each quarter.
ws-prod-1 · mar-9f2a · proxy: healthy
agent@ws-prod-1:~/workspace$ claude
 Connected · 14 skills loaded
 Network profile: claude-code

 Refactor the bootstrap progress timeline
Audit · proxy egress · live
allow audit mitm deny
The problem

AI coding agents are the biggest productivity gain in a decade. They're also the largest unmanaged attack surface in your stack.

Your developers have already turned on yolo mode. Your security team is about to find out. The trade you've been making — let them run loose, or lock them out — is wrong on both sides. The incidents have already started.

Velocity
“It deleted the production database. In nine seconds.”

This isn't hypothetical. It's a logged incident from a coding agent in 2025. The agent had psql because the developer had it. Credentials were in ~/.pgpass, where they've lived for years. Permission prompts were off because they kill flow. Backups were wiped too. The post-mortem found nothing unusual about the setup — that's the point. Every laptop with a coding agent on it tonight is one prompt away from the same five-figure incident.

Tom’s Hardware · 2025 · publicly reported
Visibility
“We have no idea what data left the company.”

This is what a CISO sounds like when their org adopted coding agents without infrastructure for them. Cursor, Devin, Codespaces — every popular agent proxies egress through the vendor's own network. There's no per-request log you can subpoena, no rule you can enforce, no domain you can revoke. 33 npm packages were caught shipping live .env secrets last quarter — the agents that wrote them transmitted those credentials somewhere. You'll learn about the next breach when the notification arrives.

Knostic research · Q1 2026
Governance
“Just block it.”

That's the answer your CISO is about to propose. It's also wrong. Coding agents deliver real, measured productivity wins — Nubank reports 8–12× efficiency, 20× cost savings. Block everything: you lose a generational advantage. Allow everything as-is: you own the next breach. There has to be a third option — one where your CISO becomes an enabler, not a blocker — without losing control for a second. That's what we built.

Nubank case study · Devin · 2025
Autonomy with guardrails

Let the agent fly. Keep the steering wheel.

Regain security control while freeing your developers to run faster. Unattended autonomy and audited containment used to be a trade. Marshal removes it.

Confidentiality

Agents never see your secrets.

The agent process runs with zero access to credentials. Tokens, API keys, and SSH identities are held in a supervisor-only vault and injected into tool subprocesses at invocation time — never into the agent's environment, never into its filesystem. A leak from the agent leaks nothing.

What the agent sees
$ env | grep -E 'KEY|TOKEN|SECRET'
(empty)

$ ls ~/.aws ~/.ssh 2>/dev/null
(empty)

$ cat .env 2>/dev/null
cat: .env: No such file
0 secrets reachable
Supervisor-only vault
ANTHROPIC_API_KEY: claude
GITHUB_TOKEN: git, gh
AWS_ACCESS_KEY_ID: aws (cp only)
KUBECONFIG: kubectl (get only)
SSH_PRIVATE_KEY: ssh, scp
injected per-invocation · never in agent env
Quarantined · ws-incident-074 · 14:02:33
Anomalous DNS pattern · 14 requests to unknown infra
Detector flagged 14 DNS queries to *.exfil-relay.net in under 4 seconds. Session frozen pre-egress.
Pod: frozen · Network: dark · Credentials: revoked
Containment

Quarantine in one click.

Anomalous DNS exfil. A new MITM-flagged domain. A credential request you didn't expect. Quarantine the session — runtime freezes mid-execution, network goes dark, credentials revoke, and the entire state is preserved for forensics. Sub-second. Reversible. Auditable.

Velocity

Yolo mode, with a net.

Run agents in unattended --dangerously-skip-permissions mode without the cold-sweat moment. Every tool call routes through the supervisor; every byte of egress routes through the proxy; every credential request is gated. The blast radius is bounded by manifest, not by attention.

ws-yolo-1 · yolo mode · marshal: supervising
agent@ws-yolo-1:~/workspace$ claude --dangerously-skip-permissions
──────────────────────────────────────────────
 Migrating user_sessions table to soft-delete
 Updating 14 call sites across 6 packages
 Running tests… (312/312 pass)
 Drafting PR description
Tool calls: 847 · Egress: 234 · Blocked: 3 · Escalated: 1
Blocked · req_8f3a2 · 14:02:11
claude-code · ws-prod-1
attempted: Write infra/production.tf
rule: terraform.production · write requires justification
Reasoning · agent
“The RDS migration needs db.r6g.xlarge for the 6-hour backfill window. The current db.r6g.large will throttle on insert rate. Reverting after migration completes.”
- instance_class = "db.r6g.large"
+ instance_class = "db.r6g.xlarge"
You decide: ⌘ ↵ approve
Block first

The agent doesn’t apologize. It justifies.

No “oops, sorry I deleted the database” moments. Risky moves get blocked mid-execution by manifest. The agent has to reason about why it needs the action — and you decide. Write to a prod file, fetch from a new domain, request a credential: each one stops, the agent submits a justification, you approve or deny. The agent earns the action — or it doesn't happen.

Control

Block the verb, not just the host.

Mid-session policy isn't only about domains. Marshal inspects every tool invocation by verb and argument. Allow aws s3 cp. Deny aws s3 rm. Permit kubectl get. Block kubectl delete. The agent gets exactly the verbs you authorized — no more.

agent terminal · live
$ aws s3 cp ./build s3://artifacts/v1.4.2/
upload: ./build/index.js to s3://artifacts/v1.4.2/index.js
 14 files uploaded · 3.2 MB
$ aws s3 rm s3://artifacts/v1.3.0/ --recursive
✗ marshal: blocked by tool-policy rule
  rule: aws.s3.destructive · deny
  request a one-time exception? [y/N]
tool-policy.yaml · cloud-readonly · 8 rules
allow · aws s3 cp · verb-match
allow · aws s3 ls · verb-match
deny · aws s3 rm · verb-match
deny · aws s3 rb · verb-match
allow · kubectl get · verb-match
allow · kubectl describe · verb-match
deny · kubectl delete · verb-match
deny · kubectl apply · verb-match
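
Added example, not Marshal's code: a deny-first verb matcher over the eight rules listed above, showing why the verb has to be extracted from argv rather than matched as a string prefix (options such as --profile can sit in front of it). The first-match ordering, the default-deny fallback, the GLOBAL_OPTS table and the function names are assumptions.

```python
# Added example: hypothetical verb matcher, not Marshal's implementation.
# Rules copied from the tool-policy listing; first match wins, default deny (assumed).
RULES = [
    ("allow", ("aws", "s3", "cp")),
    ("allow", ("aws", "s3", "ls")),
    ("deny", ("aws", "s3", "rm")),
    ("deny", ("aws", "s3", "rb")),
    ("allow", ("kubectl", "get")),
    ("allow", ("kubectl", "describe")),
    ("deny", ("kubectl", "delete")),
    ("deny", ("kubectl", "apply")),
]

# Assumed subset of global options that may appear before the verb.
# True means the option consumes the next token as its value.
GLOBAL_OPTS = {
    "aws": {"--profile": True, "--region": True, "--output": True,
            "--endpoint-url": True, "--debug": False, "--no-paginate": False},
    "kubectl": {"-n": True, "--namespace": True, "--context": True,
                "--kubeconfig": True},
}


def verb_path(argv, depth):
    """Return the first `depth` positional tokens after the tool name,
    or None when an option outside GLOBAL_OPTS precedes them."""
    opts = GLOBAL_OPTS.get(argv[0], {})
    rest, verbs, i = argv[1:], [], 0
    while i < len(rest) and len(verbs) < depth:
        tok = rest[i]
        if tok.startswith("-"):
            name = tok.split("=", 1)[0]
            if name not in opts:
                return None          # cannot tell flag from value: refuse to guess
            if opts[name] and "=" not in tok:
                i += 1               # skip the option's separate value token
        else:
            verbs.append(tok)
        i += 1
    return tuple(verbs)


def decide(argv):
    """Return (action, reason) for an argv list that is exec'd without a shell."""
    if not argv:
        return ("deny", "empty")
    for action, pattern in RULES:
        if argv[0] != pattern[0]:
            continue
        path = verb_path(argv, len(pattern) - 1)
        if path is None:
            return ("deny", "unknown-option")
        if path == pattern[1:]:
            return (action, " ".join(pattern))
    return ("deny", "default")


if __name__ == "__main__":
    # Constructed sample invocations; the first two are from the terminal above.
    for cmd in ["aws s3 cp ./build s3://artifacts/v1.4.2/",
                "aws s3 rm s3://artifacts/v1.3.0/ --recursive",
                "aws --profile prod s3 rm s3://artifacts/v1.3.0/",
                "kubectl --as admin get pods"]:
        print(decide(cmd.split()), cmd)
```

The decision is only meaningful if the same argv list is then executed directly; handing the original string to a shell would let `;` or `&&` append commands the matcher never saw.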
Skills & MCPs · ws-prod-1 · 5 injected · 1 alert
mcp · github-mcp v2.1.0 · scope: PRs · issues only
mcp · slack-mcp v1.4.3 · scope: #eng-only
mcp · langchain-mcp v0.18.2 · CVE-2026-1234 · vulnerable dependency
skill · marshal-docs v3.0 · scope: markdown only
skill · security-policies v1.2 · scope: markdown only
Skills and MCPs run isolated · zero credential access · revoke fans out to all sessions in <1s
Supply chain

Skills and MCPs, on a leash.

Skills (markdown injected) and MCP servers (tools the agent calls) expand what your agent can do. They're also a supply-chain you can't see into. Marshal injects them in isolation — they never touch your credentials, never reach your filesystem, never speak directly to your network. Scope each skill/MCP per session. When a CVE lands in a dependency, revoke it across every running session in under a second. The capability stops working before the next request fires.

Developer experience

Built for the way developers actually work.

The fastest thing you do on your laptop — bridged ports, fast iteration, real collaboration — extended into the space and across every agent you have running.

Local ↔ Runspace
Bridged ports, both ways.

Your local Postgres, Ollama, staging tunnel — exposed transparently into the space. The agent's dev server at :3000 — exposed back to your laptop. Marshal's daemon proxies both directions, automatically.

postgres: localhost:5432 → space:5432
ollama: localhost:11434 → space:11434
dev server: space:3000 → localhost:3000
agent API: space:8080 → localhost:8080
Environments
Ephemeral envs, per task or test.

Every manifest can spin up a full dev environment or an ephemeral test stack — Docker Compose, full Kubernetes-in-Kubernetes, or a dedicated just-in-time spot instance (GPU on demand). One per task, one per test run, zero conflict, zero cleanup. Tear down on completion.

docker-compose.yml · 4 services
k8s-in-k8s · kind cluster
GPU spot · g5.xlarge · us-east-1
Control surface
CLI first. Web wraps it.

Every action in the web UI is a CLI command. A local daemon handles port forwarding, SSHFS mounts, and keepalive — so the web terminal feels native even when the pod is across a continent.

$ marshal new --manifest claude-code
$ marshal forward 5432:postgres
$ marshal share ws-prod-1 --reviewer
$ marshal mission-control
Collaboration
Pair, share, hand off.

Stuck on a session? Share a live link with a teammate. Working with a reviewer? Read-only spectator mode. Every collaborator sees the same terminal, the same audit log, the same policy plane. Sessions outlive the originator.

ws-incident-072 · 3 active
MC · Maya · owner
JL · Jamie · pair
SR · Sam · reviewer (read-only)
share link: marshal.your-co.internal/s/9f3a
Orchestration
Mission Control — one glance.

Every running agent, every cost, every policy state, every blocked request — in one pane. Triage incidents, freeze runaways, approve waiting requests without opening N tabs.

ws-prod-1 · MC · $0.42
ws-feat-204 · SR · $1.18
ws-incident-074 · MC · $0.31
ws-onboarding · JL · $0.04
Resilience
Disconnect-proof sessions.

Wi-Fi drops, laptop sleeps, train tunnel happens — your session keeps running in your VPC. Reconnect and the agent picks up mid-thought. Mosh-style local buffer means zero re-typing, zero context loss.

ws-prod-1 · session continuity
14:02:11 disconnected (Wi-Fi)
14:02:11 reconnecting…
14:02:12 tunnel restored · 0.4s
14:02:12 3 events replayed
14:02:12 agent: still thinking
zero context lost · zero re-typing
Time travel
coming soon
marshal rewind 10m.

The agent went off the rails 4 minutes ago. Rewind the entire space — files, env, network state, audit log position — to any checkpoint. Branch from there. The agent has no time machine. You do.

ws-prod-1 · timeline · 12 checkpoints
T-10m · ↑ rewind target · now
$ marshal rewind 4m
Cost
coming soon
Every dollar, in view.

Live per-session, per-tool, per-agent spend — surfaced in the proxy, not extracted from a JSONL file at 2 AM. Set spending caps that auto-pause. No more “why did this run $400 overnight?” moments.

ws-prod-1 · spend (live)
$0.42 / $5.00 cap · auto-pause armed
claude · opus: $0.31
proxy egress: $0.04
storage: $0.07
Filesystem
Your files, mounted in.

Your repo, your workspace, your dotfiles — mounted into the space over SSHFS. Edit in your IDE, the agent sees the change instantly. Edit in the space, your editor reloads. No git push-pull dance. No drift.

~/projects/marshal/workspace
📄 src/router.tsx · instant
📄 docs/architecture.md · instant
📄 package.json · instant
📁 node_modules/ · space-only
Inline review
The agent asks for your eyes.

When the agent hits a hunk that needs human judgment, it pings you inside Marshal. You open the diff, leave inline comments on the lines that matter, suggest replacements. Marshal sends a structured response back to the agent — comments and edits — so it picks up exactly where you left off.

No tab-switching. No copy-paste. No losing context.

review · rv_3f2a · src/auth/login.tsx
45    export function Login(){
46      const user = useAuth()
47      if (user.email) {
48        return <Dashboard />
49      }
MC · Maya · line 47 · just now
Also handle the SSO path from the new manifest — should land here, not after a re-render.
+ if (config.sso) return <SSOLogin />
1 comment · 1 suggestion
Ready on boot
Go? Python? Node? Already in.

Pick a manifest, get a runtime — any toolchain combo you want, pre-baked. gh auth, aws sso, kubectl — already authenticated to your org, with the credential scopes your security team approved. Network policy is already in place. Nothing from your laptop, nothing to install.

Open the terminal. Start typing.

boot · ready in 4.2s
Toolchains
go 1.24
python 3.13
node 22
rust 1.84
bun 1.1
deno 2.0
ruby 3.4
java 21
Authenticated · scoped
gh auth · scoped to org
aws sso · cp-only
kubectl · get-only
gcloud · read-only
docker registry · private
npm · private mirror
Live preview
The agent built it. See it running.

The agent starts a dev server in the space — Marshal gives it a real https:// URL. Open it in a new tab or watch it live inside the dashboard, right next to the terminal. No local daemon, no localhost tricks, no mixed-content fights. Hot-reload and WebSockets pass straight through.

Marshal probes each port first, so it only ever offers to browse the ones that actually speak HTTP — never your Postgres socket. Every preview is its own origin, reachable only by people on that space.

Send a teammate the link. They see exactly what you see.

🔒 3000-x7f2.preview.marshal.codes
● live · HMR
Ports: :3000 http · :5432 tcp · :8080 http
Built for three audiences

One product, three jobs.

Marshal is bought by the team — and the buyers don't agree on what matters. Developers want frictionless sessions; platform leads want declarative control; security wants proof. Each gets what they need from the same system.

For developers
Boot fast. Run loose. Feel local.
Spin up a space in seconds — every toolchain pre-baked, every tool already authenticated to your org, your laptop bridged in. Yolo without the cold-sweat moment. Pair on a session, hand it off, swap agents mid-week. The agent loop runs at the speed you always wanted.
  • Yolo without the cold sweat — Marshal supervises in the background
  • Every toolchain pre-baked. Every org tool already authenticated.
  • Bridged ports + SSHFS file mounts — laptop and space feel local
  • Pair, share, hand off live sessions to teammates
  • Mission Control across every running session
  • Pick any agent — Claude Code, Codex, Cursor, OpenCode, …
For platform leads
Manifests over snowflakes.
Every environment a developer can spin up is defined in code — image, toolchains, MCPs, skills, network profile, credential scopes, cost caps. Golden paths inherit and override. Versioned and rolled back like any other artifact. New developers `marshal connect` and they ship in 60 seconds — with exactly the controls your security team approved.
  • Declarative manifests with golden-path inheritance + override
  • Versioned + rollback-able like any other artifact
  • Org RBAC + invitations + SSO + audit retention
  • Cost caps + quotas per team, per session, per agent
  • BYO model providers — proxy keys, attribute spend per team
  • Per-task envs — Docker Compose · K8s · GPU spot
  • Deploys into your VPC, your KMS, your cluster
  • One platform, every coding agent your team picks
For security & CISO
Receipts, not promises.
Every byte of egress flows through the Marshal MITM Proxy. Every tool call passes a deny-first gate. Every credential stays in the supervisor vault. Every skill and MCP runs isolated, revocable in seconds. You see what happened. You can stop it mid-execution. The audit log is yours, in your VPC. Security becomes an enabler, not a blocker — without losing control for a second.
  • Per-request audited egress + live rule mutation
  • Block-first agent gate — must justify before acting
  • Per-verb tool policy (allow `aws s3 cp`, deny `aws s3 rm`)
  • Credentials never reach the agent — or MCPs, or skills
  • CVE in a dependency? Revoke across every session in <1s
  • One-click session quarantine — freeze, revoke, preserve forensics
The Marshal difference

One product owns both ends.

Other platforms either live on your laptop (no audit), or own the pod (no laptop bridge), or run sandboxes via SDK (not for interactive sessions). Marshal does all three — plus the policy plane in the middle.

Capability | Cursor cloud | Devin | Codespaces | Islo | e2b | Marshal
Runs inside your VPC (your cluster, your KMS)~
Self-hostable · no traffic ever sent to Marshal~
Credentials never reach the agent process~~
Audited egress proxy (every request, every byte)
Per-verb tool policy (allow cp, deny rm)
Block-first agent gate (agent justifies before acting)~
One-click session quarantine (forensic preserve)
MCP & Skill isolation + CVE-wide revoke

✓ shipped · ~ partial / behind feature flag · ✗ not available · based on public docs as of May 2026

Agent agnostic

Bring your own agent. Or three.

Marshal is the substrate — not the agent. Run Claude Code today, Codex tomorrow, Cursor on the experiments branch. Pick, swap, evaluate, change your mind. Your isolation, your audit, your policy plane stay the same. Security never blinks. Developers stay at the speed of light.

Supported · 3 ready · 7 coming soon
  • Claude Code (Anthropic)
  • Codex (OpenAI)
  • Cursor (Cursor)
  • OpenCode (Open source) · soon
  • Aider (Open source) · soon
  • Cline (VS Code) · soon
  • Goose (Block) · soon
  • OpenHands (All Hands AI) · soon
  • Copilot CLI (GitHub) · soon
  • Amazon Q (AWS) · soon
+ custom agents via manifest.agent — anything CLI-callable
swap.sh
# yesterday
$ marshal new --manifest claude-code

# today, same project
$ marshal new --manifest codex

# side-by-side bake-off
$ marshal new --manifest cursor --fanout 3
Same isolation. Same audit. Same policy. Switch the agent, keep everything else. The lock-in goes away.
Architecture

Three components. All in your VPC.

A daemon on your developer's laptop bridges ports, files, and auth into the session. A control plane in your cluster runs sessions, manifests, policy, and the audit log. An isolated runtime per session holds the agent — and routes every byte of egress through the Marshal MITM Proxy. We deploy all three into your infrastructure. Marshal never sees your traffic.

1 · YOUR LAPTOP (where the developer sits)
  • marshal CLI: your terminal
  • marshal daemon: ports · files · auth bridge
  • Browser session: terminal in your tab
2 · CONTROL PLANE (in your cluster · where Marshal runs)
  • Sessions · manifests: RBAC · SSO · org config
  • Policy plane: live rule updates
  • Audit log: to your storage
3 · SESSION RUNTIME (in your cluster · one per session · where the agent runs)
  • Marshal MITM Proxy: every byte gated · every rule live
  • Agent process: isolated · no creds, no env leak
  • Credential vault: supervisor-only vault
  • internet

Everything over HTTPS. No port opening, no SSH gateways, no inbound firewall holes. Outbound HTTPS only — VPN-friendly, ZeroTrust-friendly (Tailscale · Twingate · Cloudflare Access). Your laptop and cluster reach Marshal the same way they reach GitHub.
Self-host first

Your cluster. Your VPC. Your audit trail.

Marshal deploys into your infrastructure — AWS, GCP, Azure, on-prem, or air-gapped. Postgres and Redis in your VPC. Audit data in your storage. Credentials in your KMS. We never see your traffic.

BYO KMS (AWS · Vault) · Air-gap compatible · SSO / SCIM via OIDC
deploy.sh
# 1. Provision Postgres + Redis in your VPC (or we bring our own)
# 2. Receive a private Helm chart on accepted beta
# 3. Deploy into your cluster

helm install marshal ./marshal-<release>.tgz \
  --namespace marshal --create-namespace \
  --set kms.vaultAddr=https://vault.your-co \
  --set audit.sink=s3://your-bucket/audit \
  -f values.yaml

# Marshal control plane is now reachable
# at https://marshal.your-co.internal
100% · Egress requests logged · per-request, never sampled
< 4 ms · Median network overhead · measured on dev clusters
0 · Credentials in agent process · enforced at runtime
Your VPC · Where it runs · AWS · GCP · Azure · on-prem
Beta program

Get on the Marshal beta.

We're onboarding a small cohort of security-first engineering orgs each quarter. If you want AI coding agents inside your stack — without bringing the risk in with them — let's talk.

Request access
Tell us about your team
We respond within 2 business days. No marketing list, no automated drip.
What to expect
30 minutes, real product
  • Demo on your stack: Live walkthrough on a sample agent session — the audit log streams in real time. No sales deck.
  • Architecture review: We share the deployment topology, network requirements, and how Marshal lands inside your VPC.
  • Security questionnaire: Bring your standard vendor security review — we have the answers ready.
  • Pilot scope: If it’s a fit, we co-design a 30-day pilot with success criteria you set.

Bring AI agents inside. On your terms.

Your CISO becomes an enabler, not a blocker — without losing control for a second. Marshal is in private beta with security-first engineering orgs putting AI agents in production today.
