Vendor comparison

Pipelock vs iron-proxy

Content scanning vs boundary secret rewriting. Two different approaches to agent egress.

Reviewed: April 2026
Read: 5 min

Want the runtime boundary, not just another checklist?

Pipelock vs iron-proxy is content scanning vs boundary secret rewriting. Two open-source Go proxies solving agent egress from different angles.

The short version

Pipelock is an open-source network proxy. It scans HTTP, MCP, and WebSocket traffic for credential leaks, prompt injection, SSRF, and tool poisoning. Runs locally as a single binary. Works with any agent whose traffic is routed through it.

iron-proxy is an open-source Go egress firewall for AI agents, created by mslipper. Its core approach combines a domain allowlist with boundary secret rewriting: the proxy holds the real secrets, and the sandbox only ever sees placeholder tokens that get rewritten on the way out. That means a compromised sandbox cannot leak real credentials because it never had them.

Pipelock inspects content. iron-proxy protects credentials at the identity boundary. Same transport (Go egress proxy), different threat model focus.

Feature comparison

Feature	Pipelock	iron-proxy
Architecture	Network proxy (single binary, self-hosted)	Network proxy (self-hosted, Go)
Primary scope	HTTP, HTTPS, CONNECT, WebSocket, MCP content scanning	Domain allowlist, TLS-terminating payload inspection, boundary secret rewriting
Domain allowlist	Yes	Yes (primary mechanism)
DLP (credential scanning)	48 built-in patterns, encoding-aware, env leak detection	Boundary rewriting (sandbox never holds real secrets)
Prompt injection detection	25 patterns, 6-pass normalization	Not documented in public docs
Tool poisoning	Rug-pull drift detection + description scanning	Not documented in public docs
SSRF protection	DNS rebinding, private IP, metadata blocking	Not documented in public docs
MCP awareness	Yes (bidirectional content scanning)	Not documented in public docs
WebSocket support	Yes	Yes (documented in public docs)
Encoding evasion handling	Base64, hex, URL decode on scan inputs	Not documented in public docs
Boundary secret rewriting	No (capability separation by deployment)	Yes (core feature)
Process sandbox	Yes (Landlock + seccomp + netns)	Not documented in public docs
Tamper-evident logging	Yes (hash-chained flight recorder)	Not documented in public docs
Compliance mappings	OWASP, NIST, EU AI Act	Not documented in public docs
Source availability	Open source (Apache 2.0 core)	Open source
Self-hosted	Yes	Yes
Pricing	Free (Apache 2.0), Pro starts at $49/mo	Free (open source)

When to pick Pipelock

You want content inspection across HTTP, WebSocket, and MCP. Pipelock scans outbound requests for 48 credential patterns (base64, hex, and URL encoding aware) and runs 25 injection patterns through 6 normalization passes on scanned responses. Tool descriptions and tool call arguments get the same treatment. If your threat model includes prompt injection, tool poisoning, or data exfiltration hidden inside request bodies, that content inspection layer matters.

You need MCP-specific awareness. Pipelock parses MCP framing, scans tool descriptions for poisoning, detects rug-pull drift when a previously-trusted tool changes its prompt, and inspects tool call arguments and responses. Agents using Claude Code, Cursor, or Codex with MCP servers get that protection automatically once routed through the proxy.

You want SSRF protection out of the box. Pipelock blocks requests to private IP ranges, cloud metadata endpoints, and link-local addresses, with DNS rebinding protection baked in. Whether iron-proxy’s DNS layer applies similar protections is not documented in public docs.

When to pick iron-proxy

Your primary concern is credential exposure inside the sandbox. iron-proxy’s boundary secret rewriting is a genuinely different approach. The proxy holds the real API keys and tokens. The sandbox (or agent process) gets a placeholder. When the agent makes an outbound request, the proxy swaps the placeholder for the real secret on the egress path. A compromised sandbox cannot leak real credentials because it never had them. Pipelock does not do this.

You want a focused, minimal egress firewall. iron-proxy is scoped tightly around domain allowlisting and boundary secrets. If that covers your threat model and you want something small to audit and run, the focused scope is a feature, not a limitation.

You are building an identity-first sandbox model. If your architecture already treats the agent sandbox as untrusted and wants the proxy to be the trust anchor for credentials, iron-proxy’s model maps directly to that design. The placeholder-token pattern is the feature you are shopping for.

Architecture differences

Pipelock and iron-proxy answer different questions.

iron-proxy asks: How do we stop the sandbox from ever seeing real secrets? iron-proxy acts as a TLS-terminating proxy with full payload visibility, not just SNI inspection. The primary answer is boundary secret rewriting. The sandbox runs with fake tokens. Every outbound request passes through the proxy, which substitutes real credentials at the edge. A malicious tool response or compromised process cannot exfiltrate what the sandbox does not hold.

Pipelock asks: What is actually in the traffic flowing through? The answer is content scanning. Every request body gets checked for leaked credentials, encoded secrets, and prompt injection. Every tool description and tool response gets checked for poisoning. SSRF attempts get blocked at the resolver.

These are compatible designs. iron-proxy protects credentials by never letting them reach the sandbox. Pipelock protects against injection and data leaks by inspecting what moves across the wire. You can run both, with iron-proxy handling the credential boundary and Pipelock handling content inspection.

Third-party feature descriptions are based on public materials reviewed in April 2026. Features and capabilities may change. Check each project’s current documentation for the latest.

Frequently asked questions

What's the difference between Pipelock and iron-proxy?

Both are open-source Go egress proxies for AI agents. Pipelock scans HTTP, WebSocket, and MCP traffic for credential leaks, prompt injection, SSRF, and tool poisoning. iron-proxy enforces a domain allowlist and uses boundary secret rewriting, where the proxy holds the real credentials and the sandbox holds placeholder tokens that the proxy swaps in on the way out. Different approaches to the same problem.

Does iron-proxy scan MCP traffic?

Based on public docs, iron-proxy focuses on domain allowlisting and boundary secret rewriting rather than MCP-specific scanning. Pipelock scans MCP content bidirectionally, inspecting tool descriptions, tool call arguments, and tool responses for injection and credential leaks.

Can I use Pipelock and iron-proxy together?

Yes. They operate at different enforcement layers. iron-proxy’s boundary secret rewriting protects credentials from ever being visible inside the sandbox. Pipelock scans the content flowing through the proxy for injection, tool poisoning, and data leaks. One protects credentials at the identity boundary. The other inspects what flows through.