AI Egress Proxy: Control What Your Agents Send

What an AI egress proxy does

An AI egress proxy is a forward proxy purpose-built for AI agent traffic. It sits between your agent and every external service the agent contacts. Every outbound HTTP request, MCP tool call, and WebSocket frame passes through it.

The proxy inspects traffic in both directions. Outbound, it scans for leaked credentials, SSRF attempts, and policy violations. Inbound, it scans responses for prompt injection payloads that could compromise the agent on the next turn.

The key difference from allowlisting or blocklisting: an AI egress proxy performs deep content inspection. It doesn’t just check whether a domain is permitted. It checks whether the request body contains your AWS keys encoded in base64.

Agent Process  ──>  AI Egress Proxy  ──>  Internet
     (has secrets,       (inspects traffic,     (untrusted)
      no direct route)    enforces policy)

The agent has credentials but no direct network path. The proxy has the network path but enforces scanning on every byte that crosses it.

Why agents need egress control

Traditional software makes predictable network calls. You can define its behavior at build time. AI agents are different.

Agents hold credentials. They read .env files, access cloud tokens, and use API keys to do their work. The agent process has everything an attacker wants.

Agents make arbitrary HTTP calls. A coding agent fetches documentation, calls APIs, downloads packages, and posts results. The set of outbound requests is not fixed at build time. It changes with every prompt.

Agents call tools. MCP tool calls carry arguments that can contain any data, including secrets an injection told the agent to include. Tool responses carry content that can contain injection payloads.

Agents follow instructions from untrusted input. A prompt injection in a fetched web page, a poisoned MCP tool description, or a malicious repository file can redirect the agent’s behavior. The agent doesn’t know the instruction is hostile.

Without an egress control point, a compromised agent can send your credentials to any endpoint on the internet. No log, no alert, no block. The secret is gone before you know it happened.

Proxy vs gateway vs firewall

These terms overlap. Here is how they map in the AI agent context.

Egress proxy. A forward proxy that handles outbound traffic from agents. Traffic flows through it because the agent is configured (or network-forced) to use it. The proxy inspects content and enforces policy.

Gateway. Usually implies a centralized entry point for inbound traffic (API gateway) or a routing layer for a specific protocol (MCP gateway). Some vendors use “gateway” for outbound filtering too. The distinction is fuzzy.

Agent firewall. The broadest term. An agent firewall combines egress proxy capabilities (HTTP scanning, DLP, SSRF) with protocol-specific inspection (MCP tool calls, WebSocket frames) and network enforcement. It’s the full security boundary around agent traffic.

In practice, if you are scanning outbound agent HTTP and MCP traffic for secrets and injection, you are running an AI egress proxy. If that proxy also handles network policy, audit logging, and protocol-aware inspection, most people call it an agent firewall.

What to inspect

An AI egress proxy needs to inspect more than URLs and headers. Agent threats hide in places traditional proxies ignore.

Credentials in requests

Scan URLs, query parameters, headers, and POST bodies for credential patterns: AWS keys, GitHub tokens, JWTs, private keys, Stripe keys, and dozens more. Attackers encode secrets to evade detection, so decode base64, hex, and URL encoding before pattern matching.

Injection in responses

HTTP responses and MCP tool responses can contain prompt injection. The proxy scans inbound content for injection patterns before the agent processes it. This catches attacks at the network layer, outside the agent’s trust boundary.

SSRF attempts

Block requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata endpoints (169.254.169.254), and link-local addresses. Include DNS rebinding protection: resolve the hostname, verify the IP, then connect. Don’t resolve twice.

DNS exfiltration

Secrets encoded as subdomains (AKIAIOSFODNN7EXAMPLE.leak.attacker.com) leak data through DNS resolution before the HTTP request even completes. The proxy resolves DNS itself and scans the hostname for credential patterns.

MCP tool calls

MCP tool arguments can carry exfiltrated data. MCP tool descriptions can contain poisoned instructions. An AI egress proxy that also handles MCP traffic scans both directions of every tool call. This requires protocol-level awareness, not just byte inspection.

Deployment patterns

There are three common ways to route agent traffic through an AI egress proxy.

Environment variable

Set HTTPS_PROXY so the agent’s HTTP client routes through the proxy. Simple to deploy. The limitation: a prompt injection that gains shell access can unset the variable. Use this as a starting point, not as your only enforcement.

export HTTPS_PROXY=http://127.0.0.1:8888

Sidecar

Run the proxy as a sidecar container alongside the agent. Use network policy (Kubernetes NetworkPolicy, iptables, or container networking) to block the agent’s direct internet access. All traffic must flow through the sidecar. The agent cannot bypass it even if fully compromised.

┌─────────────────────────┐
│  Pod / VM               │
│  ┌───────┐  ┌────────┐  │
│  │ Agent │──│ Proxy  │──── Internet
│  └───────┘  └────────┘  │
│  (no direct egress)     │
└─────────────────────────┘

Hook-based

Some agent frameworks support hooks that intercept tool calls before execution. The hook sends the request through the proxy for scanning. This works for MCP traffic and agent-specific actions (file writes, shell commands) that never touch the network directly.

# Claude Code: one-command setup
pipelock claude setup

How Pipelock works as an AI egress proxy

Pipelock is an open-source AI egress proxy and agent firewall. It handles HTTP, MCP, and WebSocket traffic in a single binary.

DLP scanning. 48 credential patterns with checksum validators. Decodes base64, hex, and URL encoding before matching. Scans environment variable values with Shannon entropy filtering.

Injection detection. Multi-pass normalization pipeline scans HTTP responses and MCP tool responses for prompt injection patterns.

SSRF protection. Blocks private IPs, metadata endpoints, and DNS rebinding.

MCP proxy. Wraps MCP server commands. Scans tool descriptions for poisoning, arguments for credential leaks, and responses for injection.

Audit logging. Structured JSON logs for every scan decision. Ship to your SIEM for incident response.

# Install
brew install luckyPipewrench/tap/pipelock

# Run as HTTP proxy
pipelock run --config pipelock.yaml

# Route agent traffic through it
export HTTPS_PROXY=http://127.0.0.1:8888

# Or set up Claude Code with hooks + MCP proxy
pipelock claude setup

Further reading

• What is an Agent Firewall?: the full architecture around agent traffic
• Pipelock: features, install, and configuration
• MCP Proxy: how Pipelock scans MCP tool calls and responses
• AI Agent Security: hooks, guardrails, and egress inspection compared
• Agent Egress Security: credential leak vectors and defenses
• Pipelock on GitHub