Building iron.sh

Joined June 2009
Huge launch. Self-hosted agent systems are the future, and egress enforcement is what makes them safe. iron-proxy is the egress layer inside centaur. We went deep on the hard parts like OAuth brokering, HMAC signing, and Postgres MITM for RLS.
Open Sourcing Centaur: Multiplayer, self-hosted, secure agents for Slack. Centaur has been transforming how @paradigm and @tempo invest, build and research. Now you can run it yourself on infrastructure you control. Instructions below.
This is really cool to see. Self-hosted sandboxes default-deny egress is the future. Most iron-proxy users are already running agents in their own VPCs; now they can run Claude Managed Agents there too.
May 19
Live from Code with Claude London: we're launching self-hosted sandboxes (public beta) and MCP tunnels (research preview) in Claude Managed Agents. Run agents inside your own perimeter, with your security controls applied by default.
iron-proxy now supports MCP inspection and policy enforcement. Whitelist exactly the tools your agent needs, and audit every call. This is where other tools like Squid fall short. They understand URLs, but not the protocols agents are actually speaking.
Pin versions, set a minimum release age, and run an egress proxy in front of anything running potentially untrusted code. Do this now, before this happens again next week.
🚨 BREAKING: 84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware. Socket flagged every malicious version within six minutes of publication. This is a developing story.
Seeing more and more folks opting to bring their own compute rather than using sandboxes. Boring EC2 instances / k8s pods often work just fine.
The deletions will continue until egress control improves
1/ Malware continues to dump secrets on GitHub. Today's Bitwarden CLI backdoor is just the latest of many examples. Hostname allowlists can't tell good GitHub traffic from bad. You need a filter that actually understands the GitHub API. Here's how.
4/ At this point everything left looks legitimate. As a final layer of defense, add a judge transform to read the request body in flight and classify it against a policy you write in English:
5/ This matters especially for coding agents. Even if the agent gets prompt-injected into posting a "comment" full of secrets, the comment still has to pass the judge. If your agent can reach GitHub, today's a good day to secure it. iron.sh

New in iron-proxy v0.15: the judge transform. Give your config a prompt, and it'll evaluate matching requests against it via an LLM. Supports both Anthropic and OpenAI backends. Default-deny still applies: the judge can only reject. Release notes: github.com/ironsh/iron-proxy…
Hat tip to @brexhq's CrabTrap, which inspired this design: github.com/brexhq/CrabTrap
IMO putting secrets in env vars is an antipattern. The Vercel thing makes that clear. Workloads shouldn't have secrets at all. Keep them in a vault instead and have an egress proxy inject them on the way out. This will seem obvious in a year.
iron-proxy v0.12.0 adds AWS SSM Parameter Store support. We added Secrets Manager on Monday. We're adding SSM today. Supports SecureString decryption, JSON key extraction from parameter values, and TTL-based refresh without restarting the proxy. Get secure, proxied credentials wherever you run your stuff. Release notes: github.com/ironsh/iron-proxy…
This is a big deal. It's how we think about agent execution at iron[.]sh too. Treat sandboxes as interchangeable, then do all the security-critical stuff like secret management outside. iron-proxy supports this natively.
Build long-running agents with more control over agent execution. New capabilities in the Agents SDK: • Run agents in controlled sandboxes • Inspect and customize the open-source harness • Control when memories are created and where they’re stored
iron-proxy v0.10.0 is out! We've added support for resolving secrets directly from AWS Secrets Manager. Store your credentials in ASM, and the proxy injects them in at the network layer. This is the direction: stop handing secrets to untrusted code. Let it call APIs without giving it keys. Release notes: github.com/ironsh/iron-proxy…
Cloudflare agrees: you need an egress proxy between untrusted workloads and the internet. We've been building exactly this, in the open, at iron.sh.

Cloudflare Sandboxes is now GA. Agents need more than prompt windows. They need terminals, interpreters, live environments, and secure secrets. Now they can: pull code, install repos, run tests, debug failures, iterate. The engineering loop that actually ships code. blog.cloudflare.com/sandbox-…