Open source · Apache 2.0

Default-deny egress for untrusted workloads.

A compromised workload can't exfiltrate what it never had. iron-proxy enforces default-deny egress and injects real credentials on the fly, at the boundary. Your workload never sees them.

Egress audit log (streaming)

Timestamp   Destination                          Verdict
16:41:54    pypi.org/simple/requests/            allowed
16:42:00    api.openai.com/v1/chat/completions   allowed
16:42:09    sketchy-domain.io/exfil              denied
16:42:31    github.com/ironsh/iron-proxy.git     allowed
16:42:45    registry.npmjs.org/express           allowed

Expanded entry (16:42:00):
  Host       api.openai.com
  Path       /v1/chat/completions
  Method     POST (status 200)
  Duration   1,243 ms
  Rule       api.openai.com
  Sent       4.0 KB
  Received   8.0 KB
  Timestamp  16:42:00
  Secret injected
    Name   OpenAI API Key
    Env    OPENAI_API_KEY
    ID     sec_01h
    Hosts  api.openai.com
The problem

Every workload you don't fully control can reach the internet.

AI agents, CI/CD pipelines, and third-party code all get outbound network access by default. They also get your secrets. Exfiltration is one curl away.

The solution

Control what gets out. Audit everything else.

iron-proxy sits between your workload and the internet. It terminates TLS, enforces your allowlist, and swaps proxy tokens for real credentials at egress.

Default-deny egress. TLS-terminating proxy with full payload inspection, not just SNI: the proxy sees the decrypted request, so it can match on host, method and path and rewrite headers, rather than deciding on the hostname in the ClientHello alone.

Secret injection at the boundary. Workloads get proxy tokens. Real credentials are swapped in at egress.

Per-request audit log. Every outbound connection logged as structured JSON. OTel-ready.

Flow, allowed request with secret injection:
  Workload sends proxy token iron_proxy_oai to iron-proxy
  iron-proxy: api.openai.com on allowlist; swap proxy token for real secret; log request + verdict
  iron-proxy forwards sk-real-key... to api.openai.com

Flow, denied request:
  Workload sends POST /exfil for sketchy.io/exfil to iron-proxy
  iron-proxy: 403, denied + logged; nothing reaches sketchy.io
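The pipeline above, as an added worked example in Python. This is illustrative code written for this page, not iron-proxy's own implementation: the allowlist, the mapping from the proxy token iron_proxy_oai to a constructed credential, the host scope of that secret and the audit-record field names are all assumptions chosen to match the demo log, and TLS termination and the network side are left out. What it shows is the check a practitioner should expect from a boundary-injection design: a secret is swapped in only for the hosts it is bound to, so an allowlisted but unrelated destination never receives it; a denied request is refused before any secret lookup, so the placeholder token is all that was ever at risk; and the audit record names the injected secret without ever containing its value.

```python
"""Minimal model of default-deny egress with scoped secret injection and a
structured audit record.  Illustrative example, not iron-proxy's code."""
import fnmatch
import json
from dataclasses import dataclass, field

# Constructed policy (not iron-proxy's configuration format).  Entries are
# exact hosts or globs; any host that matches nothing is denied.
ALLOWLIST = ["api.openai.com", "pypi.org", "*.npmjs.org", "github.com"]

# Hypothetical proxy tokens (the only thing the workload ever holds), each
# mapped to the real credential and the hosts it may be sent to.
SECRETS = {
    "iron_proxy_oai": {
        "name": "OpenAI API Key",
        "value": "sk-real-key-CONSTRUCTED",   # constructed placeholder, not a live key
        "hosts": ["api.openai.com"],
    },
}


@dataclass
class Request:
    workload: str
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def matching_rule(host):
    """Return the allowlist entry that admits this host, or None (default-deny)."""
    for pattern in ALLOWLIST:
        if fnmatch.fnmatchcase(host, pattern):
            return pattern
    return None


def inject_secrets(req):
    """Swap proxy tokens in outbound headers for real credentials, but only when
    the destination is one of the hosts that secret is bound to.  An in-scope
    swap is recorded by secret name; an out-of-scope token is stripped so the
    placeholder is never forwarded, and the refusal is recorded too."""
    injected, refused = [], []
    for header, value in list(req.headers.items()):
        for token, secret in SECRETS.items():
            if token not in value:
                continue
            if req.host in secret["hosts"]:
                req.headers[header] = value.replace(token, secret["value"])
                injected.append(secret["name"])
            else:
                del req.headers[header]
                refused.append(secret["name"])
            break  # one proxy token per header
    return injected, refused


def handle(req):
    """Enforce policy for one request and return its audit record.  The record
    names which secrets were injected but never contains their values."""
    record = {"workload": req.workload, "method": req.method,
              "host": req.host, "path": req.path}
    rule = matching_rule(req.host)
    if rule is None:
        # Denied before any secret lookup: the placeholder token never leaves.
        record.update(verdict="denied", status=403, rule=None,
                      secrets_injected=[], injection_refused=[])
        return record
    injected, refused = inject_secrets(req)
    record.update(verdict="allowed", rule=rule,
                  secrets_injected=injected, injection_refused=refused)
    return record


def demo():
    """Three constructed requests: in-scope injection, default-deny, and an
    allowed host presented with a token that is not bound to it."""
    reqs = [
        Request("agent-1", "POST", "api.openai.com", "/v1/chat/completions",
                {"Authorization": "Bearer iron_proxy_oai"}),
        Request("agent-1", "POST", "sketchy-domain.io", "/exfil",
                {"Authorization": "Bearer iron_proxy_oai"}),
        Request("agent-1", "GET", "github.com", "/ironsh/iron-proxy.git",
                {"Authorization": "Bearer iron_proxy_oai"}),
    ]
    return [(r, handle(r)) for r in reqs]


if __name__ == "__main__":
    for req, record in demo():
        print(json.dumps(record), "->", req.headers)
```

The third case is the one worth arguing about. Stripping the header (rather than forwarding the unsubstituted placeholder, or denying the whole request) keeps an allowlisted host reachable while making sure a credential issued for api.openai.com can never be steered to another destination, whatever the workload puts in its headers; the refusal still lands in the audit record so the attempt is visible.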
Scale

iron-proxy is how you start. iron.sh is how you scale.

The control plane for iron-proxy deployments.

When you have fifty workloads across three environments, YAML doesn't cut it. Manage policy, secrets, and audit logs from one place.

POLICY

Centralized policy management

Define and push allowlists across all your proxies. Version policies. Audit changes. No more YAML drift across hosts.

SECRETS

Secrets integration

Pull credentials from Vault, AWS KMS, or your existing secrets manager. iron-proxy resolves them at egress so secrets never touch the workload.

OBSERVABILITY

Aggregated audit logs

Every egress decision from every proxy, queryable in one dashboard. OTel-native export to your existing observability stack.

DETECTION

Alerting & anomaly detection

Get notified when a workload tries to reach something it shouldn't. Catch compromised code before it becomes an incident.
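Added example of the detection side, written for this page and not taken from iron-proxy or iron.sh: a small consumer of the per-request audit stream. The log lines are constructed, in a hypothetical JSON shape with one record per outbound request (timestamp, workload, destination, verdict), not the product's actual schema. Every denied verdict is reported on its own, since a workload asking for a destination policy forbids is already the signal the page describes, and a workload that accumulates several denials inside a short window is escalated once as a burst, the pattern a compromised process produces when it probes for any open exfiltration path.

```python
"""Alerting over a default-deny egress audit stream.  Illustrative example;
the log format is constructed, not iron-proxy's schema."""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed audit lines: one JSON record per outbound request.
AUDIT_LINES = """\
{"ts": "2025-06-01T16:41:54Z", "workload": "ci-runner-7", "host": "pypi.org", "path": "/simple/requests/", "verdict": "allowed"}
{"ts": "2025-06-01T16:42:00Z", "workload": "agent-1", "host": "api.openai.com", "path": "/v1/chat/completions", "verdict": "allowed"}
{"ts": "2025-06-01T16:42:09Z", "workload": "agent-1", "host": "sketchy-domain.io", "path": "/exfil", "verdict": "denied"}
{"ts": "2025-06-01T16:42:11Z", "workload": "agent-1", "host": "sketchy-domain.io", "path": "/exfil", "verdict": "denied"}
{"ts": "2025-06-01T16:42:14Z", "workload": "agent-1", "host": "paste.example", "path": "/api/post", "verdict": "denied"}
{"ts": "2025-06-01T16:42:31Z", "workload": "ci-runner-7", "host": "github.com", "path": "/ironsh/iron-proxy.git", "verdict": "allowed"}
{"ts": "2025-06-01T16:42:45Z", "workload": "ci-runner-7", "host": "registry.npmjs.org", "path": "/express", "verdict": "allowed"}
"""


class EgressDetector:
    """Turns denied verdicts into alerts and escalates a burst of denials from
    one workload inside a sliding window (reported once per workload)."""

    def __init__(self, burst_threshold=3, window_seconds=60):
        self.burst_threshold = burst_threshold
        self.window_seconds = window_seconds
        self.denials = defaultdict(deque)   # workload -> timestamps of recent denials
        self.escalated = set()              # workloads already reported as a burst

    def feed(self, line):
        ev = json.loads(line)
        if ev["verdict"] != "denied":
            return []
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        alerts = [{"type": "denied_egress", "workload": ev["workload"],
                   "host": ev["host"], "path": ev["path"], "ts": ev["ts"]}]
        window = self.denials[ev["workload"]]
        window.append(ts)
        # Drop denials older than the window; the newest entry always stays.
        while (ts - window[0]).total_seconds() > self.window_seconds:
            window.popleft()
        if len(window) >= self.burst_threshold and ev["workload"] not in self.escalated:
            self.escalated.add(ev["workload"])
            alerts.append({"type": "denied_burst", "workload": ev["workload"],
                           "count": len(window), "window_seconds": self.window_seconds})
        return alerts


def run_detector(lines, **kwargs):
    """Feed every non-empty line through one detector; return all alerts in order."""
    det = EgressDetector(**kwargs)
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(det.feed(line))
    return alerts


if __name__ == "__main__":
    for alert in run_detector(AUDIT_LINES.splitlines()):
        print(json.dumps(alert))
```

On the constructed stream the detector emits three denied_egress alerts for agent-1 and, on the third denial within the 60-second window, one denied_burst with count 3; the CI runner's allowed traffic produces nothing. Because every decision is logged as structured JSON, the same logic runs unchanged over the OTel export in a SIEM, where the threshold and window become tuning knobs per environment.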

Use cases

Built for anything you don't fully trust.

AI agents & copilots

Your agent runs code, calls APIs, installs packages. It's one prompt injection away from exfiltrating your credentials. Contain the blast radius at the network boundary.

Claude Code · LangChain · Custom agents

CI/CD pipelines

Every npm install and pip install runs third-party code with full network access. Supply chain attacks like the Trivy/TPCP incident just need one outbound connection.

GitHub Actions · Jenkins · GitLab CI

Third-party code

Plugins, integrations, customer-submitted code, webhooks. If it can reach the internet, it can exfiltrate. Default-deny egress is the first line of defense.

Sandboxed execution · Plugin systems

Control the boundary.

Start with iron-proxy in five minutes. Talk to us when you're ready to manage policy at scale.