Watchtower is the command center for Beacon and AgentSH. Centralized policies, approvals routing, SIEM forwarding, and a fleet-wide kill switch.
Beacon secures supervised AI on endpoints. AgentSH secures unsupervised agents in CI, containers, and dev environments. Watchtower governs both from one place.
Desktop AI tools — Claude, ChatGPT, Cursor, Claude Code — monitored and controlled on macOS and Windows with human-in-the-loop approvals.
Learn about Beacon →Headless agents in CI pipelines, containers, sandbox runners, and dev environments — policy enforced at the syscall level with no UI required.
Learn about AgentSH →Allow Claude to reach Anthropic APIs. Block Cursor from unknown registries. Different tools, different policies.
Tight lockdown in production. Broader access in dev. Prompt for deploy actions in CI pipelines.
Prompt before reading secrets paths. Redirect package registries to internal mirrors. Block exfiltration patterns.
Send approval requests to the right on-call team based on policy — Slack, email, or SMS.
Tool, process chain, destination, command, and scope. Reviewers see exactly what is being requested.
When appropriate, cache approvals so teams do not get spammed with the same request.
Splunk, Sentinel, QRadar. Your existing security tools, your existing workflows.
Keep the full record for audits and incident response.
Make AI execution visible in the same pane as the rest of security operations.
Pause AI execution across every endpoint and agent runtime in seconds.
Investigate the incident, update policy if needed, then restore operations.
Halt everything, or target specific teams, environments, or tool types.
agentsh is the open-source runtime that enforces policies on AI agents. Beacon monitors AI desktop tools on your endpoints. Watchtower is the enterprise control plane for both — centralized management, fleet-wide visibility, and compliance integrations.
agentsh runs alongside your AI agents (CI runners, containers, dev environments). Beacon installs on endpoints where AI tools run (laptops, workstations). Watchtower connects to both and provides a single pane of glass for policy management and monitoring.
Linux (full enforcement via eBPF/LSM), macOS (ESF or FUSE-T), and Windows (minifilter driver). Coverage varies by platform.
Yes. Start with agentsh or Beacon on your team's machines, then add Watchtower when you need centralized control or compliance features.
Watchtower provides audit trails and SIEM integration that support SOC 2, ISO 27001, and similar frameworks. We can discuss your specific requirements.
Tell us about your environment and we'll reach out to discuss how Watchtower fits your security needs.
Whether you're exploring AI security for the first time or looking to scale existing deployments, we'll help you find the right approach — from open-source agentsh and Beacon to full enterprise control with Watchtower.