Open Source · L7 Proxy · <1ms Latency · Deterministic — No LLM · Mission-Scoped Policies

The Agentic
Data Firewall

See what your AI agents do to your database — then control it. Deterministic SQL parsing, no LLM in the loop — every decision is auditable and reproducible. An inline L7 proxy that parses every SQL query and blocks violations before they reach PostgreSQL. <1ms added latency. One Go binary.

FaultWall Dashboard — agent activity, policy violations, query log
terminal
# One binary. One policy file. Blocked queries never reach PostgreSQL.
$ ./faultwall --proxy --listen :5433 --upstream localhost:5432 --policies ./policies.yaml
# Agents connect to port 5433. FaultWall enforces in real-time.

Built With
Go
·
PostgreSQL
·
Docker
·
MCP Protocol
·
eBPF
·
YAML Policies
·
Real-Time SQL Parsing
5,000+
Lines of Go
10
MCP Tools
1
Dependency
<1ms
Per-Query Latency

Security + reliability
in one binary

Inline proxy that blocks rogue queries before they execute. No instrumentation required.

🔑

Agent Identity

Agents identify via PostgreSQL's application_name: agent:cursor-ai:mission:summarize. FaultWall knows WHO is running WHAT.

Real-Time Enforcement

Queries are parsed and blocked BEFORE reaching PostgreSQL. DROP TABLE? Never executes. SELECT on a table outside scope? Rejected at the proxy.

🔌

Both Query Protocols

Intercepts Simple Query and Extended Query Protocol. Works with psql, psycopg2, pgx, SQLAlchemy, JDBC — every PostgreSQL client.

🧠

Anomaly Detection

Statistical learning builds per-agent baselines. Z-score analysis flags deviations. No LLM, no API keys — runs locally.
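A sketch of per-agent z-score baselining as described above, added here as an example and not taken from FaultWall's source. The metric (rows returned per query), the threshold of 3, the five-sample warm-up and all type and function names are assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// baseline is a running mean and sum of squared deviations (Welford's method).
type baseline struct {
	n        int
	mean, m2 float64
}

// Detector keeps one baseline per agent so agents are never scored against each other.
type Detector struct {
	Threshold  float64 // flag when |z| exceeds this (assumed value, tune per workload)
	MinSamples int     // observations needed before any scoring happens
	agents     map[string]*baseline
}

// Observe scores x against the agent's baseline, then learns from it unless it
// was flagged, so one burst cannot widen the baseline and hide the next one.
func (d *Detector) Observe(agent string, x float64) (z float64, flagged bool) {
	b, ok := d.agents[agent]
	if !ok {
		b = &baseline{}
		d.agents[agent] = b
	}
	if b.n >= d.MinSamples && b.n > 1 {
		// Sample standard deviation, floored to avoid dividing by zero.
		z = (x - b.mean) / math.Max(math.Sqrt(b.m2/float64(b.n-1)), 1e-9)
		flagged = math.Abs(z) > d.Threshold
	}
	if !flagged {
		b.n++
		delta := x - b.mean
		b.mean += delta / float64(b.n)
		b.m2 += delta * (x - b.mean)
	}
	return z, flagged
}

func main() {
	d := &Detector{Threshold: 3, MinSamples: 5, agents: map[string]*baseline{}}
	// Constructed sample: rows returned per query by one agent, then a bulk read.
	for _, rows := range []float64{98, 101, 100, 99, 102, 100, 101, 99, 50000} {
		z, flagged := d.Observe("cursor-ai", rows)
		fmt.Printf("rows=%6.0f z=%10.2f flagged=%v\n", rows, z, flagged)
	}
}
```

An agent with no history is never flagged during warm-up, so this kind of scoring complements the policy checks and does not replace them.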

🤖

AI-Native (MCP)

10-tool MCP server lets agents check their own policies, view violations, and manage themselves autonomously.

Works with every
managed Postgres

Validated against the stack your team actually runs. Drop-in, wire-level, no driver changes.

🟢
Self-hosted Postgres
12+
🟢
AWS RDS
Postgres 16
🟢
AWS Aurora
Postgres 16.8
🟢
Neon
Serverless PG 17
🟢
PgBouncer
tx + session
🟡
Supabase
pooler — workaround
🟢
Cloud SQL · CrunchyBridge · DO MPG
Expected¹

Four steps to
agentic protection

1

Write your policy

Define what each agent can do in policies.yaml — allowed tables, blocked operations, row limits, query timeouts. Per agent, per mission.

2

Run FaultWall proxy

Single command to start:

./faultwall --proxy --listen :5433 --upstream localhost:5432 --policies ./policies.yaml

3

Point agents at port 5433

Set application_name in the connection string. FaultWall parses the identity automatically.

postgres://...?application_name=agent:cursor-ai:mission:summarize

4

Queries are checked in real-time

Every query is parsed and checked against the agent's policy. Allowed queries pass through. Violations are blocked — the database never sees them.
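How a wire-level proxy can recover the identity set in step 3, as an added Go example that is not FaultWall's own code: it decodes a PostgreSQL protocol 3.0 StartupMessage and splits application_name into agent and mission. The function names and the sample role app_ro are assumptions, and the startup bytes are constructed rather than captured.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// ParseIdentity splits "agent:<id>:mission:<name>". The value is client-supplied,
// so it is a claim to check against the login role, not proof of identity.
func ParseIdentity(app string) (agent, mission string, err error) {
	p := strings.Split(app, ":")
	if len(p) != 4 || p[0] != "agent" || p[2] != "mission" || p[1] == "" || p[3] == "" {
		return "", "", errors.New("want agent:<id>:mission:<name>")
	}
	return p[1], p[3], nil
}

// StartupParams decodes a protocol 3.0 StartupMessage: int32 length, int32
// version (196608), NUL-terminated key/value strings, then a closing NUL.
func StartupParams(msg []byte) (map[string]string, error) {
	if len(msg) < 9 || int(binary.BigEndian.Uint32(msg)) != len(msg) || msg[len(msg)-1] != 0 {
		return nil, errors.New("malformed startup message")
	}
	if binary.BigEndian.Uint32(msg[4:]) != 196608 {
		return nil, errors.New("not a protocol 3.0 startup message")
	}
	f := strings.Split(string(msg[8:len(msg)-1]), "\x00")
	if len(f)%2 != 1 || f[len(f)-1] != "" { // key/value pairs plus one empty tail
		return nil, errors.New("unpaired or unterminated parameter")
	}
	params := map[string]string{}
	for i := 0; i+1 < len(f); i += 2 {
		params[f[i]] = f[i+1]
	}
	return params, nil
}

// sample builds a constructed StartupMessage for the demo (not captured traffic).
func sample(kv ...string) []byte {
	b := "\x00\x03\x00\x00" + strings.Join(kv, "\x00") + "\x00\x00"
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b)+4)), b...)
}

func main() {
	p, _ := StartupParams(sample("user", "app_ro", "application_name", "agent:cursor-ai:mission:summarize"))
	fmt.Println(ParseIdentity(p["application_name"]))
}
```

A connection whose application_name does not match the pattern returns an error here; what the proxy does with such a connection is a policy decision the page does not describe.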

Inline proxy —
nothing gets past

FaultWall sits between your agents and PostgreSQL, parsing every query in real-time.

🤖

AI Agent

Connects to :5433

🛡️

FaultWall Proxy

Parses SQL · Checks Policy
Port 5433

🐘

PostgreSQL

Only allowed queries
Port 5432

Built for the
confused deputy problem

Your AI agent has valid credentials. A prompt injection tells it to DROP TABLE. FaultWall is the only thing standing between intent and disaster.

faultwall — live query log
🔌 New connection agent=cursor-ai/summarize-feedback
🟢 ALLOWED agent=cursor-ai/summarize-feedback SELECT * FROM feedback LIMIT 100;
🔴 BLOCKED agent=cursor-ai/summarize-feedback   reason=blocked_operation DROP TABLE users;

Two modes for every stage

🛡️

Proxy Mode

Primary · Recommended

Inline L7 proxy between agents and PostgreSQL. Every query is parsed and checked against the agent's policy. Violations are blocked before they reach the database.

Blocks before execution
Sub-millisecond latency
Works with RDS/Aurora
📊

Monitor Mode

Visibility · Non-intrusive

For visibility without being in the data path. Polls pg_stat_activity to log agent queries and detect violations. Start here to learn your traffic patterns.

No schema changes
Zero overhead
Log-only mode

🧬 AutoResearch — Self-Tuning Detection

A genetic algorithm continuously evolves detection parameters — sensitivity thresholds, window sizes, baseline intervals — against your real workload. The longer FaultWall runs, the better it understands your database.

60%
Before tuning
100 generations
100%
After tuning · 0 false positives

Enterprise: Kernel-Level Attribution

Need deeper visibility? Our eBPF engine hooks into the Linux kernel's scheduler and block I/O subsystem. Every CPU nanosecond and disk byte attributed to the exact PostgreSQL PID — mapped back to the agent in real-time.

Available for teams running self-hosted PostgreSQL on Linux 5.8+ with PostgreSQL 14–16.

Contact Us →

shreyas@faultwall.com

Your AI agent has database credentials.
FaultWall shows you what it does — and stops what it shouldn't.

Open source. MIT licensed. One binary. Blocked queries never reach your database.
