# Imunify.ai

> Security layer for AI agents. Real-time visibility and kernel-level threat detection & prevention.

Imunify.ai is a security product that monitors and controls what AI agents do on Linux servers. It intercepts every file access, network connection, process execution, and tool call at the Linux kernel level — blocking credential theft, data exfiltration, prompt injection, and harmful operations before they complete.

## Key Facts

- **Product**: Imunify.ai — AI Agent Security Layer
- **Company**: CloudLinux Inc. (makers of Imunify360, protecting 60M+ websites)
- **Category**: AI Agent Runtime Security / IDS / IPS
- **Platform**: Linux (kernel 5.4+)
- **Website**: [imunify.ai](https://imunify.ai/)
- **Status**: Priority Access Program (onboarding hosting providers)

## What It Does

Imunify.ai provides five layers of interception plus human-in-the-loop approval:

1. **Kernel-Level Enforcement**: eBPF, fanotify, and seccomp intercept every file read, process execution, and network connection before it completes. Cannot be bypassed or disabled by the AI agent. Self-defending — if the sensor tries to kill the security layer, the sensor is terminated instead.
2. **Application-Layer Security (AppHook)**: Lightweight plugin intercepts every AI tool call and message before execution. Detects prompt injection, blocks credential access, requires human approval for shell commands. Fail-closed — if unavailable, all operations blocked.
3. **HTTP Proxy & Content Scanning**: Transparent HTTPS interception scoped to the agent process tree. Scans outbound requests and response bodies for secrets, PII, and leaked credentials using Aho-Corasick keyword matching and regex patterns.
4. **Cross-Event Correlation**: Analyzes full chains of events within an AI agent's turn. Individual events may be safe (reading .env, making HTTP request) but the sequence together indicates data exfiltration. Configurable rules: count, distinct, ordered chain, cross-layer conditions.
5. **Human-in-the-Loop**: Suspicious operations are held until a human approves or denies via Telegram, Discord, or Web Panel. Options: allow once, allow per session, allow always.

750+ configurable YAML rules across 13 threat categories.

## What It Prevents

- Credential theft (SSH keys, AWS credentials, API tokens, cloud configs)
- Sensitive data exfiltration (emails, PII, secrets sent to external endpoints)
- Privilege escalation (sudo, su, pkexec, sbin binaries)
- Prompt injection attacks (instruction override, role reassignment, encoded payloads)
- Network-based attacks (SSRF to cloud metadata, lateral movement, C2 connections)
- Supply chain risks (npm, pip, curl held for human approval)
- Multi-step attack chains (credential read followed by network exfiltration)

## Target Audience

- Hosting providers offering AI-enabled VPS hosting
- Server administrators running AI coding sensors (OpenClaw, Claude Code)
- Infrastructure teams deploying autonomous AI agents on Linux servers
- Security teams needing visibility into AI agent behavior

## Supported AI Agents

- **Full integration**: OpenClaw (application hooks + kernel enforcement)
- **Coming soon**: Claude Code
- **Kernel-level protection**: Any AI agent running on Linux (agent-agnostic syscall interception)

## Technical Stack

- Imunify Sensor with eBPF/seccomp/fanotify syscall interception
- Python server (FastAPI + async gRPC) with SQLite
- mitmproxy for transparent HTTP/HTTPS interception
- Next.js web panel for management
- YAML-based policy engine with 750+ rules across 13 categories
- Telegram, Discord, and Web Panel for human-in-the-loop approvals

## How It Compares

Unlike prompt guardrails (NeMo Guardrails, Guardrails AI) that filter text at the application layer, Imunify.ai enforces at the Linux kernel level — below the application, below the runtime, below the agent framework. If a sensor is jailbroken or prompt-injected, application-layer guardrails fail. Kernel-level enforcement cannot be bypassed because it operates in kernel space, not in the agent's process space.

Unlike container sandboxes (Docker, gVisor, E2B), Imunify.ai inspects at the syscall level. A container doesn't know if the sensor is reading README.md or .ssh/id_rsa — both are allowed file reads. Imunify.ai sees the path, checks it against rules, and blocks credential access while allowing legitimate work.

## Research

- [When an AI Agent Can Send Email, It Can Also Send Your .env](https://imunify.ai/blog/ai-agent-email-exfil-himalaya/) (2026-04-17): how OpenClaw's built-in himalaya mail skill turns into a data-exfiltration channel, why tool-call-layer regex and LLM-level safety both fail on renamed secret files, and how fanotify-based kernel interception catches the actual bytes.
- [LiteLLM Supply Chain Attack: How 12 Lines of Code Compromised 95 Million Downloads](https://imunify.ai/blog/litellm-supply-chain-attack/) (2026-03-26): deep technical analysis of the March 2026 TeamPCP supply chain attack against LiteLLM, covering credential theft, Kubernetes lateral movement, and persistent backdoors.

## Links

- [Website — imunify.ai](https://imunify.ai/)
- [Blog](https://imunify.ai/blog/)
- [News & Updates](https://imunify.ai/news)
- [Parent brand — Imunify360](https://www.imunify360.com/)
- [Company — CloudLinux](https://www.cloudlinux.com/)