Your agent anchors to Dryx before it acts. Offline. No model in the loop. The same verdict for the same action, every time.
Free to start. Your workspace never leaves your machine. Patent-pending across 11 filings · macOS 13+.
A real exposure graph: seven risk layers feed one composite the anchor holds fast. Copper marks the single precomputed-dangerous path Dryx already knows to stop.
Watch one moment two ways. An agent is about to run a precomputed-dangerous action — it's been talked into exfiltrating a live token by a prompt buried in a file it read.
The gate reads the action, not the argument — so the injection can win with the model and still lose to the gate. The rest of the time, Dryx says nothing: it's silent on the safe majority and surfaces only the one action it already knows is dangerous. You don't read a dashboard. Your agent already has the answer. Deterministic enforcement of the precomputed-dangerous set where the harness supports a hook; defense-in-depth everywhere else.
Three properties make Dryx an authority instead of another opinion. The operator and the agent move; Dryx stays put, and they take their bearings from it.
The same action gets the same verdict, every time. No model in the loop, no probability, no drift — the verdict is a fixed answer the slow path computed once.
Verdicts run on your machine. Your workspace never leaves it. Any Ecosystem Contribution is opt-in. Point Little Snitch at Dryx and watch nothing leave — the agent talks to it over loopback-only IPC. What touches the network? →
Dryx sits beside your agents, not inside the conversation. There's no prompt to poison, no instructions to override. A sentence in an email can steer a model. It can't move an anchor.
Action Guard is the reflex at the action boundary. It stays out of your way on nearly everything your agent does and speaks up only on an action Dryx already knows is dangerous — a verdict in under 10ms, because the slow path did the heavy analysis once and the hot path just checks the answer.
The gate reads the action, not the argument. A prompt injection can win the whole conversation with the model and still lose at the gate, because the gate isn't reading the conversation — it's reading what the action would actually reach.
The action-boundary reflex is off. Dryx still scans and maps your exposure in the background — it just doesn't weigh in at the boundary.
Every dangerous action is recorded and surfaced, nothing is stopped. This is where most operators start.
Dryx's verdict holds the action until you say otherwise.
Five things have to be true at once for an agent to anchor to something it can trust — all of them meeting at the harness hook, where the action actually happens.
Plenty of tools do one or two. In 2026, Palo Alto acquired Koi for roughly $400M — and named the result Agentic Endpoint Security, in the cloud. That leaves the offline developer-workstation seat open, right below them. That's the seat Dryx takes.
The behavioral baseline isn't a model that thinks harder at runtime — it's a precomputed input the policy compiles from. It covers more, it never thinks more. That's how the verdict stays deterministic.
Most security tools ask you to trust their marketing. We'd rather you check ours. Each line below links to the thing that proves it — a CI run, a signed release record, a published key.
Secure agent work has three roles, and Dryx is exactly one of them.
You. You hold the intent and the authority, and you keep the right to override any verdict.
Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini — and any MCP server. The intelligence doing the work on your behalf.
Dryx. The offline, deterministic reference the agent consults before it acts.
The agent reaches the Anchor through the Authority Anchor MCP: seven read-only tools, all attestation, no write access — get_overview, get_posture, list_findings, analyze_skill_or_mcp, check_mcp_server, check_action_allowed, report_reasoning.
Every Dryx user is an Operator — the role that holds authority in the Triad. There's no sign-up wall and no account to create; being an Operator isn't a list we keep, it's what you're doing the moment Dryx is running on your Mac. That's the house.
It's a closing, capped founding cohort — opened once, then closed. The honor is being early and being on the record for it, not keeping anyone out: Dryx is free for every Operator, and the Free tier ships real capability on day one.
The charter is delivered by email, so it's honored whether you buy direct or from the App Store; the badge is local and in-app. The Lifetime price is direct-download only. The honor is yours either way.
And instead of a wall of testimonials, we keep a Wall of Receipts: real, anonymized findings from real workspaces — the live token a trusted MCP was holding, the cron job nobody remembered, the cross-agent path that turned one compromise into three. What Dryx actually caught, not what people said about it. A trusted publisher can still be the top finding — provenance is not safety.
The Secrets layer is free for every Operator. Here's what people ask before they install — answered plainly.
No. Your workspace never leaves your machine and verdicts run offline; any Ecosystem Contribution is opt-in. You can verify it with Little Snitch — the agent reaches Dryx over loopback-only IPC. What touches the network? →
No. Dryx sits beside your agents, not in the conversation. The gate reads the action, not the argument — an injection can win with the model and still lose at the gate.
A verdict comes back in under 10ms. The slow analysis runs once; the hot path just checks the precomputed answer, and Dryx stays silent on the safe majority of actions.
Dryx maps every AI agent on your Mac — Claude Code, Claude Desktop, Cursor, Codex CLI, Cline, GitHub Copilot, Windsurf, Gemini, Ollama, LM Studio, and any other — and any MCP-capable agent can consult the Authority Anchor before it acts.
Yes — the Secrets layer, findings summaries, Skill Shield analyses, and integrations are free. Pro adds the other six risk layers, remediation, Drift, Context Shield, monitoring, and exports. Pricing is finalized at launch.
No. Enforce runs through the notarized direct-download helper. App Store users get the voluntary reflex plus passive monitoring — the agent still consults Dryx, it just isn't armed to hold the action.
Exact Free / Pro tiers and the Founding Member Lifetime are finalized at launch. The Lifetime deal rides the direct-download build for the first cohort of Operators.
One list, three intents. Tell us what brought you and which agents you run, and we'll reach out before launch.
Free to start. Your workspace never leaves your machine. No telemetry — we only get the email and the answers you choose to give.