Tutorial · March 2026 · 5 min read

Secure Your Agents in 3 Lines of Code

You're shipping an AI agent to production this week. Here's how to add security without touching your agent logic — no refactoring, no new abstractions, no changes to your prompts or tool definitions.

The decorator API

The fastest way to add Rune is the @shield.protect() decorator. Wrap any function that calls an LLM or executes a tool — Rune scans inputs before execution and outputs after, automatically.

agent.py
from rune import Shield

# One Shield instance per process; the key comes from your Rune account.
shield = Shield(api_key="rune_live_...")

# Every call to call_tool is now scanned: its inputs before it runs and its
# return value after. `agent` is your existing framework agent instance.
@shield.protect(agent_id="my-agent")
async def call_tool(name, params):
    return await agent.run(name, **params)

That's it. Three lines: import, initialize, decorate. Works with any Python agent framework — OpenAI, Anthropic, LangChain, CrewAI, or your custom agent.

What gets scanned

Input scanning

Every input to your protected function is scanned for prompt injection, social engineering, and manipulation patterns before your code runs.

Output scanning

Every return value is scanned for data leakage — API keys, credentials, PII, and sensitive information that shouldn't leave the system.

Tool call interception

When your agent calls external tools, Rune checks the tool name, parameters, and context against your security policies and threat patterns.
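To make the scan-before-and-after mechanics concrete, here is an added, self-contained Python example. It is not Rune's code and does not use the rune package: the Shield, Event and Blocked names, the regex pattern lists and the call_tool stand-in are all constructed for illustration, and a production scanner would rely on a much larger curated pattern set plus model-based classification rather than a handful of regexes.

```python
"""Added example (not Rune's code): a minimal protect-style decorator that
scans inputs before a tool runs and its return value after it returns.
Every name below is hypothetical; the patterns are constructed samples."""
import asyncio
import functools
import re
from dataclasses import dataclass, field

# Constructed injection indicators for illustration only.
INJECTION_PATTERNS = [
    re.compile(r"ignore (all )?(previous|prior) instructions", re.I),
    re.compile(r"you are now (the )?(system|admin)", re.I),
    re.compile(r"\bsystem override\b", re.I),
]

# Constructed indicators of data that should not leave the system.
LEAK_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


class Blocked(Exception):
    """Raised when a scan decides the call must not proceed."""


@dataclass
class Event:
    agent_id: str
    phase: str        # "input" or "output"
    threat_type: str
    severity: str
    action: str
    detail: str


@dataclass
class Shield:
    events: list = field(default_factory=list)

    def _walk_strings(self, value):
        # Recursively yield every string nested in args, dicts and lists.
        if isinstance(value, str):
            yield value
        elif isinstance(value, dict):
            for v in value.values():
                yield from self._walk_strings(v)
        elif isinstance(value, (list, tuple)):
            for v in value:
                yield from self._walk_strings(v)

    def scan_input(self, agent_id, args, kwargs):
        for text in self._walk_strings([args, kwargs]):
            for pat in INJECTION_PATTERNS:
                if pat.search(text):
                    ev = Event(agent_id, "input", "prompt_injection", "critical",
                               "BLOCKED", f"matched {pat.pattern!r} in input")
                    self.events.append(ev)
                    raise Blocked(ev.detail)

    def scan_output(self, agent_id, result):
        for text in self._walk_strings(result):
            for name, pat in LEAK_PATTERNS.items():
                if pat.search(text):
                    ev = Event(agent_id, "output", f"data_leak:{name}", "high",
                               "BLOCKED", f"{name} pattern matched in return value")
                    self.events.append(ev)
                    raise Blocked(ev.detail)

    def protect(self, agent_id):
        # Decorator factory: wraps an async function with both scans.
        def decorator(fn):
            @functools.wraps(fn)
            async def wrapper(*args, **kwargs):
                self.scan_input(agent_id, args, kwargs)
                result = await fn(*args, **kwargs)
                self.scan_output(agent_id, result)
                return result
            return wrapper
        return decorator


shield = Shield()


@shield.protect(agent_id="demo-agent")
async def call_tool(name, params):
    # Constructed stand-in for a framework's agent.run(): fake tool results.
    if name == "lookup_user":
        return {"user": params["user"], "contact": "alice@example.com"}
    return {"ok": True, "tool": name}


def run(name, params):
    """Run call_tool synchronously; returns its result, or the Event that blocked it."""
    try:
        return asyncio.run(call_tool(name, params))
    except Blocked:
        return shield.events[-1]
```

A benign call passes through unchanged; an input carrying an override instruction is stopped before the wrapped function runs, and a return value containing a contact address is stopped after it runs but before the caller sees it. In both cases the decision is recorded as an Event, which is the part a dashboard or SIEM would consume.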

What gets blocked

Here's what happens when a prompt injection hits your protected agent. The attacker embeds instructions in user input, and Rune catches it before execution:

Terminal output
[Rune] Scanning input... threat detected
[Rune] Type: prompt_injection | Severity: critical
[Rune] Action: BLOCKED
[Rune] Detail: Embedded system override instruction
       detected in user input. Attempted tool hijack
       targeting send_email.
[Rune] Event logged → runesec.dev/events

The malicious tool call never executes. The event appears in your dashboard with full context — the raw input, the detected threat type, the severity, and the action taken.

Going further

Define policies as code. Write YAML policies that control which tools each agent can call, what parameters are allowed, and what data can flow in and out. Check them into version control alongside your agent code.
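As an added example that is not Rune's policy format or evaluator, the block below shows what a policy-as-code check for tool calls can look like. POLICY is a constructed dict in the shape that yaml.safe_load produces for the YAML sketched in the comment; evaluate() decides one tool call for one agent and fails closed on any agent, tool or parameter the policy does not name.

```python
"""Added example (not Rune's code): evaluating a per-agent tool policy.
The policy keys (tools, params, pattern, allowed_domains, max_length) are
hypothetical; the equivalent YAML would be:

agents:
  support-agent:
    tools:
      lookup_order:
        params:
          order_id: {pattern: "^ORD-\\d{6}$"}
      send_email:
        params:
          to: {allowed_domains: [example.com]}
          body: {max_length: 2000}
"""
import re
from dataclasses import dataclass

# Constructed policy, in the structure yaml.safe_load gives for the YAML above.
POLICY = {
    "agents": {
        "support-agent": {
            "tools": {
                "lookup_order": {
                    "params": {"order_id": {"pattern": r"^ORD-\d{6}$"}},
                },
                "send_email": {
                    "params": {
                        "to": {"allowed_domains": ["example.com"]},
                        "body": {"max_length": 2000},
                    },
                },
            },
        },
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(policy, agent_id, tool, params):
    """Allow a tool call only if the agent, the tool and every parameter are
    explicitly permitted; anything unknown is denied (fail closed)."""
    agent = policy["agents"].get(agent_id)
    if agent is None:
        return Decision(False, f"no policy for agent {agent_id}")
    tools = agent.get("tools", {})
    if tool not in tools:
        return Decision(False, f"tool {tool} not in allow-list for {agent_id}")
    rules = tools[tool].get("params", {})
    for name, value in params.items():
        if name not in rules:
            return Decision(False, f"parameter {name} not permitted for {tool}")
        rule = rules[name]
        text = str(value)
        if "pattern" in rule and not re.fullmatch(rule["pattern"], text):
            return Decision(False, f"{name}={text!r} does not match {rule['pattern']}")
        if "allowed_domains" in rule:
            domain = text.rsplit("@", 1)[-1].lower()
            if domain not in rule["allowed_domains"]:
                return Decision(False, f"{name} domain {domain} not allowed")
        if "max_length" in rule and len(text) > rule["max_length"]:
            return Decision(False, f"{name} exceeds {rule['max_length']} chars")
    return Decision(True, "allowed")
```

The fail-closed choices are deliberate: a tool missing from the allow-list, an extra parameter the policy never mentioned, or an agent with no policy at all are all denied with a reason string, so a policy file checked into version control fully describes what each agent may do and a reviewer can diff that over time.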

Use the dashboard. Every event Rune processes shows up in real time. Per-agent risk scores, event timelines, and alert routing to Slack, email, or webhooks.

Framework-specific integrations. For deeper integration, check out our LangChain, OpenAI, Claude, CrewAI, and MCP guides for native middleware and client wrapper integrations.

Start shipping securely

Three lines of code. Every tool call scanned. Free plan includes 10K events/mo — deploy in under 10 minutes.
