Modu

The security control plane for AI-native development

Protect coding agents, sandboxes, and MCP tools behind one in-path gateway.

Modu is an in-path gateway in front of your coding agents, sandboxes, and MCP tools. Use one gateway or all three. We intercept every request to enforce security policies in real time, prevent data leaks and risky changes, and route work to the right providers, all from the CLI, IDE, and Slack workflows your team already uses, with full visibility into every AI-driven change.

Invite-only access. We will send early invite codes as capacity opens up.

Why teams need a security control plane for AI now

AI is already touching your code, infrastructure, and internal tools. Without an in-path layer, you cannot reliably control what it does or prove that it stayed within policy.

  • Coding agents can silently change sensitive code and infrastructure files.
  • AI can generate large, complex changes faster than traditional review processes were designed to handle.
  • Sandboxes can become a new path for data exfiltration and policy bypass.
  • MCP tools can give agents access to tickets, configs, and live customer data.
  • Traditional security and review tools run out of band and react after the fact.

Without an in-path layer, each agent, sandbox, or tool enforces its own rules, leaving gaps that mistakes and attackers can slip through. Modu is the in-path layer that lets you adopt all of this without losing control, even as AI usage spreads across your engineering org.
Platform

One security control plane, three modular gateways.

Modu centralizes policies, routing, telemetry, and observability for AI-native development across engineering, platform, and security teams. Start with any gateway (Coding Agent, Sandbox, or Tools) and add others over time. Everything shares the same security rules, the same rules of engagement for AI agents and tools, and a single place to audit and observe AI-driven activity.
Author time

Coding Agent Gateway

One secure CLI and Slack interface for every coding agent.

Install and manage all major coding agents from one place, like Homebrew but with guardrails. Developers talk to Modu in the CLI, IDE, or Slack. We sit in the path to apply file-level policies, secret checks, and routing before any AI-generated code touches your repo. If an agent is misconfigured or abused, Modu ensures it still cannot change code outside the paths and policies you set.

  • Single front door for Claude Code, Devin-style agents, Cursor, Amp, and more.
  • Author-time policies on which files and repos agents can edit.
  • Pre-apply checks for secrets, risky diffs, and required tests.
  • Unified prompts, diffs, test results, and cost telemetry and observability.
  • Run public or in-org side-by-side agent benchmarks.

Available standalone, or alongside the Sandbox and Tools gateways.
modu agents

    repo: payments service
    policy paths:
      allow: src/**
      block: infra/**, secrets/**
    ✓ diff matches policy

    $ modu run --task "refactor checkout"
    - secrets scan
    - tests run
    ✓ ready to apply and open PR
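As an added illustration (not Modu's own code), the check below evaluates the paths touched by a diff against an allow/block path policy like the one above: block rules win over allow rules, and a path matched by neither is denied by default. The glob handling, the function names and the sample diff are constructed for this example.

```javascript
// Added example (not Modu's code): check a diff's paths against an author-time allow/block path policy.
const policy = {
  allow: ["src/**"],
  block: ["infra/**", "secrets/**"],
};

// Minimal glob -> RegExp: "**" spans directories, "*" stops at a slash.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") { re += ".*"; i++; }
    else if (c === "*") re += "[^/]*";
    else re += c.replace(/[.+^${}()|[\]\\?]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

function matchesAny(path, globs) {
  return globs.some((g) => globToRegExp(g).test(path));
}

// Paths come from the "diff --git a/<old> b/<new>" headers of a unified diff.
function changedPaths(diff) {
  return [...diff.matchAll(/^diff --git a\/(\S+) b\/(\S+)$/gm)].map((m) => m[2]);
}

// Block rules take precedence; anything outside every allow rule is denied.
function evaluateDiff(diff, pol) {
  const r = { allowed: [], blocked: [], denied: [] };
  for (const p of changedPaths(diff)) {
    if (matchesAny(p, pol.block)) r.blocked.push(p);
    else if (matchesAny(p, pol.allow)) r.allowed.push(p);
    else r.denied.push(p);
  }
  r.ok = r.blocked.length === 0 && r.denied.length === 0;
  return r;
}

// Constructed diff: one allowed path, one blocked path, one unlisted path.
const sampleDiff = [
  "diff --git a/src/checkout/cart.ts b/src/checkout/cart.ts",
  "@@ -1 +1 @@",
  "+export const TAX = 0.21;",
  "diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf",
  "@@ -1 +1 @@",
  "+instance_type = \"t3.2xlarge\"",
  "diff --git a/docs/README.md b/docs/README.md",
].join("\n");
```

Running `evaluateDiff(sampleDiff, policy)` reports the src file as allowed, the infra file as blocked, and the docs file as denied because no allow rule covers it.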
Run time

Sandbox Gateway

Secure run-code API for AI workloads.

When agents need to execute code, they call Modu instead of individual sandbox providers. Modu chooses the right backend, such as e2b, Daytona, Modal, or Cloudflare, enforces isolation and network rules per run, and returns logs and results through the same secure layer. If a run is compromised or misused, Modu constrains where it executes, what it can reach, and what leaves the sandbox.

  • One SDK and API across multiple sandbox and compute providers, with the ability to switch or fail over without changing your application code.
  • Per-execution controls for region, runtime, network access, and limits.
  • Support for ephemeral tasks and longer-lived environments.
  • Unified logs, cost, and latency metrics across providers for consistent observability.
  • Easy integration with existing agent frameworks.

Use on its own, or extend the same control plane used by the Coding Agent and Tools gateways.
sdk example (node)

    import { runSandbox } from "@modu/sandbox"

    const result = await runSandbox({
      cmd: "npm test",
      image: "node:20",
      region: "eu-west-1",
      network: "isolated"
    })

    policy: no internet, eu region only
    ✓ sandbox provisioned on approved provider
    ✓ logs and exit code recorded to Modu
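To make the routing step concrete, here is an added example (not Modu's SDK) of how a gateway can pick a provider that honours a run's region and network constraints, fail over when the preferred provider cannot start the run, and record every outcome. The provider table, the `launch` callback and the request shape are constructed assumptions.

```javascript
// Added example, not Modu's code: route a run request to a sandbox provider
// that satisfies its region and network constraints, failing over in order.
// The provider table below is constructed for the illustration.
const providers = [
  { name: "provider-a", regions: ["us-east-1", "eu-west-1"], networks: ["open", "isolated"] },
  { name: "provider-b", regions: ["eu-west-1"], networks: ["isolated"] },
  { name: "provider-c", regions: ["us-east-1"], networks: ["open"] },
];

// Candidates, in preference order, that can honour every constraint.
function eligibleProviders(req, table) {
  return table.filter((p) =>
    p.regions.includes(req.region) && p.networks.includes(req.network));
}

// `launch(provider, req)` stands in for the provider SDK call; it returns
// null when the provider cannot start the run, which triggers failover.
function routeRun(req, table, launch, audit) {
  const candidates = eligibleProviders(req, table);
  if (candidates.length === 0) {
    audit.push({ cmd: req.cmd, outcome: "rejected", reason: "no approved provider" });
    return null;
  }
  for (const p of candidates) {
    const run = launch(p, req);
    if (run) {
      audit.push({ cmd: req.cmd, provider: p.name, region: req.region,
                   network: req.network, outcome: "ran", exitCode: run.exitCode });
      return { provider: p.name, exitCode: run.exitCode };
    }
    audit.push({ cmd: req.cmd, provider: p.name, outcome: "failover" });
  }
  audit.push({ cmd: req.cmd, outcome: "rejected", reason: "all providers failed" });
  return null;
}

// Simulated launcher: provider-a is "down", so the run fails over to provider-b.
function fakeLaunch(provider, req) {
  if (provider.name === "provider-a") return null;
  return { exitCode: 0 };
}

const auditLog = [];
const routed = routeRun(
  { cmd: "npm test", image: "node:20", region: "eu-west-1", network: "isolated" },
  providers, fakeLaunch, auditLog);
```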
Tools

Tools Gateway

One gateway and policy wall for AI tools (MCP host).

Agents connect to a single MCP endpoint: Modu. We fan out to your internal and external MCP servers, enforce which tools each agent or user may call, and control what data they can see, with a full audit trail of tool usage. If an agent or user issues unexpected tool calls, Modu enforces least-privilege access and blocks sensitive actions by default.

  • Central allow or deny for MCP tools by agent, user, or environment.
  • Scoped, rotated credentials and built-in secret redaction.
  • Rate limits and audit logs for every tool call.
  • Enforces data access rules for project, tenant, or region scopes.
  • Works with MCP-compatible agents and models out of the box.

Can be deployed independently, then extended with agent and sandbox policies in the same control plane.
mcp policy

    env: prod
    tool: jira.search
    allow: agents.review_bot
    scope: project = "payments"
    ✓ calls allowed within project scope

    tool: prod.db.write
    ✗ blocked by policy

    all calls logged to Modu audit trail
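The policy above, worked through as an added example (not Modu's implementation): tool calls are denied unless a rule matches the environment, tool and caller, every scope key in the rule must equal the corresponding call argument, and each decision is appended to an audit trail. The rule shape, principal names and call format are constructed for this illustration.

```javascript
// Added example, not Modu's code: default-deny authorization for MCP tool
// calls with per-rule scope constraints, as in the policy snippet above.
// Rule shape, principal names and call format are constructed assumptions.
const rules = [
  { env: "prod", tool: "jira.search", allow: ["agents.review_bot"],
    scope: { project: "payments" } },
];

// A rule applies only when env, tool and caller all match.
function findRule(call, ruleSet) {
  return ruleSet.find((r) =>
    r.env === call.env && r.tool === call.tool && r.allow.includes(call.principal));
}

// Every scope key must equal the call argument; a missing argument is a mismatch.
function withinScope(call, rule) {
  return Object.entries(rule.scope || {})
    .every(([k, v]) => call.args !== undefined && call.args[k] === v);
}

// Returns the decision and appends an audit record for every call, allowed or not.
function authorizeToolCall(call, ruleSet, audit) {
  const rule = findRule(call, ruleSet);
  let decision;
  if (!rule) decision = { allowed: false, reason: "no matching rule" };
  else if (!withinScope(call, rule)) decision = { allowed: false, reason: "outside scope" };
  else decision = { allowed: true, reason: "rule matched" };
  audit.push({ ...call, ...decision, at: new Date().toISOString() });
  return decision;
}

// Constructed calls: in scope, out of scope, and a tool with no rule at all.
const auditTrail = [];
const calls = [
  { env: "prod", principal: "agents.review_bot", tool: "jira.search", args: { project: "payments" } },
  { env: "prod", principal: "agents.review_bot", tool: "jira.search", args: { project: "billing" } },
  { env: "prod", principal: "agents.review_bot", tool: "prod.db.write", args: {} },
];
const decisions = calls.map((c) => authorizeToolCall(c, rules, auditTrail));
```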

How Modu works

Modu is adopted like a dev tool but behaves like a security gateway for your engineering, platform, and security teams. Install once, connect your AI surfaces, set policies, and let the control plane enforce them on every request.

1) Install Modu

Add Modu in the CLI, IDE, or Slack and connect your org to the security control plane. From then on, AI agents, sandboxes, and tools sit behind the same in-path layer.

2) Connect agents, sandboxes, and tools

Connect coding agents through the package manager, sandboxes through the SDK or API, and MCP tools through Modu as your MCP host. Start with any gateway; everything shares the same control plane.

3) Set security policies once

In a simple config file or web dashboard, define what agents can edit, where code may run, and which tools each workflow can call. Modu enforces these rules in real time on every request.

4) Run, route, and review

Developers keep using the terminal, IDE, and Slack. Modu intercepts each request, routes it to the right agent and sandbox, applies guardrails, and gives you unified logs, audits, and costs.
Real-world benchmarks for agents and sandboxes

We publish independent benchmarks across coding agents and sandbox providers so you can choose the safest and most effective stack and see how Modu routes traffic.

Adopt AI agents safely and keep your development stack resilient with a modular security control plane.

Modu is the in-path gateway in front of your coding agents, sandboxes, and MCP tools. Enforce security policies, prevent data leaks, and keep full visibility and control without forcing developers to change how they work. Start with the gateway that matches your biggest risk, and grow into the full control plane over time.

We will send invite codes as capacity opens up.