Guardbase launches Coding Agent Attack Matrix — framework for coding agent threat modeling
Claude Code Security

Secure Claude Code across your fleet.

Claude Code runs shell commands, edits files, and calls MCP servers with your developers' permissions. Guardbase sees how it's configured, catches the risky setups, and checks every action before it runs.

Watch out for

The Claude Code setups that go wrong.

Claude Code runs with your developer's permissions, so its configuration decides what it can reach. These are the settings, often changed to remove friction, that quietly widen that reach. Detection for them is on our roadmap.

settings.json

Permission prompts turned off

defaultMode set to bypassPermissions, or broad rules added to permissions.allow. Every action runs without a check.

Sandbox

Sandbox weakened or escaped

sandbox.enabled off, allowUnsandboxedCommands on, or a wide excludedCommands list. Commands like docker then reach the whole host.

MCP

Unreviewed MCP servers

Servers added in user or project scope that nobody vetted. STDIO servers run as unsandboxed children of the agent, outside the bash sandbox entirely.

CLAUDE.md

Poisoned memory files

CLAUDE.md and memory files load every session. Instructions planted there run as if they came from the user, on every run after.

Telemetry

Detection turned off

OTEL environment variables stripped from settings.json. The primary signal for everything above goes dark from the next session.

Skills

Skills from anywhere

Skills install from arbitrary paths and load instructions the agent will follow. Nobody reviews what they contain.

Coding Agent Attack Matrix

See exactly how Claude Code gets abused.

45 techniques across 12 tactics, from indirect prompt injection to credential theft to destructive git operations. Each with detection signals and the managed-settings control that stops it.

Open the matrix
How Guardbase secures it

See the config, control the actions, keep it that way.

Inventory

See the configuration

Guardbase reads Claude Code's settings, permission rules, hooks, MCP servers, and skills across every laptop, and flags the misconfigurations above.

Runtime

Check every action

Native hooks route every tool call through Guardbase before it runs. Allow, block, redact, or ask the user, based on identity, context, and risk.

Managed settings

Controls developers can't remove

Enforced through Claude Code managed settings, which take precedence over user, project, and local settings and cannot be overridden.

Guardbase flagging an unsanctioned MCP server on a device running Claude Code
An unvetted MCP server flagged on a device, with how to resolve it
How it hooks in

Native hooks, no changes to the agent.

Claude Code can call out to a hook on each event: before a tool runs, after it runs, and when a prompt is submitted. Guardbase registers on all of them, so every command, file edit, MCP call, and prompt routes through your policy. Deployed through managed settings, the hooks can't be removed by the developer.

managed-settings.json read-only
// deployed via managed settings
{
"hooks": {
"PreToolUse": [{ "matcher": "*", "hooks": [
{
"type": "http",
"url": "https://guardbase-tenant/hooks/claude/pre_tool_use",
"headers": { "Authorization": "Bearer …" }
}
]}],
"PostToolUse": [ ],
"UserPromptSubmit": [ ]
}
}

Bring Claude Code under control.

See discovery, runtime control, and the gateway running against a setup like yours.

FAQs

Common questions.

Claude Code is safe to adopt when it's governed. A default install is reasonable, but it runs shell commands, edits files, and calls MCP servers with a developer's full permissions, and its configuration can widen that reach. Guardbase inventories how it's configured across your fleet and controls every action at runtime.

No. Guardbase hooks into Claude Code through its native hook system and managed settings. Developers keep their workflow; the controls run underneath it.

No. The hooks are enforced through Claude Code's managed settings, which take precedence over user, project, and local settings and can't be overridden on a managed device.

Yes. Guardbase inventories both local and remote MCP servers, and can route them through a governed gateway that checks tool descriptions and requests at runtime.

Claude Code today, with Cursor, Codex, Gemini CLI, OpenCode, and Amp on the same footprint. Policies are enforced identically across all of them.

More questions? Book a call →

See Claude Code under control.

Book a demo and watch a risky Claude Code action get stopped before it runs.