ThornGuard Overview

The Model Context Protocol (MCP) is a revolutionary standard that allows AI assistants (like Claude) to connect directly to external tools, databases, and APIs. However, this creates a massive security vulnerability: AI Agents are inherently unpredictable.

If you give an AI access to a database or a codebase, it is vulnerable to:

  1. Prompt Injection / Ingress Threats: An attacker tricks the AI into executing a malicious command (e.g., rm -rf / or DROP TABLE users).
  2. Data Exfiltration / Egress Threats: The AI reads sensitive data (PII, API Keys) and accidentally outputs it into the chat, sending it to third-party LLM providers.
  3. SSRF (Server-Side Request Forgery): The AI attempts to scan or access internal, private cloud networks.

ThornGuard is a lightning-fast, edge-deployed API gateway built by Qwady Solutions. It acts as a transparent, Zero-Trust proxy between your AI Client and your upstream MCP tools.

Instead of connecting Claude directly to your database or GitHub repository, you connect Claude to ThornGuard. ThornGuard deeply inspects the traffic, redacts sensitive data on the fly, and securely proxies the request to your tool.

Ingress Protection

Deep JSON-RPC packet inspection instantly blocks dangerous AI-generated payloads before they reach your infrastructure.

Egress DLP (Data Masking)

Actively parses live Server-Sent Event (SSE) streams to redact PII (Social Security Numbers, AWS Keys, emails) into [THORNGUARD REDACTED] tags.
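
Redacting a live SSE stream has one failure mode worth seeing in code: a value split across two network chunks slips past a scan that looks at each chunk on its own. The sketch below is an added example, not ThornGuard's code; the SseRedactor class, the three patterns, the size cap and the sample chunks are assumptions constructed for illustration.

```javascript
// Added example, not ThornGuard's code. Patterns and cap are assumptions.
const MASK = "[THORNGUARD REDACTED]"; // tag text as given on the page
const MAX_PENDING = 64 * 1024;        // assumed cap on one unterminated line
const PATTERNS = [
  /\b\d{3}-\d{2}-\d{4}\b/g,                          // US SSN layout
  /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g,                  // AWS access key ID
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, // email address
];

function redactText(text) {
  return PATTERNS.reduce((t, re) => t.replace(re, MASK), text);
}

// SSE field values cannot contain a newline, so a complete line is the
// smallest unit that is safe to scan. Partial lines are held back.
class SseRedactor {
  constructor() { this.pending = ""; }

  // Accept one decoded network chunk; return redacted complete lines only.
  push(chunk) {
    // Normalise CRLF; a lone trailing "\r" stays pending until its "\n" arrives.
    this.pending = (this.pending + chunk).replace(/\r\n/g, "\n");
    const cut = this.pending.lastIndexOf("\n");
    const ready = this.pending.slice(0, cut + 1); // "" when no newline yet
    this.pending = this.pending.slice(cut + 1);
    // Fail closed instead of buffering an endless line from a hostile upstream.
    if (this.pending.length > MAX_PENDING) throw new Error("SSE line too long");
    return redactText(ready);
  }

  // End of stream: scan and release whatever is still held back.
  flush() {
    const rest = redactText(this.pending);
    this.pending = "";
    return rest;
  }
}

// Constructed sample: chunk boundaries fall inside an SSN and an email address.
const SAMPLE_CHUNKS = [
  'event: message\ndata: {"ssn":"123-4',
  '5-6789","key":"AKIAIOSFODNN7EXAMPLE"}\n\ndata: mail bob@exa',
  'mple.org\n\n',
];

function runSample() {
  const redactor = new SseRedactor();
  return SAMPLE_CHUNKS.map((c) => redactor.push(c)).join("") + redactor.flush();
}
```

In a Worker, push() and flush() would be called from the transform and flush callbacks of a TransformStream placed on the upstream response body, after decoding bytes to text.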

Tamper-Proof Audit Trail

Full observability into what your AI agents are doing. Every connection, blocked request, and successful tool call is securely logged.

Identity Masking

Transparently proxies OAuth handshakes and rewrites HTTP headers, allowing strict clients to securely authenticate without triggering anti-phishing alarms.

ThornGuard operates entirely on Cloudflare Workers.

  • Zero Latency: By running on the edge, ThornGuard intercepts and processes packets physically close to the user, adding minimal overhead to MCP requests.
  • Instant Validation: Subscriptions and licenses are managed via the Polar.sh API but heavily cached in Cloudflare KV memory for instant authorization.
  • Asynchronous Logging: Audit logs are pushed to a Cloudflare D1 (SQLite) database, ensuring that database writes never block or slow down the AI’s response stream.