Status: Conformant
Tier: Core (R1–R6)
Verified: April 2026
Builder Member: Yes
Description
Formal is a protocol-aware reverse proxy that enforces least privilege at the wire-protocol level across data, infrastructure, and AI agent traffic. It sits between identities (humans and AI agents) and resources such as databases, warehouses, SSH/Kubernetes servers, and MCP servers, parsing wire protocols natively and evaluating security policies inline on every request.

For AI agent workloads, Formal proxies traffic between agents and resources, applying the same policy surface it applies to human-initiated database queries: identity resolution, query-level authorization, PII masking, tool-call filtering, and full audit capture. Because the proxy parses wire protocols natively rather than treating them as opaque TCP traffic, it can make decisions based on the specific tool being invoked, the arguments being passed, and the data flowing back.

Formal’s relevance to AARM is direct: it operates at the wire-protocol chokepoint where agents call tools, which makes it a natural pre-execution enforcement point for authorization, identity binding, and tamper-evident auditing of autonomous agent activity.

Platform capabilities
Universal agent network proxy
Proxies every AI agent network call including databases, infrastructure, and MCP servers. Native MCP protocol parsing enables decisions on the specific tool and arguments invoked rather than opaque TCP metadata.
Eight inline policy actions
Allow, Block, Mask, Filter, Rewrite, Quarantine, Suspend, and MFA — evaluated at three stages of the request lifecycle: session, request, and response.
Identity-aware access control
JIT access scoped to individual commands and data, not just roles, provisioned via Slack and Jira with Okta-integrated, short-lived credentials. Every identity, human or agent, is resolved before policy evaluation.
Panopticon audit layer
Every query, session, and policy decision logged with full context across every protocol. Sub-second search across full history, with export to Splunk, Datadog, or S3.
PII and PHI masking
Query-level data masking for HIPAA, SOC 2, PCI DSS, and GDPR. PII is stripped from agent tool-call responses before reaching the LLM, preventing leakage into model context.
Policy backtesting
What-if analysis runs proposed policies against up to 31 days of historical logs before enforcement, showing exactly which requests would be blocked or masked.
Integration coverage
Formal sits at the wire-protocol layer, so the same proxy governs agent traffic, human database access, and infrastructure sessions through a single policy surface.
Protocols and resources
One stateless binary handles various protocols including MCP, Postgres, MySQL, MongoDB, Snowflake, BigQuery, ClickHouse, DynamoDB, Redis, S3, SSH, Kubernetes, RDP, HTTP, and gRPC. Native wire-level parsing, not generic TCP passthrough.
AI clients and agents
Supports any client or agent, including Claude Code, Cursor, and custom-built agents. No client-side SDK or code changes required — agents point their MCP connection string through the Formal proxy.
Identity and security stack
Native Okta integration for SSO and provisioning, with Slack and Jira hooks for just-in-time access requests. Audit logs export to Splunk, Datadog, and S3.
Deployment model
Deployed as a single distroless Go binary in the customer’s VPC via Terraform, Pulumi, Kubernetes, or Docker. Stateless, with sub-10ms p50 overhead. Data never leaves customer infrastructure.
This page is maintained by the AARM Technical Working Group. To report an inaccuracy or request an update, open a GitHub issue.
