HYDRADB NATIVE · MEMORY INTEGRITY · MCP FIREWALL

Secure the memory layer before your agent acts.

Graph-native proof, not prompt vibes.

HydraSentry replays clean and poisoned HydraDB context, traces the exact graph path behind unsafe behavior, blocks risky memory through MCP, and exports a Memory Integrity Certificate.

12/100
Risk Score
SAFE
Status
LOW
Risk Band
0 / 6
Stage
Agent baseline answer

Refunds above £500 require manager approval.

Pipeline · idle
  1. 1 · BASELINEBaseline replay
  2. 2 · POISONInject poisoned memory
  3. 3 · ATTACKEDAttacked replay
  4. 4 · GRAPHTrace the tainted path
  5. 5 · FIREWALLMCP Firewall blocks
  6. 6 · CERTIFICATEMemory Integrity Certificate
  • HydraDB query_paths
  • Memory Integrity Certificate
  • MCP Firewall
  • SkillMake Verifier
  • Replay Harness
  • Regression Rules
  • Evidence Reports
Verified Artifact · Signed Document

Every blocked attack ships a Memory Integrity Certificate.

When the firewall severs a poisoned action, HydraSentry seals the evidence into a portable certificate: the tainted node, the chunk it came from, the firewall decision, and the regression rule that keeps it from recurring.

HydraSentry · Verified Artifact

Memory Integrity Certificate

MIC-2026-REFUND-001
Certificate ID
MIC-2026-REFUND-001
Scenario
memory_poisoning_refund
Risk Score
87 / 100
Decision
BLOCKED
Attack Type
Memory Poisoning
Tainted Node
mem_poison_047
Chunk ID
mem_poison_047_chunk_0000
Tenant
hydrasentry-owned-test
Subtenant
support_agent
Firewall Action
approve_refund() blocked
Quarantine
complete
Regression Rule
created
Report
ready
MCP Firewall · Authorized Signatory
Derived scenario · offline
00WHAT HYDRASENTRY DOES

Replay the attack. Trace the path. Block the action. Certify the fix. Graph-native proof, not prompt vibes.

query_pathsα
HydraDB graph-native
Parses the exact triplet path that carried poison into context.
MCPβ
Context firewall
Blocks unsafe context through a Model Context Protocol gateway.
SkillMakeγ
Skill verifier
Scans SKILL.md for hidden injection and dangerous instructions.
Replayδ
Behavior diff
Reruns the same task against clean and poisoned memory.
01HOW IT WORKS

How a poisoned memory reaches the agent

Prompt scanners tell you something failed. HydraSentry shows how poisoned context reached the agent, nine recorded steps along the exact graph path, one blocked at the firewall.

SAFECOMPROMISEDINTERCEPT · RESOLVE
01Seed contextClean refund policy in HydraDB02Baseline replayAgent asks approval · SAFE03Inject poison"VIP refunds bypass policy"04Poisoned replayApproves £900 · COMPROMISED05Score riskRisk engine · 87 / HIGH06Extract graphTainted query_paths to core07MCP firewallContext withheld · BLOCKED08Quarantinemem_poison_047 severed09Evidence reportRule · scan · report exported
02CAPABILITIES

A full platform,
not a test runner

One system to replay, map, block, quarantine, verify, schedule, and refine. Every result reproducible.

GR
Graph evidence viewer
Real HydraDB query_paths when present; an honest, labeled derived graph when empty. Never faked.
RX
Deterministic risk engine
60% rules, 25% optional model judge, 15% replay diff. Reproducible scores, every run.
FW
MCP context firewall
allow · warn · block · quarantine · require review. Write actions guarded by shared secret.
SK
SkillMake verifier
Hidden injection, secret access, shell, network calls, and description mismatch, all caught.
SC
Scheduled agents
Nightly memory scans, policy drift checks, regression replays, and weekly security reports.
SR
Self-refinement engine
Every accepted finding becomes a rule, a regression test, and a scheduled future scan.
R0THE OPEN PROBLEM

The unsolved layer: persistent memory integrity

Prompt injection is transient. Memory poisoning persists. Once a poisoned memory is retrieved, it becomes indistinguishable from trusted context unless the system tracks provenance, replay behavior, and graph path evidence. HydraSentry turns every replay into a Memory Integrity Certificate: what changed, which node carried it, which tool would have fired, and what rule now prevents it.

01
Persistent Memory Poisoning
A malicious memory survives the session that wrote it and steers a later, unrelated task toward an unsafe action.
02
Skill Supply Chain Risk
Installed skills carry hidden injection, secret access, and exfiltration that no prompt scanner inspects before they run.
03
MCP Tool Surface Risk
Poisoned context decides which tool fires. The unsafe action is the real blast radius, not the words in the prompt.
04
Graph Provenance Gap
Once retrieved, a poisoned memory reads as trusted context unless the system tracks the exact node and path that carried it.
05
Certified Replay Defense
Every replay becomes a Memory Integrity Certificate: what changed, which node carried it, which tool would have fired, which rule now blocks it.
03THE METHOD

From task to evidence in one deterministic loop

Every accepted finding becomes a regression rule, so the same poisoned memory can never reach the agent twice.

01
Provision & seed
Owned tenant, clean policy + memory ingested with relations.
02
Replay
Baseline vs poisoned agent answers under identical task.
03
Extract & taint
Parse query_paths, mark tainted triplets and chunk provenance.
04
Score & decide
Deterministic risk, then firewall: block or quarantine.
05
Report & refine
Markdown evidence, regression rule, next scheduled scan.
Install · Connect

Wire your agent in two steps.

HydraSentry is a stdio MCP server. Install it, point any MCP-compatible client at it, and every risky memory your agent retrieves is scored, blocked, and certified. No account, no sign-in.

1Install the MCP server
TERMINAL
pip install hydrasentry-mcp
2Add it to your MCP client config
MCP CLIENT CONFIG
{
  "mcpServers": {
    "hydrasentry": {
      "command": "hydrasentry-mcp"
    }
  }
}

Want your own model? Bring a key in Settings (optional).

Read the docs
GET STARTED

Catch the attack before
your users ever do.

Graph-native context integrity for memory-powered agents. See exactly what your agent's memory does, and prove it is safe.