Praxent Guard

Guard is a security framework that deploys to every Claude Code project at Praxent. It automatically enforces a curated set of protections across six risk domains — no manual setup per engagement, no relying on individual engineers to remember the rules. Once installed, it runs silently in the background and only surfaces when it catches something that needs your attention.

Guard enforces protections programmatically using Claude Code's hook system — deterministic scripts that intercept the agent's actions before, during, and after tool use. This isn't a checklist or a policy document. It's code that runs every time, without exception, using regex pattern matching, Semgrep static analysis, and entropy-based secret detection.

Guard was purpose-built for environments like Praxent's — where engineers work inside client codebases every day, across projects with different data sensitivity, compliance requirements, and access levels. It brings consistent, auditable AI governance to every engagement from day one, so delivery teams can move fast without introducing new risk.

When you're working inside a client's repository with an agentic coding tool, you're one misconfigured session away from exfiltrating credentials, committing production configs, or touching systems you didn't intend to. That's not theoretical — it's the default behavior of unconstrained agentic tools. Client trust is the most valuable thing Praxent has, and it takes years to build and seconds to damage.

Praxent engineers work across dozens of client environments simultaneously. Each has different data sensitivity, compliance requirements, and access levels. A single baseline framework that enforces the same protections everywhere removes the human error variable — and gives practice directors confidence that agentic tools are being used consistently across every engagement, not just the ones where someone remembered to be careful.

Agentic coding tools are dramatically more capable than autocomplete. They read files, execute shell commands, push code, call APIs, and make decisions across multi-step workflows — all without a human approving each action. That capability is the point. Guard closes the gap between what these tools can do and the discipline required to do it safely at a professional services firm.

Guard runs at three points in every Claude Code action cycle. UserPromptSubmit hooks scan prompts before they reach the model, blocking requests that would initiate a protected operation. PreToolUse hooks intercept tool calls before execution — if the agent tries to read a production config or install a suspicious package, the hook fires first. PostToolUse hooks validate outputs before they persist or propagate. Each hook runs deterministically — no AI judgment, no added latency from model calls, no second-guessing.

Guard doesn't apply a one-size-fits-all lockdown. It deploys via an installer that interrogates each project's context — the type of engagement, the frameworks in use, the likely data sensitivity. Based on that, it applies the right protection profile for the project. The goal is friction-free for normal work, and friction-ful for the things that shouldn't happen.

Guard lives under Praxent's Enablement Accelerator — the collection of frameworks, patterns, and tools that help delivery teams move faster without introducing new risk. It's infrastructure, not process. It doesn't require anyone to fill out a form or run a checklist. It runs automatically as part of project setup, the same way on every engagement.

Guard is the first component of a broader agentic harness being built incrementally. The harness is a layered system designed to govern AI-assisted development at scale — adding more capability at each layer, governed by more intelligence. Before you can trust agentic tools to do more, you need reliable guardrails as the foundation. Guard is that foundation.

Guard V1 is currently being tested by the CoE team across internal projects. It covers the highest-priority risk vectors across all six protection layers. Rollout to delivery teams is imminent. When you're onboarded, Guard installs automatically as part of project setup — no action required on your part.

Guard expands its coverage incrementally — the most critical risk vectors first, additional vectors added as the system matures and is validated in real project contexts. This is not a one-time release with a hard cutover date. It's ongoing domain work. The goal is a system that gets more comprehensive over time without ever becoming so restrictive that it slows down normal work.