FAQ

An AI agent firewall is a new category of endpoint security that intercepts, classifies, and governs everything AI agents try to execute on your machine — at the OS level, in real time. TURI is the first AI agent firewall built for macOS.

No — and it doesn't try to. Your EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender) is excellent at fleet-wide threat detection and known-bad process blocking. TURI adds what EDR can't: agent identity. It classifies whether a process was spawned by an AI agent or a human, and applies different policy based on that distinction. See the full comparison.

Your EDR correlates process trees and blocks known-bad chains — that's valuable and TURI doesn't replace it. But your EDR applies the same policy to node whether it was spawned by a developer in Terminal or by Cursor acting on a prompt injection. It blocks node → osascript because that's suspicious for any parent — but it can't apply different policy for AI-initiated vs. human-initiated execution of the same binary. TURI adds that layer: agent classification, MCP tool governance, and behavioral rules that understand agentic session context.

Yes. TURI uses Apple's multi-client Endpoint Security API— macOS supports multiple ES clients running simultaneously. Each client receives independent AUTH events and makes independent decisions. TURI's system extensions coexist with CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and other ES-based agents. No kernel extension, no conflict. If you encounter a specific compatibility issue, we want to know — design partners get direct engineering support.

macOS is where the AI agent attack surface is densest: 80%+ of AI coding tool usage (Cursor, Claude Code, Windsurf) happens on Mac. Apple's Endpoint Security framework is the most advanced user-space security API on any desktop OS — no kernel extension required. We started where the threat is highest and the enforcement API is strongest. Windows and Linux are on the roadmap.

TURI has two enforcement planes: sync and async. Sync enforcement (process governance, file access control, NE domain blocklist) handles the first gate — ungoverned runners get blocked, sensitive file access gets denied, blocklisted domains get dropped. All of this happens on the first action. Async behavioral detection handles the contextualgate: was this action part of a multi-step chain? Did a secret read precede an egress attempt? That's inherently a second-action judgment — and it triggers quarantine + VerdictCache flush so the nextaction in the chain is blocked synchronously. EDR's inline blocking uses static signatures or ML on single-event features. TURI's async engine uses a causal graph with session context. Different tools for different threat models. See enforcement guide.

macOS Sandbox is static and app-scoped — it restricts what a single signed app can do. TURI governs agent-driven execution chains dynamically: cross-process, cross-tool, with behavioral rules that understand multi-step attack patterns like secret-read → egress or npm → osascript. The Sandbox can't classify AI vs. human actions, correlate causal chains, or prompt you before a tool call completes.

Default is usually monitor/observation: telemetry and alerts, few sync denies. The secure baseline + labs show when execBlocked and install gates appear.

Typically detect (alert), not block, until you enable the supply-chain gate and harden behavioral rules. See the npm supply chain and evaluation gaps.

No — that is cloud/cluster runtime. TURI is macOS laptops and Mac CI. See explicit non-coverage.

Yes. Process governance and policy classify agent processes without agent integration.

Not always. Check enforcement_mode AND in-app Observation mode. Platform integrity may still enforce.

Via a local JSON policy file deployed by your MDM.

MacFirewall is the internal engineering codename; TURI is the product brand and the name you'll see across this site.