Tirith is an open-source terminal security tool written in Rust that intercepts and analyzes shell commands and pasted text in real-time, detecting homograph attacks, pipe-to-shell patterns, ANSI injection, and 80+ other threats across 15 categories before they execute.

Does tirith require an internet connection?

No. Tirith runs entirely offline with zero network calls. All detection logic is compiled into the binary. There is no telemetry, no cloud dependency, and no data leaves your machine.

Tirith processes clean commands in under 0.1ms via its Tier 1 fast gate. Full analysis across all 80+ rules completes in under 2ms. The shell hook adds negligible latency to command execution.

How does tirith detect homograph attacks?

Tirith analyzes hostnames character-by-character, detecting non-ASCII characters, mixed-script usage (e.g., Cyrillic characters mixed with Latin), punycode encoding, and confusable Unicode characters that visually mimic legitimate domain names.

Yes. The Community tier is free forever and includes all 80+ detection rules, shell hooks, MCP server, local audit log, YAML policy system, and SARIF output. Team/Enterprise pricing is available for organizations needing centralized management.

How does tirith work with AI coding agents?

Tirith includes an MCP (Model Context Protocol) server with 7 tools that AI coding agents like Claude Code, Cursor, Codex, and VS Code Copilot call to check commands, URLs, and files for security threats before executing them. Setup is one command: tirith setup claude-code --with-mcp.

What shells does tirith support?

Tirith supports Bash, Zsh, Fish, and PowerShell on macOS, Linux, and Windows. Shell hooks are installed by adding eval "$(tirith init --shell )" to your shell configuration file.

Detection Rules

81 detection rules across 15 categories. All rules run at every tier — no features gated behind paid plans.

Rule IDs are stable identifiers you can use in policy severity_overrides and allowlists.

10Hostname

Homograph attacks, punycode, confusable characters, IDN spoofing

Rule ID	Severity	Description
non_ascii_hostname	CRITICAL	Detects hostnames containing non-ASCII characters that may be visual spoofs of legitimate domains.
punycode_domain	HIGH	Detects internationalized domain names encoded as punycode (xn--) that may disguise malicious domains.
mixed_script_hostname	CRITICAL	Detects hostnames mixing character scripts (Latin + Cyrillic) — a strong indicator of homograph attacks.
confusable_characters	HIGH	Identifies characters that are visually similar to common ASCII letters but are from different Unicode blocks.
idn_homograph	CRITICAL	Full internationalized domain name homograph detection using Unicode confusable mappings.
suspicious_tld	MEDIUM	Flags domains using TLDs commonly associated with abuse or phishing campaigns.
ip_address_hostname	MEDIUM	Detects raw IP addresses used instead of domain names — common in C2 and phishing infrastructure.
excess_subdomains	LOW	Flags URLs with unusually deep subdomain nesting, often used to obscure the actual domain.
lookalike_domain	HIGH	Detects domains that closely resemble popular services (typosquatting, character substitution).
newly_registered_domain	LOW	Flags domains matching patterns common in newly registered or disposable domain infrastructure.

3Path

Non-ASCII paths, homoglyphs, encoded traversal sequences

Rule ID	Severity	Description
non_ascii_path	HIGH	Detects non-ASCII characters in URL paths that may be used to evade path-based security filters.
path_homoglyph	HIGH	Identifies visually similar Unicode characters in URL paths that may disguise the real file being fetched.
encoded_path_traversal	HIGH	Detects percent-encoded directory traversal sequences (..%2f, %2e%2e/) in URL paths.

4Transport

Insecure HTTP, TLS downgrades, URL shorteners, data URIs

Rule ID	Severity	Description
insecure_http	MEDIUM	Flags plain HTTP connections that transmit data without encryption — vulnerable to MITM attacks.
tls_downgrade	HIGH	Detects flags that disable TLS verification (-k, --insecure), exposing connections to interception.
url_shortener	MEDIUM	Detects shortened URLs (bit.ly, t.co, etc.) that obscure the actual destination.
data_uri_scheme	HIGH	Detects data: URIs that embed executable content inline, bypassing external URL inspection.

5Terminal

ANSI injection, bidi overrides, zero-width chars, control sequences

Rule ID	Severity	Description
ansi_escape_injection	CRITICAL	Detects ANSI escape sequences that can manipulate terminal display, hide commands, or execute code.
bidi_override	CRITICAL	Detects Unicode bidirectional override characters that reverse text display to hide true content.
zero_width_characters	HIGH	Detects invisible Unicode characters (ZWSP, ZWNJ, ZWJ) that can alter command interpretation.
terminal_title_injection	HIGH	Detects escape sequences that modify the terminal title bar, which can be used for social engineering.
control_character_injection	HIGH	Detects non-printable control characters (except common whitespace) embedded in commands or pasted text.

8Command

Pipe-to-shell, dotfile persistence, archive bombs, code substitution

Rule ID	Severity	Description
pipe_to_interpreter	HIGH	Detects piping downloaded content directly to a shell interpreter — the classic supply-chain attack vector.
dotfile_modification	HIGH	Detects commands targeting shell configuration dotfiles (.bashrc, .zshrc, .profile) for persistence.
archive_extraction_attack	MEDIUM	Detects suspicious archive extraction patterns (tar, zip) that may overwrite system files.
command_substitution	HIGH	Detects backtick or $() command substitution in URLs or arguments that execute code during expansion.
background_execution	MEDIUM	Detects commands launched in background (&, nohup, disown) that persist beyond the current session.
base64_decode_execute	HIGH	Detects base64 decode piped to interpreter — through sudo/env wrappers and PowerShell -EncodedCommand.
cloud_metadata_access	HIGH	Detects access to cloud instance metadata endpoints (169.254.169.254) used in SSRF and credential theft.
private_network_access	MEDIUM	Detects commands targeting private/internal network ranges that may indicate lateral movement.

5Environment

Proxy hijacking and environment variable manipulation

Rule ID	Severity	Description
proxy_environment_variable	HIGH	Detects modification of HTTP_PROXY/HTTPS_PROXY variables that redirect all traffic through an attacker.
sensitive_env_export	HIGH	Detects exporting sensitive environment variables (API keys, tokens) that may leak credentials to child processes.
code_injection_env	CRITICAL	Detects environment variables containing executable code that gets evaluated by interpreters.
interpreter_hijack	HIGH	Detects PATH or interpreter variable changes that redirect command execution to attacker-controlled binaries.
shell_injection_env	HIGH	Detects environment variables with shell metacharacters that trigger injection when evaluated.

9Ecosystem

Git, Docker, pip, npm, Web3 — supply-chain attack surface

Rule ID	Severity	Description
git_credential_exposure	HIGH	Detects git operations that may expose credentials via URL-embedded tokens or credential helpers.
docker_privileged_run	HIGH	Detects Docker containers run with --privileged or dangerous volume mounts that escape isolation.
pip_install_untrusted	MEDIUM	Detects pip installing from URLs, git repos, or with --extra-index-url pointing to untrusted sources.
npm_lifecycle_script	MEDIUM	Detects npm packages with suspicious preinstall/postinstall scripts that execute arbitrary code.
web3_wallet_drain	CRITICAL	Detects commands targeting cryptocurrency wallets, private keys, or seed phrases for theft.
supply_chain_registry	HIGH	Detects package installations from alternate registries or with dependency confusion patterns.
git_clone_typosquat	HIGH	Detects git clone of repositories with names similar to popular projects — potential typosquatting.
untrusted_docker_registry	HIGH	Detects pulling Docker images from untrusted or non-standard registries.
vet_not_configured	MEDIUM	Detects package manager installations without supply-chain audit tooling (npm audit, pip-audit).

8Config Security

AI config poisoning, prompt injection, MCP server validation

Rule ID	Severity	Description
config_injection	HIGH	Prompt injection or skill activation triggers detected in AI config files.
config_suspicious_indicators	MEDIUM	Suspicious patterns (permission bypass, safety dismissal) in AI tool configs.
config_non_ascii	MEDIUM	Non-ASCII or invisible Unicode characters in AI tool configuration files.
mcp_insecure_server	HIGH	MCP server configured with insecure HTTP connection instead of HTTPS.
mcp_untrusted_server	MEDIUM	MCP server from untrusted or unknown source.
mcp_duplicate_server	MEDIUM	Duplicate MCP server names that could cause conflicts or shadowing.
mcp_permissive_tools	MEDIUM	MCP server configured with wildcard tool access.
mcp_shell_metachar_args	HIGH	Shell metacharacters in MCP server arguments enabling injection.

5Rendered Content

Hidden CSS, color-matched text, comment instructions, PDF hidden text

Rule ID	Severity	Description
css_hidden_content	HIGH	Content hidden via CSS (display:none, visibility:hidden, opacity:0, font-size:0).
color_hidden_content	HIGH	Text hidden via similar foreground/background colors (contrast ratio < 1.5:1).
hidden_html_attributes	MEDIUM	Hidden HTML attributes containing instructions invisible to users but readable by AI.
comment_instructions	MEDIUM	HTML/Markdown comments containing instructions targeting AI agents.
pdf_hidden_text	HIGH	Sub-pixel rendered PDF text (font-size < 1px) invisible to readers but parseable by LLMs.

2Cloaking

Server-side cloaking detection — different content for bots vs browsers

Rule ID	Severity	Description
server_cloaking	HIGH	Server returns different content to AI bots vs browsers.
clipboard_hidden_content	HIGH	Clipboard contains hidden content not visible in the UI.

1Policy

Custom blocklists and organizational security policies

Rule ID	Severity	Description
domain_blocklist	CRITICAL	The target domain matches a known-malicious entry in the configured blocklist.

10Credential Detection

AWS keys, GitHub PATs, Stripe/Slack/SendGrid tokens, private keys, entropy-based secrets

Rule ID	Severity	Description
aws_key_detection	CRITICAL	Detects AWS access key IDs and secret access keys in commands or arguments.
github_pat_detection	CRITICAL	Detects GitHub personal access tokens (ghp_, github_pat_) in commands.
stripe_token_detection	CRITICAL	Detects Stripe API keys (sk_live_, sk_test_) in commands or environment.
slack_token_detection	HIGH	Detects Slack bot tokens (xoxb-), user tokens (xoxp-), and webhook URLs.
private_key_block	CRITICAL	Detects PEM-encoded private key blocks (RSA, EC, ED25519) being transmitted or exposed.
entropy_based_secret	MEDIUM	Detects high-entropy strings likely to be secrets or tokens using Shannon entropy analysis.
sendgrid_token_detection	HIGH	Detects SendGrid API keys (SG.) in commands or environment variables.
anthropic_api_key	HIGH	Detects Anthropic API keys (sk-ant-) in commands or environment variables.
gcp_service_account	HIGH	Detects GCP service account JSON key files being exposed or transmitted.
npm_token_detection	HIGH	Detects npm authentication tokens (npm_) in commands or .npmrc references.

5Data Exfiltration

curl/wget uploads, env var leaks, command substitution sending data to external hosts

Rule ID	Severity	Description
curl_data_upload	HIGH	Detects curl uploading sensitive file contents via -d @file to remote servers.
curl_file_upload	HIGH	Detects curl uploading files via -T/--upload-file to remote servers.
wget_post_file	HIGH	Detects wget --post-file uploading local file contents to remote servers.
env_var_exfiltration	HIGH	Detects sending sensitive env vars ($AWS_SECRET_ACCESS_KEY, etc.) to external hosts.
command_substitution_exfil	HIGH	Detects command output (whoami, hostname) exfiltrated via URL params or POST bodies.

3Code Scanning

Obfuscated payloads, dynamic code execution, secret exfiltration in JS/Python files

Rule ID	Severity	Description
dynamic_code_execution	MEDIUM	Detects dangerous function calls near b64decode or atob() patterns in scanned JS/Python files.
obfuscated_payload	MEDIUM	Detects long base64-encoded strings decoded and executed in scanned files.
suspicious_code_exfiltration	MEDIUM	Detects HTTP calls (fetch, requests.post) passing sensitive data in scanned files.

3Post-Compromise

Process memory scraping, Docker escalation, credential file sweeps — TeamPCP-inspired

Rule ID	Severity	Description
proc_memory_scraping	CRITICAL	Detects access to /proc/*/mem used to scrape secrets from running process memory.
docker_remote_escalation	CRITICAL	Detects Docker socket access or remote API calls used to escalate host privileges.
credential_file_sweep	HIGH	Detects enumeration of known credential file paths (.aws/, .ssh/, .gnupg/) inspired by TeamPCP attack.