Last week, we wrote about giving our AI assistant persistent memory with Claude Cortex. We showed how an AI agent that remembers your decisions, your architecture, and your preferences across sessions transforms from a tool into a genuine collaborator.
This week, we're protecting it. Not just our agent — every agent.
The Growing Threat
AI agents are everywhere. Claude Code, OpenClaw, Moltbot, LangChain agents, AutoGPT, CrewAI — they're writing code, managing infrastructure, processing emails, and making decisions on our behalf. And increasingly, they all have persistent memory — the ability to remember context between sessions.
This is powerful. It's also dangerous.
On January 31st, 2026, Palo Alto Networks' Unit 42 published a warning about a new class of cyberattack: persistent memory poisoning in AI agents. The premise is straightforward and alarming: if an attacker can plant malicious content in what your AI agent remembers, they've compromised every future interaction.
Not for one session. Permanently.
Think about what your AI agent processes in a typical day. Emails, web pages, documents, API responses, Slack messages. Any of these could contain hidden instructions that get saved to memory. And once something is in your agent's memory, it influences every future conversation.
Traditional cybersecurity doesn't cover this. Your firewall protects your network. Your antivirus protects your files. Nothing protects what your AI agent remembers.
What ShieldCortex Does
ShieldCortex is a universal security layer that sits between any AI agent and its memory. Claude Code, OpenClaw, Moltbot, LangChain, AutoGPT, CrewAI — if it has persistent memory, ShieldCortex protects it. Every time something is written to memory, ShieldCortex scans it. Every time something is read from memory, ShieldCortex filters it. Everything is logged.
Think of it like Cloudflare for AI memory — universal middleware that works with any agent framework. You don't change how your agent works. You add a protective layer in front of what it remembers.
The 6 Defence Layers
1. Input Sanitisation
Before anything else, ShieldCortex strips control characters, null bytes, and other malformed input that attackers use to smuggle payloads past downstream parsers. This is the cheap, fast first line of defence: nothing exotic survives the cleaning pass.
2. Pattern Detection
A regex-based prompt-injection firewall scans every incoming memory for hidden instructions, command injection, and encoded payloads. If someone hides a [SYSTEM: ignore previous instructions] in an email your agent processes, the firewall catches it before it reaches storage. The pattern set covers tool injection, scope escalation, data exfiltration, persistence, supply chain, agent manipulation, and stealth instruction families.
3. Semantic Analysis
Pattern matching only catches what you've already seen. ShieldCortex compares incoming content against an embedding corpus of known attack styles, so novel phrasings of familiar tactics still get flagged even when they don't trip a regex.
4. Structural Validation
JSON, YAML, and other structured payloads get integrity checks before they're trusted. Malformed structure is one of the loudest signals that something is trying to confuse the agent's parser into doing something it shouldn't.
5. Behavioural Scoring
Trust isn't static. ShieldCortex scores every memory by source reliability and tracks anomalies over time — direct user input scores highest, agent-generated content scores lowest, and unusual patterns get downweighted. This addresses the most sophisticated attack Palo Alto Networks warned about: attackers planting small, innocent-looking fragments over days or weeks that combine into a complete exploit. New memories are cross-referenced against recent entries, looking for pieces that form attack chains.
6. Credential Leak Detection
Detects passwords, API keys, personal information, and other sensitive data across more than 25 patterns covering 11 providers, with entropy analysis for the unknown ones. Decoded content is scanned too, so base64-wrapped secrets don't slip through. If your agent accidentally tries to store a database connection string in memory, ShieldCortex catches it and either redacts or quarantines it.
Every operation is recorded in a complete forensic audit trail — what was stored, when, from what source, what trust score it received, and whether it was allowed, quarantined, or blocked. If something goes wrong, you can trace exactly what happened.
Why We Built This
We didn't build ShieldCortex because we thought it would be a good product idea. We built it because we needed it.
At Drakon Systems, we run AI agents in production — across OpenClaw, Claude Code, and custom setups. Our own assistant, Jarvis, has persistent memory across sessions. When we built Claude Cortex (our open-source memory system), we immediately started thinking about what happens when that memory is targeted.
We run agents that process emails, read web content, and interact with external services. Every one of those touchpoints is a potential vector for memory poisoning. We needed a defence layer, and nothing existed — not for Claude Code, not for LangChain agents, not for any of the multi-agent frameworks gaining traction.
So we built one. Then we made it agent-agnostic, because the threat doesn't care which framework you use. Then we open-sourced it, because every team running AI agents with persistent memory has the same exposure — most just don't know it yet.
Getting Started
ShieldCortex is free to install and use. The full 6-layer defence pipeline — input sanitisation, pattern detection, semantic analysis, structural validation, behavioural scoring, and credential leak detection — is included at no cost, alongside the local dashboard and audit log.
npm install -g shieldcortex
npx shieldcortex setup
That's it. ShieldCortex configures itself with your AI agent (Claude Code, OpenClaw, or any MCP-compatible setup), installs automatic hooks, and starts protecting your memory immediately.
Already have existing memories? Run a scan. Ask your agent: "Scan my memories for threats." ShieldCortex will analyse everything stored and flag anything suspicious.
What's Coming
ShieldCortex today is a local defence layer. It's powerful, but it's just the beginning.
We're building:
- SaaS Dashboard — centralised monitoring across all your agents, with real-time alerts and threat visualisation
- Team Management — role-based access, shared threat intelligence, and coordinated defence policies
- Enterprise Features — compliance reporting, integration with existing SIEM tools, and custom defence rules
- Continuous Monitoring — always-on scanning that doesn't wait for memory operations to trigger
The local tool will always be free. The cloud platform will be for teams that need visibility across multiple agents and environments.
The Bottom Line
If you're running AI agents with persistent memory — Claude Code, OpenClaw, Moltbot, LangChain, AutoGPT, CrewAI, or anything else — you have an unguarded attack surface. Memory poisoning is real, it's been flagged by major security firms, and it's only going to get more common as AI agents become more prevalent.
ShieldCortex is the defence layer that should have existed from day one. Universal middleware for any AI agent's memory. We built it because we needed it. Now it's yours.
Try ShieldCortex free:
npm install -g shieldcortex
npx shieldcortex setup
GitHub: github.com/Drakon-Systems-Ltd/ShieldCortex
ShieldCortex is open source under the MIT licence. Built by Drakon Systems.