Agent Runtimes
CLaude COde
Cursor
VSCode
Codex
SDK / REST
Prompt
Tool call
Ingress
Blekline Control Plane
Blekline masks and enforces prompts and tool calls before models and APIs, redacts responses on the return path, with metadata-only audit for security review.
Open core
MCP + API gateway
Metadata-only audit
Ingress
Mask / ENforce / Block
Egress
REsponse / MAsk
Audit
Metadata EXport / SIEM
Masked
Enforced
Audited
Models
Claude
OPenai
Gemini
POlicy
Enoforced
Tool CAlls
MCP servers / internal APIs / Webhooks
Integrates with your Stack
One policy plane between agent runtimes and models, APIs, and MCP tools.
Mask and enforce on ingress, response governance on egress, metadata-only audit.
AI-first Infrastructure
Define Your AI Governance Protocol
01 - AGENT Interaction GOVERNANCE
CASB
DLP
Blekline
Where policy runs: agent boundary vs network vs SaaS app.
02 - AI Security Boundaries
Ingress Mask and enforce prompts and tool calls before models and MCP tools.
Egress Response mask on the return path, redact before agents see output.
Audit Metadata-only trail. Activity, CSV export, SIEM for Enterprise.
Three boundaries. One control plane.
03 - INfrastructure for regulated verticals
Built for teams that need agent governance with EU data path, SIEM evidence, and self-hosted control.
With your team in mind
One Platform, built for where you already work
Terminal headless pipelines
01
02
[03]
Made for coders and developers
Wire Blekline via npx or the TypeScript/Python SDK.Tool calls are evaluated before execution; prompts are masked before they leave your environment.
Claude Code
Codex
npx @blekline/mcp-server
SDK / REST
MCP
01
02
[03]
Add @blekline/mcp-server to project MCP config
Use the proxy in dev to mock risky tools; enforce the same policies in prod. Works with Cursor Agent, Continue, and GitHub Copilot MCP.
Cursor
VSCode
Continue
GitHub Copilot
SDK / API01
02
[03]
Govern agent calls from your application
TypeScript/Python SDK or REST — mask, enforce, and audit from your backend before content hits models or tools.
@blekline/client
/api/mask
Ingress gateway
Terminal headless pipelines
01
02
[03]
Made for coders and developers
Wire Blekline via npx or the TypeScript/Python SDK.Tool calls are evaluated before execution; prompts are masked before they leave your environment.
Claude Code
Codex
npx @blekline/mcp-server
SDK / REST
MCP
01
02
[03]
Add @blekline/mcp-server to project MCP config
Use the proxy in dev to mock risky tools; enforce the same policies in prod. Works with Cursor Agent, Continue, and GitHub Copilot MCP.
Cursor
VSCode
Continue
GitHub Copilot
SDK / API01
02
[03]
Govern agent calls from your application
TypeScript/Python SDK or REST — mask, enforce, and audit from your backend before content hits models or tools.
@blekline/client
/api/mask
Ingress gateway
Install in Seconds
Install in Seconds
o1 - Connect
Point MCP clients or SDK at Blekline proxy (blw_ token, workspace).
import { BleklineClient } from "@blekline/client";
const blekline = new BleklineClient({
baseUrl: "https://app.blekline.com",
workspaceToken: process.env.BLEKLINE_WORKSPACE_TOKEN!,
metadata: { clientSurface: "sdk" },
});
const { maskedText, decision } = await blekline.mask({
text: "Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
platform: "MyAgent",
});
const tool = await blekline.enforceToolCall({
toolName: "run_shell",
arguments: { cmd: "curl https://api.internal/deploy" },
platform: "MyAgent",
});
console.log(maskedText, decision?.action ?? tool.action);
// mask | allow | blockimport os
from blekline_client import BleklineClient
client = BleklineClient(
workspace_token=os.environ["BLEKLINE_WORKSPACE_TOKEN"],
base_url="https://app.blekline.com",
client_surface="sdk",
)
masked = client.mask(
text="Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
platform="MyAgent",
)
print(masked["maskedText"], masked.get("decision"))
tool = client.enforce_tool_call(
tool_name="run_shell",
arguments={"cmd": "curl https://api.internal/deploy"},
platform="MyAgent",
)
print(tool["action"], tool["entitiesMasked"])# Mask PII & secrets before model context
curl -sS https://app.blekline.com/api/mask \
-H "Content-Type: application/json" \
-H "x-blekline-workspace-token: blw_..." \
-H "x-blekline-client-surface: sdk" \
-d '{
"text": "Email alice@corp.com — deploy with AKIAIOSFODNN7EXAMPLE",
"platform": "REST"
}'
# Evaluate tool call before execution
curl -sS https://app.blekline.com/api/mcp/enforce-tool-call \
-H "Content-Type: application/json" \
-H "x-blekline-workspace-token: blw_..." \
-d '{
"toolName": "run_shell",
"arguments": { "cmd": "curl https://api.internal/deploy" },
"platform": "REST"
}'// .cursor/mcp.json or claude_desktop_config.json
{
"mcpServers": {
"blekline": {
"command": "npx",
"args": ["-y", "@blekline/mcp-server"],
"env": {
"BLEKLINE_API_URL": "https://app.blekline.com",
"BLEKLINE_WORKSPACE_TOKEN": "blw_...",
"BLEKLINE_CLIENT_SURFACE": "claude-desktop"
}
}
}
}
// Tools the agent can call:
// blekline_mask_prompt({ text: "alice@corp.com ..." })
// blekline_evaluate_tool_call({
// toolName: "run_shell",
// arguments: { cmd: "curl https://api.internal/deploy" }
// })o2 - Define
Policies for tool args, response mask rules, scope grants.
o3 - Prove
Activity log, audit export, SIEM forward (Governance).
New Standard for Safe AI Integration.
AI-first Infrastructure
Optimized for LLMs and AI Agents
06 - COmparison
Why Blekline?
Without Blekline
With Blekline
Secret in tool args
Reach model or sandbox
Blocked before execution
PII in prompt
Sent to vendor
Masked at ingress
Model responses
Sensitive data flows back
Redacted on return path
MCP tool calls
Ungoverned
Allow · mask · block per policy
Audit
Scattered logs, no single view
Metadata-only, CSV + SIEM
07 - OPen-core, scaled for business
Built for Developers. Scaled for Enterprise.
08 - FAQ's
Frequently asked questions
CISO's, CTO's and DAta protection officers
Who sees our data when Blekline enforces policy?
Masking runs over HTTPS to apply detection; audit defaults to metadata only — decisions, tool names, counts, not raw prompts. For stricter control, run the ingress sidecar in your VPC so enforcement stays inside your network.
What happens if a model or tool tries to exfiltrate PII mid-workflow?
Blekline can mask or block at ingress (prompts, tool args) and redact on the return path before your agent consumes the response. You get a defensible allow/mask/block record per interaction, not just a post-hoc alert.
Will this slow down how we ship agents?
No rip-and-replace. Wire one path — MCP proxy, SDK, or ingress gateway — and expand from there. Open-core packages let security review the code while engineering keeps shipping.
Compliance and Legal Officers
Can we defend this in a regulator or customer audit?
Yes — if you scope it correctly. Blekline logs policy outcomes at the agent boundary with exportable metadata. It supports your controls; it does not replace your RoPA, DPIA, or lawful-basis analysis.
What contractual assurances do we get on processing and subprocessors?
Standard DPA, published subprocessors, and privacy documentation for diligence. EU residency and VPC deployment are available on enterprise terms. Default SaaS is US-hosted — flag that in your transfer assessment.
Does masking satisfy data minimization, or do we still own classification?
Masking operationalizes minimization at execution time. You still own what counts as personal data, retention, and high-risk AI obligations under the EU AI Act. Blekline is the control layer; legal judgment stays with you.
Finance Executives
Is this a productivity tool or a risk-control line item?
Risk control. You are buying governed agent execution — enforceable policy and audit evidence — not another seat on ChatGPT. Price it like security infrastructure, not like an AI subscription.
What does a pilot actually buy us versus a full rollout?
One production workflow with measurable outcomes: entities masked, tools blocked, violations logged. Enough to justify platform spend or kill the bet before a multi-year commitment.
How do we compare this to building it ourselves?
In-house means MCP enforcement, policy streaming, audit schema, and multi-vendor ingress — quarters of eng time on non-differentiating work. Blekline compresses that to weeks with evidence your board can read.
