arcis

Shipped @arcis/mcp 1.0. Seven prompt-injection payloads fire at an MCP server on every CI run. The test is the spec. The test passes. https://t.co/0fTyR4ORjD

Your XSS filter blocks <script>. Does it block the same six characters in fullwidth form? Most pre-2023 detectors do not. https://t.co/opxq3PIxvE

Agent security has four layers: identity, pre-deploy testing, observability, defense. Only the defense layer can refuse a request in flight. The other three are advisory by structure. https://t.co/SxSF8TC06H

The WAF and the application see the same HTTP request differently. The attacker only needs to live in the seam. https://t.co/dpBCCWWwha

If you want the full thesis behind Arcis - what it is, what it does NOT do, and the inside-the-app argument, the launch post is the cleanest place to start. 5-minute read. https://t.co/5WUeQ0Gebm

2026 reality: every app is now three apps. A request app. A model app. A tool app. The WAF protects the request app. Nothing protects the other two. That's the gap Arcis is in.

Arcis conformance status: 154/154 tests pass across Node + Python + Go Same input → same verdict in all three SDKs Drift = failed CI = no release Cross-SDK parity is the only metric that matters once a tool ships in multiple languages.

Hello world. Open-sourced Arcis. Security middleware that runs inside your web app instead of in front of it. For developers tired of WAFs that block `' OR 1=1` and miss everything else. Node, Python, Go. https://t.co/erAA6C1hbU