LOCAL PROXY · CLAUDE CODE · 0 TELEMETRY

You can't unsend
a secret.
Make sure you
never send one.

A local proxy that intercepts Claude Code prompts and masks API keys, tokens, and personal data before they leave your machine. Sub-2ms. No workflow changes.

See live demo →
14 days freeNo cardGDPR-readymacOS · Windows · Linux
Powered by
// LIVE PROXY · INTERCEPT1.4ms
OUTGOING · MASKEDSAFE TO SEND
12DATABASE_URL="postgresql://admin:[redacted_pwd_01]
13STRIPE_KEY=[redacted_stripe_01]
14AWS_SECRET=[redacted_aws_01]
15USER_EMAIL=[redacted_pii_01]
Built for
Claude Code
Cursor
Copilot
Codex
Continue
v2.0 · Build 421
01 / The Problem

Every prompt is a potential leak.

"I'm just asking it to refactor a function." And yet, Claude Code just uploaded your entire .env to the cloud.

You ask for help with that function. Your IDE loads the file. Which imports from a config module. Which your agent includes in context. Which contains your production database URL.

This is what gets sent to Claude right now, with no protection:

You can't watch every prompt. Your team can't either.

One .env in context. One secret in a comment. One moment of inattention. This is not a theoretical risk — it's happening in every coding session, right now.

POST · api.anthropic.com/v1/messagesUNFILTERED
→ full access to your AWS account
→ production database credentials
→ your entire payment processing (Stripe live)
→ your full codebase and org repos
→ user PII in logs and tests
02 / Live Demo

Write what you'd send to Claude.
See what leaves your machine.

This runs in your browser with the same rules Tigermole applies locally. Nothing is sent to any server.

tigermole · session
MASKING ACTIVE
// Your prompt to Claude CodeUNPROTECTED
TIGERMOLE
— ms
// What goes out to the cloudSAFE
# .env.production DATABASE_URL=[redacted_pg_url_01] STRIPE_KEY=[redacted_stripe_01] AWS_ACCESS_KEY=[redacted_aws_access_01] AWS_SECRET_KEY=[redacted_aws_secret_01] GITHUB_TOKEN=[redacted_github_01] ADMIN_EMAIL=[redacted_email_01]
6 secrets masked6 types detected345 bytes
03 / Detection Engine

85+ types. Compiled in. Zero configuration.

If it shouldn't leave your network, Tigermole catches it. Rules written in Rust, compiled into the binary. No remote updates, no telemetry.

CAT · IA
AI & API Keys

OpenAI · Anthropic/Claude · Google Gemini · Mistral · Cohere · Perplexity · Replicate · HuggingFace

sk-ant-…sk-…AIza…co-…
CAT · CLOUD
Cloud & Infrastructure

AWS · Azure · GCP · Terraform Cloud · HashiCorp Vault · DigitalOcean · Vercel · Netlify

AKIA…hvs.…do_…ya29…
CAT · DB
Databases & Connection Strings

PostgreSQL · MySQL · MongoDB · Redis · Elasticsearch · Supabase — full connection strings with embedded passwords

postgresql://mongodb+srv://redis://
CAT · DEVOPS
Code & DevOps

GitHub · GitLab · npm auth · PyPI · CircleCI · Jenkins · Bitbucket

CAT · PAYMENTS
Payments & Auth

Stripe · Twilio · SendGrid · OAuth secrets · JWT secrets · RSA/EC private keys

CAT · GDPR · ART. 4
Personal Data (GDPR Art. 4)

Email addresses · ID/passport numbers · Credit cards (Luhn-validated) · IBAN · SSN

PERFORMANCE
Sub-2ms latency at P50

P50 < 2ms · P95 < 10ms. Benchmarked with Criterion on real payloads up to 8KB. You won't feel it.

P50 · 1.4ms
P95 · 8ms
0
15ms
ARCHITECTURE
Zero external connections

Tigermole makes no outbound connections except to forward your (now sanitized) traffic to Claude and a latency ping to verify the connection. No telemetry. No cloud dependencies. The only thing that leaves your machine is code without secrets.

0 telemetry0 cloud depsoffline-first
Fail-safe guarantee

If something fails,
the request is blocked.
Never the other way around.

Most tools let data through when they're unsure. Tigermole does the opposite. If the masking engine fails for any reason — panic, timeout, parse error — the request is blocked entirely. It will never forward unmasked data. Ever. This is not a setting. Not a toggle. It's how it's built.

// engine.rs
match engine.mask(&payload) {
  Ok(safe)  => forward(safe).await,
  Err(_)   => reject_with_503(),
}
// covered by 47 explicit tests
// non-configurable. by design.
View all 97 detection rules
Who it's for

Every role has a reason to protect their prompts.

From individual developers to compliance teams.

CTOs & Security leads

One deploy. GDPR audit reports included.

Ships via your existing toolchain — MSI · PKG · DEB. Structured audit logs, no extra process overhead.

Dev teams

Zero accidental key leaks.

Policy enforced at the admin level, invisible at the user level. Your most junior dev can't leak what they can't see.

DPOs & Compliance teams

Tamper-proof logs for regulators.

Every masked event recorded with what, when, and why. Defensible documentation without building custom tooling.

Individual developers

Use AI freely on any codebase.

Even on client code. Stop second-guessing what landed in the model's context window.

05 / Pricing

Start free. Scale when you need it.

14-day free trial on all plans. No credit card required.

T-01
Individual
For solo developers
9,99€/ month
per user · monthly billing
  • 1 developer · 1 machine
  • 85+ detection rules
  • macOS · Windows · Linux
  • Community support
Most popular
T-02
Team
For engineering teams
29,99€/ user / month
per seat · monthly billing
  • Everything in Individual
  • Audit log signed with ED25519 (optionally X25519-encrypted with your key · ENC2: prefix)
  • JSON export of the audit log
Calculate seats5 devs
Monthly total149,95€ / mes
More than 20 seats? for volume pricing.
SLA
T-03
Enterprise
For CTOs and compliance teams
Custom
volume pricing · >20 seats
  • Everything in Team
  • Custom detection rules
  • Custom volume-based pricing
  • Tailor-made app build with your branding and rules
  • SLA + dedicated support
  • Custom onboarding

14-DAY TRIAL · NO CARD · CANCEL ANYTIME

You can't unsend a secret.
But you can make sure you never send one.

No card. No cloud account. No config changes.
Installed in 60 seconds.

MACOS 12+ · WINDOWS 10+ · UBUNTU 20.04+

Your privacy, your choice

We use essential cookies to keep the site working, and — only with your consent — analytics and advertising cookies. Read our Privacy Policy.