Connection lost
Trying to reconnect…
Server didn't respond
Recovering…
Your AI agent needs production access — not your SSH key.
emisar is one governed MCP server that connects Claude, Cursor, ChatGPT — any AI agent — to your infrastructure. One server covers production access, debugging, alerting, runbooks, and internal ops — so a new capability is another pack, not another MCP server to roll out to every client. Your agent reads real production state to debug what it shipped and help work incidents. Safe reads run on their own. A risky change waits for a human to approve it. No SSH key, no always-on access, every call on the record.
Free for 3 runners · No credit card · Apache-2.0 open-source runner
With eyes on production
Your AI is brilliant. And blind.
Claude, Cursor, and ChatGPT reason about your stack all day — but they can't see it running. emisar gives your agent eyes on production. It reads live logs, metrics, hosts, datastores, and the network, so its plan matches what's actually running. It catches its own mistakes. It works incidents beside you. And it stops for you only when a change is actually risky.
Starts from real state
Before it writes a line, the agent reads live logs, metrics, configs, and process state. Its plan is based on what's actually running — not a stale guess from training data.
Debugs what it shipped
Deployed something that misbehaves? The agent inspects the running result, finds its own mistake, and proposes the fix. You don't have to gather the context for it.
Works the incident
When the page fires, it triages across the fleet, lines up logs against metrics, and narrows the cause. Then it hands you a fix it can run the moment you approve.
The change waits for you
When the fix actually changes something, that's the one moment you step in — one approval, scoped and logged. Everything safe runs without you.
How it's done today
Today, your AI agent is either:
Three common setups for letting an agent act — and each fails the same way: no gate before the action, no trustworthy record after.
Given a raw SSH key
Full shell on prod. The model is "creative." A malformed request can become
rm -rf /var/lib/postgresql
with no policy gate and no durable record of why it happened.
Wired to a custom tool server
Two engineers built a custom MCP server in a weekend. It hardcodes one cluster, swallows stderr, has no approval flow, and lives in a repo nobody dares touch.
Asked to "/runbook" in Slack
Twenty-three slash commands, three owners, two of whom left in 2024. Write-only output, lost in channel scrollback, and the audit trail is whatever you remember from the postmortem.
Three pillars
A catalog, a gate, and a ledger.
Every request is handled the same way. Each action declares what it can do and carries a risk tier — low, medium, high, or critical. The policy you set decides which tiers need a human to approve. The runner re-checks the request before it runs. Then every call is recorded twice — to the searchable audit in the portal, and to a hash-chained journal on the runner host.
Versioned action catalog
Packs live in git, and each one is fingerprinted by its contents. The AI sees only the actions you declared — it can't ask for anything else. Change a pack and emisar stops running it until an admin trusts the new version. A new surface — another datastore, your alerting stack, an internal API — is one more trusted pack on the same gate, not another MCP server to roll out to every client.
schema_version: 1 id: linux.systemctl_status title: "Systemd unit status" kind: exec risk: low args: - name: unit type: string required: true validation: pattern: "^[a-zA-Z0-9@._-]{1,128}$" execution: command: binary: /usr/bin/systemctl argv: ["status", "{{ args.unit }}"]
Policy & approval
Set allow, ask-for-approval, or deny for each risk tier, then override specific actions. Risky calls wait for a human. Or hand out a limited, revocable pass so routine ones don't ask every time.
Audit + runner journal
Every input, output, exit code, and redaction is recorded. On the host it's a
hash-chained log — change one line and
emisar audit verify
catches it. It's mirrored to the searchable audit in the portal, and it can stream to
your SIEM.
Watch it work
A real incident, start to finish.
A CSI driver reformatted a live LUN and wiped 33 hours of metrics. Watch the agent investigate through declared actions, stop the writes behind one approval, and hand back the durable fix as a Terraform PR — over MCP, no SSH, every step on the record.
Real catalog actions. Reads run on policy; risky steps always stop for approval.
- Any MCP client
- OAuth for cloud clients, stdio bridge for local tools — access scoped to selected runners or groups.
- Pack trust
- New or changed packs stop running until an admin trusts the contents.
- Approvals & grants
- Approve one call, or hand out a revocable pass — limited by time, arguments, runner, and number of uses.
- Searchable audit
- See who ran what, and on whose behalf, in the portal — or stream it to your SIEM.
Read the full post-mortem — the multipath race, the dmesg window, and the Terraform fix
Why not just…
The alternatives, honestly.
| emisar | Raw SSH key | Custom MCP server | |
|---|---|---|---|
| Typed action contract | Yes | No | Partial |
| Pack drift blocks dispatch | Yes | No | No |
| Risk-tier policy + overrides | Yes | No | Partial |
| Approvals + standing grants | Yes | No | No |
| Per-user runner scopes | Yes | No | Partial |
| Streaming stdout/stderr | Yes | Yes | Partial |
| Audit + SIEM export | Yes | No | Partial |
| Setup time | 5 min | instant + nightmares | 1-2 weeks |
Case studies
Two incidents, in full.
The storage wipe from the demo, written up end to end — and a completely different failure on the network. Both real, both logged with the command output to prove it.
A CSI driver wiped 33 hours of metrics
The incident from the demo, in full — including the twist. The obvious one-line fix was a no-op, so the durable fix the agent shipped is a guard that refuses to trust the driver.
Read the post-mortemA fleet-wide 502 no backend was causing
Every app behind one edge threw intermittent 502s — yet every backend was green. The agent traced it across five layers to an OOM loop and a wedged node still advertising a dead ingress, then stopped the bleed behind gated approvals.
Read the post-mortemZero Trust for AI Agents
The framework a frontier lab published — enforced by emisar.
Anthropic's Zero Trust for AI Agents guide says an agent with access to real systems needs four things: least agency, deny-by-default tools, human approval for high-risk actions, and an audit trail no one can edit. emisar enforces exactly that. And the controls the framework reserves for its top tiers ship on emisar's Free plan.
Least agency
The agent only sees the actions you declared
Human in the loop
High-risk actions stop for a one-click approval
Full audit trail
Searchable portal audit, a tamper-evident hash-chained host journal, and SIEM export
Assume breach
Even a jailbroken agent can't get past the catalog
Not affiliated with or endorsed by Anthropic. We cite the framework because emisar is built to the control set it describes.
Pricing
Pay per runner. Not per seat.
Free for 3 runners and 1 user. Team is $20/runner/month with unlimited users.
Free
For homelab and tinkering.
- 3 runners
- 1 user
- 7-day audit retention
- Community support
Team
For teams running real production.
- Up to 100 runners
- Unlimited users
- 90-day audit retention
- Automated invoices, email support
Enterprise
For regulated environments & fleets.
- Unlimited runners & users
- 365-day audit retention
- Security and procurement review
- Design-partner deployment planning
FAQ
The skeptical questions, answered.
Can the LLM run anything it wants?
No. The runner only exposes actions declared in a content-addressed pack. Anything else is rejected at the runner before it touches your shell. The model literally cannot see undeclared commands.
What can it actually do?
Read and tail logs, query metrics, inspect processes, memory, disk, and containers, check your databases, and trace DNS, TLS, and connectivity — across your whole fleet. And, behind approval, act: restart a unit, stop a runaway job, fail over, scale. It's a finite catalog of declared actions, never a raw shell.
Where do approvals happen?
In the web UI today. The approver sees the actor, the arguments, the target host, and the policy rule that triggered the gate. One click to allow, one to deny.
Do I have to approve every action?
No — you decide per action. Reads run automatically; you reserve approvals for the risky, mutating ones. Policy sets allow / require-approval / deny by risk tier, with per-action overrides, and the destructive verbs are deny-by-default.
What if my runner dies mid-run?
Child processes are reaped with PR_SET_PDEATHSIG on Linux — no zombies, no orphans. If the runner stays offline, the cloud's dispatch-timeout sweep marks its in-flight runs as errored with the reason within minutes, so nothing reads as running forever.
Is this MCP-compatible?
Yes. Claude.ai and ChatGPT connect to emisar's remote JSON-RPC MCP server through OAuth. Claude Code, Claude Desktop, Cursor, Gemini CLI, and Codex CLI can use the emisar-mcp stdio bridge.
Can I self-host the control plane?
The current product uses the hosted emisar control plane. The repository includes deployable control-plane code for evaluation, but supported self-hosted and air-gapped deployments are not generally available today. Contact us if that boundary is a requirement.
What about secrets?
The runner runs a redaction pipeline on every stdout/stderr stream before forwarding. Patterns are declared per-action; sane defaults catch AWS keys, JWTs, and bearer tokens. The cloud receives only the redacted output stream — never the raw bytes.
Give your AI production access. You keep the last word.
Three runners. Seven-day audit. No credit card. Read the quickstart and run your first gated action.
Prefer a walkthrough first? Book a 30-minute demo.
No credit card. Cancel anytime. Your audit log is yours to export.