Cloudflare-native · Live

AI security knowledge, structured and queryable.

protectwith.ai is a typed knowledge graph and MCP server for AI security — covering both AI for security and security for AI, across personal, SMB, and enterprise contexts. Built entirely on Cloudflare: D1, Vectorize, Workers AI, Durable Objects, and Access.

44 Knowledge entities
768 Embedding dimensions
8 MCP read-only tools
47 Automated tests

Endpoints

Site: protectwith.ai (public)
MCP: mcp.protectwith.ai/mcp (Access-protected)
Source: github.com/burademirung/protectwithai (private · request access)

How it works

Three layers — a typed knowledge graph, an MCP server, and a coordinated agent fleet — built entirely on Cloudflare primitives.

Layer 1

Knowledge layer

A typed knowledge graph authored in Markdown with YAML frontmatter. A compiler parses, validates, graphs, chunks, and embeds everything before it enters storage.

44 entities across 8 types: framework, threat, control, cloudflare, practice, segment, vendor, pattern
Typed relationships: mitigates, implemented_by, maps_to, defends_against, defined_in
Every entity carries provenance (sources) and a verification status: verified / unverified / time-sensitive
Compiler synthesizes inverse edges automatically, ensuring graph consistency
bge-base via Workers AI → 768-dimensional semantic vectors stored in Vectorize

Layer 2

MCP server layer

Knowledge served to AI agents over the Model Context Protocol. A Cloudflare-native McpAgent (Durable Object) backed by D1 and Vectorize, protected by Cloudflare Access.

Local stdio server for development; remote Durable Object for production
D1 stores structured entities and graph edges; Vectorize handles semantic search
All tools are READ-ONLY by default — mitigating MCP tool-poisoning attacks
Public/internal scope isolation enforced three independent ways (see Security)
Identity asserted by signed JWT from Cloudflare Access — no user-supplied field trusted

Layer 3 (Roadmap)

Agent fleet layer

A coordinated set of security agents built on the MCP server, with human-on-the-loop oversight and least-privilege tool governance.

Supervisor / worker orchestration pattern
Human-on-the-loop: humans notified for high-stakes decisions
Least-privilege MCP tool governance — agents access only the tools they need
Scope isolation verified adversarially before agents are connected

MCP Tools

Eight read-only tools for AI agents

Every tool is read-only by default. AI agents connect to mcp.protectwith.ai/mcp via the Model Context Protocol; Cloudflare Access verifies identity before any tool call reaches the server.

kb_search

Semantic question-answering over the knowledge base. Embeds the query with Workers AI (bge-base), searches Vectorize by cosine similarity, returns the most relevant entity chunks with provenance.

kb_get

Fetch a single entity by its unique ID. Returns the full structured record from D1 — type, content, relationships, provenance, and verification status.

kb_related

Traverse typed relationships in the knowledge graph. Given an entity ID and an optional relationship type (e.g. mitigates, implemented_by), returns all connected entities.

kb_map

Cross-framework mapping: translate a concept or identifier from one standard to its equivalents in another, then follow the graph to concrete controls and the Cloudflare primitives that implement them.

kb_list

Enumerate entities in the knowledge base, optionally filtered by type or segment. Returns IDs, names, and types — useful for agent discovery before a deeper kb_get or kb_related.

kb_classify

Advisory, KB-grounded classification: match an input (e.g. a prompt) against known threat patterns and return likely threats plus recommended controls. Advisory only — not a real-time detector.

kb_checklist

Generate the applicable security control checklist for a described component (e.g. "a Worker calling an LLM"), with the Cloudflare primitives that implement each control.

kb_compliance_map

Map controls to the compliance requirements they satisfy across NIST AI RMF, the EU AI Act, and ISO/IEC 42001.


kb_map example — MITRE ATLAS → OWASP → Controls → Cloudflare

// Query: map MITRE ATLAS AML.T0051 through the full control chain
tool: kb_map
input: "AML.T0051" // LLM Prompt Injection

→ Step 1 resolve
  MITRE ATLAS AML.T0051 "LLM Prompt Injection"

→ Step 2 maps_to
  OWASP LLM LLM01:2025 "Prompt Injection"

→ Step 3 mitigates (controls)
  CTL-001 Input validation & sanitization (verified)
  CTL-007 Prompt boundary enforcement (verified)
  CTL-012 Output filtering before execution (verified)

→ Step 4 implemented_by (Cloudflare primitives)
  Cloudflare AI Gateway: rate-limit, log, redact PII
  Workers AI: sandboxed inference
  Cloudflare WAF: block known injection patterns

// All results carry source URLs and verification status
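The four-hop chain in the trace above, as an added example that is not protectwith.ai's kb_map implementation: it runs over a constructed in-memory edge list using the page's entity IDs and names, and which control each Cloudflare primitive implements is assumed for illustration.

```typescript
// Added example, not protectwith.ai's kb_map implementation: the four-step chain in the
// trace above, run over a constructed in-memory edge list. Entity IDs and names are the
// page's; which control each Cloudflare primitive implements is assumed for illustration.
interface Edge { from: string; rel: string; to: string }

// Constructed edges, authored in the page's forward direction (control -> threat, etc.).
const EDGES: Edge[] = [
  { from: "AML.T0051", rel: "maps_to", to: "LLM01:2025" },
  { from: "CTL-001", rel: "mitigates", to: "LLM01:2025" },
  { from: "CTL-007", rel: "mitigates", to: "LLM01:2025" },
  { from: "CTL-012", rel: "mitigates", to: "LLM01:2025" },
  { from: "CTL-001", rel: "implemented_by", to: "Cloudflare WAF" },
  { from: "CTL-001", rel: "implemented_by", to: "Cloudflare AI Gateway" },
  { from: "CTL-007", rel: "implemented_by", to: "Workers AI" },
  { from: "CTL-012", rel: "implemented_by", to: "Cloudflare AI Gateway" },
];

// One hop along `rel` from every id in `ids`. With reverse=true the hop follows edges
// that point INTO the id, which is how "controls that mitigate this threat" is answered
// when the edge is authored control -> threat.
function step(ids: string[], rel: string, reverse = false): string[] {
  const out = new Set<string>();
  for (const id of ids)
    for (const e of EDGES)
      if (e.rel === rel && (reverse ? e.to === id : e.from === id))
        out.add(reverse ? e.from : e.to);
  return Array.from(out).sort();
}

interface MapResult { mapped: string[]; controls: string[]; primitives: string[] }

// Unknown IDs return null rather than an empty chain, so an agent cannot mistake
// "not in the knowledge base" for "no controls apply".
function kbMap(atlasId: string): MapResult | null {
  const mapped = step([atlasId], "maps_to");
  if (mapped.length === 0) return null;
  const controls = step(mapped, "mitigates", true);
  const primitives = step(controls, "implemented_by");
  return { mapped, controls, primitives };
}
```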

Security model

Security is a feature, not an afterthought

Every layer of protectwith.ai was designed to resist the attack patterns it documents. Defense-in-depth applies to the system itself.

Verified identity via Cloudflare Access

All requests to the MCP server go through Cloudflare Access. Identity is asserted via a signed JWT — the server never trusts a user-supplied field or header.

JWT-verified · zero trust identity

Read-only tools by default

All eight MCP tools are read-only. This directly mitigates MCP "tool poisoning" — an attacker who gains access to the server cannot write, modify, or delete knowledge.

Least-privilege · no write surface

Triple-layer scope isolation

Public/internal scope separation is enforced three independent ways: a Vectorize metadata filter, a D1 query filter, and a per-entity get() re-check after retrieval.
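The three independent checks described above, as an added example that is not protectwith.ai's code: Vectorize and D1 are replaced by in-memory stand-ins (their shapes are assumed), and a `skip` knob lets an adversarial test disable a layer and confirm the remaining ones still hold.

```typescript
// Added example, not protectwith.ai's code: the three independent scope checks the page
// describes, over in-memory stand-ins for Vectorize and D1 (the store shapes are assumed).
// The `skip` knob exists only so adversarial tests can disable a layer and confirm the
// remaining ones still hold.
type Scope = "public" | "internal";
type Layer = "vectorize" | "d1";
interface VectorMatch { id: string; score: number; metadata: { scope: Scope } }
interface Row { id: string; scope: Scope; content: string }

// Constructed stores. "int-2" carries deliberately stale vector metadata: it was
// reclassified internal in D1, but its chunk metadata still says public.
const VECTORS: VectorMatch[] = [
  { id: "pub-1", score: 0.91, metadata: { scope: "public" } },
  { id: "int-1", score: 0.89, metadata: { scope: "internal" } },
  { id: "int-2", score: 0.87, metadata: { scope: "public" } },
];
const D1: Row[] = [
  { id: "pub-1", scope: "public", content: "Prompt boundary enforcement" },
  { id: "int-1", scope: "internal", content: "Internal roadmap item" },
  { id: "int-2", scope: "internal", content: "Reclassified threat-model note" },
];

// Layer 1: metadata filter applied by the vector query itself.
function vectorSearch(scope: Scope): VectorMatch[] {
  return VECTORS.filter((m) => m.metadata.scope === scope);
}
// Layer 2: the D1 query is scoped (WHERE id IN (...) AND scope = ?), not just the ID list.
function d1Fetch(ids: string[], scope: Scope): Row[] {
  return D1.filter((r) => ids.includes(r.id) && r.scope === scope);
}
// Layer 3: each row is re-checked on its own before it reaches the caller.
function getChecked(row: Row, scope: Scope): Row | null {
  return row.scope === scope ? row : null;
}

// Search for one scope; only content that survives every enabled layer is returned.
function search(scope: Scope, skip: Set<Layer> = new Set()): string[] {
  const matches = skip.has("vectorize") ? VECTORS : vectorSearch(scope);
  const ids = matches.map((m) => m.id);
  const rows = skip.has("d1") ? D1.filter((r) => ids.includes(r.id)) : d1Fetch(ids, scope);
  return rows
    .map((r) => getChecked(r, scope))
    .filter((r): r is Row => r !== null)
    .map((r) => r.content);
}
```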

3× independent isolation

Schema-validated CI gate

A CI validation step rejects any pull request that introduces dangling relationships, illegal edge types, or a "verified" claim without accompanying source references.
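The gate above, together with the inverse-edge synthesis described under Layer 1, as an added example that is not the project's own compiler: the entity shape and the inverse edge names are assumptions, while the forward edge types are the ones the page lists.

```typescript
// Added example (not the project's own compiler): the checks the page's CI gate describes,
// plus the inverse-edge synthesis from Layer 1. Entity shape and inverse names are assumed.
type Status = "verified" | "unverified" | "time-sensitive";
interface Entity {
  id: string; type: string; status: Status; sources: string[];
  relationships: { rel: string; target: string }[];
}
interface Edge { from: string; rel: string; to: string }
// Forward edge types are the page's; inverse names are assumed (maps_to treated as symmetric).
const INVERSE: Record<string, string> = {
  mitigates: "mitigated_by", implemented_by: "implements", maps_to: "maps_to",
  defends_against: "attacked_by", defined_in: "defines",
};
// Returns every gate violation; an empty list means the pull request passes.
function validateGraph(entities: Entity[]): string[] {
  const ids = new Set(entities.map((e) => e.id));
  const errors: string[] = [];
  for (const e of entities) {
    if (e.status === "verified" && e.sources.length === 0)
      errors.push(`${e.id}: 'verified' without source references`);
    for (const r of e.relationships) {
      if (!(r.rel in INVERSE)) errors.push(`${e.id}: illegal edge type '${r.rel}'`);
      if (!ids.has(r.target)) errors.push(`${e.id}: dangling relationship to '${r.target}'`);
    }
  }
  return errors;
}

// Emits each authored edge plus its synthesized inverse, deduplicated and sorted, so
// compiling the same input twice yields the same edge list (idempotent, no hidden state).
function compileEdges(entities: Entity[]): Edge[] {
  const seen = new Map<string, Edge>();
  const add = (from: string, rel: string, to: string) =>
    seen.set(`${from}|${rel}|${to}`, { from, rel, to });
  for (const e of entities)
    for (const r of e.relationships) {
      add(e.id, r.rel, r.target);
      add(r.target, INVERSE[r.rel] ?? r.rel, e.id);
    }
  return Array.from(seen.keys()).sort().map((k) => seen.get(k) as Edge);
}
// Constructed sample: two valid entities and one that must fail the gate in three ways.
const SAMPLE: Entity[] = [
  { id: "LLM01", type: "threat", status: "verified", sources: ["https://example.invalid/llm01"], relationships: [] },
  { id: "CTL-007", type: "control", status: "verified", sources: ["https://example.invalid/ctl-007"],
    relationships: [{ rel: "mitigates", target: "LLM01" }] },
  { id: "BAD-1", type: "control", status: "verified", sources: [],
    relationships: [{ rel: "blocks", target: "LLM01" }, { rel: "mitigates", target: "NOPE" }] },
];
```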

No unverified knowledge enters

Provenance on every claim

Every entity carries explicit source URLs and a verification status field (verified, unverified, or time-sensitive). Agents can expose this to end users.

verified | unverified | time-sensitive

Adversarial test suite

47 automated tests including adversarial scope-isolation scenarios — tests that actively attempt to leak internal entities through crafted queries to verify isolation holds.

47 tests · adversarial coverage

No secrets committed

API keys, access credentials, and private strategy documents are never committed to the repository. Secrets are injected via environment variables at deploy time.

Secrets in env vars only

Adversarial research verification

Security research is verified adversarially before it enters the knowledge base — claims are checked against primary sources; contested or evolving material is marked time-sensitive.

Verified before ingestion

47-test automated suite

Including adversarial scope-isolation tests that attempt to extract internal entities through carefully crafted semantic and graph queries — verifying that isolation holds end-to-end.

47 tests · incl. adversarial
Standards

Standards followed

protectwith.ai maps its knowledge graph to the leading AI security and governance frameworks — so agent outputs can cite the exact standard and control they reference.

OWASP LLM Top 10

OWASP Top 10 for LLM Applications

The ten most critical security risks in systems that use large language models — from prompt injection to model theft.

Used: Each OWASP LLM risk is a first-class entity in the knowledge graph, linked to mitigating controls and Cloudflare primitives that implement them. Cross-mapped to MITRE ATLAS via kb_map.

OWASP Agentic AI

OWASP Agentic AI Threats & Mitigations (T1–T15)

Fifteen specific threat patterns that arise when AI systems operate as autonomous agents — including orchestration hijacking, excessive agency, and resource misuse.

Used: T1–T15 are mapped as threat entities; the agent fleet design (read-only tools, human-on-the-loop, least-privilege governance) directly addresses T2, T5, T9, and T11.

OWASP Agentic 2026

OWASP Top 10 for Agentic Applications (2026)

An emerging standard for the most critical risks specific to agentic AI deployments, covering multi-agent orchestration and tool-use vulnerabilities.

Used: Applied to the roadmap agent fleet design — each top-10 risk is tracked as a knowledge entity with controls and implementation status.

NIST AI RMF

NIST AI Risk Management Framework + CSA Agentic Profile

A structured approach to identifying, assessing, and managing risks across the full AI lifecycle (Govern, Map, Measure, Manage).

Used: Governance practices (provenance tracking, adversarial verification, reproducible compiler) map to GOVERN and MEASURE functions. The CSA Agentic NIST AI RMF Profile guides agent fleet design.

MITRE ATLAS

MITRE ATLAS

Adversarial Threat Landscape for AI Systems — a knowledge base of adversarial ML tactics and techniques, structured similarly to MITRE ATT&CK.

Used: ATLAS tactics and techniques are entities in the graph. kb_map can translate an ATLAS ID (e.g. AML.T0051) to the corresponding OWASP risk, mitigating controls, and Cloudflare implementation.

ISO/IEC 42001

ISO/IEC 42001 — AI Management Systems

An international standard for establishing, implementing, and continually improving an AI management system within an organization.

Used: The knowledge compiler's idempotency, CI validation, and provenance requirements reflect 42001's emphasis on documented, repeatable AI processes and risk controls.

EU AI Act

EU AI Act

The European Union's landmark regulation classifying AI systems by risk level and requiring transparency, human oversight, and conformity assessments for high-risk deployments.

Used: Transparency requirements informed the verification_status field and provenance sources on every entity. Human-on-the-loop in the agent fleet addresses the Act's human oversight requirements.

Best practices

Engineering best practices

The practices protectwith.ai documents are also the practices it follows — the system is built to embody the guidance it gives.

Defense-in-depth

Security controls at every layer: identity gate, read-only tools, scope isolation, schema validation, and adversarial testing — no single control is relied upon exclusively.

Least privilege & read-only-by-default tools

AI agents are granted only the access they need. All MCP tools are read-only; write capabilities require explicit, separately governed tooling.

Verified identity — no header trust

Identity is always verified via Cloudflare Access signed JWTs. No user-supplied header, field, or parameter is trusted for authorization decisions.

Provenance & verification status on every claim

Each entity in the knowledge graph carries source URLs and one of three statuses: verified, unverified, or time-sensitive. Agents surface this to users.

Adversarial research verification

Security research is checked against primary sources before entering the knowledge base. Claims that can't be independently verified are marked unverified or excluded.

Scope isolation tested adversarially

The boundary between public and internal knowledge is not just enforced — it's actively tested with adversarial queries designed to probe for leakage.

Reproducible & idempotent compiler

The knowledge compiler produces identical output from identical input. Any entity can be re-compiled at any time with the same result — no hidden state.

Secrets never committed

API keys, access credentials, and private configuration are injected at deploy time via environment variables — never stored in the repository or in compiled artifacts.

Private strategy never published

Internal roadmaps, threat models, and strategic planning documents are kept out of the public repository — only the platform itself and its documented behaviors are public.