Skip to main content

Agent Monitor rules

Create rules to detect and block dangerous agent actions. Access rules at Agent Monitor Rules.

Organization rules page

Built-in detection

CategoryWhat it detects
SecretsAPI keys, access tokens, credentials being sent to models
Prompt injectionPotential injection attempts in prompts
Tool permissioningUnauthorized tool access attempts

For PII and DLP detection, use gateway middleware: block and mask starter templates connect AWS Bedrock Guardrails, Google Cloud Model Armor, OpenAI moderation, Teleskope, or any DLP service with an API.

Custom rules

Create organization-specific rules under the Organization Rules section.

Tool arguments rules

Match tool calls with specific argument patterns:

  1. Click + New tool arguments rule
  2. Set the tool pattern (e.g., Bash, Read|read)
  3. Define argument conditions (e.g., command: kubectl.*secret)
  4. Choose an action

Pattern rules

Match message content using regex:

  1. Click + New regex rule
  2. Define the pattern to match
  3. Choose an action

Actions

ActionEffect
None (flag only)Logs the action without blocking. Review at Live Activity.
BlockStops the prompt or tool call from running and surfaces an error to the agent.
Ask userPauses the tool call and asks the user to approve it. Agents that can't prompt from a hook block the call instead.
MaskRedacts matching content and lets the agent continue with the redacted version.
Slack notificationSends an alert to a Slack channel.

Support matrix for block and mask

Block and mask don't work in every phase on every agent. Some combinations silently fall back to blocking, and others have no effect at all, so picking the right phase matters when you want masking to actually mask.

Claude Code

Claude Code uses a single hook system (PreToolUse / PostToolUse).

PhaseBlockMask
Prompt✅ Supported❌ Blocks instead
Pre-tool (PreToolUse)✅ Supported✅ Supported
Post-tool (PostToolUse)N/A✅ Supported

Codex

Codex registers the same hook events as Claude Code (PreToolUse / PostToolUse / UserPromptSubmit), but its command hooks can't rewrite tool output after it runs, so post-tool masking blocks the result instead. Codex hooks also can't prompt for confirmation, so a rule with the Ask user action denies the tool call and tells the agent why.

PhaseBlockMask
Prompt✅ Supported❌ Blocks instead
Pre-tool (PreToolUse)✅ Supported✅ Supported
Post-tool (PostToolUse)N/A❌ Blocks instead

Cursor

Cursor ships two hook systems with different names. The newer preToolUse / postToolUse hooks line up with Claude Code's hook names and support masking; the older beforeMCPExecution / afterMCPExecution hooks fire only for MCP tool calls and can't mask. Pick the tab that matches the hooks registered in your ~/.cursor/hooks.json.

PhaseBlockMask
Prompt✅ Supported❌ Blocks instead
Pre-tool (preToolUse)✅ Supported✅ Supported
Post-tool (postToolUse)N/A✅ Supported

Block and mask behavior

  • Mask in the prompt phase falls back to block. No agent supports rewriting a user prompt mid-flight, so a mask rule on a prompt stops the request entirely instead of redacting it. Scope the rule to a tool phase if you only want to redact.
  • Post-tool block is N/A. Once a tool has run, blocking it isn't possible, so write a pre-tool rule if you need to stop execution.
  • Post-tool mask on Codex fails closed. Codex command hooks can't rewrite tool output, so rather than letting unmasked content through, a post-tool mask rule blocks the result.
  • Use Cursor's new hooks if you need masking. Only preToolUse and postToolUse can redact content; the older MCPExecution hooks always fall back to block.

Manage rules

Edit or delete rules using the settings icon next to each rule.