Skip to main content
All agents

Warden

Security

Security review and hardening, before attackers do it for you.

Security engineer who runs full audits across secrets, dependencies, IAM, injection vectors, XSS, HTTPS config, and rate limiting. Hardens services with auth, input validation, CORS, security headers, and proper secrets management. Builds IAM with least-privilege principles. Runs STRIDE threat modeling to map attack surfaces and trust boundaries before security-sensitive features ship.

Read the field guide: The AI Security Engineer for App Hardening

Install Warden

Warden

Install Warden

1. Add to marketplace

$ claude plugin marketplace add tonone-ai/tonone

2. Install Warden

$ claude plugin install warden@tonone-ai

6 skills included.

Engineering team

Install the Engineering team

1. Add to marketplace

$ claude plugin marketplace add tonone-ai/tonone

2. Install the team

$ claude plugin install engineering-team@tonone-ai

15 agents included.

Full installation guide

6 Skills

Everything Warden can do in your project

WardenSecurity

/warden-audit

Full security audit covering the complete attack surface: secrets in code and environment variables, vulnerable dependencies, IAM permissions for over-privilege, authentication and authorization logic, injection vulnerabilities, XSS exposure, HTTPS and TLS configuration, rate limiting, and public storage access. Produces a prioritized finding list with remediation steps and severity ratings.

Before a production launch with external users. Be
WardenSecurity

/warden-harden

Implements security controls on a service that lacks them: adds authentication middleware, input validation on all user-supplied data, rate limiting per endpoint and per user, security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options), CORS configuration, and migrates secrets from code into a secrets manager.

When a service is being exposed to the public inte
WardenSecurity

/warden-iam

Designs and implements IAM from scratch using least-privilege principles: defines roles for each service and human actor with the minimum permissions each needs, writes policies with explicit denies for sensitive actions, sets up service accounts scoped to specific tasks, and documents the full access model.

When setting up cloud permissions for a new system
WardenSecurity

/warden-recon

Security reconnaissance: inventories secrets management approach, IAM policies and their effective permissions, authentication methods per service, encryption at rest and in transit status, dependency vulnerability scan results, audit logging coverage, and known compliance gaps. Produces a security posture report with risk ranking.

When taking over a system and need to understand i
WardenSecurity

/warden-threat

Threat modeling using the STRIDE framework: identifies attack surfaces by mapping data flows, defines trust boundaries between components, enumerates threat actors and their capabilities, and lists mitigations for each identified threat. Produces a threat model document with residual risk assessment.

Before designing any security-sensitive feature: a
WardenSecurity

/warden-scan

Automated SAST and dependency vulnerability scan: runs Semgrep for code vulnerabilities and pip-audit for CVE-matched dependency issues, then writes a structured JSON report with severity classifications.

When a security scan needs to be run before a rele

See it in action

The same task. Once without Tonone, once with Warden.

Task

Add JWT authentication to our Express API

Without TononeNo specialist
$ claude "Add JWT auth to our Express API"
Here's a JWT implementation:
const SECRET = process.env.JWT_SECRET || 'mysecret';
const token = jwt.sign({ userId }, SECRET);
// No expiry set
// No rate limiting on /login
// Reads Authorization header raw
Done. 3 files modified.
With Warden/warden-threat
$ /warden-threat "Add JWT auth to our Express API"
Threat model: 5 issues before writing code:
✗ Hardcoded fallback secret in source
✗ No exp claim - tokens never expire
✗ No refresh token strategy
✗ Authorization header read without Bearer check
✗ /login has no rate limit - brute-force surface
✓ Hardened implementation via /warden-harden
✓ 15min access tokens + rotating refresh
✓ /login: 5 req/min per IP with lockout

Works alongside

A
Apex

The lead who decides what to build, who builds it, and how deep to go.

6 skills
F
Forge

Cloud infrastructure, done right the first time. No console clicks.

6 skills
R
Relay

Automated deployments and pipelines that get out of your way.

6 skills
Get Started, it's free