Kavach is an open-source Tauri app (Rust + React) that monitors file system changes and creates backups. It's marketed as a 'military-grade firewall' for AI agents, but it's actually a file watcher with a nice UI.

Can Kavach actually intercept rm -rf?

No. Kavach uses the notify crate, which watches file events AFTER they happen. It cannot prevent destructive operations — only detect them and (maybe) restore from backup afterward.

Is Kavach kernel-level?

No. It's a userspace Tauri application. True kernel-level interception requires kernel modules (Windows) or Endpoint Security extensions (macOS). Kavach has neither.

What does Kavach actually do well?

File change monitoring, automatic backups under 50MB, risk classification, and a polished cyberpunk UI. It's useful for seeing what an agent touched and rolling back changes.

What should I use for real AI agent isolation?

Docker Sandboxes, E2B, Firecracker MicroVMs, or NanoClaw with container isolation. These provide actual process/kernel isolation, not just monitoring.

Is Kavach dangerous to use?

Not directly dangerous, but the marketing creates false confidence. If you trust Kavach to 'stop' destructive operations, you're unprotected. Use it as a monitoring/backup tool, not a security boundary.

Kavach Review: What This AI Agent 'Firewall' Actually Does (And Doesn't)

By Prahlad Menon Published 2026-03-17 5 min read

TL;DR: Kavach is marketed as a “military-grade, kernel-level firewall” that intercepts AI agent operations. We read the source code. It’s actually a file system watcher that creates backups AFTER changes happen. Useful for monitoring and rollback — but it cannot prevent destructive operations.

A new tool called Kavach is making the rounds with claims like “intercepts destructive file operations,” “kernel-level filtering,” and “simulated shell that returns fake success codes to agents.”

These claims would be impressive if they were true. We read the source code. They’re not.

What Kavach Claims vs What the Code Shows

Marketing Claim	What the Code Actually Does
”Intercepts destructive file operations”	Uses `notify` crate — watches events AFTER they happen
”Silently redirects to hidden directory”	Copies files to backup AFTER modification
”Simulated Shell intercepts rm -rf”	Not implemented in the codebase
”Network Ghost Mode”	Not implemented in the codebase
”Kernel-level filtering”	Userspace Rust application
”Military-grade”	Marketing term with no technical meaning

How Kavach Actually Works

Looking at lib.rs, here’s the real architecture:

// The core: a file system watcher
let mut watcher = RecommendedWatcher::new(tx, Config::default())
    .map_err(|e| e.to_string())?;
watcher.watch(Path::new(&path), RecursiveMode::Recursive)
    .map_err(|e| e.to_string())?;

Kavach uses the notify crate — a cross-platform file system notification library. This is event-based monitoring, not interception. The watcher receives events AFTER the operating system has already processed them.

When a file is modified:

fn sync_to_quarantine(monitored_base: &str, target_path: &str) {
    if let Some(q_path) = get_quarantined_path(monitored_base, target_path) {
        let target = Path::new(target_path);
        if target.is_file() {
            // ... copies file to quarantine
            let _ = fs::copy(target, &q_path);
        }
    }
}

This copies files to a backup directory. After the change. Not before. Not instead of.

Why This Matters for Security

The difference between monitoring and interception is critical:

Monitoring (what Kavach does):

Agent runs: rm -rf /important/data
OS executes: Files deleted ✓
Kavach sees: "FileDelete" event
Kavach does: Tries to copy (too late, files gone)
Result: Data lost, but you have a log

Interception (what Kavach claims):

Agent runs: rm -rf /important/data
Security layer: Intercepts syscall, blocks execution
Result: Files preserved, agent gets fake "success"

True interception requires kernel-level access:

Windows: File system filter drivers (like those used by antivirus)
macOS: Endpoint Security framework or kernel extensions
Linux: eBPF, LSM hooks, or FUSE

Kavach is a Tauri app. It has none of these.

What Kavach Does Well

To be fair, the tool does have legitimate uses:

✅ File change monitoring — See what an agent touched in real-time

✅ Automatic backups — Files under 50MB are cached before modification

✅ Risk classification — Events tagged as High/Medium/Low risk

✅ Temporal rollback — Restore files from backup cache

✅ Velocity detection — Spots rapid-fire modifications (potential loops)

✅ UI/UX — The cyberpunk “FUI” dashboard is genuinely well-designed

If you understand these limitations, Kavach is a reasonable monitoring tool with a nice interface.

The Problem: False Confidence

The danger isn’t the tool itself — it’s the marketing.

If a developer reads “Kavach intercepts destructive file operations” and deploys AutoGPT thinking they have a safety net, they’re unprotected. When the agent hallucinates rm -rf, Kavach will log it, maybe grab a backup, but the damage is done.

Security tools that overstate capabilities are worse than no tool at all, because they create false confidence.

What Actually Provides Agent Isolation?

If you need real protection from AI agent mishaps:

Tool	Isolation Type	How It Works
Docker Sandboxes	Container + MicroVM	Agent runs in disposable VM, host untouched
E2B	Cloud sandbox	Isolated cloud environment per session
Firecracker	MicroVM	Kernel-level VM isolation in ~125ms
NanoClaw	Docker-based	15-file agent framework + MicroVM isolation
macOS Sandbox	OS-level	`sandbox-exec` with deny-by-default

These provide actual isolation boundaries. An agent inside a Firecracker MicroVM literally cannot touch your host filesystem — it’s a different kernel.

The Verdict

Kavach is: A file monitoring and backup tool with a slick UI.

Kavach is not: A firewall, an interceptor, or kernel-level security.

Use it for: Watching what agents do, rolling back changes, getting alerts.

Don’t use it for: Trusting that destructive operations will be blocked.

The developer clearly put effort into the UI and the monitoring logic. The problem is purely the marketing overclaiming what the tool can do. A file watcher that makes backups is useful. A file watcher marketed as “military-grade kernel-level interception” is misleading.

If the README said “Kavach monitors AI agent file operations and maintains automatic backups for rollback,” that would be accurate and still valuable. The gap between that description and “tactical zero-trust firewall that intercepts syscalls” is the entire problem.

Frequently Asked Questions

Does Kavach actually work?

Yes, as a monitoring tool. It watches file changes, creates backups, and provides a nice dashboard. It does not intercept or prevent operations.

Can any userspace app intercept file operations?

On standard Windows/macOS, no. True interception requires kernel access. Some sandboxing approaches (FUSE, virtualization) can create isolated filesystems, but that’s different from intercepting operations on the real filesystem.

Is the “Simulated Shell” feature real?

We couldn’t find it in the source code. The README claims it “intercepts commands like rm -rf and returns fake success codes,” but the codebase shows a file watcher, not a shell interceptor.

Should I use Kavach?

If you want a monitoring dashboard for AI agent activity with automatic backups — sure, it’s well-built. Just understand it’s detection and recovery, not prevention.

What’s the best way to safely run AI agents?

Container isolation (Docker Sandboxes), MicroVMs (Firecracker, E2B), or dedicated VMs. Keep agents in environments where “rm -rf /” deletes the sandbox, not your system.

Links:

Kavach GitHub
notify crate (what Kavach uses)
NanoClaw + Docker Sandboxes — actual isolation
E2B Sandboxes — cloud agent isolation