Your AI coding assistant is quietly shipping your company's secrets to the cloud

You opened a file to ask Copilot a quick question. It had an API key hardcoded near the top — you've been meaning to move it to an env var. You hit tab, got your answer, moved on.

That key just left the building.

Not in a scary "you got hacked" way. In the most ordinary way possible: it rode along in the request your editor sent to an AI provider, the same way the rest of your file did. Nobody broke in. The tool worked exactly as designed. The key just went where you didn't think about it going.

This happens constantly, and almost nobody notices, because the tools are so good that we've stopped thinking about them as network calls at all.

We forgot these tools talk to the internet

A few years ago, sending your source code to a third party would have triggered a meeting. Now it happens thousands of times a day, per developer, and it feels like nothing — because the round trip is invisible and the payoff is instant.

But every autocomplete, every "explain this function," every "refactor this for me" is your code (and whatever happens to be sitting in it) leaving your machine:

  • The customer email in the test fixture you pasted in.
  • The connection string in the config file you had open in the next tab.
  • The private key someone checked in two years ago that's still sitting in the repo.
  • The internal customer record you were debugging against.

None of that is meant to go anywhere. It just comes along for the ride, because the tool sends the context, and you can't easily see what "the context" contains in the moment.

"But they promise not to train on my data"

Maybe. A lot of providers offer that, and a lot of them mean it.

But "we won't train on it" is not the same as "it never left your control." Your data still travelled across the internet, sat in someone else's logs and systems for some retention window, and is now governed by their security instead of yours. If you work somewhere with real compliance obligations — handling health data, payment data, anything covered by GDPR — "a vendor said they'd be careful" is not an answer you can give an auditor.

And here's the part that actually keeps people up at night: you have no idea how often it's happening. Which developers, which tools, which data. There's no log. There's no number. There's just a quiet, constant trickle you can't see.

That's the real problem. Not that AI tools are dangerous — they're enormously useful, nobody's giving them up — but that we adopted them faster than we built any way to see what they're carrying out the door.

The fix shouldn't be "stop using the tools"

The instinct at a lot of companies is to ban them, or lock them behind so much process that people quietly go around the rules. That's the worst outcome: you lose the productivity and you lose visibility, because now it's happening on personal accounts where you definitely can't see it.

The better idea is boring and old: put something in the middle that checks what's leaving.

We've done this forever with other kinds of traffic. The thing that was missing was something built specifically for how AI coding tools work — fast enough to sit in the hot path of autocomplete, smart enough to catch a secret it's never seen before, and quiet enough that developers forget it's there.

That's what we've been building with Redactr.

What it actually does

The idea is simple to say: Redactr sits between your AI tools and the AI provider, and scrubs the sensitive stuff out of each request before it leaves.

When your editor or terminal sends a request off to Claude, Copilot, or ChatGPT, Redactr catches it on the way out, looks through it, and replaces the things that shouldn't be there — keys, tokens, emails, customer records — before forwarding it on. The AI still gets the code it needs to help you. It just doesn't get the email address that was sitting three lines away.

A few things we cared about while building it:

It catches more than a list of patterns. Some secrets look like secrets — an email, a credit card number, an SSN — and you can match those directly. But the dangerous ones often don't. A fresh API key is just a random-looking string the world has never seen before. So detection is layered: the free, open-source edition does pattern matching plus an entropy check that flags strings too random to be ordinary text. The paid tier adds a context-aware ML model that recognises things like names and addresses by how they're used. The layers cover each other's blind spots.

It runs your AI tools in a sealed box. Catching the traffic only helps if the traffic actually goes through you. So Redactr can launch your AI agents inside a locked-down container that can only talk to the outside world through Redactr — nothing sneaks out a side door, and a sketchy dependency can't reach the rest of your machine.

It gives the security team a way to see, without spying on devs. For teams, there's a control plane that answers the questions nobody could answer before: how many machines are protected right now, what kinds of sensitive data are getting caught, is anyone running a tool outside the protection. Crucially, it does this on metadata only — the server sees "an AWS key was redacted on this machine," never your actual code, traffic, or the redacted values themselves. You get oversight without building a surveillance system your own developers will resent.
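To make the two free-tier layers and the metadata-only reporting concrete, here is an added illustration in Python. It is not Redactr's code: the tiny rule set, the 32-character minimum and the 4.5-bit entropy threshold are this example's own assumptions, and the sample request body is constructed (the AWS key in it is the example value from AWS's documentation). It shows a regex layer for values that look like secrets, a Shannon-entropy layer for the random ones that don't, and a result that carries only counts per finding type, never the values.

```python
import math
import re
from collections import Counter

# Layer 1: fixed patterns for values that "look like secrets". A constructed,
# deliberately tiny rule set for illustration, not Redactr's own rules.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Layer 2: entropy, for the fresh key "the world has never seen before".
# Assumed thresholds (this example's choice): tokens of 32+ chars whose
# Shannon entropy is >= 4.5 bits per character are flagged.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-/+=]{32,}")
ENTROPY_THRESHOLD = 4.5

def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated symbol, log2(k) for k distinct."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(text: str) -> tuple[str, dict[str, int]]:
    """Scrub a request body before it leaves. Returns the redacted text and a
    count per finding type; the counts are all a metadata-only control plane
    would receive, the values never are."""
    found: Counter = Counter()
    for kind, rx in PATTERNS.items():
        text, n = rx.subn(f"[REDACTED:{kind}]", text)
        if n:
            found[kind] += n

    def maybe_redact_token(m: re.Match) -> str:
        tok = m.group(0)
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found["high_entropy"] += 1
            return "[REDACTED:high_entropy]"
        return tok  # long but predictable, e.g. a SHOUTY_CONSTANT_NAME

    return TOKEN_RE.sub(maybe_redact_token, text), dict(found)

# Constructed sample request body. The AWS key is the example value from AWS's
# documentation; the API token is a made-up string of 36 distinct characters.
SAMPLE_REQUEST = """\
ADMIN_EMAIL = "ops@example.com"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
API_TOKEN = "Q7w2E9r4T1y6U0i8O3p5KzSxDcFvGbHnJmLa"
MAX_RETRY_COUNT_FOR_BACKGROUND_SYNC_JOBS = 5
def greet(name): return "Hello, " + name
"""
```

Running redact(SAMPLE_REQUEST) scrubs the email, the AWS key and the random token while leaving the code and the long-but-predictable constant name alone; the returned counts are the only thing a fleet dashboard would ever need to be told.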

It stays out of the way. The whole thing is designed so that, day to day, a developer just sees a little green indicator and keeps working. redactr run claude and you're protected. The moment it gets annoying is the moment people turn it off, so it tries hard not to be.

An honest word on "how well does it catch things"

We've tested the paid detection against public datasets of fake-but-realistic sensitive data, and it catches the large majority of the common cases: almost all of the patterns it's tuned for, and most of the messier real-world ones.

But I want to be straight with you, because this is security and overselling it would be worse than useless: no tool catches everything. Detection always involves a trade-off — lean too aggressive and you'll redact things that didn't need it and annoy people; lean too cautious and something slips through. We tune toward catching the things that actually hurt — credentials, keys, customer data — and we keep the rules updatable so the protection improves over time.

Anyone who tells you their scanner is 100% is selling you something. Redactr is a very good seatbelt. It is not a force field. The point isn't perfection — it's turning an invisible, unmeasured trickle into something you can see, control, and steadily tighten.

Where this is going

We think every team using AI coding tools is going to need a layer like this, the same way every team eventually needed a firewall and a secrets manager. Right now most companies are in the "we know it's a problem but we're hoping it's fine" phase. It's a good time to stop hoping.

Redactr is in active development. The free, open-source edition is one command to install — and if your team needs the deeper detection, agent sandboxing and a fleet control plane, we'd love to show you what it looks like in practice.

If you've got opinions on where the detection should be more or less aggressive, I genuinely want to hear them — that tuning is the whole game.

Stop hoping it's fine.

Install the free edition in one command, or talk to us about protecting a whole team.