Oktsec is runtime security monitoring for AI agents. It monitors both MCP tool calls and CLI operations in real-time, scanning every interaction against 268 detection rules across 19 categories. Powered by Aguara v0.14.4 with context-aware scanning and Aho-Corasick pattern matching (confidence penalties for documentation and installation blocks). Features include delegation chains, key rotation, scan profiles, session traces with AI analysis, per-tool egress policies, and an OpenClaw native plugin. Every tool call is logged to a tamper-evident audit trail with SHA-256 hash chain and Ed25519 signatures. Deterministic core with optional LLM verdict escalation. Open source, self-hosted.

How does Oktsec monitor both MCP and CLI?

Oktsec monitors MCP tool calls through its Gateway (a security proxy that sits in front of any MCP server) and CLI operations through hooks (intercepting Read, Write, Bash, Edit, Grep, Glob, Agent, WebFetch, WebSearch, and more). Both channels are monitored simultaneously, with every tool call intercepted before execution (can block) and after (audits the result).

How do I get started with Oktsec?

Run 'oktsec run'. One command auto-discovers your MCP servers across 17 clients, generates secure config, connects Claude Code via hooks and gateway, and starts the monitoring dashboard. From zero to full visibility in 30 seconds.

Does Oktsec use AI or LLMs?

The core pipeline is deterministic with zero LLM - 268 YAML detection rules running at microsecond latency. Powered by Aguara v0.14.4 with context-aware scanning: the scanner accepts tool name context and applies confidence penalties to findings inside documentation and installation blocks, suppressing the most common false positives. Aho-Corasick pattern matching scans all rules in one pass. WASM build available. An optional async LLM layer provides two capabilities: verdict escalation (correlating events over time to escalate agent risk from clean to block, with auto-reversing TTL) and rule generation (auto-generating new detection rules requiring human approval). Budget controls and compatibility with any OpenAI-compatible provider.

What is the audit trail?

Every tool call produces an immutable audit entry: SHA-256 hash chain, Ed25519 proxy signatures, full forensic capability. Each entry captures timestamp, agent identity, tool called, arguments, content hash, pipeline verdict, rules triggered, scan latency, session ID, and delegation chain hash. Session traces reconstruct the full timeline of agent actions with reasoning capture (model chain-of-thought linked to each event). Export sessions to CSV, JSON, or SARIF 2.1.0. Verify chain integrity from the dashboard.

What threats does Oktsec detect?

268 detection rules across 19 categories: prompt injection, data exfiltration, credential leaks, memory poisoning, container escape, supply chain attacks, command execution, MCP attacks, MCP config tampering, SSRF/cloud attacks, unicode/homoglyph attacks, tool call security, inter-agent protocol violations, indirect injection, third-party content, external download, overeager agents, and more. Covers 7 of 10 OWASP Top 10 for Agentic Applications (2026).

Is Oktsec open source?

Yes. Oktsec is open source and self-hosted. Go SDK and Python SDK available. Single binary, zero CGO, cross-platform.

See everything your
AI agents execute.

Name: Oktsec
Brand: Oktsec
Availability: InStock

Real-time monitoring for every tool call. One command to start.

Install Now Star on GitHub

Open source. Self-hosted. No cloud required.

Events (24h)

2,847

Agents

Rules active

268

Pipeline

Healthy

Recent eventsLive

14:23:07agent-07Bash: git statusCLEAN0.8ms

14:23:05agent-03fetch_markdown: internal-api.com/docsCLEAN1.2ms

14:22:58agent-01Read: /etc/passwdFLAG0.4ms

14:22:51agent-05Write: config.yaml (AWS_SECRET)BLOCK0.6ms

14:22:44agent-02search_files: *.envFLAG0.9ms

Works with

Claude Code OpenClaw native NanoClaw Gemini CLI Cursor VS Code Windsurf Ollama Cline Amp Zed 17 clients supported →

The product

What you see in 30 seconds.

Every tool call logged. Every agent mapped. Every threat detected. The dashboard is the product.

Events

Every tool call, logged

Every Read, Write, Bash, API call, and MCP tool execution - captured before and after. Filter by agent, tool, verdict, or time range. 4 verdicts: clean, flag, quarantine, block.

Graph

Agent topology, mapped

See which agents communicate, what tools they use, and where the traffic flows. Identify hubs, producers, and consumers. Real-time threat scoring per agent.

Detection

Threats detected, resolved

268 detection rules across 19 categories: prompt injection, data exfiltration, credential leaks, memory poisoning, container escape, supply chain, MCP attacks, and more. Powered by Aguara v0.14.4 with Aho-Corasick prefilter for single-pass matching. Context-aware scanning penalizes findings in documentation blocks. Zero LLM in the core.

Sessions

Session inventory and AI analysis

Full session inventory with search and threat filtering. Click any session for AI-powered analysis: risk level, what happened, what to do, and human vs. agent interaction flow. Analysis persisted as audit evidence.

Egress

Per-tool egress policies

Restrict which endpoints each tool can reach. WebFetch gets Slack and GitHub, Bash gets zero egress. 16 built-in integration presets: Slack, GitHub, Telegram, Discord, Jira, Linear, Notion, Stripe, OpenAI, Anthropic, and more. Configure from the dashboard.

11 dashboard pages. Real-time via SSE. Overview, Events, Agents, Rules, Audit, Sessions, Graph, Gateway, Discovery, Alerts, Settings.

Quick start

Install

brew install oktsec/tap/oktsec
# or
go install github.com/oktsec/oktsec/cmd/oktsec@latest

Run

oktsec run
# Dashboard opens at
http://localhost:8080/dashboard

OpenClaw native plugin

openclaw plugins install @oktsec/openclawRuns inside OpenClaw natively

How it works

Every tool call. Intercepted before execution.

AI agents don't just use MCP. They execute shell commands, read files, and browse the web. Oktsec monitors both channels simultaneously. Every tool call is intercepted before execution and after.

MCP Gateway

fetch_readablefetch_jsonfetch_htmlfetch_markdownread_filewrite_filesearch_files+ any custom tool

CLI Hooks

HTTP endpoint (POST /hooks/event) intercepts tool calls before execution. Captures agent identity, delegation chains, and model reasoning.

ReadWriteBashEditGlobGrepWebFetchWebSearchAgent

Nobody else monitors both channels.

oktsec

$ oktsec run

oktsec v0.15.2

See everything your AI agents execute

Modeobserve

Agents6

Dashboardhttp://127.0.0.1:8080/dashboard

Access code48291057

Scanned 14 Threats 1 Blocked 1

LIVE FEED Filter: All agents

14:22:07 claude-code clean Bash 13ms

14:22:15 claude-code clean Read 11ms

14:23:02 claude-code clean Write 14ms

14:23:44 cursor flag Read 0.8ms

14:23:51 cursor BLOCK WebFetch 0.4ms

└─ CRED-003 credential exfiltration

Auto-discovers your MCP servers across 17 clients (Claude Desktop, Cursor, VS Code, Windsurf, and more).

Connects Claude Code via hooks and gateway. Wraps other clients via stdio. One process.

Dashboard in 30 seconds. Starts in observe mode. Ed25519 keys generated. Hot-reload via SIGHUP.

Trust

Every action logged. Nothing deleted.

SHA-256 hash chain. Ed25519 signatures. Full forensic capability. Export to CSV, JSON, or SARIF. EU AI Act high-risk AI system requirements take effect August 2, 2026.

268detection rules, zero LLM guessing

10stage pipeline, microsecond latency

7/10OWASP Agentic Top 10 coverage

41posture checks, A-F scoring

Every tool call produces an immutable audit entry. Delegation chains trace authorization from human to sub-agent. Ephemeral keys expire automatically per task. Session traces reconstruct the full timeline with reasoning capture. When your auditor asks "what did this agent do on Tuesday at 3pm?" you have the answer and the full chain of who authorized it.

SHA-256 hash chain with Ed25519 signatures on every audit entry. Tampering breaks the chain. Verify integrity from the dashboard or CLI.
Tamper-evident audit trailinternal/audit/chain.go · verifiable on GitHub

Delegation chains trace authorization from human approval to sub-agent execution. When your auditor asks who authorized a tool call, you have the cryptographic proof.
Cryptographic delegationinternal/identity/ · Ed25519 signed tokens

SARIF 2.1.0 export feeds findings into GitHub Advanced Security, Semgrep, and Snyk. Drop into the security workflows your team already runs.
Works with your stackinternal/auditcheck/sarif.go

Pricing

Open source core.
Enterprise when you scale.

Everything you need to monitor your agents is free. Pay when you need fleet management, RBAC, and compliance packages.

Community

Free forever

Everything you need to monitor your agents.

Full 10-stage security pipeline

268 detection rules

MCP gateway + CLI hooks

11-page real-time dashboard

Immutable audit log + archive/prune

LLM verdict escalation + threat intel (BYOK)

Delegation chains (Ed25519 signed)

Ephemeral task-scoped keys + key rotation

Per-agent gateway caps (concurrency + delegation depth)

Session management + AI analysis

Quarantine AI risk assessment

Per-tool egress policies (16 presets)

OpenClaw native plugin

Scan profiles (tool-scoped sensitivity)

Tool classification (UK AISI taxonomy)

Distributed rate limiting (Redis)

OpenTelemetry tracing (W3C traceparent)

Bubbletea terminal UI

Agent topology graph

Security posture scoring

SARIF export (feeds GitHub Advanced Security, Semgrep, Snyk)

Go SDK + Python SDK (pip install oktsec)

Community support (GitHub)

Install Now

Team

Popular

For production teamsEarly access · Q3 2026

Fleet-wide visibility with roles and escalation.

Everything in Community, plus:

Fleet management (multi-instance dashboard)

Team RBAC (roles + permissions)

Cross-agent analytics

Alert escalation (webhook + email)

Priority support (24h SLA)

Request Early Access

Enterprise

Built for your orgLet's talk

Regulated industries and large-scale deployments.

Everything in Team, plus:

SSO / SAML integration

Custom detection rules

Dedicated onboarding

SLA guarantees

Compliance exports (SOC 2, ISO 27001)

Cross-platform. Open source today, enterprise-ready tomorrow.

57K+skills scanned Aguara Watch

268detection rules Aguara Engine

7registries monitored Aguara Watch

<1msverdict latency Deterministic core

Ship AI agents with confidence.

Open source and ready to install. One command. 30 seconds to first scan.

Install Now Book a Demo

Open source. Self-hosted. One command to start.

See everything yourAI agents execute.