Every tool call. Intercepted before execution.

AI agents don't just use MCP. They execute shell commands, read files, search code, call APIs. Oktsec monitors both channels simultaneously.

MCP Gateway

fetch_readable, fetch_json, fetch_html, read_file, write_file, search_files, fetch_markdown, fetch_txt, + any custom tool

CLI Hooks

Read, Write, Bash, Edit, Glob, Grep, WebFetch, WebSearch, Agent
Nobody else monitors both channels.

Once intercepted, every call hits the detection engine.

217 rules. 16 categories. Zero LLM guessing.

Every rule is a deterministic YAML pattern or a specialized analyzer. No probabilistic classification, no model drift, no prompt sensitivity. The pipeline runs in microseconds.

Prompt injection, Data exfiltration, Credential leak, Supply chain, Command execution, MCP attacks, SSRF/Cloud, Unicode/Homoglyph, Tool call security, MCP tool-call inspection, External downloads, Config security, Third-party content, Inter-agent protocol, NLP semantic analysis
10-stage pipeline runs before every tool call. 4 verdicts: clean, flag, quarantine, block.

The pipeline returns one of four verdicts.

Clean. Flag. Quarantine. Block.

Every tool call gets exactly one verdict. The verdict determines what happens next.

Clean

Deliver normally

No rules triggered. The call proceeds to the backend.

Flag

Deliver + warn

Low-severity match. The call proceeds but appears in the dashboard with a warning.

Quarantine

Hold for review

High-severity match. The call is held until a human approves or rejects it. HTTP 202.

Block

Reject immediately

Critical threat detected. The call never reaches the backend. The agent receives an error.

Verdict escalation is automatic. 3+ blocks from the same agent in 1 hour escalates the next flag to quarantine. No ML required — just pattern counting.

Every verdict is logged. Permanently.

Full audit trail. Signed and hashed.

Every tool call produces an immutable audit entry with SHA-256 hash chain and Ed25519 proxy signatures. Export to CSV, JSON, or SARIF.

audit.log
{
  "timestamp": "2026-03-13T14:37:51Z",
  "from_agent": "agent-05",
  "tool": "Write",
  "arguments": "config.yaml (AWS_SECRET)",
  "content_hash": "sha256:a3f8c1...",
  "verdict": "block",
  "rules_triggered": ["credential-leak-aws-key"],
  "scan_latency": "0.6ms",
  "session_id": "ses_8f2a1b3c"
}

Session traces

Reconstruct the full timeline of any session at /dashboard/sessions/{id}. Vertical timeline with every tool call, verdict, gap duration, and decision. Export per session to CSV, JSON, or SARIF 2.1.0.

Reasoning capture

Model chain-of-thought linked to each tool call via reasoning_log table. SHA-256 hashed. Query by session or event. See exactly what the agent was thinking when it acted.

Integrity

SHA-256 hash chain means any tampering breaks the chain. Ed25519 signatures prove provenance. Delegation chain hash persisted in every entry.
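The integrity properties described above (a SHA-256 hash chain that breaks on tampering, Ed25519 proxy signatures that prove provenance) can be shown end to end in a few dozen lines of Go. This is an added example, not Oktsec's own code: the field names prev_hash, hash and signature, the genesis value and the canonicalisation are assumptions; the other fields come from the audit.log sample above. Each entry's hash commits to the previous entry's hash, the proxy signs every hash, and verification recomputes the whole chain so a modified, deleted or reordered entry is reported at its index.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// genesis is the prev_hash of the first entry: 32 zero bytes (assumption).
var genesis = "sha256:" + hex.EncodeToString(make([]byte, 32))

// AuditEntry carries the audit.log fields shown above plus the chain fields
// this example adds (prev_hash, hash and signature are assumed names).
type AuditEntry struct {
	Timestamp string   `json:"timestamp"`
	FromAgent string   `json:"from_agent"`
	Tool      string   `json:"tool"`
	Arguments string   `json:"arguments"`
	Verdict   string   `json:"verdict"`
	Rules     []string `json:"rules_triggered"`
	PrevHash  string   `json:"prev_hash"`
	Hash      string   `json:"hash,omitempty"`
	Signature string   `json:"signature,omitempty"`
}

// canonical is what gets hashed: every field except hash and signature, in
// fixed struct-field order so a verifier can reproduce the digest.
func canonical(e AuditEntry) []byte {
	e.Hash, e.Signature = "", ""
	b, _ := json.Marshal(e)
	return b
}

// AuditLog is the proxy's append-only chain: each hash commits to the
// previous hash, and the proxy signs every hash with its Ed25519 key.
type AuditLog struct {
	Entries []AuditEntry
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewAuditLog() *AuditLog {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AuditLog{Pub: pub, priv: priv}
}

// Append links the entry to its predecessor, hashes it and signs the hash.
func (l *AuditLog) Append(e AuditEntry) AuditEntry {
	e.PrevHash = genesis
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	sum := sha256.Sum256(canonical(e))
	e.Hash = "sha256:" + hex.EncodeToString(sum[:])
	e.Signature = hex.EncodeToString(ed25519.Sign(l.priv, sum[:]))
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash, checks each link to its predecessor and the
// proxy signature. It returns the index of the first bad entry, or -1 when
// the whole chain is intact.
func Verify(entries []AuditEntry, pub ed25519.PublicKey) (int, error) {
	prev := genesis
	for i, e := range entries {
		if e.PrevHash != prev {
			return i, errors.New("chain link broken: entry deleted or reordered")
		}
		sum := sha256.Sum256(canonical(e))
		if e.Hash != "sha256:"+hex.EncodeToString(sum[:]) {
			return i, errors.New("hash mismatch: entry modified")
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, sum[:], sig) {
			return i, errors.New("bad signature: not produced by this proxy")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	al := NewAuditLog()
	al.Append(AuditEntry{Timestamp: "2026-03-13T14:37:51Z", FromAgent: "agent-05", Tool: "Write", Arguments: "config.yaml (AWS_SECRET)", Verdict: "block", Rules: []string{"credential-leak-aws-key"}})
	al.Append(AuditEntry{Timestamp: "2026-03-13T14:37:52Z", FromAgent: "agent-05", Tool: "Read", Arguments: "README.md", Verdict: "clean"})
	fmt.Println(Verify(al.Entries, al.Pub)) // -1 <nil>
	tampered := append([]AuditEntry(nil), al.Entries...)
	tampered[0].Verdict = "clean" // cover up the block verdict
	fmt.Println(Verify(tampered, al.Pub)) // 0 hash mismatch: entry modified
}
```

Signing the hash rather than the raw record is what keeps the per-entry cost close to the figures quoted further down: the signature covers 32 bytes regardless of argument size, and the hash already binds the full canonical record plus its predecessor. A verifier needs only the proxy's public key and the exported entries.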

Compliance

EU AI Act enforcement begins August 2026. NIST AI RMF requires audit trails for AI systems. Session traces with reasoning capture provide the forensic depth both frameworks demand. SARIF export integrates with existing GRC tooling.

When the rule engine flags something suspicious, the optional LLM layer goes deeper.

Rules are stateless. The LLM sees the sequence.

The 217-rule core evaluates each event in isolation. An async LLM layer correlates events over time, escalating agent risk when cumulative behavior crosses a threshold.

Event stream → 217 Rules (stateless) → LLM correlates → Risk accumulates → Threshold breached → Verdict escalation

Verdict escalation

When cumulative risk exceeds the threshold, future verdicts escalate: clean → flag → quarantine → block. Per-agent, reversible automatically via TTL.

Temporal correlation

An agent does an innocent Read, a normal WebSearch, then a Bash combining both. No single rule catches it. The LLM sees the sequence and escalates.

Rule generation

The LLM can also auto-generate new detection rules from suspicious patterns. Generated rules go to a review queue. Nothing deploys without human approval.

  • The 217-rule deterministic core runs regardless, at microsecond latency, with zero cloud dependency
  • RiskTracker manages escalated agents with Prometheus metrics (escalation_bumped_verdicts, threshold_breaches)
  • Background eviction of expired escalations. Risk threshold and TTL are configurable.
  • Per-hour and per-day LLM spend caps. Works with any OpenAI-compatible provider.
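The two escalation behaviours on this page, the rule-only pattern count (3+ blocks from one agent within 1 hour bumps the next flag to quarantine) and the per-agent escalation that is reversed automatically via TTL, reduce to one small state machine. The Go below is an added example, not Oktsec's RiskTracker; the type and field names, the 30-minute TTL and the one-level bump (clean → flag → quarantine → block) are assumptions made for the example, while the 3-in-1-hour threshold comes from the page.

```go
package main

import (
	"fmt"
	"time"
)

// Verdict levels in escalation order: clean → flag → quarantine → block.
type Verdict int

const (
	Clean Verdict = iota
	Flag
	Quarantine
	Block
)

func (v Verdict) String() string {
	return [...]string{"clean", "flag", "quarantine", "block"}[v]
}

// RiskTracker counts block verdicts per agent inside a sliding window and
// keeps an escalation expiry per agent. Names are this example's own; the
// 3-blocks-in-1-hour threshold is the one the page describes.
type RiskTracker struct {
	Window    time.Duration // how far back blocks are counted
	Threshold int           // blocks within Window that trigger escalation
	TTL       time.Duration // how long an escalation stays active
	blocks    map[string][]time.Time
	escalated map[string]time.Time // agent -> escalation expiry
}

func NewRiskTracker() *RiskTracker {
	return &RiskTracker{
		Window: time.Hour, Threshold: 3, TTL: 30 * time.Minute, // TTL is an assumed value
		blocks:    map[string][]time.Time{},
		escalated: map[string]time.Time{},
	}
}

// Record takes the rule engine's verdict for one tool call at time now and
// returns the final verdict. Blocks are counted; while an escalation is
// active every non-block verdict is bumped one level.
func (r *RiskTracker) Record(agent string, v Verdict, now time.Time) Verdict {
	// Drop blocks that fell out of the window: plain pattern counting, no ML.
	kept := r.blocks[agent][:0]
	for _, at := range r.blocks[agent] {
		if now.Sub(at) < r.Window {
			kept = append(kept, at)
		}
	}
	r.blocks[agent] = kept

	if v == Block {
		r.blocks[agent] = append(r.blocks[agent], now)
		if len(r.blocks[agent]) >= r.Threshold {
			r.escalated[agent] = now.Add(r.TTL)
		}
		return Block
	}
	if r.Escalated(agent, now) {
		return v + 1
	}
	return v
}

// Escalated reports whether the agent is under an active escalation and
// evicts an expired one on the way (the page describes a background loop
// doing this eviction; here it happens lazily).
func (r *RiskTracker) Escalated(agent string, now time.Time) bool {
	exp, ok := r.escalated[agent]
	if !ok {
		return false
	}
	if now.After(exp) {
		delete(r.escalated, agent)
		return false
	}
	return true
}

func main() {
	rt := NewRiskTracker()
	t0 := time.Date(2026, 3, 13, 14, 0, 0, 0, time.UTC) // constructed timeline
	for i, v := range []Verdict{Flag, Block, Block, Flag, Block, Flag, Clean} {
		now := t0.Add(time.Duration(i) * time.Minute)
		fmt.Printf("%s rule=%-10s final=%s\n", now.Format("15:04"), v, rt.Record("agent-05", v, now))
	}
}
```

Because escalation state is keyed by agent and carries its own expiry, one noisy agent cannot raise the verdicts of the rest of the fleet, and the escalation unwinds by itself once the TTL passes; a fourth block inside the window simply re-arms it.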

Rules decide what happens. Access control decides who can try.

Zero-trust agent identity.

Every agent gets an Ed25519 keypair. Delegation chains trace authorization from human to any sub-agent. Ephemeral keys limit blast radius per task. No shared secrets, no bearer tokens, no trust-by-default.

Delegation chains

Ed25519-signed tokens create a verifiable path from human to sub-agent. Each hop narrows scope. ChainDepth tracks authorization lineage. Delegation uses the oktsec delegate CLI and the X-Oktsec-Delegation header.

Ephemeral keys

Task-scoped Ed25519 keypairs that auto-expire. In-memory only, never persisted to disk. MaxPerTask and MaxTTL caps. 30s eviction loop. A compromised key therefore has a limited blast radius.

Ed25519 keypairs

Per-agent cryptographic identity. Every request is signed and verified.

Per-agent ACL

Define which tools each agent can access. Deny by default, allow explicitly.

Tool allowlists

Restrict agents to specific MCP tools. Block filesystem, network, or shell access per agent.

Spending limits

Per-agent and global budget caps for LLM threat intel. Prevents runaway API costs.

Rate limits

Per-agent request throttling. Prevents denial of service from compromised agents.

Approval thresholds

High-severity actions require human approval. Configurable per verdict level.

Agent suspension is instant. One command revokes an agent's keypair and blocks all further tool calls. Delegation chains are invalidated transitively: revoking a parent invalidates all downstream tokens.
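The delegation-chain properties described in this section (a signed path from human to sub-agent, scope that only narrows per hop, ChainDepth, and transitive invalidation when a parent is revoked) can be demonstrated with a chain verifier. The Go below is an added example, not Oktsec's token format: the Hop layout, the JSON signing body and the revocation set keyed by public key are assumptions. Verification walks from the human's root grant to the leaf and checks every hop, so revoking any key on the path fails every token below it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Hop is one signed link: the issuer grants the subject a tool scope. The
// issuer signs every field except Signature. Layout is this example's own.
type Hop struct {
	IssuerPub  []byte   `json:"issuer_pub"`
	SubjectPub []byte   `json:"subject_pub"`
	Tools      []string `json:"tools"` // must be a subset of the parent hop's scope
	Depth      int      `json:"depth"` // 0 for the human's root grant (ChainDepth)
	Signature  []byte   `json:"sig,omitempty"`
}

// signingBody is the canonical byte string covered by the signature.
func signingBody(h Hop) []byte {
	h.Signature = nil
	b, _ := json.Marshal(h)
	return b
}

// Delegate issues a hop from the holder of issuerPriv to subjectPub. Tool
// names are sorted so the signed body is stable.
func Delegate(issuerPriv ed25519.PrivateKey, subjectPub ed25519.PublicKey, tools []string, depth int) Hop {
	sorted := append([]string(nil), tools...)
	sort.Strings(sorted)
	h := Hop{
		IssuerPub:  issuerPriv.Public().(ed25519.PublicKey),
		SubjectPub: subjectPub,
		Tools:      sorted,
		Depth:      depth,
	}
	h.Signature = ed25519.Sign(issuerPriv, signingBody(h))
	return h
}

// VerifyChain walks from the human's root grant to the leaf. Per hop it
// checks that the issuer is the trusted human (hop 0) or the previous hop's
// subject, that depth increments and stays within maxDepth, that the
// signature verifies under the issuer's key, that the scope only narrows,
// and that neither party is revoked. It returns the leaf's effective scope.
func VerifyChain(chain []Hop, humanPub ed25519.PublicKey, revoked map[string]bool, maxDepth int) ([]string, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	expectedIssuer := []byte(humanPub)
	var parentScope map[string]bool // nil: the root grant is unrestricted
	for i, h := range chain {
		if !bytes.Equal(h.IssuerPub, expectedIssuer) {
			return nil, fmt.Errorf("hop %d: issuer is not the previous subject", i)
		}
		if h.Depth != i || h.Depth > maxDepth {
			return nil, fmt.Errorf("hop %d: bad depth %d", i, h.Depth)
		}
		if revoked[string(h.IssuerPub)] || revoked[string(h.SubjectPub)] {
			return nil, fmt.Errorf("hop %d: key revoked, downstream grants invalid", i)
		}
		if !ed25519.Verify(ed25519.PublicKey(h.IssuerPub), signingBody(h), h.Signature) {
			return nil, fmt.Errorf("hop %d: bad signature", i)
		}
		scope := map[string]bool{}
		for _, tool := range h.Tools {
			if parentScope != nil && !parentScope[tool] {
				return nil, fmt.Errorf("hop %d: tool %q exceeds parent scope", i, tool)
			}
			scope[tool] = true
		}
		parentScope = scope
		expectedIssuer = h.SubjectPub
	}
	return chain[len(chain)-1].Tools, nil
}

func main() {
	humanPub, humanPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, _, _ := ed25519.GenerateKey(rand.Reader)
	root := Delegate(humanPriv, aPub, []string{"Read", "Grep", "Bash"}, 0)
	sub := Delegate(aPriv, bPub, []string{"Read", "Grep"}, 1)
	fmt.Println(VerifyChain([]Hop{root, sub}, humanPub, map[string]bool{}, 4))
	// Revoking agent A's key transitively invalidates B's token.
	fmt.Println(VerifyChain([]Hop{root, sub}, humanPub, map[string]bool{string(aPub): true}, 4))
}
```

The scope check is what makes "each hop narrows scope" enforceable rather than advisory: a sub-agent cannot mint itself a token for Write when its parent only held Read and Grep, even though it holds a valid signing key, because the verifier compares every hop against the one above it.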

How do you know your deployment is secure?

One command. Full deployment audit.

The oktsec audit command evaluates your agent infrastructure against 41 deployment checks and returns a letter grade with actionable findings.

$ oktsec audit
Security Posture: B (78/100)

CRITICAL  MCP server "filesystem" has no ACL restrictions
HIGH      Audit log rotation not configured
HIGH      No webhook alerts configured for block verdicts
PASS      Ed25519 keypair configured for all agents
PASS      Hash chain integrity verified (1,247 entries)
PASS      Detection rules up to date (217/217)
PASS      Gateway TLS enabled
PASS      Rate limits configured
... 33 more checks passed

Run 'oktsec audit --fix' to auto-remediate 2 findings.

Right rules for the right tools.

Not every tool call needs every rule. Scan profiles eliminate false positives by matching rule sensitivity to tool type. Monitor everything from the terminal or the browser.

Strict profile

All 217 rules applied. For high-risk tools like Bash and shell execution. Maximum coverage, zero compromise.

Content-aware profile

Only critical rules for content tools (Read, Write, Edit). An Edit writing HTML won't trigger shell injection rules. Default for auto-registered agents.

Minimal profile

Bare minimum rule set. For trusted internal tools where noise reduction matters more than coverage.

Tool-scoped overrides

Per-rule apply_to_tools and exempt_tools fields. TC-005 (shell injection) scoped to Bash by default. Full control per rule per tool.
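How a scan profile and the per-rule apply_to_tools / exempt_tools overrides combine into the rule set that actually runs for one tool call is easiest to see as a small selection function. The Go below is an added example, not Oktsec's scanner: the Rule struct, the severity levels and the exact meaning of the Minimal profile are assumptions; TC-005 scoped to Bash and the credential-leak-aws-key identifier come from this page, the other two sample rules are invented.

```go
package main

import "fmt"

// Rule is the part of a detection rule that matters for scoping. ApplyToTools
// and ExemptTools mirror the page's apply_to_tools and exempt_tools; the
// severity values are this example's assumption.
type Rule struct {
	ID           string
	Severity     string   // "critical", "high", "medium" or "low"
	ApplyToTools []string // empty means the rule applies to every tool
	ExemptTools  []string // tools the rule never runs against
}

// Profile selects how much of the rule set a tool call is scanned with.
type Profile int

const (
	Strict       Profile = iota // every in-scope rule (Bash, shell execution)
	ContentAware                // critical rules only (Read, Write, Edit)
	Minimal                     // assumption: critical rules that name the tool
)

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// InScope applies the per-rule overrides, which win over any profile: an
// exempt tool is never scanned by the rule, and a non-empty apply_to_tools
// list restricts the rule to exactly those tools.
func (r Rule) InScope(tool string) bool {
	if contains(r.ExemptTools, tool) {
		return false
	}
	return len(r.ApplyToTools) == 0 || contains(r.ApplyToTools, tool)
}

// RulesFor returns the rules that run for one call of tool under profile p.
func RulesFor(rules []Rule, p Profile, tool string) []Rule {
	var out []Rule
	for _, r := range rules {
		if !r.InScope(tool) {
			continue
		}
		switch p {
		case ContentAware:
			if r.Severity != "critical" {
				continue
			}
		case Minimal:
			if r.Severity != "critical" || len(r.ApplyToTools) == 0 {
				continue
			}
		}
		out = append(out, r)
	}
	return out
}

// IDs flattens a rule list to its identifiers.
func IDs(rules []Rule) []string {
	ids := make([]string, 0, len(rules))
	for _, r := range rules {
		ids = append(ids, r.ID)
	}
	return ids
}

// SampleRules is a constructed rule set: TC-005 scoped to Bash and
// credential-leak-aws-key are from the page, the other two are invented.
var SampleRules = []Rule{
	{ID: "TC-005", Severity: "critical", ApplyToTools: []string{"Bash"}},
	{ID: "credential-leak-aws-key", Severity: "critical"},
	{ID: "prompt-injection-generic", Severity: "high"},
	{ID: "html-script-tag", Severity: "medium", ExemptTools: []string{"Edit", "Write"}},
}

func main() {
	for _, c := range []struct {
		p    Profile
		tool string
	}{{Strict, "Bash"}, {Strict, "Edit"}, {ContentAware, "Edit"}, {Minimal, "Bash"}} {
		fmt.Printf("profile=%d tool=%-4s rules=%v\n", c.p, c.tool, IDs(RulesFor(SampleRules, c.p, c.tool)))
	}
}
```

The point of applying the tool overrides before the profile filter is that an exemption is absolute: an Edit writing HTML never meets the shell-injection rule no matter which profile the agent was registered with, which is where the false-positive reduction comes from.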

Monitor without leaving the terminal.

A Bubbletea-powered TUI gives you real-time monitoring where you already work. Live event feed, agent filtering, threat counters. No browser required.

Live feed

Real-time event stream from the audit hub. Scroll, pause, resume, expand event details. Alt-screen mode keeps your terminal clean.

Agent filtering

Filter the live feed by agent. Focus on one agent's activity without the noise from the rest of the fleet.

Status bar

Always-visible counters: events scanned, threats detected, events blocked, active agents. GitHub Dark color palette.

Built for production.

Performance benchmarks and deployment options for teams running agents at scale.

5,500 msg/sec

Throughput

Messages processed per second through the full 10-stage pipeline

90,000/sec

Batch writes

Audit log batch write throughput to SQLite

~50µs

Signature sign

Ed25519 signature generation per audit entry

~120µs

Signature verify

Ed25519 signature verification per entry

<6ms

Query latency

Dashboard queries at 1M+ rows in the audit database

Single binary

Deployment

Zero CGO, zero runtime dependencies, cross-platform Go binary

Deployment modes

Oktsec adapts to your infrastructure. Run it as a turnkey solution, a gateway, a proxy, or integrate it into your existing MCP setup.

Mode | Command | Description
Turnkey | oktsec run | Auto-discovers MCP servers, generates config, starts gateway + dashboard + hooks. Zero to full visibility in 30 seconds.
Gateway | oktsec gateway | Standalone MCP security proxy. Sits in front of any MCP server and intercepts all tool calls.
Proxy | oktsec serve | HTTP reverse proxy mode. Forward traffic through Oktsec for inspection and logging.
Stdio | oktsec proxy | Stdio transport proxy for MCP servers that use stdin/stdout communication.
MCP Server | oktsec mcp | Run Oktsec itself as an MCP server. Query the audit trail, check security posture, manage rules from any MCP client.
Audit | oktsec audit | Offline security posture assessment. 41 checks, letter grade, auto-remediation suggestions.

See everything your agents execute.

One command. 30 seconds to full visibility.

Install Now