a daemon · runtime defense · linux

OKNEK.

Every AI agent on your host is a student. Dean is the AI we built to watch them. A daemon that hooks Claude Code, Cursor, Cline, Continue, Aider, and any MCP server — baselines their behavior, intervenes the moment they drift.

v1 live · runtime defense for production AI

the runtime defense layer · not retrofitted EDR

Three things that make oknek different.


Single binary. Single rule format. Auditable.

One static Go binary on every host. YAML rules with citations to the CVE they cover — auditable, not a black box. Legacy endpoint defense is opaque.


Built for AI agents from commit 1.

The threat model is AI-agent-native: prompt injection acting on the host, MCP URL drift, tool-use credential theft, settings.json permission flips, CLAUDE.md indirect injection. Not bolted onto a 2013 EDR stack.


Detection rules ship in 24 hours.

When Anthropic, Cursor, or any AI vendor discloses a new attack pattern, the oknek rule is in main within a day. Contractual SLA at Pro tier and above. The traditional EDR signature cycle is 30–90 days.

01 · agent action execve · open · socket · …
02 · kernel hook eBPF · LD_PRELOAD fallback
03 · rule engine R1–R7 · YAML · hot-reload
04 · evidence signed JSONL + SQLite
05 · verdict allow · warn · block

Five stages, ~3 ms end-to-end on a fresh Ubuntu 24.04 box. The verdict lands before execve() returns.

the protection surface · 7 rules

What oknek catches.

Every rule maps to a public, citable threat — most of them documented by Anthropic itself. Each ships in v1, signed and versioned. New rules within 24h of any new disclosure.

  1. R1

    subcommand-chain bypass

    An untrusted repo triggers Claude Code to chain 50+ bash subcommands inside one tool call, slipping past deny-rule enforcement. We count chain depth at the syscall layer and block past a configurable threshold.

    evidence: full bash command · subcommand depth · agent identifier · timestamp

  2. R2

    settings.json permission flip

    A repo silently rewrites .claude/settings.json to grant elevated permissions. We watch the inode, diff against the last-trusted hash, and freeze the agent until the user verifies the change.

    evidence: old hash · new hash · diff · source process

  3. R3

    plaintext credential read

    Agent opens ~/.claude.json, ~/.aws/credentials, ~/.ssh/id_rsa, or any path matching the configured credential-path list. Hooked at the open() syscall via eBPF or the LD_PRELOAD shim. Default block, configurable allow-and-log.

    evidence: file path · agent process · read offset and length

  4. R4

    MCP URL drift

    A poisoned MCP config redirects an agent's tool calls to an attacker-controlled endpoint. We baseline the agent's MCP server allowlist at install; any new endpoint is flagged or blocked.

    evidence: original endpoint list · new endpoint · transport · agent identifier

  5. R5

    egress to non-allowlisted domain

    Agent opens an outbound socket to a destination not in your allowlist: exfiltration, C2 callback, anything you didn't sanction. Default deny with a sensible starter list (Anthropic, OpenAI, GitHub, npm, PyPI).

    evidence: destination IP · port · hostname · agent process

  6. R6

    instruction-file indirect prompt injection

    A repo's CLAUDE.md, AGENT.md, .cursor/rules, .clinerules, or .aider.conf.yml hides instructions in white-on-white text, base64 blobs, or comment fences. We pre-scan instruction files for known indirect-injection patterns across every major AI coding agent. Warn or block.

    evidence: file path · matched pattern · line numbers

  7. R7

    behavioral drift score

    A 14-day rolling baseline of (tool calls × frequency × scope) per agent. New behavior gets scored against the baseline — anything above threshold alerts. The catch-all that fires when none of R1–R6 do.

    evidence: baseline summary · drift event details · score

live event stream · sample

Watch a 50-subcommand bypass die in 3 ms.

Real output from oknek logs --tail on a self-test box. The agent attempts a chained curl | base64 -d | sh escape; oknek snaps the chain at depth 12, suspends the process, and writes structured evidence to disk before the syscall returns.

$ oknek logs --tail
2026-05-10T17:42:11Z info  agent.spawn         pid=4421 binary=claude argv=["claude","--dangerously-skip-permissions"]
2026-05-10T17:42:11Z info  baseline.match      agent=claude-code-7f3a profile=interactive matched=12/14 features
2026-05-10T17:42:13Z info  exec.observed       pid=4421 cmd="git status"  depth=1  verdict=allow
2026-05-10T17:42:18Z info  exec.observed       pid=4421 cmd="ls -la ~/"   depth=1  verdict=allow
2026-05-10T17:43:01Z warn  exec.suspicious     pid=4421 chain.depth=11 (threshold=8) cmd-fragment="curl ... | base64 -d | sh"
2026-05-10T17:43:02Z BLOCK rule=R1 subcommand_chain depth=12 agent=claude-code-7f3a
                              chain: env → curl → bash -c → eval → base64 -d → sh -c → ssh-add → cat → nc → jq → tee → ;
                              process suspended · awaiting verdict · `oknek allow 4421` or `oknek deny 4421`
                              evidence written /var/lib/oknek/events/2026-05-10/e_47fb91.json (1.2 KiB, sha256:c4f0…)
2026-05-10T17:43:04Z info  oknek.notify        slack#sec-alerts ✓ · email [email protected]

The block decision was made before execve() returned. The agent never saw the credential file. There was no shell to exfiltrate from. — captured 2026-05-10 from a self-test on a fresh Ubuntu 24.04 VPS.
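A constructed illustration of the depth counting behind R1 and of the allow/warn/block verdicts seen in the log above, written for this page in Go; it is not oknek's code, and the operator set, the quote handling and the thresholds of 8 (warn) and 12 (block) are assumptions, not the product's configuration.

```go
package main

// Verdict mirrors pipeline stage 05: allow, warn or block.
type Verdict string
const Allow, Warn, Block Verdict = "allow", "warn", "block"

// ChainRule carries the two depth thresholds an R1-style rule is assumed to have.
type ChainRule struct{ WarnDepth, BlockDepth int }

// ChainDepth counts the commands one bash string chains together: one plus the
// number of control operators (| ; & && ||) plus one per $( ) substitution.
// Operators inside quotes and the '&' of a redirection like 2>&1 are skipped.
func ChainDepth(cmd string) int {
	depth := 1
	var quote byte
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case quote != 0: // inside a quoted string: only look for its end
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == '&' && i > 0 && (cmd[i-1] == '>' || cmd[i-1] == '<'):
			// fd redirection, not a chain operator
		case c == '|' || c == ';' || c == '&':
			if i+1 < len(cmd) && cmd[i+1] == c {
				i++ // "||" and "&&" count once
			}
			depth++
		case c == '$' && i+1 < len(cmd) && cmd[i+1] == '(':
			depth++
		}
	}
	return depth
}

// Evaluate returns the verdict plus the measured depth (the evidence an R1 event records).
func (r ChainRule) Evaluate(cmd string) (Verdict, int) {
	d := ChainDepth(cmd)
	switch {
	case d >= r.BlockDepth:
		return Block, d
	case d >= r.WarnDepth:
		return Warn, d
	}
	return Allow, d
}
```

A real hook would see the command at the syscall layer rather than as a string, but the threshold logic is the same: depth is recorded as evidence whatever the verdict.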

premium · proprietary · per server · per month

Premium runtime defense. Priced per server.

Built for production AI workloads. Paid tiers from $99/server/month unlock hourly rule updates, alerts, multi-server roll-up, forensic replay, and SLAs. Proprietary engine, auditable rule definitions — not a black box. Full feature matrix →

pilot

Request · scoped to your fleet

  • white-glove onboarding
  • oknekd daemon + oknek CLI
  • complete rule pack (R1 – R7)
  • hourly rule updates
  • all alerts + dashboard
  • volume + annual pricing on a call
request access →

pro

$99 · per server · per month

  • complete rule pack (R1 – R7)
  • hourly rule updates
  • slack · discord · email alerts
  • web dashboard · event timeline
  • 24h SLA on disclosed CVEs
get pro →

business

$349 · per server · per month

  • everything in pro
  • multi-server roll-up
  • custom rule authoring
  • forensic replay
  • threat intel feed
  • priority support
get business →

enterprise

$999 · per server · per month

  • everything in business
  • sso · scim provisioning
  • soc 2 evidence room
  • air-gapped deploy
  • 24/7 incident response
  • dedicated CSM
talk to us →

above enterprise · custom annual contracts · regulated workloads · co-engineered detection rules — write to [email protected].

three converging signals

Why this category, why now.

01

Anthropic itself shipped the threat model.

50-subcommand bypass. Plaintext OAuth tokens in ~/.claude.json. .claude/settings.json permission injection. CLAUDE.md indirect prompt. All publicly disclosed. All reproducible. None addressed by any existing security tool.

02

Code scanners check what you wrote. Network monitors check what leaves. Nobody is watching what the agent does between them.

Runtime endpoint defense for AI agents is a category that does not yet exist. Code scanners own dev-time. Network anomaly tools own the wire. Cloud-posture platforms own configuration. The agent's runtime, between the model and the kernel, is an open lane.

03

The buyer is reachable.

Indie devs running Claude Code on a VPS are searching for "how do I secure my agent" right now. They have no good answer. Hacker News, r/ClaudeAI, r/LocalLLaMA, X reach them in one post. No enterprise sales motion required to get to the first 100 paying customers.

request access

Tell us your stack.
We'll scope a pilot.
Then oknek watches production.

oknek is a paid, proprietary product for teams running AI agents in production. Drop your email and we'll reach out to scope a pilot and price it to your fleet. We will not sell your email or sign you up for anything else.

we will be there within the hour. no tracking. no list rentals. no spam.