the protection surface · seven rules · public citations

What oknek catches.

Every rule we ship in v1 maps to a public CVE or disclosed attack pattern from 2025–2026. Each one references the named vulnerability, the disclosing researcher, the MITRE ATLAS technique, and the OWASP Agentic risk it covers. CISOs can read our coverage before they buy. Legacy endpoint defense ships black-box detections; ours are versioned YAML with receipts.

macro hook In November 2025, Anthropic publicly disclosed the first AI-orchestrated cyber-espionage campaign — a Chinese state-sponsored group used Claude Code to autonomously execute 80–90% of operations against ~30 global targets. The runtime defense layer is no longer hypothetical. Anthropic's disclosure →

at a glance · seven rules · seven receipts

Every rule. Every CVE.

Rule	What it catches	Validating disclosure
R1	subcommand-chain bypass	Adversa Research — CC-643 deny-rule bypass · April 2026
R2	settings.json permission flip	CVE-2025-53773 — GitHub Copilot RCE via prompt-injection settings flip · August 2025
R3	plaintext credential read	Sysdig — "AI coding agents are running on your machines; do you know what they're doing?" · March 2026
R4	MCP URL drift	CVE-2025-54136 "MCPoison" — silent post-approval command swap · August 2025
R5	egress to non-allowlisted domain	CVE-2025-55284 — Claude Code DNS exfil via pre-approved commands · May 2025 (disclosed)
R6	instruction-file indirect prompt injection	arXiv 2509.22040 — "Your AI, My Shell" indirect-injection benchmark · September 2025
R7	behavioral drift score	OWASP Agentic Top 10 — ASI09 Human-Agent Trust Exploitation · December 2025

subcommand-chain bypass

what it is

An attacker (or a poisoned repo) gets the agent to chain a long string of bash subcommands inside one tool call to escape the agent's deny-rule enforcement. Oknek counts the chain depth at the syscall layer and blocks past a configurable threshold (default 8).

the evidence — public disclosures

Adversa Research — CC-643 deny-rule bypass · April 2026
Claude Code deny rules silently disable when a bash command exceeds 50 subcommands.
The Register coverage · April 2026

framework alignment

MITRE ATLAS · AML.T0051 (LLM Prompt Injection) OWASP · ASI05 — Tool Misuse

what we capture

full bash command · subcommand depth · agent identifier · timestamp

settings.json permission flip

what it is

A poisoned repo silently rewrites .claude/settings.json (or .vscode settings, or .cursor/mcp.json) to grant elevated permissions or enable YOLO/auto-approve. Oknek watches the inode, diffs against the last-trusted hash, freezes the agent until the user verifies.

the evidence — public disclosures

CVE-2025-53773 — GitHub Copilot RCE via prompt-injection settings flip · August 2025
Prompt injection writes Copilot settings to enable YOLO mode, achieves RCE.
CVE-2025-54136 "MCPoison" — Cursor persistence after approval · August 2025
Once an MCP server is approved, attacker swaps the command silently — persistent RCE.

framework alignment

MITRE ATLAS · AML.T0018 (Backdoor ML Model) · AML.T0051 OWASP · ASI05 — Tool Misuse · ASI06 — Memory & Context Poisoning

what we capture

old hash · new hash · diff · source process · timestamp

plaintext credential read

what it is

The agent opens ~/.claude.json, ~/.aws/credentials, ~/.ssh/id_rsa, ~/.gemini/, ~/.codex/, or any path matching the credential allowlist. Hooked at the open() syscall via eBPF (Linux ≥5.8) or LD_PRELOAD shim. Default block, configurable allow-and-log.

the evidence — public disclosures

Sysdig — "AI coding agents are running on your machines; do you know what they're doing?" · March 2026
Sysdig confirms the agent config directories (~/.claude/, ~/.gemini/, ~/.codex/) are the new credential targets.

framework alignment

MITRE ATLAS · AML.T0036 (Data from Local System) · AML.T0024 (Exfiltration via Web Service) OWASP · ASI05 — Tool Misuse

what we capture

file path · agent process · read offset and length · timestamp

MCP URL drift

what it is

A poisoned MCP config redirects an agent's tool calls to an attacker-controlled endpoint, or an approved MCP server's command is swapped silently. Oknek baselines the agent's MCP server allowlist at install; any new or changed endpoint is flagged or blocked.

the evidence — public disclosures

CVE-2025-54136 "MCPoison" — silent post-approval command swap · August 2025
CVE-2025-6514 — mcp-remote arbitrary OS command execution (CVSS 9.6) · July 2025
mcp-remote npm package versions 0.0.5–0.1.15 allow arbitrary code exec on connect to a malicious server.

framework alignment

MITRE ATLAS · AML.T0070 (RAG Poisoning) · AML.T0051 OWASP · ASI07 — Insecure Inter-Agent Communication

what we capture

original endpoint list · new endpoint · transport (stdio/http/sse) · agent identifier

egress to non-allowlisted domain

what it is

The agent makes an outbound socket to a destination not in your allowlist — exfiltration, C2 callback, anything you didn't sanction. Default deny with a sensible starter list (Anthropic, OpenAI, GitHub, npm, PyPI).

the evidence — public disclosures

CVE-2025-55284 — Claude Code DNS exfil via pre-approved commands · May 2025 (disclosed)
Indirect prompt injection chains into allowlisted ping/nslookup/dig/host to leak .env contents into hostnames.
CVE-2025-59145 "CamoLeak" — Copilot Chat private-source exfil (CVSS 9.6) · October 2025
Hidden PR comment + GitHub Camo bypass exfiltrates secrets and private source from chat context.

framework alignment

MITRE ATLAS · AML.T0024 (Exfiltration via Web Service) · AML.T0025 (Exfiltration via Cyber Means) OWASP · ASI05 — Tool Misuse

what we capture

destination IP · port · hostname · agent process · timestamp

instruction-file indirect prompt injection

what it is

A repo's CLAUDE.md, AGENT.md, .clinerules, or .cursor/rules hides instructions in white-on-white text, base64 blobs, comment fences, or invisible Unicode. Oknek pre-scans instruction files for known indirect-injection patterns before the agent ingests them. Warn or block.

the evidence — public disclosures

arXiv 2509.22040 — "Your AI, My Shell" indirect-injection benchmark · September 2025
Measured 41–84% attack success rate against Cursor and GitHub Copilot on Claude-4 and Gemini-2.5-pro.
Invariant Labs — Tool Poisoning on MCP · April 2025
MCP tool descriptions are ingested as trusted context; attacker embeds instructions in the description.

framework alignment

MITRE ATLAS · AML.T0051 (LLM Prompt Injection) · AML.T0070 (RAG Poisoning) OWASP · ASI06 — Memory & Context Poisoning

what we capture

file path · matched pattern · line numbers · raw fragment

behavioral drift score

what it is

A 14-day rolling baseline of (tool calls × frequency × scope) per agent. New behavior gets scored against the baseline; anything above threshold alerts. The catch-all that fires when none of R1–R6 do — when an agent's own history is the best signal of when it's gone off the rails.

the evidence — public disclosures

OWASP Agentic Top 10 — ASI09 Human-Agent Trust Exploitation · December 2025
LayerX — ChatGPT Atlas "Tainted Memories" · October 2025
Persistent cross-device memory poisoning via CSRF — the kind of drift only baseline scoring catches.

framework alignment

MITRE ATLAS · AML.T0070 (RAG Poisoning) · AML.T0046 (Spamming AI System with Chaff Data) OWASP · ASI06 — Memory & Context Poisoning · ASI09 — Human-Agent Trust Exploitation

what we capture

baseline summary · drift event details · score · top-N contributing features

a competitor publishes the gap

In their own words.

Falco rules for AI coding agents detect install signatures, unauthorized config-dir access, safety-bypass CLI flags, and out-of-scope sensitive reads. They do not detect prompt injection inside inference, no behavioral profiling, no MCP URL drift, no settings.json semantic analysis, no subcommand-chain analysis.

— Sysdig blog, March 2026 (source) — paraphrased

The closest open-source runtime-security competitor published the gap we sit in. Behavioral profiling, MCP URL drift, settings.json semantic analysis, and subcommand-chain analysis are exactly Oknek's R2, R4, R7 and R1. The lane is real and we are in it.

Ready to see oknek catch one of these on your box?

Request access for a scoped pilot. Full product, every rule, on your own servers, with white-glove onboarding. We will catch whatever your agents try to do that's out of bounds — and you walk away with an audit log of what we saw.

request access → see pricing → read the rule reference →