Oktsec¶
Security layer for AI agent communication¶
Identity verification, content scanning, and audit trail for multi-agent systems.
No LLM. Single binary. Deterministic.
175 detection rules · Ed25519 identity · Real-time dashboard · Single binary
The problem¶
AI agents talk to each other — they call MCP tools, relay instructions, and share data across trust boundaries. Without guardrails:
- Agent A tells Agent B to ignore its system prompt and exfiltrate data
- A compromised MCP server injects tool descriptions that hijack agent behavior
- Credentials leak in agent-to-agent messages without anyone noticing
- There's no audit trail of what agents said to each other
Oktsec sits between agents and catches these threats deterministically — no LLM, no guessing, no hallucinations.
How it works¶
Every message passes through 9 security checks, cheapest to most expensive. If any check fails, the message is rejected immediately.
flowchart LR
A[Agent A] -->|message| P[Oktsec Proxy]
P --> R1[Rate Limiter]
R1 --> R2[Ed25519<br>Identity]
R2 --> R3[ACL Policy]
R3 --> R4[Aguara Engine<br>175 rules]
R4 --> V{Verdict}
V -->|clean| B[Agent B]
V -->|block| X[Rejected]
V -->|quarantine| Q[Human Review]
P -->|log| L[(Audit Log)]| Step | Check | Latency | What it does |
|---|---|---|---|
| 1 | Rate limit | ~1ns | Sliding window per agent |
| 2 | Identity | ~120us | Ed25519 signature verification |
| 3 | Suspension | — | Is the agent suspended? |
| 4 | ACL | — | Can sender message recipient? |
| 5 | Content scan | ~8ms | 175 rules via Aguara engine |
| 6 | Blocked content | — | Per-agent category enforcement |
| 7 | Split injection | — | Multi-message concatenated scan |
| 8 | History escalation | — | 3+ blocks in 1h → auto-escalate |
| 9 | Audit log | — | Full context logged to SQLite |
What you get¶
Content Scanning¶
175 detection rules catch prompt injection, credential leaks, PII exposure, data exfiltration, MCP attacks, and supply chain risks.
Agent Identity¶
Ed25519 signatures verify every message sender. Each agent gets a cryptographic keypair. No valid signature, no delivery.
MCP Gateway¶
Front multiple MCP servers through a single secure endpoint. Auto-discovers tools, namespaces conflicts, scans every tool call.
Real-time Dashboard¶
Live event streaming, agent topology graph, threat scoring, quarantine queue, inline rule testing, and full config management.
Egress Control¶
Per-agent outbound traffic policies — domain allowlists, DLP category blocking, rate limiting. Know what your agents send out.
Full API¶
Agent CRUD, message pipeline, quarantine management, Prometheus metrics, MCP tool server. Everything programmable.
Four ways to deploy¶
The main mode. Agents send messages via REST API. Full security pipeline with dashboard.
Wraps individual MCP servers. Intercepts JSON-RPC 2.0 on stdin/stdout.
Blocked tool calls return JSON-RPC errors:
Fronts multiple backend MCP servers through a single Streamable HTTP endpoint.
Supported platforms¶
| Platform | Discover | Wrap | Scan |
|---|---|---|---|
| Claude Desktop | |||
| Cursor | |||
| VS Code | |||
| Cline | |||
| Windsurf | |||
| Amp | |||
| Gemini CLI | |||
| JetBrains | |||
| OpenClaw | via gateway | ||
| NanoClaw | via gateway |
Quick start¶
# Install
curl -fsSL https://raw.githubusercontent.com/oktsec/oktsec/main/install.sh | bash
# Discover, configure, and start — all in one command
oktsec run
Open http://127.0.0.1:8080/dashboard with the access code printed in your terminal. State lives in ~/.oktsec/.