rAIzr — Endpoint observability for AI agents

[product · 001]rAIzr

Raise the bar, cut the risk.

Runtime-aware AI Zero-trust Response

Little Snitch — for the agents inside your machine.

Endpoint protection for the agent era. rAIzr watches every file read, every network call, every LLM payload, every MCP exchange, and every credential touched by locally-running AI agents — with kernel-level per-process attribution that filesystem watchers simply can't deliver.

● ALPHA · macOS first · Windows next

Watch what they read, see what they send, gate what shouldn't leave.

The agent profiles ship with the app: Claude Desktop, ChatGPT, GitHub Copilot, Cursor — plus integration profiles for Burp+MCP, IDE plugins, browser-agents, and pentest-copilots. rAIzr knows their data paths, their endpoints, their MCP-handoffs, and what "normal" looks like for each. When an agent steps off the path, rAIzr classifies it: info, warn, critical.

Every event is attributed to the originating process. FSEvents alone can't do that — it tells you what changed, not who changed it. ESF plugs into the kernel and gives you per-process file, network, and process-execution events, in real time. Outbound LLM calls and MCP traffic are parsed at endpoint, classified, and — when policy requires — redacted or blocked before the bytes leave the box.

Per-process attribution via Endpoint Security Framework
LLM-egress monitoring — every agent call to api.anthropic.com, api.openai.com et al. parsed and classified at endpoint
MCP-traffic capture — JSON-RPC over stdio/sse/websocket, per-process attribution, manifest scanning
Browser-agent observation — Claude in Chrome, agent-extensions, MCP-bridges into browsing sessions
Credential-store identification — Keychain access, ~/.ssh, ~/.aws, ~/.config, cookies-jars, .env / .npmrc / .netrc
File / network / process telemetry — local SQLite, encrypted at rest
Live menubar status: clear / scanning / warn / critical
Workflow-tool profiles — Burp+MCP, IDE-plugins, pentest-copilots, browser-agents
MCP server scanner — detects unauthenticated exposures + manifest prompt-injection
TCC permission auditor — knows which agents talked their way past you
Zero cloud. Telemetry never leaves the device.

// Posture — rAIzr daemon

Codename: Sentinel
Platform: macOS first · Windows next
Attribution: Per-process, kernel-level
Storage: Local · encrypted at rest
Network: None outbound. Loopback only.
Egress to LLM: Forbidden by design
Audit: Every classified event logged + signed

event {
  ts:        "2026-04-29T14:22:11Z",
  agent:     "claude-desktop",
  action:    "file_read",
  target:    "~/.ssh/id_ed25519",
  severity:  "critical",
  classified: true,
  rule:      "sensitive_path_read"
}

[02]Egress, not just observation

Watching is not enough. The next thing rAIzr does is gate.

Per-process visibility tells you what's happening. It doesn't stop what shouldn't. rAIzr's classification gateway sits inline on the agent → LLM payload, on MCP-handoffs, and on outbound HTTP — and decides what crosses the boundary.

Two-pace classification. Local LLM in the slow path.

Fast path — rule-based pre-filter for known-bad patterns: sk-… API-keys, JWT-shapes, PII templates (e-mail, SSN, credit cards, IP-blocks). Latency budget: <5ms per call. Has to handle 95%+ of traffic without escalating.

Slow path — local LLM classifier (~0.6–1B params class) for ambiguous payloads. Runs in Mimir's Well or co-located. Latency budget: <200ms per call. Cloud-LLM is a hard "no" — the whole point is that nothing classifiable leaves the box.

Action model — every classified payload gets one of four verdicts:

ALLOW — payload is clean against policy. Forwarded unmodified.
REDACT — match found. Sensitive bits masked, rest forwarded.
ESCALATE — uncertain. Operator decides in real time.
BLOCK — match found. Call is denied, agent gets a "rejected" response, audit log records the block.

Rules are policy-as-code: YAML/JSON, CISO-signed, version-controlled. The same audit trail that classifies is also the compliance artefact you hand to your regulator.

// Egress posture

Targets: LLM API · MCP traffic · outbound HTTP
Fast path: Regex / structured rules · <5ms
Slow path: Local classifier · <200ms
Cloud-LLM: Forbidden in classifier path
Actions: ALLOW · REDACT · ESCALATE · BLOCK
Policy: YAML / JSON · signed · versioned
Audit: Every verdict logged + signed

egress {
  ts:       "2026-05-03T09:14:22Z",
  agent:    "cursor",
  target:   "api.anthropic.com:443",
  payload:  "<redacted: sk-ant-***>",
  match:    "api_key.anthropic",
  verdict:  "REDACT",
  latency:  3.2ms
}

[03]Roadmap of detection

PHASE 1 · MVP

See everything

Process detection — identify running AI agents
File system monitoring — what files agents read/write/delete
Network endpoint logging — what URLs agents connect to
Real-time dashboard

PHASE 2 · CLASSIFY

Know what matters

Alert rules — sensitive file access, unknown endpoints
MCP server scanning and risk assessment
Agent behavior profiling and anomaly detection
TCC permission auditing

PHASE 3 · ENFORCE

Decide what runs

Windows support (ETW + WFP)
Policy enforcement — block/allow rules
Team / enterprise dashboard
Compliance reporting (EU AI Act)