The EDR for AI Agents
AI agents are shipping to production with zero security telemetry. They execute processes, read and write files, make network calls — and nobody is watching. Quint changes that. Quint is an endpoint agent that monitors AI coding assistants and autonomous agents on developer machines. It captures every process execution, file access, and tool invocation as structured events, tracks sessions across agent interactions, and surfaces risk through a centralized dashboard. Think of it as endpoint detection and response (EDR), purpose-built for AI agents instead of humans.
How It Works
End-to-end flow in one page — follow a single tool call from agent → interception → cloud scoring → dashboard.
Architecture
Three-tier design: endpoint agent (truth) + cloud API (aggregation) + dashboard (visibility).
Explore the Platform
Endpoint Security (ES)
Kernel-level ground truth on macOS: process spawns, file I/O, code-signing verification.
Network Extension (NE)
Transparent interception of LLM API traffic on macOS — no env vars, no CA trust dance.
Event Ingestion
How the daemon delivers events to the cloud — batching, overflow, SNS/SQS fan-out.
Edge Daemon
Unifies proxy + ES into one session model, forwards to cloud, holds the signed audit log.
Cloud Scoring
4-gate scoring pipeline + graph-based anomaly detection. Fleet-wide threat signatures.
Dashboard
Session-centric visibility across every agent, machine, and alert in your org.
How It Works
Quint operates as a system daemon that monitors AI agent activity at the OS level. The daemon detects AI agents through code signing identification — no proxy configuration, no code changes, no agent cooperation required. When an agent like Claude Code spawns a process or accesses a file, Quint captures it as a structured event with full context.
Three-Tier Architecture
Quint’s architecture separates concerns into three layers:
- Endpoint Agent (Truth) — The daemon running on each machine. Captures ground-truth system events via Endpoint Security on macOS (Linux via eBPF is on the roadmap — see Platform Coverage). This is the source of truth for what actually happened.
- Cloud API (Aggregation) — Go service at api.quintai.dev. Receives events and session lifecycle data, stores them in PostgreSQL with row-level security, and serves the REST API for querying.
- Dashboard (Visibility) — Next.js app at app.quintai.dev. Session-centric UX with drill-down from fleet overview to individual events.
Production Deployment Flow
Event Model
Every captured action is stored as an event with structured fields:
| Field | Description |
|---|---|
| action_type | What happened: PROCESS_EXEC, FILE_READ, FILE_WRITE, FILE_DELETE, NETWORK_CONNECT, etc. |
| tool_name | The binary or tool that was invoked (e.g., git, node, curl) |
| arguments | Process arguments or file paths |
| session_id | UUID v5 linking the event to a session |
| agent_id | The detected AI agent that triggered the action |
| risk_score | Assessed risk level (0-100) |
Tech Stack
| Component | Technology |
|---|---|
| Endpoint Agent | Go daemon + Swift Endpoint Security & Network Extension (macOS). Linux (eBPF) + Windows (WFP/ETW) on roadmap. |
| Ingest | HTTPS batch POST to /v1/ingest → SNS FIFO → SQS fan-out |
| Cloud API | Go (stdlib net/http, pgx/v5) |
| Database | PostgreSQL (RDS) with Row-Level Security |
| Auth | Supabase (JWT) + Deploy Tokens (SHA-256 hashed) |
| Dashboard | Next.js on Vercel (shadcn/ui) |
| Config | /etc/quint/config.yaml |
Risk Score Bands
| Score | Risk Level | Color |
|---|---|---|
| 0-10 | None | Green |
| 11-30 | Low | Blue |
| 31-55 | Medium | Yellow |
| 56-80 | High | Orange |
| 81-100 | Critical | Red |
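
The Event Model fields and the Risk Score Bands combine naturally into a session-level triage view. The sketch below is an added example, not Quint's own code: it rolls constructed events up by session_id and reports each session's peak risk_score and band. It assumes events arrive as one JSON object per line with keys named as in the Event Model table and an integer risk_score; the sample values, including the agent_id string, are constructed.

```python
import json

# Upper bound (inclusive) of each band, copied from the Risk Score Bands table.
BANDS = [(10, "None"), (30, "Low"), (55, "Medium"), (80, "High"), (100, "Critical")]

def band(score):
    """Map a risk_score to its band; reject anything outside integer 0-100."""
    if type(score) is not int or not 0 <= score <= 100:
        raise ValueError(f"risk_score out of range: {score!r}")
    return next(level for upper, level in BANDS if score <= upper)

def summarize_sessions(lines):
    """Roll events up per session_id; return (sessions, rejected line numbers)."""
    sessions, rejected = {}, []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
            score, sid = ev["risk_score"], ev["session_id"]
            level = band(score)
        except (ValueError, KeyError, TypeError):
            rejected.append(n)  # malformed or out-of-range events are not scored
            continue
        s = sessions.setdefault(sid, {"agent_id": ev.get("agent_id"), "events": 0, "peak": -1})
        s["events"] += 1
        if score > s["peak"]:  # remember the event that set the session's peak
            s.update(peak=score, band=level,
                     peak_event=(ev.get("action_type"), ev.get("tool_name")))
    return sessions, rejected

def _ev(sid, action, tool, args, score):
    # Assumed JSON shape: one object per event, keys named as in the Event Model table.
    return json.dumps({"action_type": action, "tool_name": tool, "arguments": args,
                       "session_id": sid, "agent_id": "claude-code", "risk_score": score})

# Constructed sample events (not real Quint output).
S1 = "00000000-0000-5000-8000-000000000001"
S2 = "00000000-0000-5000-8000-000000000002"
SAMPLE = [
    _ev(S1, "PROCESS_EXEC", "git", ["status"], 5),
    _ev(S1, "FILE_READ", "node", ["/tmp/example/.env"], 55),
    _ev(S2, "NETWORK_CONNECT", "curl", ["https://example.invalid/"], 81),
    _ev(S2, "FILE_WRITE", "node", ["/tmp/example/out.txt"], 140),  # out of range
    "{not json",
]

if __name__ == "__main__":
    sessions, rejected = summarize_sessions(SAMPLE)
    for sid, s in sorted(sessions.items(), key=lambda kv: -kv[1]["peak"]):
        print(sid, s["band"], s["peak"], s["peak_event"], f"{s['events']} events")
    print("rejected lines:", rejected)
```

Events with a missing or out-of-range score are reported separately instead of being silently binned, so a parsing or schema problem does not hide behind a low band.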