Skip to main content

Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Status: shipped — Stage 1 in shadow mode. The fingerprint builds and updates in production; decisions derived from it are logged, not enforced yet.

Agent Fingerprint

The fingerprint is to the full behavioral graph what a histogram is to raw data — you lose individual data points, but you keep the distribution. That’s what anomaly detection actually needs for the fast path. Instead of storing a per-agent graph (which grows unboundedly), we maintain a fixed-size statistical summary (~3.1KB) that answers the questions the scoring layers actually ask.

Structure (~3,100 bytes per agent)

AgentFingerprint
|-- identity
|   |-- agent_id              [16B]   UUID
|   |-- last_updated          [8B]    unix nanos
|   +-- total_actions         [8B]    running count
|
|-- capability_distribution            "what does this agent normally do?"
|   +-- caps[12]              [48B]   float32 per capability dimension
|
|-- tool_frequency (Count-Min Sketch)  "how often does it use each tool?"
|   +-- rows[4][256]          [2048B] uint16 counters
|
|-- hierarchical_novelty (Bloom Filters) "has it EVER used this before?"
|   |-- L0_domain             [64B]   domain-level novelty
|   |-- L1_server             [128B]  server-level novelty
|   +-- L2_tool               [128B]  tool-level novelty
|
|-- temporal_profile                   "when is this agent normally active?"
|   |-- hourly[24]            [96B]   float32 EWMA per hour-of-day
|   |-- ewma_interval         [8B]    smoothed inter-action gap
|   +-- ewma_variance         [8B]    gap variance
|
|-- risk_baseline (Welford's)          "what's normal risk for this agent?"
|   |-- mean, m2              [16B]   running mean + sum of squared deviations
|   +-- min, max              [8B]
|
|-- sequence_model (Markov)            "what action sequences are normal?"
|   +-- transitions[32]       [384B]  (from_hash, to_hash, count)
|
+-- cardinality (HyperLogLog)         "how diverse is this agent?"
    |-- unique_tools          [64B]   precision 14
    |-- unique_servers        [64B]
    +-- unique_ips            [64B]
Memory math: ~3,100 bytes per agent. 40K concurrent agents in 128MB on the proxy.

Update Protocol

Update() is O(1), ~186ns per action. Updates all components incrementally — never recomputes from history:
  1. Increment TotalActions, update LastUpdated
  2. Map action verb to capability index, update CapDist running average
  3. Add tool to Count-Min Sketch
  4. Add to 3 Bloom filters (domain, server, tool)
  5. Update hourly EWMA bucket
  6. Update interval EWMA + variance (Welford’s for gap statistics)
  7. Update risk baseline (Welford’s for score statistics)
  8. Record Markov transition (previous -> current action)
  9. Add to 3 HyperLogLog sketches (tools, servers, IPs)

Deviation Query Methods

Used by Gates 1-3 to check if an action is inside the agent’s envelope:
MethodReturnsWhat It Answers
IsNovelTool(tool)boolHas this agent ever used this tool?
IsNovelServer(server)boolHas this agent ever used this server?
IsNovelDomain(domain)boolHas this agent ever used this domain?
ToolCount(tool)uint16How many times has this tool been called?
CapabilityJSD(incoming)float64How different is this action from the agent’s normal mix?
TemporalZScore(gap)float64Is this timing unusual? (standard deviations from mean)
SequenceSurprise(action)float64How surprising is this action given the last one?
RiskZScore(score)float64Is this risk score unusual for this agent?
ToolCardinalityGrowth()float64Is the agent exploring many new tools suddenly?

Probabilistic Data Structures

A 2D array of counters (4 rows x 256 columns) with multiple hash functions. Records an event by hashing the key with each function and incrementing counters. Queries take the minimum across all hash rows.
  • Size: 2KB
  • Error: ~1% of total event count
  • False negatives: Zero. If count = 0, the tool was never seen.
  • Latency: 5ns Add, 4.5ns Count, 0 allocations
Bit array with multiple hash functions. Three hierarchy levels detect novelty at different granularities.
  • Size: 64B (domain) + 128B (server) + 128B (tool)
  • False negatives: Zero. If the filter says “not seen,” it’s genuinely novel.
  • False positives: ~1.5% at 100 items (acceptable — errs on the side of caution)
Estimates distinct element count using the position of the leftmost 1-bit in hashed values.
  • Size: 64 bytes per sketch (precision 14)
  • Accuracy: +/-0.8%
  • Use case: Detect reconnaissance (sudden growth in tool/server/IP diversity)
Exponentially Weighted Moving Average gives recent observations more weight, naturally decaying stale data.
  • Decay factor: alpha = 0.1 (half-life ~7 observations)
  • Use case: Smoothed inter-action interval for burst detection and temporal anomaly
Computes running mean and variance in a single pass, numerically stable for arbitrarily large N.
  • Use case: Z-score detection — “is this action’s risk score unusual for this agent?”
  • Verified stable at N=100,000 with no NaN or overflow
32-slot hash-based transition table tracking action sequence probabilities.
  • Slot collision: Frequency-biased eviction (lowest-count entry replaced)
  • Use case: “Is this action transition unusual given the agent’s history?”

BehaviorCache

Fingerprints are stored in a 256-shard concurrent LRU cache:
  • Shard selection: xxh3.HashString(agentID) & 0xFF
  • Budget: 128MB default (~40K agents)
  • GetOrCreate: 94ns, 0 allocations
  • Eviction: LRU per shard; evicted agents rehydrate from Redis on next action (P4)
  • Thread safety: Per-shard sync.RWMutex