Skip to main content

Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Status: shipped — this is the current production mode for Stage 1. See ML Roadmap for the advancement triggers that exit shadow.

Shadow Mode

Shadow mode runs the behavioral engine alongside the existing risk engine without enforcing behavioral decisions. Both scorers produce results; the risk engine’s decision is authoritative. Behavioral decisions are logged for comparison and calibration.

Configuration

Shadow mode is controlled via the policy configuration: 
behavioral:
  enabled: true
  shadow_mode: true  # observe only, do not enforce
When shadow_mode is true (the default), ANOMALOUS decisions are logged as warnings but do not block requests. When shadow_mode is false, ANOMALOUS decisions trigger enforcement per the security profile mode.

Dual Scoring

Every action is scored by both systems:
SystemWhat It ProducesAuthoritative?
Risk EngineScore 0-100, level (low/medium/high/critical)Yes (during shadow)
Behavioral EngineConfidenceBand (KNOWN_SAFE/UNCERTAIN/ANOMALOUS)Logged only

Gap Detection

The most valuable output of shadow mode is gap detection — cases where the two systems disagree:
Risk EngineBehavioral EngineGap TypeAction
AllowKNOWN_SAFEAgreementNone
AllowANOMALOUSFalse negativeIncrease behavioral sensitivity
DenyKNOWN_SAFEFalse positiveDecrease risk engine sensitivity
DenyANOMALOUSAgreementNone

Audit Trail

During shadow mode, behavioral data flows to the audit trail via existing fields:
  • behavioral_flags — signal names from Gates 1-3 (e.g., bloom:novel_tool, jsd:capability_shift)
  • confidence_bandKNOWN_SAFE, UNCERTAIN, or ANOMALOUS
  • score_decomposition — includes deviation_score, gate_reached, behavioral_latency_us
This data is available in the dashboard for analysis and calibration.

Calibration Period

Shadow mode should run for at least 2 weeks before enabling enforcement:
  1. Week 1: Build fingerprint baselines. Most agents will have established envelopes after ~100 actions each.
  2. Week 2: Analyze Band distribution. Verify noise budget targets (95% Band 1, 3-4.5% Band 2, <0.5% Band 3). Adjust thresholds if needed.
After calibration, set shadow_mode: false to enable enforcement.