
Status: shipped — Stage 1 in shadow mode. The registry matches in production; outputs feed telemetry. Signature distillation from the GNN is roadmap.

Threat Signatures

Some structural flow patterns are dangerous regardless of the agent’s history. An exfiltration shape is dangerous whether it’s the agent’s first session or its thousandth. Threat signatures provide this shape-based detection without hardcoding specific tool combinations.

Signatures Are Shapes, Not Patterns

A signature is NOT “if read_file then curl = exfiltration.” A signature IS “the flow matrix has 80%+ of its mass in the read→outbound quadrant.” This catches read_file→curl, query→send_message, fetch→upload, and any other combination that produces the same structural shape.

How Matching Works

Matching uses the same JSD math as the rest of the system, but inverted:
  Comparison          | HIGH JSD means                                   | LOW JSD means
  Baseline (envelope) | Anomalous — session deviates from learned pattern | Normal
  Signature (threat)  | Normal — session doesn’t match threat shape       | Match — structurally similar to known threat
Session flow vs exfiltration signature:
  JSD = 0.12 → LOW → matches exfiltration shape
  Similarity = 1.0 - 0.12 = 0.88 → 88% structurally similar

Built-in Signatures

5 structural shapes shipped with the binary:
  ID         | Name                | Shape                             | Max JSD | Severity
  QT-SIG-001 | Exfiltration        | read→send/upload concentrated     | 0.30    | Critical
  QT-SIG-002 | Credential Relay    | auth→send/upload concentrated     | 0.25    | Critical
  QT-SIG-003 | Staging + Execution | write→execute concentrated        | 0.30    | High
  QT-SIG-004 | Reconnaissance      | read fan-out to many capabilities | 0.35    | Medium
  QT-SIG-005 | Cover Tracks        | read→delete concentrated          | 0.25    | High

Scoped Matching

Signatures can be scoped by agent type and nesting depth:
{
  "id": "QT-SIG-006",
  "name": "Sub-agent privilege escalation",
  "agent_types": ["claude-code", "cursor"],
  "min_depth": 2,
  "flow_shape": [[...]]
}
  • agent_types: empty = universal (all agents). Populated = only for those types.
  • min_depth: 0 = any depth. Populated = only match at that depth or deeper.
A staging signature with min_depth: 2 only fires for sub-agents, not root agents. This differentiates “code agent compiling” (depth 0-1, normal) from “sub-agent privilege escalation” (depth 3+, suspicious).

Signature Validation

All signatures (built-in, loaded from JSON, or pushed by BI Service) are validated:
  • MaxJSD must be in (0, 0.5] — prevents universal false positives
  • Weight must be in [0.1, 1.0] — prevents invisible signals
  • FlowShape must have at least one non-zero entry
  • ID and Name must not be empty

Signature Updates

5 built-in signatures in the binary. For air-gapped deployments, load from JSON file:
quint update-signatures --file /path/to/signatures.json

Known Limitation: Uniform Flow Evasion

An attacker who distributes actions uniformly across all capability pairs produces high JSD against every concentrated signature (evading all 5). This is by design — concentrated signatures detect concentrated attacks. Defense-in-depth: The baseline divergence check (flow:structural_divergence) fires when a session’s flow deviates from the agent’s normal pattern. An agent that normally does read→read would trigger this signal even with uniform flow. Signatures are the belt; the envelope is the suspenders.
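The matching, scoping, validation and uniform-flow behaviour described above, as an added illustration that is not Quint’s own code: a base-2 JSD over flattened flow matrices (so 1 − JSD is a similarity in [0, 1]), the scope and validation rules from this page, and a constructed exfiltration-shaped signature checked against a concentrated session and a uniform one. The four-capability vocabulary, the matrix values and the snake_case keys max_jsd / weight are assumptions for the example.

```python
"""Shape-based signature matching over capability flow matrices (illustrative)."""
import math

# Constructed capability vocabulary; rows are source capability, columns destination.
CAPS = ["read", "write", "execute", "send"]


def normalize(matrix):
    """Flatten a flow matrix into a probability distribution over capability pairs."""
    flat = [float(v) for row in matrix for v in row]
    total = sum(flat)
    return [v / total for v in flat] if total > 0 else flat


def jsd(p, q):
    """Base-2 Jensen-Shannon divergence, bounded in [0, 1]; 1 - JSD is the similarity."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    kl = lambda x: sum(a * math.log2(a / b) for a, b in zip(x, m) if a > 0)
    return 0.5 * (kl(p) + kl(q))


def validate_signature(sig):
    """The validation rules listed on this page; raise on a malformed signature."""
    if not (0 < sig["max_jsd"] <= 0.5):
        raise ValueError("max_jsd must be in (0, 0.5]")
    if not (0.1 <= sig["weight"] <= 1.0):
        raise ValueError("weight must be in [0.1, 1.0]")
    if not any(v > 0 for row in sig["flow_shape"] for v in row):
        raise ValueError("flow_shape needs at least one non-zero entry")
    if not sig["id"] or not sig["name"]:
        raise ValueError("id and name must not be empty")


def in_scope(sig, agent_type, depth):
    """Empty agent_types = universal; min_depth 0 = any depth, else that depth or deeper."""
    types = sig.get("agent_types", [])
    return (not types or agent_type in types) and depth >= sig.get("min_depth", 0)


def match(sig, session_matrix, agent_type="claude-code", depth=0):
    """Inverted JSD: LOW divergence from the threat shape means the session matches it."""
    validate_signature(sig)
    if not in_scope(sig, agent_type, depth):
        return {"match": False, "jsd": None, "similarity": None}
    d = jsd(normalize(sig["flow_shape"]), normalize(session_matrix))
    return {"match": d <= sig["max_jsd"], "jsd": round(d, 3), "similarity": round(1 - d, 3)}


# Constructed exfiltration-style signature: 90% of the mass in the read->send cell.
EXFIL_SIG = {"id": "QT-SIG-001", "name": "Exfiltration", "max_jsd": 0.30, "weight": 1.0,
             "flow_shape": [[0.1, 0, 0, 0.9], [0] * 4, [0] * 4, [0] * 4]}
# Constructed sessions: a concentrated read->send flow, and a uniform flow that evades it.
EXFIL_SESSION = [[3, 0, 0, 6], [0] * 4, [0] * 4, [1, 0, 0, 0]]
UNIFORM_SESSION = [[1] * 4 for _ in range(4)]
```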

Signature Levels (Future)

  Level      | Scope                              | Source
  Universal  | All agents, all orgs               | Quint Global + built-in
  Agent-type | Per platform (claude-code, cursor) | BI Service group analysis
  Per-agent  | Individual baseline                | The fingerprint’s FlowMatrix (existing envelope)
Currently only Level 1 (universal) is implemented. Agent-type signatures will be generated by the BI Service (QDEV-152). Cross-org federated signatures are planned for Tier 3 (QDEV-153).