How Quint Works

Quint sits between AI agents and the services they touch. It captures every action, enriches it with process-level ground truth, scores it against behavioral and graph models, and either allows, flags, or blocks it in real time.

The three tiers

Edge (intent + truth): Two interception paths capture what the agent is trying to do. The Forward Proxy MITMs HTTPS traffic to get LLM conversations and tool calls. The Endpoint Security extension watches the kernel for process spawns and file operations. Both feed the Edge Daemon, which unifies them into a single session model via unisession.Tracker.

Cloud (scoring + fleet): The daemon streams structured events to the cloud. Ingestion fans them out to processing services. Scoring runs the 4-gate risk pipeline plus graph-based anomaly detection. Results are surfaced in the Dashboard.

Intelligence (closing the loop): When the GNN detects a novel attack pattern, a ThreatSignature is distilled and pushed to every proxy in the fleet. One machine’s detection becomes the whole fleet’s prevention in ~30 seconds.

A single tool call, end to end

Follow one Bash tool call from a Claude Code session:
  1. User types a prompt. Claude Code sends a streaming POST to bedrock-runtime.us-east-1.amazonaws.com.
  2. Interception. On macOS, the NE extension recognizes the Bedrock hostname and relays the flow to the daemon on port 9091. On other OSes, HTTPS_PROXY routes it through the forward proxy.
  3. MITM TLS. The daemon presents a leaf cert signed by the local Quint CA. The client thinks it’s talking to Bedrock.
  4. Request parsing. llmparse detects Bedrock eventstream format, extracts the model (claude-opus-4-7), tools, and messages.
  5. Session stamping. The daemon looks up the source PID in unisession.Tracker. Every audit row for this flow gets session_id = "{rootPID}-{startUnixMs}".
  6. Forward to upstream. Request is re-signed and sent to real Bedrock. Response streams back as chunked SSE.
  7. Tool call extraction. When the response produces a tool_use block (e.g. Bash({"command":"ls"})), the parser extracts it and fires OnToolCall.
  8. Local audit. The tool call, request, and response are persisted to the signed audit log (quint.db). Each row is Ed25519-signed and chained via prev_hash.
  9. Cloud forward. A structured QuintEvent is enqueued in the cloud forwarder (batched 100 events / 2s, retries 5x with backoff, overflows to disk).
  10. Cloud ingest. api.quintai.dev/v1/ingest stamps org_id from the deploy token, publishes to SNS, fans out to SQS.
  11. Scoring. The scoring service runs 4 gates (deny list, capability policy, rate limit, behavioral Bloom) then hands to the graph intelligence engine for structural anomaly detection.
  12. Dashboard + enforcement. The score lands in Postgres, and SSE pushes it to the Sessions view. If a rule triggered a block, the next identical action is rejected at the edge.
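
Step 8's signed, chained audit log can be verified offline. The Go sketch below is an added example, not Quint's code: only Ed25519 and prev_hash come from the page, while the row layout, SHA-256 as the link hash, the all-zero first link, the sample rows, and the names Row, Append, Verify and Sample are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Row is a hypothetical audit row; the page names only the prev_hash link.
type Row struct {
	PrevHash     [32]byte // SHA-256 of the previous row (assumed), zero for row 0
	Payload, Sig []byte   // Sig: Ed25519 over PrevHash || Payload (assumed layout)
}

func signed(r Row) []byte { return append(r.PrevHash[:], r.Payload...) }
func hash(r Row) [32]byte { return sha256.Sum256(append(signed(r), r.Sig...)) }

// Append links payload to the current tail and signs the new row.
func Append(log []Row, priv ed25519.PrivateKey, payload string) []Row {
	r := Row{Payload: []byte(payload)}
	if n := len(log); n > 0 {
		r.PrevHash = hash(log[n-1])
	}
	r.Sig = ed25519.Sign(priv, signed(r))
	return append(log, r)
}

// Verify returns the index of the first bad row, or -1 if the chain is intact.
func Verify(log []Row, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, r := range log {
		if r.PrevHash != prev || !ed25519.Verify(pub, signed(r), r.Sig) {
			return i
		}
		prev = hash(r)
	}
	return -1
}

func Sample() ([]Row, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	log := Append(Append(nil, priv, `Bash {"command":"ls"}`), priv, "Read config.json")
	return Append(log, priv, "Bash pwd"), pub // constructed rows, not Quint data
}

func main() {
	log, pub := Sample()
	log[1].Payload = []byte("Read other.json") // in-place edit of row 1
	fmt.Println("first bad row:", Verify(log, pub))
}
```

Deleting a middle row is caught by the prev_hash mismatch even though every remaining signature is still valid. Truncating rows from the tail is not, so a verifier also needs the expected head hash or row count from a place the log's writer cannot rewrite.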

Design principles

Intent vs. truth. The proxy sees what the agent claims to do. The ES extension sees what the OS actually does. Divergence is the key signal — an agent that says “read config.json” but actually opens ~/.ssh/id_rsa trips a high-confidence alert.

Local-first capture, cloud-first scoring. Raw bodies and credentials never leave the machine. Structured metadata (tool name, capability, risk decomposition) goes to the cloud. This lets enterprises keep sensitive content on-device while still getting fleet-wide visibility.

Lossy at the edge, durable in the cloud. Under backpressure, the NE extension drops events rather than block the user’s network. The cloud forwarder retries and overflows to disk. Trade off individual events for availability.

Zero client changes where possible. Forward proxy + NE extension means agents don’t need SDK integration, env var reconfiguration, or new endpoints. The interception is invisible.

Where to go next

Edge Architecture

How the daemon, proxy, ES, and NE fit together on one machine

Cloud Architecture

Event ingestion, scoring, and fleet aggregation

Intelligence

Behavioral scoring, graph intelligence, and the feedback loop

Dashboard

What customers see: sessions, alerts, policies, fleet