Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

​

Intent vs Truth

Quint sits in two data paths at once. The forward proxy sees intent — every tool call the language model emits before the agent executes it. The macOS Endpoint Security framework sees truth — every process, file, and network action the OS actually performs. Correlating these two streams per session produces a detection signal that no single-stream product can replicate.

​

The two streams

​

Intent stream (proxy)

When an AI agent like Claude Code receives a response from its language model provider, the response contains structured tool_use blocks. Each block is a declaration: “I will now run this Bash command,” “I will now read this file,” “I will now make this HTTP request.” Quint’s forward proxy intercepts every LLM API response, parses the tool calls out of the body, and emits a structured intent event with the declared action, the target resource, the session identifier, and the timestamp. Supported LLM API protocols today:

• Anthropic Messages API
• OpenAI Chat Completions
• OpenAI Responses API
• Google Gemini
• AWS Bedrock Converse
• Azure OpenAI
• Generic fallback for novel formats

Every tool call from every supported agent becomes an intent event.

​

Truth stream (Endpoint Security + Network Extension)

When the agent executes the tool call, it makes system calls. A Bash(curl ...) triggers a process spawn, a network connection, and potentially writes to the filesystem. The macOS Endpoint Security framework reports these events with kernel-backed reliability. The Network Extension reports outbound network flows — which IPs, which ports, how much data. Both streams are filtered to the agent’s process tree and emitted as truth events with the observed action, the observed target, the process identifier chain, and the timestamp. Every process spawn, every file access, every network connection under the monitored agent’s process tree becomes a truth event.

​

The join

Intent and truth events share a session identifier derived from the agent’s root process. The unified session tracker in the daemon attributes both streams to the same session before they leave the machine. In the cloud, the divergence detector consumes both streams and joins them by (session_id, time_window ± 5s).

​

The six divergence types

Correlation produces one of seven outcomes: normal (streams agree) or one of six divergence types. Each has a distinct security meaning.

​

1. Intent without truth

The model declared an action. The OS never observed it. Example: The agent said it would read /app/config.yml, but the ES extension reported no file read. Typical cause: Telemetry gap. The ES extension was briefly down, or the file was served from the OS page cache without emitting an open event. Almost always benign. Product behavior: Log as coverage gap. If unmatched intent rate exceeds 20% per session, flag telemetry health to operations.

​

2. Truth without intent

The OS observed an action. The model never declared it. Example: ES reported a PROCESS_EXEC of /usr/bin/curl connecting to an external IP under the agent’s process tree, but the proxy captured no corresponding tool_use. Typical cause: Prompt injection. The agent’s input was poisoned and executed a tool call the developer never authorized, or a compromised process is operating under the agent’s identity. Product behavior: High-severity alert. Block if enforcement mode is active. This is the canonical prompt-injection signal.

​

3. Intent mismatches truth target

Both streams fired within the window, same action class, different targets. Example: The agent declared Edit(/app/config.yml) but the OS observed a write to /etc/passwd. Typical cause: Path traversal, symbolic link exploitation, or prompt injection where the agent’s declared target does not match the actual OS operation. Product behavior: Critical alert with claimed-vs-observed diff surfaced in the dashboard. Block in strict enforcement mode.

​

4. Intent mismatches truth scale

The model declared one action, the OS observed many. Example: The agent declared Read(/app/src/main.go) but the ES extension reported 847 FILE_READ events under /app/src/** within the 5-second window. Typical cause: Data exfiltration via recursive file access. A tool call that should have read one file instead enumerated a directory tree. Product behavior: High alert for network scale mismatches (potential exfiltration), medium for file read mismatches (potential reconnaissance).

​

5. Intent mismatches truth timing

Matched pair with an abnormally large timestamp gap. Example: Intent recorded at T=0, matching truth event at T=45s. Typical cause: Stored or replayed execution. Normal execution latency is under 5 seconds; gaps beyond 30s suggest scheduled or queued payloads. Product behavior: Low severity on first occurrence, escalating to medium on 3+ within the same session.

​

6. Truth precedes intent

The OS observed an action before the model declared anything matching it. Example: ES reported python3 /tmp/payload.py at T=0, then the proxy captured tool_use(Bash, "python3 /tmp/payload.py") at T=5s. Typical cause: Credential harvesting or process hijacking. Something is acting under the agent’s identity before the agent asks for it. Product behavior: Critical alert when the truth event is a network connection or process exec with a gap exceeding 10 seconds.

​

Why the two-stream architecture is defensible

The architectural property that makes Quint’s detection possible is that both streams are observed on the same machine, by the same daemon, within the same process namespace. This enables:

• Shared session attribution. The unified session tracker sees both streams and assigns them to the same session identifier without any cross-process coordination.
• Monotonic timestamps. Both streams use the same kernel monotonic clock. Clock skew between streams is measured in microseconds.
• No network round trip for correlation. Intent and truth are correlated in the cloud, not on the edge, because the edge only sees one machine and the divergence signal requires fleet-wide context. But the correlation is cheap — it is a time-windowed join on a shared key.

Products that observe only intent (browser extensions, LLM gateways) cannot detect truth-without-intent attacks. Products that observe only truth (traditional endpoint detection, runtime agents) cannot detect intent-target mismatches. The combination of both streams, correlated per session, produces detection capabilities that neither stream alone can replicate.