Documentation Index Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Status: shipped. The taxonomy is the load-bearing contract between proxy, pipeline, and scoring — every event in production is classified this way.
Action Taxonomy All agent events are normalized to a canonical domain:scope:verb format before processing. This taxonomy is used across the entire stack: API ingestion, graph builder, GNN scorer, RAG pipeline, and customer dashboard.
domain — System category: mcp, tool, data, auth, net, sys, agentscope — Specific service or context within that domainverb — Atomic operation performed
mcp:github:repo.read tool:database:query.execute data:field:pii.access auth:oauth:token.request
Validation regex: ^[a-z][a-z0-9_]*:[a-z][a-z0-9_]*:[a-z][a-z0-9_.]*$Domains
Model Context Protocol — Actions through MCP server connections. Highest-growth category.MCP Lifecycle Action Description mcp:server:connectAgent connects to MCP server mcp:server:disconnectAgent disconnects mcp:server:authenticateAgent authenticates with server mcp:server:list_toolsAgent discovers available tools mcp:server:list_resourcesAgent discovers resources mcp:server:updateServer version change detected
Productivity & Collaboration Action Description mcp:slack:message.sendSend Slack message mcp:slack:file.uploadUpload file to Slack mcp:notion:page.readRead Notion page mcp:notion:page.writeCreate/update Notion page mcp:gmail:email.sendSend email via Gmail mcp:gmail:email.forwardForward email mcp:linear:issue.createCreate Linear issue mcp:jira:issue.createCreate Jira issue
Development & DevOps Action Description mcp:github:repo.readRead repository content mcp:github:pr.createCreate pull request mcp:github:pr.mergeMerge pull request mcp:github:secret.readRead repository secrets mcp:docker:container.createCreate Docker container mcp:k8s:secret.readRead Kubernetes secrets mcp:terraform:apply.executeApply Terraform changes
Data & Analytics Action Description mcp:postgres:query.executeExecute PostgreSQL query mcp:snowflake:data.exportExport from Snowflake mcp:s3:object.readRead S3 object mcp:s3:object.writeWrite S3 object mcp:redis:key.readRead Redis key
Cloud & Infrastructure Action Description mcp:aws:iam.role.modifyModify IAM role mcp:aws:secrets.readRead AWS Secrets Manager mcp:gcp:iam.modifyModify GCP IAM mcp:cloudflare:dns.modifyModify DNS
CRM & Business Action Description mcp:salesforce:record.readRead Salesforce record mcp:stripe:payment.createCreate payment mcp:hubspot:contact.writeCreate/update contact
Direct Agent Tool Calls — Framework-native tools (LangChain, CrewAI, AutoGen).Action Description tool:database:query.executeExecute database query tool:database:record.exportExport records tool:file:readRead file contents tool:file:writeWrite file contents tool:file:searchSearch files tool:api:request.sendSend HTTP API request tool:code:executeExecute code in sandbox tool:email:sendSend email tool:rag:searchSearch RAG knowledge base tool:web:searchPerform web search
Data Field Access Events — Generated when parsing tool/MCP results.Action Description data:field:pii.accessPII accessed (name, email, phone) data:field:pii_sensitive.accessSensitive PII (SSN, passport) data:field:financial.accessFinancial data (credit card, bank) data:field:health.accessHealth/medical data data:field:auth.accessAuth data (passwords, tokens) data:field:legal.accessLegal data (contracts, NDA)
Authentication & Authorization Events Action Description auth:oauth:token.requestRequest OAuth token auth:oauth:scope.expandToken scope expanded auth:session:elevatePrivileges elevated auth:permission:grantPermission granted auth:permission:revokePermission revoked auth:mfa:challengeMFA challenge triggered
Network (net) Action Description net:http:request.sendOutbound HTTP request net:external:data.sendData sent externally net:dns:lookup.executeDNS lookup
System (sys) Action Description sys:env:var.readEnvironment variable read sys:process:command.executeSystem command executed sys:package:installPackage installed
Agent (agent) Action Description agent:session:startSession initiated agent:reasoning:tool.selectAgent selects tool agent:delegation:task.assignTask delegated agent:guardrail:triggeredGuardrail activated agent:guardrail:bypassedGuardrail bypassed
Compound Threat Sequences The GNN detects multi-step attack patterns across PRECEDED_BY edges:
Policy Matching Customer policies reference actions using glob patterns:
# Block all external email sends - rule : block match : "mcp:gmail:email.send" # Flag any PII access followed by external send - rule : flag match_sequence : - "data:field:pii*.access" - "net:external:data.send OR mcp:*:*.send" within : 300 # seconds # Block unverified MCP server connections - rule : flag match : "mcp:server:connect" condition : "mcp_context.is_verified == false"
GNN Feature Encoding When building the graph, the action string is decomposed into features:
Feature Encoding Dimension domainOne-hot: mcp, tool, data, auth, net, sys, agent 7 scopeLearned embedding (hash of scope string) 32 verbOne-hot from standard verbs table 20 action_fullLearned embedding (hash of full action string) 64
The GNN uses both decomposed features (for pattern generalization) and full action embedding (for specific action recognition). 
