Status: mixed. Layer 1 (intrinsic) + Layer 3 (policy) are shipped. Layer 2 (GNN) and Layer 4 (temporal anomaly) are roadmap. See ML Roadmap for advancement triggers.
Risk Scoring Algorithm
Every agent event is scored through a 4-layer composite pipeline that combines deterministic graph metrics with learned GNN attention, customer policy evaluation, and temporal anomaly detection.
raw_score = (w1 × L1 + w2 × L2 + w3 × L3) × L4
final_score = clamp(round(raw_score), 1, 100)
Default Weights
| Layer | Weight | Purpose |
|---|---|---|
| L1: Intrinsic Action Risk | 0.15 | Floor signal — prevents zero scores on dangerous actions |
| L2: Structural GNN | 0.45 | Primary intelligence — captures relational patterns |
| L3: Policy Violation | 0.40 | Customer-specific enforcement |
| L4: Temporal Modifier | multiplier | Context adjustment (×0.5 to ×2.0) |
Weights are tunable per customer. A customer with precise policies might use w3=0.55, w2=0.30. A customer wanting anomaly detection might use w2=0.60, w3=0.20.
Layer 1: Intrinsic Action Risk (Deterministic, 0-100)
Every action carries a base risk score derived from its verb, data sensitivity, target scope, and MCP server trust. Computed instantly — no model inference.
L1 = min(100, verb_base × data_sensitivity × target_scope × mcp_trust)
Verb Base Scores
| Verb | Score | Rationale |
|---|---|---|
| read, list, search, connect, start, stop | 5 | Passive/low-risk |
| invoke, authenticate, notify, receive | 10 | Medium baseline |
| write, create, import | 15 | Data modification |
| modify, update | 20 | Configuration change |
| send | 25 | Outbound data transfer |
| forward, post | 30 | Exfiltration/publication vector |
| delete, export, revoke | 35 | Data destruction/extraction |
| execute, authorize, install | 40 | Code execution/permission change |
Data Sensitivity Multiplier
| Classification | Multiplier | Examples |
|---|---|---|
| public | 1.0× | Documentation, marketing |
| internal | 1.3× | Revenue, roadmap, org chart |
| confidential | 1.8× | Customer lists, contracts |
| restricted / pii_sensitive | 2.5× | SSN, credit cards, medical records |
| top_secret / auth | 3.5× | API keys, secrets, credentials |
Target Scope Multiplier
| Target | Multiplier |
|---|---|
| Same agent, local processing | 1.0× |
| Internal service, same customer | 1.1× |
| Internal service, different department | 1.3× |
| External endpoint, whitelisted | 1.5× |
| External endpoint, unknown | 2.5× |
| External endpoint, flagged/suspicious | 3.5× |
MCP Server Trust Multiplier
| Server Trust | Multiplier |
|---|---|
| Verified, official integration | 1.0× |
| Known community server, audited | 1.2× |
| Unverified community server | 1.8× |
| Unknown/first-seen server | 2.5× |
| Server with recent description changes | 3.0× |
Layer 2: Structural GNN Score (Learned, 0-100)
The GNN scores the structural context around the focal action — not just what happened, but the shape of the subgraph it sits within.
What the GNN Captures
- Path-based risk: A `query.execute` preceded by `permission.grant` and followed by `data.send` forms an escalation-then-exfiltration chain
- Neighborhood anomaly: A `support_bot` accessing `sensitivity_level=4` resources triggers attention on that edge
- Cross-server correlation: Two MCP servers exposing tools with identical names (shadowing detection)
- Temporal chains: Sequences matching trained attack patterns even with benign actions interspersed
Layer 3: Policy Violation Score (Deterministic, 0-100)
Customer-specific layer. Evaluates the action against customer policies using the forward-chaining engine.
| Match Result | Score Contribution |
|---|---|
| Action explicitly permitted | -20 (reduces score) |
| No matching policy | +0 |
| Action matches flag policy | +severity (typically 20-50) |
| Action matches block policy | +severity (typically 50-90) |
| Action matches escalate policy | +severity (typically 40-70) |
Block overrides permit. If any block policy matches, the score floors at 70.
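One reading of the table and override rule above as code, added here as an example rather than taken from Quint's engine. The `Match` record, summing contributions across matches, and clamping to the layer's 0-100 range are assumptions; the page does not say how multiple matches combine.

```python
from dataclasses import dataclass

PERMIT_CONTRIBUTION = -20  # "Action explicitly permitted" row
BLOCK_FLOOR = 70           # "If any block policy matches, the score floors at 70"


@dataclass(frozen=True)
class Match:               # hypothetical shape of one policy match
    policy_id: str
    effect: str            # "permit" | "flag" | "block" | "escalate"
    severity: int = 0      # unused for permit


def policy_score(matches):
    """Return (L3 score in 0-100, ids of the policies that contributed)."""
    blocked = any(m.effect == "block" for m in matches)
    total, used = 0, []
    for m in matches:
        if m.effect == "permit":
            if blocked:    # block overrides permit: the -20 is not applied
                continue
            total += PERMIT_CONTRIBUTION
        elif m.effect in ("flag", "block", "escalate"):
            total += m.severity
        else:
            # Fail closed on an effect this code does not understand
            raise ValueError(f"unknown policy effect: {m.effect!r}")
        used.append(m.policy_id)
    if blocked:
        total = max(total, BLOCK_FLOOR)
    # Assumption: clamp to the layer's stated 0-100 range
    return max(0, min(100, total)), used


if __name__ == "__main__":
    # Constructed matches: a permit that collides with a low-severity block
    print(policy_score([Match("allow-kb", "permit"),
                        Match("no-pii-export", "block", 50)]))
```

Under these assumptions a permit alone yields 0, and a permit that collides with a block of severity 50 still yields 70.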
Layer 4: Temporal Anomaly Modifier (×0.5 to ×2.0)
Modifies the composite of Layers 1-3 based on behavioral context.
L4 = rate_factor × sequence_novelty × time_anomaly × session_drift
| Signal | Normal | Elevated |
|---|---|---|
| Rate anomaly | Current rate within 0.5-1.5× historical avg → 1.0× | Spike > 3× avg → 2.0× |
| Sequence novelty | Seen 10+ times → 0.8× | Never seen before → 1.3× |
| Time of day | Within normal hours → 1.0× | Weekend/holiday → 1.4× |
| Session drift | Cosine distance < 0.3 → 1.0× | Distance > 0.6 → 1.3× |
Confidence Score (0.0 - 1.0)
confidence = min(gnn_confidence, policy_clarity, data_completeness)
| Signal | High (>0.8) | Low (<0.5) |
|---|---|---|
| GNN softmax | One class dominates (>0.85 probability) | Probabilities spread across classes |
| Policy clarity | Exact policy match found | No matching or conflicting policies |
| Data completeness | All 8 fields present | Missing agent_type, resource_id, etc. |
When confidence < 0.8: LLM fallback is triggered. Compliance context is retrieved via RAG and injected into the LLM prompt.
Worked Examples
Event: mcp:notion:page.read
Agent: support_bot (verified, normal hours)
Resource: internal knowledge base (sensitivity: 1)
Policy: permitted for all agents
L1 = 5 (read) × 1.0 (public) × 1.0 (internal) × 1.0 (verified) = 5
L2 = 3 (GNN: routine subgraph)
L3 = 0 (explicitly permitted)
L4 = 1.0 (normal rate, known sequence)
raw = (0.15 × 5 + 0.45 × 3 + 0.40 × 0) × 1.0 = 2.1
final_score = 2, confidence = 0.95
→ Risk Level: None, Allow silently
Event: mcp:postgres:query.execute
Agent: sales_bot (verified, normal hours)
Data fields: email, phone, ssn (5000 rows)
Policy: block on sensitive PII
L1 = 10 × 2.5 × 1.0 × 1.0 = 25
L2 = 68 (GNN: anomalous SSN access + bulk volume)
L3 = 85 (block policy matched)
L4 = 1.4 (rate anomaly: 5000 records vs avg 10)
raw = (0.15 × 25 + 0.45 × 68 + 0.40 × 85) × 1.4 = 95.69
final_score = 96, confidence = 0.92
→ Risk Level: Critical, Block + Escalate
Event: mcp:slack:file.upload
Preceding: unverified server → hidden instructions → .env file search → upload
Policy: none specific
L1 = 25 × 3.5 × 1.5 × 2.5 = 328 → capped at 100
L2 = 88 (GNN: tool poisoning pattern detected)
L3 = 0 (no policy matched)
L4 = 1.3 (novel sequence)
raw = (0.15 × 100 + 0.45 × 88 + 0.40 × 0) × 1.3 = 70.98
final_score = 71, confidence = 0.78
→ Risk Level: High, Block + Alert
Event: mcp:github:pr.create
Agent: code_review_bot
Resource: internal repo (sensitivity: 2), modifies auth middleware
Policy: flag on auth changes
L1 = 15 × 1.3 × 1.0 × 1.0 = 19.5
L2 = 42 (GNN uncertain)
L3 = 35 (flag policy)
L4 = 1.0
raw = (0.15 × 19.5 + 0.45 × 42 + 0.40 × 35) × 1.0 = 35.8
confidence = 0.48 → triggers LLM fallback
LLM adjusts to: 44, Medium risk, Flag for review
Score Decomposition in API Response
```json
{
  "score_decomposition": {
    "intrinsic_action_risk": {
      "score": 100,
      "weight": 0.15,
      "components": {
        "verb_base": 25,
        "data_sensitivity": 3.5,
        "target_scope": 1.5,
        "mcp_trust": 2.5
      }
    },
    "structural_gnn": {
      "score": 88,
      "weight": 0.45,
      "confidence": 0.78,
      "detected_patterns": ["tool_poisoning", "credential_access"]
    },
    "policy_violation": {
      "score": 0,
      "weight": 0.40,
      "matched_policies": []
    },
    "temporal_modifier": {
      "multiplier": 1.3,
      "components": {
        "rate_anomaly": 1.0,
        "sequence_novelty": 1.3,
        "time_anomaly": 1.0,
        "session_drift": 1.0
      }
    }
  }
}
```
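A consumer-side consistency check for this decomposition, added as an example (not Quint's own code): it recomputes L1, L4 and the final score using the formulas on this page and reports any mismatch. The function name `audit` and passing the reported final score as a separate argument are assumptions, since the page does not show which response field carries it.

```python
import math

# Constructed sample: the score_decomposition object shown on this page.
SAMPLE = {
    "intrinsic_action_risk": {"score": 100, "weight": 0.15, "components": {
        "verb_base": 25, "data_sensitivity": 3.5,
        "target_scope": 1.5, "mcp_trust": 2.5}},
    "structural_gnn": {"score": 88, "weight": 0.45},
    "policy_violation": {"score": 0, "weight": 0.40},
    "temporal_modifier": {"multiplier": 1.3, "components": {
        "rate_anomaly": 1.0, "sequence_novelty": 1.3,
        "time_anomaly": 1.0, "session_drift": 1.0}},
}


def audit(decomp, reported_final, tol=1e-6):
    """Recompute the score from its parts; return (final, findings)."""
    l1 = decomp["intrinsic_action_risk"]
    l2 = decomp["structural_gnn"]
    l3 = decomp["policy_violation"]
    l4 = decomp["temporal_modifier"]
    findings = []

    # L1 = min(100, verb_base x data_sensitivity x target_scope x mcp_trust)
    want_l1 = min(100, math.prod(l1["components"].values()))
    if abs(want_l1 - l1["score"]) > tol:
        findings.append(f"L1 {l1['score']} != components ({want_l1:g})")

    # L4 is the product of its four factors and is bounded to x0.5..x2.0
    want_l4 = math.prod(l4["components"].values())
    if abs(want_l4 - l4["multiplier"]) > tol:
        findings.append(f"L4 {l4['multiplier']} != components ({want_l4:g})")
    if not 0.5 <= l4["multiplier"] <= 2.0:
        findings.append(f"L4 {l4['multiplier']} outside 0.5-2.0")

    for name, layer in (("L1", l1), ("L2", l2), ("L3", l3)):
        if not 0 <= layer["score"] <= 100:
            findings.append(f"{name} score {layer['score']} outside 0-100")

    # raw = (w1*L1 + w2*L2 + w3*L3) * L4 ; final = clamp(round(raw), 1, 100)
    raw = sum(x["score"] * x["weight"] for x in (l1, l2, l3)) * l4["multiplier"]
    final = max(1, min(100, round(raw)))
    if final != reported_final:
        findings.append(f"reported {reported_final} != recomputed {final}")
    return final, findings


if __name__ == "__main__":
    print(audit(SAMPLE, 71))
```

An empty findings list means the decomposition is internally consistent with the reported score; it says nothing about whether the layer inputs themselves were correct.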
| Metric | Target |
|---|---|
| Layer 1 (intrinsic) latency | < 1ms |
| Layer 2 (GNN) latency | < 25ms |
| Layer 3 (policy) latency | < 5ms |
| Layer 4 (temporal) latency | < 3ms |
| Total scoring (p95) | < 50ms without LLM |
| LLM fallback latency | < 3s |
| LLM fallback rate | < 25% of events |