Agent Bill of Materials

Every AI agent session in your organization leaves behind an audit-ready record. Quint captures the full runtime composition — model, framework, tools, data, risk — and exports it as a standards-compliant Agent Bill of Materials. This is what EU AI Act compliance looks like operationally.

Why Agent BoM, not Model BoM

Existing AIBOM products (HiddenLayer AISec 2.0, Manifest AI Risk, Cycode, Wiz) inventory models: architecture, training data, weights provenance, known CVEs. That is one layer of the stack. An AI agent is a composite system:
| Layer | Model BoM covers | Agent BoM covers |
| --- | --- | --- |
| Model | Architecture, version, parameter count, training data | Same, per-session invocation |
| Framework | | Claude Code, Cursor, Copilot, LangChain, CrewAI |
| Tools / MCP | | Every MCP server connected, every tool called, arguments |
| Data access | Training datasets | Runtime files read/written, APIs hit, data classifications |
| Cloud services | | Bedrock, OpenAI, Vertex endpoints touched |
| Orchestration | | Sub-agent spawns, delegation chains, parent-child graph |
| Risk | Static vulnerability scan | Per-session behavioral risk score |

A Model BoM is a build-time artifact. An Agent BoM is a runtime artifact generated every session. The attack surface that matters — tool poisoning, data exfiltration, prompt injection chains — lives in the agent layer, not the model layer.

Standards Landscape

CycloneDX ML-BOM (OWASP / Ecma TC54)

CycloneDX v1.7 (ECMA-424, published 2025-12-10) supports component type machine-learning-model with a modelCard object containing modelParameters (task, architectureFamily, approach, datasets) and quantitativeAnalysis (performance metrics). It also supports services for external API endpoints and data components for datasets. The spec is extensible via properties using reserved namespaces like cdx:ai-ml:*.

Quint fit: CycloneDX’s services object maps cleanly to MCP servers. components maps to models and tools. dependencies captures the agent’s composition graph. We render per-session output as CycloneDX JSON.

SPDX 3.0 AI + Dataset Profiles (Linux Foundation)

SPDX 3.0 added AI and Dataset profiles as first-class supply chain elements. The AI profile tracks software frameworks, libraries, versions, licenses, and security references for AI/ML systems. The G7 Cybersecurity Working Group published “A Shared G7 Vision on SBOM for AI” (June 2025) endorsing SPDX-based AIBOMs.

Quint fit: SPDX is stronger on licensing and provenance. We support SPDX export for customers in regulated industries where SPDX is mandated.

Industry adoption

CycloneDX has broader tooling adoption for security use cases (OWASP ecosystem). SPDX has stronger government and open-source backing. Both are machine-readable JSON. Quint exports both; CycloneDX is the default because its services and modelCard objects map more naturally to agent runtime data.

Compliance Framework Mapping

EU AI Act — Article 11 / Annex IV

Annex IV requires technical documentation covering 9 categories for high-risk AI systems. Quint’s per-session AIBOM directly addresses:
| Annex IV Requirement | Quint AIBOM Field |
| --- | --- |
| 1(a) Intended purpose, provider, version | model.id, model.version, framework |
| 1(b) Interaction with other AI systems | mcp_servers[], services_touched[] |
| 4. Development process, design specs | framework, model.provider |
| 5. System architecture, computational resources | components[], cloud_services[] |
| 6. Data requirements, provenance | data_fields_accessed[] with classifications |
| 7. Validation & testing metrics | risk_score, per-tool risk breakdown |
| 9. Post-market monitoring | Continuous per-session generation = live monitoring |

An AIBOM alone does not satisfy Annex IV (it requires human oversight plans, cybersecurity measures, conformity declarations). But it is the machine-readable evidence layer that makes the rest auditable.

NIST AI RMF 1.0 — Govern / Map / Measure / Manage

| Function | Subcategory | AIBOM Role |
| --- | --- | --- |
| Govern | 1.1 Legal/regulatory requirements documented | AIBOM generation policy = documented AI governance |
| Map | 1.1 Intended purpose contextualized | Per-session framework + model + tools = full context |
| Measure | 2.6 AI system performance assessed | risk_score + tool-level metrics per session |
| Manage | 2.2 Mechanisms to track AI risks | Continuous AIBOM stream = live risk telemetry |
| Manage | 4.1 Post-deployment monitoring | Session-level granularity exceeds typical monitoring |

ISO/IEC 42001 — AI Management System (AIMS)

ISO 42001 requires documented procedures across the AI lifecycle (Clause 8), system-level documentation for each AI system in scope, and a Register of AI Resources (Controls A.4.2-A.4.6). Quint’s AIBOM auto-generates the per-system documentation that auditors expect: what model, what data, what tools, what risk — per session, continuously.

SOC 2

SOC 2 does not explicitly require AIBOM-like documentation. However, the Common Criteria for Security (CC6) and Availability (A1) require evidence that system components are inventoried and monitored. For organizations using AI agents in production, auditors increasingly ask “what AI is running and what can it access?” The AIBOM is the answer.

Quint AIBOM Schema

Every session produces a signed JSON record. The schema:
{
  "$schema": "https://quintai.dev/schemas/aibom/v1.json",
  "bomFormat": "Quint-AIBOM",
  "specVersion": "1.0",
  "serialNumber": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "timestamp": "2026-05-03T14:32:01Z",
  "session": {
    "id": "urn:uuid:session-uuid-here",
    "org_id": "org_abc123",
    "machine_id": "machine_def456",
    "duration_seconds": 847,
    "user_hash": "sha256:abcdef..."
  },
  "model": {
    "id": "claude-sonnet-4-20250514",
    "provider": "anthropic",
    "version": "claude-sonnet-4-20250514",
    "endpoint": "us-east-1.bedrock.amazonaws.com",
    "parameters": {
      "max_tokens": 8192,
      "temperature": 0.7
    }
  },
  "framework": {
    "name": "claude-code",
    "version": "1.0.21",
    "runtime": "node/22.4.0"
  },
  "mcp_servers": [
    {
      "name": "github",
      "version": "0.9.2",
      "transport": "stdio",
      "tools_exposed": 14,
      "tools_called": ["create_pull_request", "search_code"]
    }
  ],
  "tools_called": [
    {
      "name": "Bash",
      "invocations": 23,
      "risk_contributions": 0.12
    },
    {
      "name": "Edit",
      "invocations": 7,
      "risk_contributions": 0.03
    }
  ],
  "cloud_services_touched": [
    {
      "service": "bedrock.amazonaws.com",
      "region": "us-east-1",
      "protocol": "https",
      "request_count": 45
    }
  ],
  "data_fields_accessed": [
    {
      "path": "/Users/dev/project/src/auth.ts",
      "operation": "FILE_READ",
      "classification": "source_code",
      "sensitivity": "internal"
    },
    {
      "path": "api.stripe.com/v1/customers",
      "operation": "HTTPS_REQUEST",
      "classification": "pii",
      "sensitivity": "confidential"
    }
  ],
  "sub_agents": [
    {
      "id": "session-uuid:sub:1",
      "model": "claude-sonnet-4-20250514",
      "prompt_hash": "fnv1a:0xabc123",
      "tools_inherited": ["Bash", "Read"]
    }
  ],
  "risk": {
    "session_score": 0.34,
    "max_event_score": 0.72,
    "scoring_version": "v2.1",
    "flags": ["external_api_access", "file_write_outside_project"]
  },
  "signature": {
    "algorithm": "Ed25519",
    "public_key": "base64:...",
    "value": "base64:..."
  }
}

Field reference

| Field | Type | Description |
| --- | --- | --- |
| session.id | UUID | Cloud session identifier (SHA1-UUID5 of local pid+timestamp) |
| model.id | string | Exact model identifier as observed on the wire |
| model.endpoint | string | API endpoint the model was called through |
| framework.name | enum | claude-code, cursor, copilot, continue, aider, custom |
| mcp_servers[].tools_called | string[] | Subset of exposed tools actually invoked this session |
| data_fields_accessed[].classification | enum | public, internal, confidential, restricted, pii, phi, source_code |
| risk.session_score | float | 0.0-1.0 composite risk score for the entire session |
| signature | object | Ed25519 signature over the canonical JSON, proving provenance |
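
The signature row above, worked as a verifier-side check. This is an added example, not Quint's code, and it uses the third-party Python cryptography package. The canonical form (record minus its signature object, sorted keys, no whitespace), the pinned key set and every function name are assumptions; the point shown is that the public_key embedded in a record cannot establish provenance by itself, so the verifier compares it against keys it already trusts.

```python
import base64, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def canonical_bytes(record):
    """Signed bytes: record minus signature, sorted keys, no whitespace (assumed scheme)."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def unb64(field):
    """Decode the schema's 'base64:<data>' string form."""
    if not field.startswith("base64:"):
        raise ValueError("unexpected encoding prefix")
    return base64.b64decode(field[7:], validate=True)

def verify_aibom(record, pinned_keys):
    """True only if a key the verifier already trusts signed the record. The
    embedded public_key merely selects a pinned key; alone it proves nothing."""
    try:
        sig = record["signature"]
        pub, value = unb64(sig["public_key"]), unb64(sig["value"])
        if sig["algorithm"] != "Ed25519" or pub not in pinned_keys:
            return False
        Ed25519PublicKey.from_public_bytes(pub).verify(value, canonical_bytes(record))
        return True
    except (KeyError, TypeError, AttributeError, ValueError, InvalidSignature):
        return False

def raw_public(private_key):
    return private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

def sign_aibom(record, private_key):
    """Helper for the demo: attach a signature object in the schema's shape."""
    enc = lambda raw: "base64:" + base64.b64encode(raw).decode()
    return {**record, "signature": {
        "algorithm": "Ed25519", "public_key": enc(raw_public(private_key)),
        "value": enc(private_key.sign(canonical_bytes(record)))}}

def demo():
    """Constructed records: genuine, edited after signing, re-signed by an unpinned key."""
    key, other = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    rec = {"bomFormat": "Quint-AIBOM", "risk": {"session_score": 0.34}}
    good = sign_aibom(rec, key)
    edited = {**good, "risk": {"session_score": 0.01}}
    pinned, resigned = {raw_public(key)}, sign_aibom(edited, other)
    return [verify_aibom(r, pinned) for r in (good, edited, resigned)]

if __name__ == "__main__":
    print(demo())
```

How the pinned keys reach the verifier (enrollment, a key registry) is outside what this page describes.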

CycloneDX Export Mapping

Quint’s per-session JSON renders to CycloneDX 1.7 as follows:
| Quint Field | CycloneDX Object | CycloneDX Field |
| --- | --- | --- |
| model.* | components[type=machine-learning-model] | name, version, purl, modelCard.modelParameters |
| framework.* | metadata.tools[] | name, version |
| mcp_servers[] | services[] | name, version, endpoints[] |
| tools_called[] | services[].data | .flowDirection + classification |
| data_fields_accessed[] | services[].data[] | classification, flow |
| cloud_services_touched[] | services[] | endpoints[], authenticated, trustZone |
| sub_agents[] | components[type=machine-learning-model] | Nested with dependencies[] |
| risk.* | vulnerabilities[] or properties[] | cdx:quint:risk:session_score |
| signature | metadata.component.hashes[] | Integrity verification |

The dependencies array captures the composition: session depends on model, model depends on MCP servers, MCP servers depend on tools. This is the agent graph that Model BoMs cannot express.
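
A sketch of the renderer this mapping describes, as an added example rather than Quint's own code. It covers the model, MCP server, cloud service, data access, risk and dependency rows; the bom-ref prefixes, the FLOW table and hanging all data accesses on one service named after the framework are assumptions of this example.

```python
import json

# Flow direction per Quint operation: an assumption of this example.
FLOW = {"FILE_READ": "inbound", "FILE_WRITE": "outbound",
        "HTTPS_REQUEST": "bi-directional"}

def to_cyclonedx(rec):
    """Render part of a Quint AIBOM record as a CycloneDX 1.7 BOM (dict)."""
    sess, model, fw = rec["session"]["id"], rec["model"], rec["framework"]
    model_ref = "model:" + model["id"]
    mcp = [{"bom-ref": "mcp:" + s["name"], "name": s["name"],
            "version": s["version"]} for s in rec.get("mcp_servers", [])]
    cloud = [{"bom-ref": "cloud:" + c["service"], "name": c["service"],
              "endpoints": [c["protocol"] + "://" + c["service"]]}
             for c in rec.get("cloud_services_touched", [])]
    # Assumption: all data accesses hang on one service named after the framework.
    agent = {"bom-ref": "agent:" + fw["name"], "name": fw["name"],
             "data": [{"flow": FLOW.get(d["operation"], "unknown"),
                       "classification": d["classification"]}
                      for d in rec.get("data_fields_accessed", [])]}
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1,
        "serialNumber": rec["serialNumber"],
        "metadata": {"timestamp": rec["timestamp"], "component": {
            "type": "application", "bom-ref": sess, "name": "agent-session"}},
        "components": [{"type": "machine-learning-model", "bom-ref": model_ref,
                        "name": model["id"], "version": model["version"]}],
        "services": mcp + cloud + [agent],
        "properties": [{"name": "cdx:quint:risk:session_score",
                        "value": str(rec["risk"]["session_score"])}],
        # Composition graph: session -> model and agent, model -> MCP servers.
        "dependencies": [
            {"ref": sess, "dependsOn": [model_ref, agent["bom-ref"]]},
            {"ref": model_ref, "dependsOn": [s["bom-ref"] for s in mcp]}]}

# Constructed sample: a trimmed copy of the schema example on this page.
SAMPLE = {
    "serialNumber": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "timestamp": "2026-05-03T14:32:01Z", "session": {"id": "urn:uuid:session-uuid-here"},
    "model": {"id": "claude-sonnet-4-20250514", "version": "claude-sonnet-4-20250514"},
    "framework": {"name": "claude-code", "version": "1.0.21"},
    "mcp_servers": [{"name": "github", "version": "0.9.2"}],
    "cloud_services_touched": [{"service": "bedrock.amazonaws.com", "protocol": "https"}],
    "data_fields_accessed": [{"operation": "FILE_READ", "classification": "source_code"},
                             {"operation": "HTTPS_REQUEST", "classification": "pii"}],
    "risk": {"session_score": 0.34}}

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE), indent=2))
```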

PDF Report Layout

For compliance auditors who need paper.

Page 1: Executive Summary

+--------------------------------------------------------+
| QUINT AGENT BILL OF MATERIALS                          |
| Session: a1b2c3d4    Date: 2026-05-03 14:32 UTC        |
| Org: Acme Corp       Machine: dev-laptop-042           |
+--------------------------------------------------------+
| MODEL        claude-sonnet-4     via Bedrock us-east-1 |
| FRAMEWORK    claude-code 1.0.21                        |
| DURATION     14m 7s                                    |
| RISK SCORE   0.34 / 1.0  [====------] LOW              |
+--------------------------------------------------------+
| MCP SERVERS  github (2 tools), slack (1 tool)          |
| TOOLS CALLED Bash(23), Edit(7), Read(12)               |
| DATA ACCESS  4 files read, 1 external API              |
| FLAGS        external_api_access                       |
+--------------------------------------------------------+
| SIGNATURE    Ed25519 VERIFIED                          |
| EXPORT       CycloneDX 1.7 JSON | SPDX 3.0 JSON        |
+--------------------------------------------------------+

Pages 2+: Detailed Appendix

  • Full tool invocation log with timestamps
  • Data access table with classifications and sensitivity tiers
  • MCP server manifest with exposed vs. called tools
  • Sub-agent tree with prompt hashes
  • Risk score breakdown by event category
  • Raw CycloneDX JSON (machine-readable appendix)

Sales Positioning

The pitch: “Every AI agent session in your org already leaves a trace. Quint captures it, scores it, signs it, and exports it as a standards-compliant bill of materials. When your auditor asks what your AI agents accessed last Tuesday — you have the answer in CycloneDX JSON or a one-page PDF. That is what EU AI Act Article 11 compliance looks like in practice.”

Differentiation from HiddenLayer / Manifest / Cycode:
CapabilityHiddenLayerManifestCycodeQuint
Model inventoryYesYesYesYes
Model vulnerability scanYesYesYes
Training data provenanceYesPartial
Per-session runtime captureYes
Agent tool/MCP trackingYes
Runtime data access logYes
Behavioral risk scoringYes
Ed25519 signed recordsYes
CycloneDX exportPartialYes
The others tell you what models you have. Quint tells you what those models did, in every session, with cryptographic proof.

Target buyers: CISO, VP Engineering, GRC leads at companies deploying AI agents (coding assistants, customer-facing bots, internal automation).

Regulatory trigger: EU AI Act enforcement begins August 2026 for high-risk systems.

Implementation Notes

Quint already captures the raw data for every field in this schema:
  • Model + endpoint: Observed on the wire by the forward proxy (MITM layer)
  • Framework detection: User-agent parsing + process tree analysis by ES extension
  • MCP servers + tools: MCP_TOOL_CALL events from the ES extension
  • Data access: FILE_READ, FILE_WRITE, HTTPS_REQUEST from ES + NE
  • Sub-agents: In-process subagent detector (FNV-1a prompt hash)
  • Risk score: Per-event scoring pipeline, aggregated per-session
What remains to build:
  1. AIBOM serializer — aggregate session events into the JSON schema above
  2. CycloneDX renderer — map Quint JSON to CycloneDX 1.7 JSON
  3. SPDX renderer — map to SPDX 3.0 AI profile (lower priority)
  4. PDF generator — executive summary + appendix from the JSON
  5. Ed25519 signing — sign canonical JSON at session close
  6. API endpoint — GET /v1/sessions/:id/aibom returning the signed record
  7. Dashboard export button — “Download AIBOM” on session detail view