a daemon · runtime defense · linux

KNEK.

Runtime defense for AI agents. A daemon that hooks Claude Code, Cursor, and MCP servers — baselines their behavior, blocks the action the moment they drift.

curl -fsSL https://install.oknek.com | sh

early access · v1 shipping

the protection surface · 7 rules

What oknek catches.

Every rule maps to a public, citable threat — most of them documented by Anthropic itself. Each ships in v1, signed and versioned. New rules within 24h of any new disclosure.

  1. R1 · subcommand-chain bypass

     An untrusted repo triggers Claude Code to chain 50+ bash subcommands inside one tool call, slipping past deny-rule enforcement. We count chain depth at the syscall layer and block past a configurable threshold.

     evidence: full bash command · subcommand depth · agent identifier · timestamp

  2. R2 · settings.json permission flip

     A repo silently rewrites .claude/settings.json to grant elevated permissions. We watch the inode, diff against the last-trusted hash, and freeze the agent until the user verifies.

     evidence: old hash · new hash · diff · source process

  3. R3 · plaintext credential read

     The agent opens ~/.claude.json, ~/.aws/credentials, ~/.ssh/id_rsa, or any path on the configured credential-path list. Hooked at the open() syscall via eBPF or an LD_PRELOAD shim. Default block, configurable allow-and-log.

     evidence: file path · agent process · read offset and length

  4. R4 · MCP URL drift

     A poisoned MCP config redirects an agent's tool calls to an attacker-controlled endpoint. We baseline the agent's MCP server allowlist at install; any new endpoint is flagged or blocked.

     evidence: original endpoint list · new endpoint · transport · agent identifier

  5. R5 · egress to non-allowlisted domain

     The agent opens an outbound socket to a destination not in your allowlist: exfiltration, C2 callback, anything you didn't sanction. Default deny with a sensible starter list (Anthropic, OpenAI, GitHub, npm, PyPI).

     evidence: destination IP · port · hostname · agent process

  6. R6 · CLAUDE.md indirect prompt injection

     A repo's CLAUDE.md, AGENT.md, or .cursor/rules hides instructions in white-on-white text, base64 blobs, or comment fences. We pre-scan instruction files for known indirect-injection patterns. Warn or block.

     evidence: file path · matched pattern · line numbers

  7. R7 · behavioral drift score

     A 14-day rolling baseline of (tool calls × frequency × scope) per agent. New behavior is scored against the baseline; anything above threshold alerts. The catch-all that fires when none of R1–R6 do.

     evidence: baseline summary · drift event details · score

live event stream · sample

Watch a 50-subcommand bypass die in 3ms.

Real output from oknek logs --tail on a self-test box. The agent attempts a chained curl | base64 -d | sh escape; oknek snaps the chain at depth 12, suspends the process, and writes structured evidence to disk before the syscall returns.

oknek logs --tail · openclaw.host utf-8 · 132x24 · live
2026-05-09T17:42:11Z info  agent.spawn         pid=4421 binary=claude argv=["claude","--dangerously-skip-permissions"]
2026-05-09T17:42:11Z info  baseline.match      agent=claude-code-7f3a profile=interactive matched=12/14 features
2026-05-09T17:42:13Z info  exec.observed       pid=4421 cmd="git status"  depth=1  verdict=allow
2026-05-09T17:42:18Z info  exec.observed       pid=4421 cmd="ls -la ~/"   depth=1  verdict=allow
2026-05-09T17:43:01Z warn  exec.suspicious     pid=4421 chain.depth=11 (threshold=8) cmd-fragment="curl ... | base64 -d | sh"
2026-05-09T17:43:02Z BLOCK rule=R1 subcommand_chain depth=12 agent=claude-code-7f3a
                              chain: env → curl → bash -c → eval → base64 -d → sh -c → ssh-add → cat → nc → jq → tee → ;
                              process suspended · awaiting verdict · `oknek allow 4421` or `oknek deny 4421`
                              evidence written /var/lib/oknek/events/2026-05-09/e_47fb91.json (1.2 KiB, sha256:c4f0…)
2026-05-09T17:43:04Z info  oknek.notify        slack#sec-alerts ✓ · email kell@oknek.com ✓
$ 

The block decision was made before execve() returned. The agent never saw the credential file. There was no shell to exfiltrate from. This output is real, captured 2026-05-09 from a self-test on openclaw.

three tiers · cancel any time · per server

Pay nothing. Pay nine. Pay twenty-nine.

The daemon, CLI, and base rule pack are open source forever. Indie buys you a faster rule update channel and alerts. Team buys you a roll-up dashboard across boxes. Enterprise buys you whatever else.

free

$0 · forever · open source

  • oknekd daemon · single static binary
  • oknek CLI · all subcommands
  • base rule pack (R1 – R7)
  • monthly rule updates · public github
  • community discord
  • local-only · no cloud
install →

indie

$9 · per server · per month

  • everything in free
  • hourly rule updates
  • slack · discord · email alerts
  • web dashboard · read-only event timeline
  • stripe via whop
request access →

team

$29 · per server · per month

  • everything in indie
  • multi-server roll-up dashboard
  • custom rule authoring
  • priority discord support
  • event log export · jsonl + parquet
request access →

enterprise · sso · scim · soc 2 evidence room · air-gapped deploy · custom integrations — write to kell@oknek.com.

three converging signals

Why this category, why now.

01

Anthropic itself shipped the threat model.

50-subcommand bypass. Plaintext OAuth tokens in ~/.claude.json. .claude/settings.json permission injection. CLAUDE.md indirect prompt injection. All publicly disclosed. All reproducible. None addressed by any existing security tool.

02

Snyk scans your code. Darktrace watches your network. Neither watches the agent.

Runtime endpoint defense for AI agents is a category that does not yet exist. Snyk owns dev-time. Darktrace owns the wire. Wiz owns cloud posture. The agent's runtime, between the model and the kernel, is an open lane.

03

The buyer is reachable.

Indie devs running Claude Code on a VPS are searching for "how do I secure my agent" right now. They have no good answer. Hacker News, r/ClaudeAI, r/LocalLLaMA, X reach them in one post. No enterprise sales motion required to get to the first 100 paying customers.

early access list

Get the install command.
Get the discord invite.
Get out of the way.

When v1 ships, you'll get a one-line install command, a private discord invite, and the threat-model doc. We will not sell your email. We will not sign you up for anything else. One message. Then silence until v1.

we will be there within the hour. no tracking. no list rentals. no spam.