runtime defense · kernel-enforced · linux

When an AI agent goes rogue, it can't route around the kernel.

The oknek lens — the kernel aperture watching every AI agent on the host.

the aperture between the agent and the kernel

Oknek hooks every AI agent — Claude Code, Cursor, Cline, any MCP server — below its own reach. Credential reads, exfiltration, C2 beaconing: blocked or flagged in the kernel, where a proxy can't be talked around.

Nov 2025 — Anthropic disclosed the first AI-orchestrated cyber-espionage campaign: a state-sponsored group drove Claude Code to autonomously run 80–90% of operations against ~30 targets. When the agent itself is the weapon, the defense has to live below it.

the difference · below the agent, not above it

Everyone else governs the agent from a chokepoint it can route around.

Proxies, gateways, and SDK wrappers all sit above the agent — at a chokepoint a misbehaving or compromised agent simply steps around: a raw HTTPS call that never hits the proxy, a spawned subprocess, a caught-and-retried error. They return an error. Oknek returns a kernel -EPERM the process physically cannot escape.

above the agent

The proxy / gateway

Binds traffic through its own chokepoint — base URL, SDK monkeypatch, framework callback. Returns a 429 the agent catches and retries around. A static binary or a raw socket never goes through it.

routes around · can't terminate

below the agent

The oknek kernel hook

BPF-LSM + interposer enforcement on the watched agent's whole process tree. A spawned static binary can't escape — an ancestor PID is in the watch set, so the kernel denies the syscall before the connection opens.

can't route around · kernel -EPERM

No funded player ships this. Proxies (Pay-i, the free gateways) return errors; observers (Revenium) only watch; the network layer (the SSE/SASE incumbents) partners endpoint runtime out entirely. The one unowned sliver — tamper-resistant, route-around-proof enforcement inside the host but below the agent's reach — is the lane oknek sits in.

real output · on-box end-to-end · oknek-prod-1

A static binary the shim can't see. The kernel blocks it anyway.

A watched agent spawns a statically-linked child — the kind that bypasses every userspace interposer — and reaches for an off-gateway host. The LD_PRELOAD layer is blind to it. The BPF-LSM hook walks the process tree, finds a watched ancestor, and returns -EPERM before connect() opens. This is real output from the on-box test.

oknek · oknek-prod-1 · egress-jail e2e kernel 6.8 · bpf-lsm · live
18:24:59 run   watched agent → /tmp/conn_static (statically linked · no libc · shim-unhookable)
18:24:59 conn  static child → connect() 5.78.216.193:5000  (off-gateway)
18:24:59 BLOCK rule=R11 egress-jail · ancestry-walk matched watched tree · errno=1 EPERM
                       └ the kernel denied the connect — the LD_PRELOAD shim never even saw this process
18:25:01 WARN  rule=R12 exfil · BEACON  agent=claude-code → 185.10.20.30:443  every ~30s (jitter 4%)  [curl]
18:25:01 WARN  rule=R12 exfil · VELOCITY agent=claude-code · 57 off-gateway connects / 30s window  [python]
18:25:02 BLOCK rule=R3 cred-read · ~/.aws/credentials · errno=1 EPERM  (kernel, watched agent)
$ 

Three rules, one box: kernel credential-block (R3), route-around-proof egress jail (R11), exfil/C2 watch (R12). — captured from the on-box e2e on oknek-prod-1, kernel 6.8, BPF-LSM active.
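The verdict logic behind the R11 BLOCK line above, modelled in userspace as an added example (not oknek's code): a bounded walk up the process tree, then an allowlist check. The process table, addresses, depth bound and the fail-closed handling of a truncated walk are assumptions of this example.

```python
import errno
import ipaddress

MAX_DEPTH = 16                      # assumed bound on the ancestry walk
GATEWAY = ("203.0.113.10", 443)     # constructed sanctioned gateway
RESOLVER = ("203.0.113.53", 53)     # constructed DNS resolver

def walk_ancestry(pid, parent_of, watch_set, max_depth=MAX_DEPTH):
    """Walk pid -> parent -> ...; return 'watched', 'unwatched' or 'truncated'."""
    for _ in range(max_depth):
        if pid in watch_set:
            return "watched"
        ppid = parent_of.get(pid)
        if ppid is None or ppid == pid:
            return "unwatched"      # reached the root without a match
        pid = ppid
    return "truncated"              # tree is deeper than the bound

def connect_verdict(pid, dest, parent_of, watch_set):
    """Return 0 (allow) or -EPERM (deny) for a connect to dest=(ip, port)."""
    if walk_ancestry(pid, parent_of, watch_set) == "unwatched":
        return 0
    # 'truncated' is handled like 'watched' (fail closed); otherwise a long
    # chain of wrapper processes would walk a child out of the jail.
    if ipaddress.ip_address(dest[0]).is_loopback:
        return 0
    if dest in (GATEWAY, RESOLVER):
        return 0
    return -errno.EPERM

# Constructed process table: pid -> parent pid. 4000 is the watched agent,
# 4101 its grandchild (e.g. a spawned static binary), 5000 an unrelated process.
PARENT_OF = {1: 1, 900: 1, 4000: 900, 4100: 4000, 4101: 4100, 5000: 900}
WATCHED = {4000}

if __name__ == "__main__":
    for pid, dest in [(4101, ("198.51.100.7", 5000)), (4101, GATEWAY),
                      (5000, ("198.51.100.7", 5000))]:
        print(pid, dest, connect_verdict(pid, dest, PARENT_OF, WATCHED))
```

Pinning DNS to one resolver rather than allowing any port-53 destination keeps the DNS exception from becoming a second egress path.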

where oknek sits · the empty lane

Code scanners check what you wrote. Network tools check what leaves. Nobody watched what the agent does in between.

  1. model integrity: model-scanning vendors
  2. prompt gateway: AI network gateways
  3. network egress: SSE / SASE incumbents
  4. cloud posture: CSPM platforms
  5. code at dev-time: SAST / SCA scanners
  6. agent runtime: oknek — what the agent does, right now, at the syscall

the protection surface · R1–R12

What oknek catches.

Every rule maps to a public, citable threat. The kernel-enforced trio — R3, R11, R12 — is deployed and proven; the rest ship in the open-core detector. New rules within 24h of any disclosure.

  1. R11

    kernel egress jail · route-around-proof · the moat

    A watched agent's whole process tree may reach only the sanctioned gateway (+DNS, loopback). Every other outbound connect is denied in the kernel — a BPF-LSM socket_connect hook with a bounded ancestry walk, so even a spawned static binary is caught.

    evidence: dest IP · port · process · agent identifier · verdict (block / observe)

  2. R12

    exfil & C2 watch · beaconing + velocity

    Turns R11's connect stream into named alerts: beaconing (regular-interval phone-home — the C2 fingerprint) and velocity (off-gateway connect bursts). Destination-agnostic, so it catches exfil even when an adversary proxies through friendly cloud.

    evidence: pattern · agent · dest · interval + jitter · connects/window · process

  3. R3

    plaintext credential read · kernel-blocked

    Agent opens ~/.aws/credentials, ~/.ssh/id_*, ~/.claude.json, .env, or any path on the credential list. Hooked at the open() syscall via BPF-LSM — default block, before the read returns.

    evidence: file path · matched category · agent process · pid

  4. R1

    subcommand-chain bypass

    An untrusted repo chains dozens of bash subcommands inside one tool call to slip past deny rules. Chain depth is counted at the syscall layer and blocked past a configurable threshold.

  5. R6

    instruction-file indirect prompt injection

    Hidden instructions in CLAUDE.md, AGENT.md, .cursor/rules, .clinerules — white-on-white text, zero-width unicode, comment fences. Pre-scanned across every major agent. Warn or block.

  6. R10

    route-around detector

    Flags LLM-API calls that bypass the cost / policy gateway, attributes the real process, and surfaces them in oknek routes. The open-core companion to the R11 jail.

+ R2 settings-file permission flip · R4 MCP URL drift · R5 egress allowlist · R7 behavioral drift score · R9 billed-while-broken governor
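How R12-style beaconing and velocity alerts can be derived from a stream of off-gateway connects, as an added example (not oknek's detector). The thresholds, the definition of jitter as standard deviation over mean interval, and the event tuples are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

MIN_CONNECTS = 6       # assumed: connects needed before judging periodicity
MAX_JITTER = 0.10      # assumed: stdev/mean of intervals at or below this
WINDOW_S = 30.0        # velocity window, as in the page's sample alert
MAX_PER_WINDOW = 50    # assumed burst threshold

def detect_beacons(events):
    """events: (ts_seconds, agent, dest). One BEACON alert per regular (agent, dest)."""
    times = defaultdict(list)
    for ts, agent, dest in events:
        times[(agent, dest)].append(ts)
    alerts = []
    for (agent, dest), stamps in sorted(times.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < MIN_CONNECTS or mean(gaps) <= 0:
            continue
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= MAX_JITTER:
            alerts.append({"pattern": "BEACON", "agent": agent, "dest": dest,
                           "interval_s": round(mean(gaps), 1), "jitter": round(jitter, 3)})
    return alerts

def detect_velocity(events):
    """One VELOCITY alert per agent whose peak connects in any window exceeds the limit."""
    window, peak = defaultdict(deque), defaultdict(int)
    for ts, agent, _dest in sorted(events):
        q = window[agent]
        q.append(ts)
        while ts - q[0] >= WINDOW_S:       # drop connects older than the window
            q.popleft()
        peak[agent] = max(peak[agent], len(q))
    return [{"pattern": "VELOCITY", "agent": a, "connects": n, "window_s": WINDOW_S}
            for a, n in sorted(peak.items()) if n > MAX_PER_WINDOW]

def sample_events():
    """Constructed off-gateway connects: a ~30s beacon, irregular noise, a 57-connect burst."""
    beacon = [(t, "claude-code", "198.51.100.20:443") for t in (0.0, 31.0, 59.0, 90.0, 121.0, 149.0, 180.0)]
    noise = [(t, "cursor", "198.51.100.99:443") for t in (5.0, 12.0, 70.0, 75.0, 160.0, 171.0, 300.0)]
    burst = [(200.0 + 0.5 * i, "claude-code", f"192.0.2.{i + 1}:443") for i in range(57)]
    return beacon + noise + burst

if __name__ == "__main__":
    for alert in detect_beacons(sample_events()) + detect_velocity(sample_events()):
        print(alert)
```

Neither detector consults destination reputation, which is what lets the same logic fire when the endpoint is a well-known cloud address.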

open core · the control plane is the product

Free to detect. Paid to enforce.

The detector is open and auditable — a security team can read the code that has root over its own process tree. You pay for the control plane: tamper-resistant kernel enforcement, RBAC/SSO, audit, and SLAs. Flat fee per host. Never a cut of your spend.

open core

Free · forever · self-host

  • oknekd daemon + oknek CLI
  • detection rules + routes/egress/exfil readouts
  • observe / alert mode
  • auditable source

control plane

$299 · per host · per month

  • everything in open core
  • kernel enforcement — route-around-proof
  • fleet roll-up + RBAC
  • 24h rule SLA on disclosures
  • Slack / SIEM alerting

enterprise

Custom · annual · regulated

  • everything in control plane
  • SSO · SCIM · SOC 2 evidence
  • air-gapped deploy
  • forensic replay + threat intel
  • 24/7 incident response

request a pilot

Watch one host.
In observe mode.
Then turn on the kernel.

Oknek lands read-only — it watches and reports, blocks nothing — until you trust it. Tell us your stack and we'll scope a pilot on a single host. No card, no list, no spam.

read-only land tier · we reach out within a day · no tracking.