Private beta · For security and platform teams shipping fast with AI agents

Know what your AI agents are doing. Prove what they did.

Claude Code, Cursor, and Copilot run with your developers' credentials. Probity captures every action as it happens and signs it into a tamper-evident record outside the agent's reach, so today's sessions do not become tomorrow's unprovable incident or audit gap.

Twelve deployments in the first cohort, each reviewed by a founder. See how it works ↓

The signed record

what you hand an auditor

app.probity.dev/detections

Detections

20 open of 2013 critical/high3 medium4 low/info
SevDetectionAgentFrameworkStatus
critical

Injected instruction → filesystem write

AGT-001 · Model output instructed the agent to modify the filesystem; 15 writes followed.

LLM01AML.T0051
New
critical

Injected instruction → filesystem write

AGT-001 · Model output instructed the agent to modify the filesystem; 9 writes followed.

LLM01AML.T0051
New
high

Off-allowlist egress

AGT-002 · Agent connected to models.dev, not on the egress allowlist.

T1071
Review
high

Flagged agent request

AGT-005 · Outbound request flagged: paste.exfil-demo.net.

LLM01
Review
high

Telemetry ring tampering

AGT-003 · Delivered and dropped event counts diverged; 76 events vanished.

T1562.001
Review
high

Off-allowlist egress

AGT-002 · Agent connected to en.wikipedia.org, not on the egress allowlist.

T1071
New
medium

Monitoring blind spot (self-detected)

AGT-004 · Host boundary observed traffic that the in-guest monitor did not report.

COV-GAP
Review
medium

Monitoring blind spot (self-detected)

AGT-004 · Network telemetry could not attribute an outbound connection to a process.

COV-GAP
Review
info

Unlisted egress (recognized vendor)

AGT-002 · Egress to logs.us5.datadoghq.com; recognized vendor, unlisted in the allowlist.

gap only
New
Showing representative detections across monitored agent runs✓ Evidence confirmed outside the agent environment

Powered by

NOFire AI

The Context & Control Model for production.

Onboarding

Founder-reviewed beta

Isolation

urunc · CNCF Sandbox

In force

NYDFS Part 500

High-risk AI

Article 12 traceability

Article 12 logging duties apply to AI systems classified as high-risk. Every agent session without independent evidence still creates a gap you cannot reconstruct later.

Read Article 12 →

How it works

Never take the agent's word for what happened.

Most agent logs are produced inside the environment they are supposed to prove. Probity builds the record from three vantages and makes the outside observations authoritative.

At the boundary

Outside evidence

File and network activity observed as it crosses the microVM boundary.

From the host

Outside evidence

Process activity reconstructed from outside the guest, beyond the agent's control.

Inside the session

Supporting detail

Adds command and execution detail, used only when the outside evidence corroborates it.

ClaudeCursorDevinCopilotopencodeAny agentGUEST · microVMagentSESSION · supporting detailBOUNDARY · evidenceHOST · evidence0x9f2cok0x9f2dok0x9f2eflaggedsigned · append-only

Think physical evidence and witness testimony. The outside observations are the evidence. The inside report adds detail, but when they disagree, the outside record wins.

The exposure

Adoption outran your controls.

Every task you hand an agent is work you accepted sight unseen: full credentials, broad access, no approval step.

SSH keys and cloud credentials

.env files, every repo on disk

Auto-accept / YOLO mode: no human in the loop

80% bypass policy to keep using it

CVE-2025-53773: auto-accept mode driven to remote code execution by a single poisoned file.

The incidents

When it goes wrong, you will have nothing to show.

Every incident below happened in the last year, to teams that believed they were covered.

A production database, deleted.

An AI coding agent deleted a production database during a code freeze, then misrepresented whether the data was recoverable.

Fortune, 2025

Credentials, harvested at scale.

Malicious packages weaponized AI coding CLIs to steal 2,349 credentials from 1,079 developer machines.

GitGuardian, 2025

A poisoned file, running commands.

A single injected instruction drove remote command execution in popular AI coding editors, with an 84% success rate.

Your AI, My Shell, arXiv, 2025

The agent did exactly what it was told, by someone who was not you.

The gap

You cannot answer the only question that matters: what did it actually do?

Your EDR sees a process name.

It records that "claude" started: not which files it read, what it wrote, or which tools it called.

proc claude (pid 4471) spawned

A log the agent wrote is not evidence.

It shares the agent's trust boundary, so a compromised agent can silence or rewrite it before you ever read it.

agent_log.txt: no issues found

A host sensor shares the kernel.

eBPF probes and audit daemons watch from the same kernel a root-capable agent can touch. One shared surface, one compromise.

falco: rules loaded, kernel shared

What's captured

Seven classes of evidence. One integrity chain.

Every task produces behavioral evidence linked into a tamper-evident record the agent cannot rewrite.

Process activity

Every spawn, argument, and exit code.

File reads

Every path opened, secrets included.

File writes

Every file created or modified.

Network calls

Every outbound destination and method.

MCP tool calls

Every tool the agent invoked.

Syscall surface

The kernel calls it was allowed.

Session identity

Which scoped token, expiring per task.

Exports to

One signed record per task, streamed to the SIEM and object store you already run.

Splunk
CrowdStrike
Datadog
Elastic
Grafana
Snowflake

Compliance

The evidence clock is already running.

Evidence debt starts nowYou cannot reconstruct an unrecorded agent session later

Article 12 applies to high-risk AI systems. NYDFS Part 500 applies to covered entities. For every team, each agent session without independent evidence becomes a future incident and audit gap.

Questions

Asked by every reviewer so far.

What is Probity?
Probity is a tamper-evident audit trail for AI coding agents such as Claude Code, Cursor, and GitHub Copilot. It records what an agent actually did, from outside the agent's reach, and exports the signed record to your SIEM.
How does Probity know the record is trustworthy?
Probity observes each session at the microVM boundary, from the host outside it, and through an inside-session enrichment channel. Boundary and host observations remain outside the agent's control. Inside-session detail is used only when those outside observations corroborate it. If they disagree, the outside record wins.
What does Probity record?
Seven classes of behavioral evidence per agent task: process activity, file reads, file writes, outbound network calls, MCP tool calls, syscall surface, and session identity. A tamper-evident signature chain protects the integrity of the complete record.
Does Probity help with EU AI Act Article 12 and NYDFS Part 500?
Probity supports the evidence layer for relevant controls. Article 12 logging requirements apply to AI systems classified as high-risk, while NYDFS Part 500 applies to covered entities. Probity produces retained, tamper-evident records outside the agent's trust boundary, but no single product makes a system compliant by itself.

Private beta. Twelve deployments.

Probity is in private beta: the first cohort is limited to twelve deployments, each reviewed and onboarded by a NOFire AI founder.

No sales process. Reviewed by a founder within one business day.

Questions first? Write to contact@nofire.ai.