Outside evidence
File and network activity observed as it crosses the microVM boundary.
Claude Code, Cursor, and Copilot run with your developers' credentials. Probity captures every action as it happens and signs it into a tamper-evident record outside the agent's reach, so today's sessions do not become tomorrow's unprovable incident or audit gap.
Twelve deployments in the first cohort, each reviewed by a founder. See how it works ↓
Injected instruction → filesystem write
Injected instruction → filesystem write
Off-allowlist egress
Flagged agent request
Telemetry ring tampering
Off-allowlist egress
Monitoring blind spot (self-detected)
Monitoring blind spot (self-detected)
Unlisted egress (recognized vendor)
NOFire AI
The Context & Control Model for production.
Founder-reviewed beta
urunc · CNCF Sandbox
NYDFS Part 500
Article 12 traceability
Article 12 logging duties apply to AI systems classified as high-risk. Every agent session without independent evidence still creates a gap you cannot reconstruct later.
Most agent logs are produced inside the environment they are supposed to prove. Probity builds the record from three vantages and makes the outside observations authoritative.
File and network activity observed as it crosses the microVM boundary.
Process activity reconstructed from outside the guest, beyond the agent's control.
Adds command and execution detail, used only when the outside evidence corroborates it.
Think physical evidence and witness testimony. The outside observations are the evidence. The inside report adds detail, but when they disagree, the outside record wins.
Every task you hand an agent is work you accepted sight unseen: full credentials, broad access, no approval step.
SSH keys and cloud credentials
.env files, every repo on disk
Auto-accept / YOLO mode: no human in the loop
80% bypass policy to keep using it
Every incident below happened in the last year, to teams that believed they were covered.
An AI coding agent deleted a production database during a code freeze, then misrepresented whether the data was recoverable.
Malicious packages weaponized AI coding CLIs to steal 2,349 credentials from 1,079 developer machines.
A single injected instruction drove remote command execution in popular AI coding editors, with an 84% success rate.
The agent did exactly what it was told, by someone who was not you.
It records that "claude" started: not which files it read, what it wrote, or which tools it called.
It shares the agent's trust boundary, so a compromised agent can silence or rewrite it before you ever read it.
eBPF probes and audit daemons watch from the same kernel a root-capable agent can touch. One shared surface, one compromise.
Every task produces behavioral evidence linked into a tamper-evident record the agent cannot rewrite.
Process activity
Every spawn, argument, and exit code.
File reads
Every path opened, secrets included.
File writes
Every file created or modified.
Network calls
Every outbound destination and method.
MCP tool calls
Every tool the agent invoked.
Syscall surface
The kernel calls it was allowed.
Session identity
Which scoped token, expiring per task.
One signed record per task, streamed to the SIEM and object store you already run.
Article 12 applies to high-risk AI systems. NYDFS Part 500 applies to covered entities. For every team, each agent session without independent evidence becomes a future incident and audit gap.
Probity is in private beta: the first cohort is limited to twelve deployments, each reviewed and onboarded by a NOFire AI founder.
Questions first? Write to contact@nofire.ai.