Runtime detection & evidence for AI agents

Your agent said it read the README. The kernel says /etc/passwd.

Your logs show what agents report. RAXE records what they actually do – and seals it as evidence you can verify. The flight recorder for your AI agents.

Today it lets you see it. Next, it lets you stop it.

Recorded on a live deployment Self-hosted – VPC or on-prem MITRE ATLAS + OWASP ASI Early access – design partners
$ pip install raxe
Prompts stay in your boundary · Telemetry details →
Recorded, Not Mocked

This is the actual product. Watch it catch one.

No staged dashboards. The four-minute walkthrough below was recorded on a live RAXE deployment – real detections, sealed evidence, and an audit chain verified Intact. The AWS view uses clearly-labelled sample data.

RAXE Lineage Lens · the RAXE console – recorded on a live deployment

Bring your own agents – we’ll show you what they’re actually doing, live on your stack, in a 30-minute walkthrough.

Agent behaviour graph in the RAXE console: a sealed /etc/passwd access revealed under audit, with the reveal recorded as its own audit row
The moment that matters. An agent read /etc/passwd in-process – invisible to proxies and log files. The kernel-level sensor caught it and pinned it to the exact agent session. The evidence stayed sealed until an analyst supplied a purpose and clicked Reveal – and the reveal wrote its own audit row.
Govern view in the RAXE console: hash-chained audit ledger verified Intact
The paper trail. Every reveal and every denial is hash-linked into a tamper-evident ledger. Verify the whole chain on demand – Intact.
Gateway Claim · Kernel Reality · Verify: Intact

See it. Catch it. Prove it.

Agents report what they chose to write down. RAXE records what happened – then seals it so it holds up when someone asks hard questions.

01 · SEEGateway Claim

Every agent surface. One console.

RAXE Lineage Lens – the RAXE console – puts coding agents, your in-app SDK, gateway LLM traffic and AWS cloud activity on one screen, with one triage queue. Cross-source lineage ties it together: what the agent claimed at RAXE Gateway, what your application saw through RAXE Sensor [sdk], and what the host sensor observed at the kernel – one continuous timeline per agent.

02 · CATCHKernel Reality

The kernel doesn’t take the agent’s word for it.

A kernel-level eBPF host sensor catches in-process file and secret access – an agent reading /etc/passwd – invisible to proxies and log files, pinned to the exact agent session. The record is what the kernel observed, not what the agent chose to report.

03 · PROVEVerify: Intact

Evidence that survives questioning.

Evidence is sealed by default: sensitive fields stay hidden until an analyst supplies a purpose and clicks Reveal – and the reveal writes its own audit row: actor, field, outcome. Every row joins a tamper-evident, hash-chained ledger you can verify on demand: Intact.

Every Surface – Laptop to Cloud Account

Your agents don’t just run on laptops. They run in your cloud.

Four surfaces, one queue – coding agents, in-app SDK, gateway LLM traffic and AWS cloud activity land in the same console, laptop to cloud account.

The coding agents your engineers already run

Claude Code and OpenCode are watched live, with explicit session attribution – provably this session. Codex sessions arrive via ingest and are labelled the way the evidence deserves: inferred. Attribution grades are part of the record, not a footnote.

Claude Code · live OpenCode · live Codex · ingest, inferred
AWS CloudTrail + AgentCore

Agents on AWS

Which agent role read that secret? CloudTrail knows. Now you do.

Your agents don’t stop at the model call – they assume IAM roles, read secrets and call AWS services under identities your SOC rarely watches. RAXE reads your live CloudTrail and raises detections as agent activity lands: an agent role reading a secret becomes a data-exfiltration alert in the console, on the same timeline as gateway claims and kernel-observed file access. Bedrock AgentCore telemetry joins that timeline too.

CloudTrail · live detection AgentCore telemetry Correlation, not exact attribution

Self-hosted in your environment, watching your own AWS accounts – no vendor cloud receives your CloudTrail Correlation, not exact attribution Demo views use clearly-labelled sample data Early access – design partner programme

Why RAXE

Built for the say/do gap

Most tools see what agents report. The gap between what an agent said and what it did is where incidents live – and where RAXE looks.

Capability Gateway-Only SDK Scanners Cloud Posture RAXE
Sees gateway LLM traffic Yes No Partial Yes
Kernel-observed file & secret access No No No Yes
Watches your cloud accounts from inside your environment (live CloudTrail agent-activity detection) No No Posture, not runtime Yes – early access
One lineage across gateway, app and kernel No No No Yes
Sealed evidence with audited reveal No No No Yes
Tamper-evident, hash-chained audit ledger Varies No Varies Yes
Runs self-hosted in your environment No Yes No Yes
Original threat research programme Varies Varies No Yes
See the full comparison – including what we don’t do yet →
Detection Stack

Five signals. One explainable verdict.

No single detector is trusted alone. Five named signals score every event, and every verdict opens into the evidence behind it – threat probability, per-family scores, out-of-distribution signal, nearest known attack patterns.

  1. S1
    ATLAS + ASI-mapped rules

    Open, auditable detection signatures, every one mapped to MITRE ATLAS and OWASP ASI. Fast rules answer in single-digit milliseconds.

  2. S2
    ML text scorer

    A local ML scorer grades prompts and responses: threat probability, per-family scores, and an out-of-distribution signal for inputs that match nothing known.

  3. S3
    Structured tool-call risk analysis

    Inspects tool-call arguments, detecting SQL injection, shell injection, path traversal and credential leakage inside the calls your agents make.

  4. S4
    Agent behaviour graph

    Reconstructs what the agent process actually did – process lineage, file access, connections – as a graph pinned to the session.

  5. S5
    Advisory LLM judge optional, opt-in

    A heavier second opinion on borderline calls, running in your environment. Evidence, never authority – it never changes the decision.

single-digit ms
fast rules answer
~150 ms
full multi-signal verdict – all local
13 · 41 · 10
threat families · techniques · harm types

Rollout posture: observe-and-log. Every would-block decision is logged with evidence, so you know exactly what it caught and why. Today it lets you see it. Next, it lets you stop it.

RAXE Labs

Research-fed detection

Original threat research feeds directly into the detection stack. Every advisory, every technique mapping, every new signature makes the platform sharper.

RAXE-2026-061
NVIDIA BioNeMo Framework Deserialization of Untrusted Data Enables Remote Code Execution (CVE-2026-24164)
CRITICAL CVSS 9.8
Research Radar

Issue #5 – 4 Papers

Your LLM API router may be stealing your credentials and rewriting your tool calls.

2 Act Now 2 Watch
Threat Intelligence

Monthly Threat Landscape Report

Data-driven analysis of AI threat patterns, attack techniques, and emerging vectors across the AI-agent threat landscape.

S1 Adversarial ML S2 Agent Security
Exposure & Urgency

The clock is running on AI governance.

$4.44M[1] average cost of a data breach (2025)
+$670K[2] added when shadow AI is involved
97%[1] of AI-incident organisations lacked AI access controls
63%[1] of organisations have no AI governance policy

When the questions come, evidence beats assurances. Our compliance posture and framework mapping live on our trust centre →

Early Access – Design Partner Programme

See what your agents are actually doing

Bring your own agents – we’ll show you what they’re actually doing, live on your stack, in a 30-minute walkthrough.

Book a 30-min walkthrough → Talk to an Engineer
See how it deploys →