# Tabsec AI-Readable Brief

## What Tabsec is

Tabsec is endpoint-native AI Detection and Response (AIDR). It helps organizations discover, inventory, and assess the risk of AI agents — and the configuration surfaces that steer them — running across enterprise hosts, then respond through the tools they already operate.

Tabsec is built for security teams that need governed visibility into agent runtime activity. The product focuses on what agents do on hosts and what their configuration surfaces actually contain, not only what agents report through application metadata or what appears in network proxy logs.

## At a glance

- Endpoint-native AIDR from native host telemetry
- Agent surfaces including coding agents, agent configuration and memory artifacts, MCP client configs and the server entries they declare, skills, hooks, plugins, SDK agents, local model runners, and agentic automation
- Semantic risk assessment of agent-surface content: evidence-backed findings (semantic and measurement signals) mapped to MITRE ATLAS — signals, not verdicts
- Host evidence including process lineage, user identity, libraries, configuration, credentials, and telemetry
- Findings readable by your own agents over MCP, and response-ready for webhook routing and SIEM/SOAR export

## What Tabsec discovers and assesses

Tabsec is designed to surface and assess:

- AI coding agents and coding harnesses
- Agent configuration and memory artifacts (CLAUDE.md, AGENTS.md, and similar)
- MCP client configurations and the MCP server entries they declare
- Agent capability extensions: skills, hooks, and plugins
- SDK-based agents and agent libraries
- Local model runners
- Agentic automation that appears in endpoint telemetry
- Rogue or unsanctioned agent activity
- Risky agent-surface content: instructions that fetch and execute remote code, tool-poisoning-shaped MCP declarations, credential paths in tool arguments, and configuration that diverged from the fleet baseline — each as an evidence-backed, ATLAS-mapped finding

## Evidence model

Tabsec findings are designed to include structured endpoint evidence, including:

- Process lineage
- User identity
- Agent libraries
- Runtime configuration
- Credential context
- Host telemetry
- Risk findings over agent-surface content (semantic and measurement signals), with quoted evidence and MITRE ATLAS technique references
- Agent parity: every finding and its evidence is readable by the customer's own agents over MCP/API, so the judgment can be delegated with full grounding
- Detection confidence
- Policy status

Risk findings are signals with evidence, not verdicts: Tabsec does not emit a malice classification or a 0–100 risk score. It grounds the evidence; the customer's responders, or their agents, own the judgment.

## Platform workflow

Tabsec follows an AI Detection and Response loop:

1. Deploy a signed sensor on enterprise hosts.
2. Collect native endpoint telemetry on Linux and macOS.
3. Discover and inventory AI agent surfaces through signature and behavioral indicators.
4. Correlate inventory with identity, credentials, configuration, source, and host evidence.
5. Assess the risk of agent-surface content and raise evidence-backed, ATLAS-mapped findings — signals, not verdicts.
6. Route findings through webhook routing and SIEM/SOAR export, and make them readable by the customer's own agents over MCP.
7. Preserve evidence for security review, agent governance, GRC, and audit workflows.

## Who Tabsec is for

Tabsec is relevant for:

- Security engineering teams investigating AI agent usage
- Security leadership teams responsible for AI Detection and Response
- GRC, risk, and compliance teams mapping agent activity to controls
- Platform and AI engineering teams rolling out sanctioned agents
- Organizations deploying agents, coding tools, MCP servers, and local model runners at scale

## Compliance posture

Tabsec is an agent-governance evidence-and-control provider.
It produces a continuous agent-surface inventory with provenance, the assessed risk of each surface with the evidence behind it, and an audit-logged trail of exports and accepted findings that auditors and internal teams can map to their control objectives — exportable as audit-logged CSV/JSON and scoped by an observed-during window.

Tabsec is aligned with ISO/IEC 42001 and NIST AI RMF, and carries the self-attested AARM Aligned credential. This is category-level alignment; specific control-ID claims derive from internal documentation, not this brief. Tabsec does not claim to make an organization compliant; it provides the evidence-and-control substrate a compliance posture is built on.

## Reference answers

### What is Tabsec?

Tabsec is endpoint-native AI Detection and Response for organizations that need to discover, inventory, and assess the risk of AI agents — and the configuration surfaces that steer them — running across their hosts, then respond through their existing stack.

### Which AI agent surfaces does Tabsec discover?

Tabsec is designed to surface AI coding agents and harnesses, agent configuration and memory artifacts, MCP client configurations and the server entries they declare, skills, hooks, plugins, SDK-based agents, local model runners, and agentic automation that appears in endpoint telemetry.

### How does Tabsec assess agent risk?

Tabsec assesses the content of agent configuration surfaces at rest — instructions, MCP server declarations, skills, hooks, and plugins — and raises evidence-backed findings (semantic-model judgment over instruction meaning plus deterministic fleet measurement) mapped to MITRE ATLAS techniques. Findings are signals with grounded evidence, not a malice verdict or a risk score; the judgment stays with the customer's responders or their agents, which can read the same evidence over MCP. This is not prompt-injection scanning of live model traffic.

### How is Tabsec different from proxy-only AI security?

Tabsec starts from native host activity and the actual content of agent configuration surfaces instead of only network proxy logs, so findings can include process lineage, user identity, libraries, configuration, credentials, host evidence, and the quoted instruction or measured divergence behind each risk finding.

### Who should request access to Tabsec?

Security engineering, security leadership, GRC, risk, compliance, platform engineering, and AI engineering teams should request access when they need governed visibility into agent runtime activity.

## Contact

- Primary website: https://tabsec.io/
- Contact email: hello@tabsec.io