Merged
20 changes: 17 additions & 3 deletions README.md
@@ -1,10 +1,24 @@
```
██╗ ██╗███╗ ██╗ ██████╗ ███████╗████████╗██╗ ██████╗
██║ ██╔╝████╗ ██║██╔═══██╗██╔════╝╚══██╔══╝██║██╔════╝
█████╔╝ ██╔██╗ ██║██║ ██║███████╗ ██║ ██║██║
██╔═██╗ ██║╚██╗██║██║ ██║╚════██║ ██║ ██║██║
██║ ██╗██║ ╚████║╚██████╔╝███████║ ██║ ██║╚██████╗
╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝
```

# AgentSonar
Detect shadow AI agents by monitoring network traffic for patterns that resemble LLM communication, and by classifying process-to-domain pairs for future detection. Contribute to the community by submitting your agent classifications.

**By [Knostic](https://knostic.ai/)**

Detect shadow AI agents by monitoring network traffic and classifying process-to-domain pairs.
Also check out:
- **OpenAnt:** https://github.com/knostic/OpenAnt/. [OpenAnt](https://knostic.ai/openant) is an open source LLM-based vulnerability discovery product that helps defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.
- **Like what we do?** Knostic helps you with visibility and control of your agents, coding assistants, and MCP/extensions/skills, from Cursor and Claude Code, to Copilot and Cowork.

## What it does and how it works
## What AgentSonar does and how it works

AgentSonar watches outbound traffic on your machine and answers: **which process is talking to which domain, and is that likely an AI tool?** It associates each connection with a process (via socket ownership), records which domain was contacted (TLS SNI or DNS), and assigns an **AI score** (0–1) to each process–domain pair.
AgentSonar watches outbound traffic on your machine and answers: **which process is talking to which domain, and is that likely an AI tool?** It associates each connection with a process (via socket ownership), records which domain was contacted (TLS SNI or DNS), and assigns an **AI score** (0–1) to each process–domain pair based on traffic analysis.

- **Known agents** — You define agents (e.g. “Claude” = process `claude*` → `*.anthropic.com`). Matches get score 1.0 and can be filtered or labeled in the UI.
- **Unknown traffic** — Everything else is scored by a built-in **heuristic classifier**: it uses traffic shape (byte/packet asymmetry, small packets, long-lived or streaming connections, programmatic TLS) to guess “looks like an LLM API.” No hardcoded list of AI domains; high score means likely shadow AI.
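
Review bot: The overview paragraph that ends "to each process–domain pair based on traffic analysis" overstates how the score is produced. Per the "Known agents" bullet directly below it, a match against a user-defined agent gets score 1.0 from the definition itself, and only "Unknown traffic" is scored from traffic shape. Suggest wording such as "based on your agent definitions and, for everything else, traffic analysis" so readers do not assume a 1.0 reflects observed behaviour. Separately, the new tagline under "# AgentSonar" asks readers to contribute by "submitting your agent classifications" but nothing in this hunk says where or how to submit them; add a link or a pointer to the relevant section. Minor: the OpenAnt URL in the "Also check out" list is followed by "/." which some renderers fold into the link target; drop the trailing period or wrap the URL in angle brackets.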