Visibility + control for the agents in your environment
QControl is endpoint software that treats the AI agent as its unit of analysis. Every tool call, every exec, every MCP route, every outbound connection, captured, classified, and fed into the security stack you already operate.
No layer of your stack was built for the agent
Your security stack was built for what came before agents: identity, device posture, network perimeters, and what crosses the wire. None of it sees the agent as a whole.
| Security Layer | Limitations |
|---|---|
 Identity Knows who authenticated. Which agent identity is acting? | What did the agent do after authentication? Which files did it read, which tools it called, which endpoints it hit? |
 Network Perimeter Sees encrypted flows, destination, 5-tuple metadata | Sees the destination, not the intent. Can't tell whether the agent is uploading source code or fetching a schema |
 EDR Knows process lineage, syscalls, filesystem events | Sees that node opened a file, but doesn't know it was an AI agent reading your SSH keys to compose a prompt |
 AI Gateway Knows request-layer policy; what was permitted to leave | Only sees what crosses the gateway. Agents that call local tools, read files, or spawn subprocesses never touch it. |
Qcontrol ties them together
%20rotate(90)'/%3e%3cpolygon%20class='cls-1'%20points='38.88%207.78%2038.88%200%2031.1%200%2031.1%207.78%2023.33%207.78%2023.33%2015.55%2031.1%2015.55%2038.88%2015.55%2046.66%2015.55%2046.66%207.78%2038.88%207.78'/%3e%3crect%20class='cls-1'%20x='38.88'%20width='7.78'%20height='7.78'/%3e%3crect%20class='cls-1'%20x='46.66'%20y='7.78'%20width='7.78'%20height='7.78'/%3e%3crect%20class='cls-3'%20x='15.55'%20y='69.98'%20width='7.78'%20height='7.78'/%3e%3crect%20class='cls-3'%20x='62.21'%20y='69.98'%20width='7.78'%20height='7.78'/%3e%3cpolygon%20class='cls-3'%20points='69.98%2023.33%2069.98%2031.1%2069.98%2040.69%2069.98%2046.66%2069.98%2054.43%2069.98%2062.21%2069.98%2069.98%2077.76%2069.98%2077.76%2062.21%2077.76%2054.43%2077.76%2046.66%2077.76%2038.88%2077.76%2031.1%2077.76%2023.33%2069.98%2023.33'/%3e%3crect%20class='cls-3'%20x='38.88'%20width='7.78'%20height='7.78'/%3e%3crect%20class='cls-3'%20x='46.66'%20y='7.78'%20width='7.78'%20height='7.78'/%3e%3cpolygon%20class='cls-2'%20points='7.78%2046.66%207.78%2038.88%207.78%2038.88%207.78%2031.1%2013.19%2031.1%2015.55%2031.1%2023.33%2031.1%2023.33%2038.88%2015.55%2038.88%2015.55%2046.66%207.78%2046.66'/%3e%3crect%20x='15.55'%20y='38.88'%20width='7.78'%20height='7.78'%20transform='translate(62.21%2023.33)%20rotate(90)'/%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Three verbs in one binary
$ qcontrol run_01 · Discover
Find every agent on the box
02 · Observe
See what they're doing
03 · Enforce
Decide what happens next
Maximum surface area
Every file an agent touches, every tool it invokes, every outbound connection it opens, every binary it spawns. Qcontrol hooks into every available surface and raises exhaustive signal events, making your existing SIEM, SOC, and compliance tooling agent-aware.
File Activity
What files agents touch, create, delete, or modify: every read, write, and permission change, catalogued by agent ID.
Network Behavior
Tracks outbound connections, catches DNS lookups, surfaces every HTTP request and its headers, body, and response from every agent.
Tool Calls
Every MCP tool call to or from any agent, including tool name, input parameters, and results. A full tool-use audit trail.
Process Execution
Shells, subprocesses, workers: every exec and spawn an agent triggers, with full command-line arguments and exit codes.
Every surface QControl sees, plugins can govern.
Plugins decide what crosses every surface QControl watches: file reads, outbound requests, tool calls. The same plugin shape can observe, block, annotate, or rewrite.
Tag every tool call for the audit trail
What the agent reads, writes, opens. Config files, session state, credentials, anything on disk it touches.
// In a plugin on_tool_call(call) { call.attributes["user.email"] = whoami(); call.attributes["session.id"] = current_session(); call.attributes["risk.tier"] = classify(call.tool); return call; }
Refuse the read for paths the agent shouldn't see
The agent calls open() on a sensitive path: an SSH private key, a dotenv file, a credentials store. The plugin matches the path and returns a block decision before open() returns. The agent receives ENOENT, and from its view the file does not exist.
// In a plugin on_file_open(path) { if (path.starts_with("~/.ssh") || path.contains("/.env") || path.ends_with("/credentials")) { return QCONTROL_FILE_BLOCK_WITH(ENOENT); } return QCONTROL_PASS; }
Strip a secret from the prompt before it leaves the box
The agent composes a request that happens to contain an API token. Before the HTTPS request leaves the endpoint, a plugin matches the pattern in the body and replaces it with a placeholder.
// In a plugin on_http_request(req) { if (req.host == "api.anthropic.com") { req.body = redact_secrets(req.body); } return req; }
Ready for whatever comes next
Any plugin using Qcontrol's SDK will apply cleanly to any underlying Agent or Harness (Claude, Codex, OpenCode, OpenClaw). Additionally, all agent events will be normalized into a single event stream for stable consumption.
