ai-agent-discovery

AI Agent Discovery

An open-source enterprise tool by OpenGuardrails for discovering AI agents running within your organization.

As AI agent adoption explodes across enterprises, security teams face a critical visibility gap. AI Agent Discovery integrates with your existing EDR infrastructure to identify and inventory all AI agents—from autonomous coding assistants to workflow automation platforms.

Why AI Agent Discovery?

• Shadow AI Visibility: Discover AI tools employees are using without IT knowledge
• Security Posture: Understand your AI attack surface
• Compliance: Track AI usage for regulatory requirements
• Cost Control: Identify redundant AI tool subscriptions

Features

Feature	Description
Agent Taxonomy	3-level classification: Kingdom → Family → Species
Multi-EDR Support	CrowdStrike Falcon, Microsoft Defender, or file import
Pattern Detection	Community-maintained YAML signatures
Web Dashboard	Real-time visualization and reporting
Easy Deployment	Single command to get started

Quick Start

# Run directly with npx
npx ai-agent-discovery

# Or install globally
npm install -g ai-agent-discovery

# Initialize configuration
aad init

# Run a scan
aad scan

# Start the dashboard
aad dashboard

Supported AI Agents

Autonomous Agents

Agent	Variants
OpenClaw	openclaw, nanoclaw, moltbot, clawdbot
AutoGPT	autogpt, agentgpt, babyagi
Devin	devin, opendevin, swe-agent

Assistant Agents

Agent	Variants
Claude	claude-desktop, claude-code, cline
ChatGPT	chatgpt-desktop, chatgpt-app
Cursor	cursor
Copilot	copilot, copilot-chat

Workflow Agents

Agent	Variants
Dify	dify, dify-sandbox
N8N	n8n
Flowise	flowise, langflow

CLI Commands

# Core commands
aad init                    # Initialize configuration
aad scan                    # Run detection scan
aad dashboard               # Start web dashboard

# Scan options
aad scan --connector file   # Use file connector
aad scan --lookback 30      # Look back 30 days
aad scan --output csv       # Output as CSV

# Taxonomy browsing
aad taxonomy list           # List all known agents
aad taxonomy list --kingdom autonomous
aad taxonomy show claude    # Show agent details
aad taxonomy tree           # Show full taxonomy tree

# Configuration
aad config get connector.type
aad config set connector.type crowdstrike

# Validation
aad validate                # Validate all registry files
aad test-signature ./my-sig.yaml  # Test a signature

Configuration

Create config/config.yaml:

# EDR Connector
connector:
  type: crowdstrike  # Options: crowdstrike, defender, file

  crowdstrike:
    client_id: ${CROWDSTRIKE_CLIENT_ID}
    client_secret: ${CROWDSTRIKE_CLIENT_SECRET}

  defender:
    tenant_id: ${AZURE_TENANT_ID}
    client_id: ${AZURE_CLIENT_ID}
    client_secret: ${AZURE_CLIENT_SECRET}

  file:
    path: ./data/events.json
    format: json  # csv, json, ndjson

# Scan settings
scan:
  lookback_days: 14
  max_events: 10000

# Dashboard
dashboard:
  port: 3000
  host: 0.0.0.0

How It Works

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   EDR Platform  │────▶│   Detection     │────▶│   Dashboard     │
│  (CrowdStrike,  │     │   Engine        │     │   & Reports     │
│   Defender)     │     │                 │     │                 │
└─────────────────┘     └────────┬────────┘     └─────────────────┘
                                 │
                        ┌────────▼────────┐
                        │   Community     │
                        │   Signatures    │
                        │   (YAML)        │
                        └─────────────────┘

• Connect to your EDR platform with API credentials
• Query process execution events using detection patterns
• Match events against community-maintained signatures
• Aggregate results by endpoint, user, and agent type
• Visualize in the dashboard or export reports

Contributing

We welcome contributions! The easiest way to contribute is by adding detection signatures for new AI agents.

Adding a New Agent

• Fork & clone the repository
• Create signature file: registry/signatures/my-agent.yaml
• Add to taxonomy: registry/taxonomy/<kingdom>/my-agent.yaml
• Validate: aad validate
• Test: aad test-signature registry/signatures/my-agent.yaml
• Submit a pull request

See CONTRIBUTING.md for detailed instructions.

Signature Format

id: my-agent
name: My Agent Signatures
version: "1.0.0"
author: your-github-username
description: Detection patterns for My Agent

patterns:
  process:
    - pattern: "myagent"
      type: substring
      case_sensitive: false
      fields: [file_path, image_name, command_line]

  file_path:
    - pattern: ".myagent"
      type: substring

exclusions:
  processes: [chrome, firefox]
  paths: [/tmp/]

Project Structure

ai-agent-discovery/
├── bin/aad.js              # CLI entry point
├── src/
│   ├── cli.ts              # CLI commands (Commander.js)
│   ├── taxonomy/           # Agent classification system
│   ├── detectors/          # Pattern matching engine
│   ├── connectors/         # EDR connectors
│   ├── dashboard/          # Express.js web UI
│   ├── config/             # Configuration (Zod)
│   └── utils/              # Logging, filters
├── registry/               # Community-contributed
│   ├── taxonomy/           # Agent taxonomy (YAML)
│   ├── signatures/         # Detection patterns (YAML)
│   └── connectors/         # EDR configs (YAML)
├── docs/                   # Documentation
└── tests/                  # Test fixtures

Roadmap

• SentinelOne connector
• Carbon Black connector
• Elastic Security connector
• Risk scoring and alerting
• SIEM integration (Splunk, Sentinel)
• Agent behavior analysis
• Policy enforcement

Community

• GitHub Issues: Report bugs or request features
• Discussions: Join the conversation
• Discord: OpenGuardrails Community
• Twitter/X: @OpenGuardrails

License

Apache 2.0 - See LICENSE for details.

Built with ❤️ by OpenGuardrails
Open-source security tools for the AI era