What can an attacker
reach from this machine?

An MCP server your AI uses to investigate. Real credentials. Read-only by design. No signup.

Install in 60 seconds View on GitHub

MIT licensed·Rust agent + Go MCP server + YAML skills·macOS, Linux, Windows·No kernel driver

Like osquery — but driven by your AI, and validates what those credentials actually reach.

Day one

Most people find something on the first sweep.

Install Puck on a laptop, point your AI at the MCP, ask it to look around. You usually come back with something — a plaintext AWS access key in a shell init file, an OAuth token cached in a .config directory, a long-forgotten id_rsa with no passphrase, a docker daemon listening on every interface. Not because the host is special. Because nobody's looked closely.

Things people actually find
# Top hits from first-run sweeps
 AWS access keys in ~/.aws/credentials, shell history, and dotfiles
 GitHub PATs with org-admin scope in ~/.config/gh/hosts.yml
 Cached OAuth tokens for Google, Slack, Notion, Linear
 SSH keys without passphrases — and what they reach
 Long-lived service-account JSON files, sometimes in ~/Downloads/
 Docker daemons bound to 0.0.0.0
 Plaintext credentials in build scripts and CI cache directories

No agent has to be told what to look for. Your AI walks the host with Puck as its read-only hands.

Install

Build, bootstrap, install. One host or many.

Two binaries built from source: puck-mcp (Go) and puck-agent (Rust). No daemon, no agent-side state, no kernel driver. Docker quickstart is on the roadmap — until then, build takes about two minutes. For fleet-scale, continuous coverage, and Calibrated Detection that compounds, see Enterprise.

AI-assisted Using Claude Code, Cursor, or Codex? Hand it off. 
# Clone, then let your coding agent read README + docs/getting-started.md.
$ git clone https://github.com/puck-security/puck-oss.git && cd puck-oss
$ claude "build puck-mcp + puck-agent, bootstrap the MCP server, enroll this host as an agent, wire the server into my MCP client, run a smoke query"

Your agent reads README.md + docs/getting-started.md, builds both binaries, runs setup-mcp.sh, generates a bootstrap token, runs install-agent.sh, and wires the MCP server into your client config. Drops you back at a prompt with a working install. Step-by-step below if you'd rather drive it yourself.

Or, step-by-step

01Build
# MCP server (Go) + endpoint agent (Rust)
$ git clone https://github.com/puck-security/puck-oss.git && cd puck-oss
$ (cd mcp && go build -o puck-mcp ./cmd/puck-mcp && sudo install -m 0755 puck-mcp /usr/local/bin/)
$ (cd agent && cargo build --release && sudo install -m 0755 target/release/puck-agent /usr/local/bin/)
02Bootstrap the MCP server
# Generates the embedded CA, server cert, and mcp_token
$ ./scripts/setup-mcp.sh --hostname puck-mcp.internal

# Per endpoint: issue a single-use, host-bound bootstrap token
$ puck-mcp generate-bootstrap-token --hostname eng-laptop-47 --ttl 1h
03Install an agent
# On the endpoint — mTLS pinned to your MCP server
$ echo "puck-bt-…" > /tmp/bt && \
  ./scripts/install-agent.sh --server https://puck-mcp.internal:50281 \
                             --hostname eng-laptop-47 \
                             --token-file /tmp/bt && rm /tmp/bt
04Point your AI at it
# Claude Code / Cursor: add the server to your MCP config, then ask away.
$ claude "What does eng-laptop-47 actually reach? Look at credentials on disk first."

Architecture

MCP server in the middle. Read-only agents on the edge.

Three components. Your AI lives in any MCP client (Claude Code, Cursor, etc.). The MCP server orchestrates and gates. Endpoint agents validate and execute. The typed allowlist is compiled into both server and agent.

Operator side
MCP Client
Claude Code · Cursor · any MCP-spec client. Your AI surface; calls Puck tools, reasons over results, decides what to check next.
MCP Server Go
Loads skills (YAML). Validates every command against the typed allowlist. Fans out to agents over mTLS. Writes JSONL audit log before each command. Enforces per-investigation cost caps.
↓  commands (mTLS) structured results  ↑
Endpoint side · Rust agents (read-only, policy-gated)
Puck-0142
macOS
Puck-0417
Linux
Puck-0890
macOS
Puck-1203
Linux
Puck-2044
macOS
Puck-2847
Linux
Puck-3612
macOS
Puck-4208
Linux

Server-side multi-turn reasoning, cross-fleet hivemind propagation, Ed25519-signed plan distribution, blast-radius graph, and a web console live in Enterprise. OSS is one AI client, one MCP server, read-only across your hosts.

How it works

Discover. Pathfinder. Fleet. Iterate. Analyze.

Five investigation stages, all driven by your AI through MCP tools. No web console, no daemon — your client picks the skill, calls the tools, and reads the structured results back.

01Discover
puck_list_skills returns the available playbooks (credential exposure, AWS blast radius, CVE exposure, IR triage, shadow AI, schema). Your AI picks one or composes its own approach.
02Pathfinder
puck_investigate starts on one host first to learn the environment. The skill defines the objective, the pathfinder strategy, and the iteration criteria — your AI calls puck_run_check for individual commands based on what it sees.
03Fleet
puck_query_fleet fans the same checks across matching hosts in parallel. Every command validated twice — server first, then agent — against the typed allowlist.
04Iterate
Your AI reads puck_get_skill_section for follow-up strategy, pivots to affected hosts, and runs targeted checks. puck_continue extends the command budget when a thread is worth pulling.
05Analyze
puck_save_analysis writes a markdown report — findings, evidence, containment recommendations — to investigations/. Optional outbound integrations post the case to TheHive or Tines.
+1Compound Enterprise
Every chain Puck confirms compiles into Calibrated Detection — a permanent, deterministic check tuned to your environment. Coverage grows while inference cost falls. Lives in Enterprise, not OSS.

Use it for

Questions your current tools can't answer.

Every query below is a real investigation Puck can run against your fleet today. Click through for the full write-up with methodology, what Puck checks, and what the results look like.

Blast radius

Incident triage

CrowdStrike flagged eng-laptop-47. What does it reach?

Surfaces credentials on disk, validates which still authenticate, and traces what each one reaches — AWS SSO sessions, Vault tokens, kubectl contexts, SSH keys to prod hosts. Read-only, audited per command. Often turns a one-host alert into a fleet question.

Read the write-up →

AWS admin compromise

If my AWS admin endpoints are compromised, what's the blast radius?

Puck identifies every endpoint with AWS admin credentials, maps what each can reach — S3 buckets, RDS instances, Lambda functions, IAM role chains — and ranks by blast radius. 12 endpoints with paths to production data.

Offboarding verification

We rotated Jordan's access last week. What did we miss?

14 credentials still present. 4 AWS keys never rotated. 1 GitHub PAT still grants admin:org. SSH key to prod-db still authenticates.

Insider threat & risk

Highest-risk users

Who are my highest-risk users? Rank by credential reach and access breadth.

Puck maps every user's endpoint credentials and traces what they reach. jsmith: 4 AWS accounts, kubectl admin on prod, SSH to 11 hosts, GitHub org admin. mchen: Stripe live keys + prod DB conn string on a laptop with no disk encryption.

Foreign AWS accounts (PRAC)

Do any endpoints have AWS credentials for accounts my org doesn't own?

7 endpoints with keys for 3 unknown AWS accounts. 2 are contractor personal accounts with S3 write access. 1 is a former employer's account still in ~/.aws/credentials. Potential data exfiltration paths.

Data staging detection

Find large archives created in the last 7 days in home directories or /tmp.

3 archives flagged. 2.4 GB pg_dump in ~/backup with rclone configured to personal Google Drive. 340 MB CSV export with PII columns. Finance laptop with M&A docs on USB.

Red team & exposure validation

Supply chain exposure

Trivy was breached (CVE-2026-33634). What's my exposure?

47 installs, 3 modified binaries beaconing. Chain: CI runner → artifact-writer role → prod deploy. 23 static-linked customs invisible to package scans.

Segmentation validation

What percent of my hosts can reach the OT network?

147 of 2,847 hosts returned HTTP 200 from ot-int.factory.timecard.co. 23 hosts can SSH into the PCI environment. 4 with working keys. Segmentation has holes.

Shadow AI audit

Map every AI tool, MCP server, and custom LLM integration on the fleet.

Local Ollama instances (which are network-exposed), MCP servers wired to databases, custom scripts calling LLM APIs, repos with committed API keys, LLM tools running on Finance laptops. Ships as a skill — see skills/shadow-ai.

Continuous validation

Credential sprawl

Where are production database credentials living on disk right now?

67 endpoints with AWS keys, 43 with DB conn strings, 12 with Stripe live keys, 234 SSH keys without passphrases. 44 of 67 AWS keys are still live.

Source code leak

Which endpoints have payments-api cloned? Anyone outside Engineering?

89 endpoints. 14 outside Engineering. One on a USB drive owned by a marketing contractor, with production Stripe keys in .env.production.

Persistence hunting

Find persistence mechanisms that make outbound network connections.

7 cron jobs, 3 launch agents, 2 systemd services with outbound connections. 1 matched a known C2 pattern. 4 others connecting to IPs not in any internal DNS.

vs the tools you know

Fleet-query tools — osquery, Velociraptor, GRR — give you the power to ask anything. They also assume you know the right question, the right query, and which result is worth chasing.

Puck moves the expert work to your AI: ask in plain language, watch it explore, follow the thread across hosts, and surface what each finding actually reaches. No packs. No detection engineering. No expert-on-call required.

And vs the other categories

  • Not BAS. We don't simulate attacks — we validate real access, read-only. No change windows, no prod-safe modes, no blast radius from the tool itself.
  • Not secrets detection. GitGuardian, TruffleHog find credentials in repos. We find them on endpoints and trace what they actually reach.
  • Not ITDR. Falcon Identity, Silverfort watch identity infrastructure during an attack. We map what credentials reach before one.
  • Not EDR — left of it. CrowdStrike, SentinelOne detect attacks in progress. Puck finds patterns likely to be exploited before they trigger a signature — credential sprawl, exposed services, reachable crown jewels. The EDR alert is often Puck's trigger.

MCP-native

Live endpoint grounding for your AI agents.

When Claude, Cursor, or any MCP client needs to know what's actually true on an endpoint — process tree, credentials, blast radius — Puck is the MCP that retrieves ground truth. Read-only. Schema-free. Real-time.

Plug Puck into your existing AI agent surfaces. Your AI calls puck_investigate, Puck investigates the fleet, the structured result flows back through MCP. No new dashboards, no new query language.

Ingest: Your AI calls Puck via the seven MCP tools — puck_investigate, puck_list_skills, puck_get_skill_section, puck_run_check, puck_query_fleet, puck_save_analysis, puck_continue.
Egress: Structured JSON tool results back to your AI; puck_save_analysis writes the report. Outbound case-creation playbooks ship for TheHive and Tines.
Verified clients: Claude Code, Cursor. Any MCP-spec client should work — these are what we test against.

The trust boundary

Two-stage policy gate. Read-only by design.

Your AI generates commands. Puck validates each one twice — at the MCP server before dispatch, and again at the agent before execution — against the same typed allowlist compiled into both binaries. Anything not in the grammar is rejected and logged. See security.md and ADR-022.

Architecture guarantees

  • Read-only always — no writes, no remediation, no modification calls anywhere in the allowlist (ADR-002).
  • Two-stage policy gate — server rejects pre-dispatch, agent rejects pre-execution, both reading the same compiled-in grammar.
  • mTLS to the MCP server — the agent only talks to your MCP server, identified by client-cert CN. No other egress.
  • Typed allowlist embedded at compile timepolicy/policy.toml baked into both binaries. A per-host overrides file can disable compiled-in entries; it cannot author new grammar.
  • No interpreters or shells — python, node, ruby, bash -c are not in the grammar.
  • No kernel driver — no blocking, no fleet-write capability, no ring-0 attack surface.

AI safety

  • Structured MCP tool I/O — every Puck response is typed JSON. The model can't reach outside the tool surface.
  • Audit log before execution — JSON Lines record written before every command, accepted or rejected (ADR-014).
  • Per-investigation cost caps — bounded command count and dollar budget per skill (ADR-013).
  • BYO inference — your API key, your compliance boundary. Endpoint data never hits a Puck-controlled LLM.
  • Roadmap: input sanitization — secret-stripping + prompt-injection escape on the MCP server before responses reach the model.
  • Roadmap: adversarial corpus — command-injection fuzz suite + CI parity gate against agent and server.

Need a continuous, fleet-wide view?

OSS is on-demand by design — your AI drives one investigation at a time. Enterprise adds always-on coverage with a server-side reasoning loop, hivemind propagation across teams, Ed25519-signed plan distribution, Calibrated Detection compiled to your environment, a web console, SSO, and managed inference. Single-tenant in your AWS account, SOC2-ready by design.

See Enterprise →