QControl Product Site

QControl · Endpoint runtime for AI agents

Visibility and control for the agents in your environment.

QControl is endpoint software that takes the AI agent as its unit of observation. Every file the agent reads, every tool call it makes, every outbound request. Captured at the source, joined by construction, and fed into the security stack you already operate.

The agentic AI gap

No layer of your stack was built for the agent.

Every layer of an enterprise security stack was built around something else. Identity around users. The perimeter around flows. EDR around processes and syscalls. AI gateways around requests. None of them see the agent itself.

Identity

Who authenticated. Which agent identity is acting.

Network perimeter

Encrypted flows. Destinations. 5-tuple metadata.

EDR

Process lineage. Syscalls. Filesystem events.

AI gateways

Request-layer policy. What was permitted to leave.

The gap

The AI agent itself: every file it reads, every tool call it makes, every outbound request, attributed to the agent and joined at the source.

How it works

Three verbs in one binary.

01 · DISCOVER

Find every agent on the box.

Process signatures, file fingerprints, and embedded-runtime detection across the most common agentic clients. Catches agents that aren't running yet. Catches agents that have been swallowed into a larger host process.

02 · OBSERVE

See what they're doing.

File reads, network calls, MCP tool invocations, subprocess spawns. Observed at every surface where signal exists, normalized into one stream. The agent is the unit. Anything downstream can consume it.

03 · ENFORCE

Decide what happens next.

Dynamic plugins alter or govern all agent IO. Redact a credential before the agent reads it. Rewrite an outbound request on the wire. Block a destination the agent shouldn't reach. File, exec, network: same hot path, same plugin shape.

Maximum surface area.

Every file an agent reads, every call it makes, every subprocess it spawns leaves traces somewhere. QControl attaches to every surface available and takes whatever signal exists. No framework to instrument.

File activity

What the agent reads, writes, opens. Config files, session state, credentials, anything on disk it touches.

Network behavior

Outbound destinations, request contents, tool definitions, MCP traffic. What the agent sends and to whom.

Tool calls

Every MCP and built-in tool invocation, with arguments. The action layer, not the prompt layer.

Process execution

Shells, subprocesses, scripts. Anything the agent spawns to do work outside itself.

From observation to enforcement

Every surface QControl sees, plugins can govern.

Plugins decide what crosses every surface QControl watches: file reads, outbound requests, tool calls. The same plugin shape can observe, block, annotate, or rewrite.

Tag every tool call for the audit trail.

When the agent invokes an MCP tool, a plugin attaches deployment-specific context (user identity, session, risk tier) before the event reaches the SIEM.

// In a plugin
on_tool_call(call) {
  call.attributes["user.email"]   = whoami();
  call.attributes["session.id"]   = current_session();
  call.attributes["risk.tier"]    = classify(call.tool);
  return call;
}

Refuse the read for paths the agent shouldn't see.

The agent calls open() on a sensitive path: an SSH private key, a dotenv file, a credentials store. The plugin matches the path and returns a block decision before open() returns. The agent receives ENOENT, and from its view the file does not exist.

// In a plugin
on_file_open(path) {
  if (path.starts_with("~/.ssh") ||
      path.contains("/.env")   ||
      path.ends_with("/credentials")) {
    return QCONTROL_FILE_BLOCK_WITH(ENOENT);
  }
  return QCONTROL_PASS;
}
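An added example, not QControl's plugin API or code: the same three path rules written as literal string tests and as tests on a canonicalized path, run over constructed sample paths. It assumes the hook receives the path string exactly as the agent passed it to open(); the function names, home directory and working directory are hypothetical.

```python
import posixpath

HOME, CWD = "/home/dev", "/home/dev/project"   # constructed sample environment

def naive_block(path):
    """Literal string tests, as in the pseudocode rule above."""
    return (path.startswith("~/.ssh") or "/.env" in path
            or path.endswith("/credentials"))

def canonical(path, home=HOME, cwd=CWD):
    """Expand ~, anchor relative paths, collapse ./ and ../ (lexical only)."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)

def should_block(path, home=HOME, cwd=CWD):
    """Apply the same three rules to the canonical path and its basename."""
    p = canonical(path, home, cwd)
    base = posixpath.basename(p)
    ssh_root = posixpath.join(home, ".ssh")
    if p == ssh_root or p.startswith(ssh_root + "/"):
        return True                      # anything under ~/.ssh
    if base == ".env" or base.startswith(".env."):
        return True                      # .env, .env.local, .env.production
    return base == "credentials"         # e.g. ~/.aws/credentials

# Constructed sample paths: (path as passed to open(), expected decision)
SAMPLES = [
    ("/home/dev/.ssh/id_ed25519", True),
    ("../.ssh/id_ed25519", True),
    ("~/.ssh/config", True),
    (".env.local", True),
    ("/home/dev/.aws/credentials", True),
    ("/home/dev/project/.environment/readme.md", False),
    ("/home/dev/.sshfoo/notes.txt", False),
    ("/home/dev/project/src/main.py", False),
]

def evaluate():
    """Return (path, naive, canonicalized, expected) for every sample."""
    return [(p, naive_block(p), should_block(p), want) for p, want in SAMPLES]

if __name__ == "__main__":
    for path, naive, strict, want in evaluate():
        print(f"{path:45} naive={naive!s:5} canonical={strict!s:5} want={want}")
```

The normalization here is lexical only; matching on the fully resolved path (for example via `os.path.realpath`) would also cover symlinks.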

Strip a secret from the prompt before it leaves the box.

The agent composes a request that happens to contain an API token. Before the HTTPS request leaves the endpoint, a plugin matches the pattern in the body and replaces it with a placeholder.

// In a plugin
on_http_request(req) {
  if (req.host == "api.anthropic.com") {
    req.body = redact_secrets(req.body);
  }
  return req;
}

See it in your environment.

One binary. Ten minutes to install. Works against the agents already running on your machine.