c16
c16 / wf5.m1 - Agent Control Plane — hi-fi (wf5.m1) / Integrations·control-plane-v1/integrations·draft

Engineering · Integrations

2 connectors live, 8 ready to wire — but an export now would inherit 1 blind spot

127.0.0.1 · local-only

Export-gap warning — 1 unmonitored agent

completeness · SOC / GRC

Exporting now would carry blind spots: 1 installed agent report no telemetry, so its behavior isn't captured in any sink below. Every connector would land an incomplete picture — 7 of 8 agents covered.

not exported: Zed Agent

Live connectors

2running

qcontrol stream · findings export

Projected connectors

8off

4 purposes · SIEM / identity / GRC / alerting

Events available to export

52.4k

from 7 monitored agents · 61 sessions

Coverage gap

blind
1/ 8 agents

unmonitored · inherited by every sink

Live — working today

running

qcontrol event stream

live

Local ingest of agent activity into the control plane — already capturing everything the projected connectors below would draw from, for the 7 monitored agents only.

52.4k

events

7

monitored

61

sessions

source: /api/stats · 7 of 8 agents instrumented

Findings export

live

7 findings exportable right now (2 high, 3 medium) — pull the worklist into a file or hand it to a downstream tool.

fields: severity · title · framework · entity_id · remediation

Projected outbound connectors

off by default · ranked · payload & coverage shown

Outbound destinations are governance integrations — push posture and evidence to the systems your SOC, GRC, and identity teams already run. Each connector shows the real local payload it would carry and the coverage gap it would inherit; payload counts describe readiness, not transmitted volume.

SIEM / detection

recommended first
would carry52.4k events + 7 findings — all telemetry plus the full finding worklist into the SOC pipeline

Splunk

off

would stream all 52.4k events + 7 findings into your SOC detection pipeline

coverage gap: omits 1 unmonitored agent (Zed Agent)

Microsoft Sentinel

off

would forward all 52.4k events + 7 findings as analytics-rule input

coverage gap: omits 1 unmonitored agent (Zed Agent)

Identity / IdP

next
would carry5 of 8 agents (org_id present) — only agents already bound to an org identity map to your IdP for revoke / deprovision

Okta / Entra ID

off

would map the 5 agent identities carrying an org_id to your IdP for revocation and deprovisioning

coverage gap: 3 agents have no org_id (incl. 1 shadow) — not mappable

GRC / evidence archive

next
would carry100% append-only (52.4k events) — every captured event lands immutably for long-horizon compliance evidence

Amazon S3 (Iceberg)

off

would append 100% of captured events (52.4k) to an immutable, append-only evidence table

coverage gap: omits 1 unmonitored agent (Zed Agent)

Snowflake

off

would land 100% of captured events (52.4k) for long-horizon GRC querying

coverage gap: omits 1 unmonitored agent (Zed Agent)

Alerting / ticketing

supporting
would carry2 high findings only — high-severity findings only — not the full event stream

PagerDuty

off

would page on high findings only (2 open now)

coverage gap: omits 1 unmonitored agent (Zed Agent)

Slack

off

would notify a channel on high findings only (2 open now)

coverage gap: omits 1 unmonitored agent (Zed Agent)

Jira

off

would open a ticket per high finding (2 open now)

coverage gap: omits 1 unmonitored agent (Zed Agent)

Local-only today — nothing leaves the box

qcontrol binds 127.0.0.1 — nothing leaves this machine unless you export it. The 8 connectors above are projected and off by default; the 52.4k events and 7 findings counted here describe local readiness, not transmitted volume — and every count is bounded to the 7 monitored agents.

Do next