Preview · mock data
Detection rules
23 active · 2 info
Active rules
| # | Rule | Base severity | FP rate (30d) | Fired (30d) |
|---|---|---|---|---|
| #1 | Personal account on managed device | critical | 1.2% | 47 |
| #2 | YOLO / Bypass mode enabled | critical | 0.0% | 12 |
| #3 | Full-access / disabled sandbox | high | 0.4% | 18 |
| #4 | Base-URL / root-CA override (MITM) | critical | 3.1% (tune?) | 6 |
| #5 | Plaintext API keys near agent | critical | 5.8% (tune?) | 32 |
| #6 | Unvetted MCP server | high | 4.2% | 47 |
| #7 | MCP auto-approve for write tools | high | 2.1% | 21 |
| #8 | Broad Bash auto-allow | high | 1.8% | 88 |
| #9 | Shell-executing hook (LLM-classified) | high | 7.8% (tune?) | 38 |
| #22 | IMDS egress reachable | critical | 0.0% | 8 |
FP rate is tracked via the admin "Not risky" and "Override classification" actions, and is published quarterly as the noise-floor SLA (target ≤ 2% on hook classification).