
AI detection

Tyr applies different policies to “Cursor” vs “a random shell script” vs “the user’s editor”. This page explains how it tells them apart.

Fingerprint inputs

When a new process appears, tyrd collects:

  1. Executable path and its sha256.
  2. Cmdline (first N args, truncated).
  3. Environment markers — presence of CLAUDE_*, OPENAI_API_KEY, ANTHROPIC_API_KEY, CURSOR_*, etc.
  4. Outbound TLS SNI (if --tls-capture is on) once the process makes its first HTTPS call.
  5. Parent process lineage — was this spawned by VS Code? by a terminal? by another known agent?

Known-agent table

A built-in table classifies common AI agents:

| Agent type | Fingerprint (examples) |
|---|---|
| cursor | exe path contains cursor; env has CURSOR_TRACE_ID |
| copilot | exe is github-copilot-language-server or under VS Code extension dir |
| claude-code | exe is claude CLI; or node process with @anthropic-ai/claude-code |
| codex | OpenAI Codex CLI |
| autogen | Python process importing autogen with LLM env vars |
| langgraph | Python process importing langgraph |
| aider | exe named aider with .aider.chat.history.md created |
| cline | VS Code extension subprocess under saoudrizwan.claude-dev |

The list evolves — see crates/tyr-common/src/mappings.rs for the canonical source.

Unknown processes

A process that doesn’t match any known agent is tagged agent_type = "unknown". What happens next depends on tyrd’s unregistered_agents config:

  • audit (default) — the process is treated as unknown-but-observed: events flow, and the daemon’s base policy applies.
  • quarantine — a built-in strict base policy applies until an admin promotes it.
  • deny — all governed syscalls blocked.

Admin overrides

From the UI or CLI, admins can:

  • Rename a discovered agent (display_name).
  • Merge duplicates.
  • Manually reclassify (e.g. “this looks unknown but it’s our custom agent X”).
  • Archive long-gone processes.

Why not just look at the process name?

Because binaries can be renamed. The fingerprint combines path, sha, env markers, and network SNI — it’s harder to spoof all four simultaneously, and a mismatch (e.g. “binary claims to be cursor but is calling evil.example.com”) is itself a signal.
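
A sketch of that cross-check, added here as an example and not taken from Tyr's code: if any identity signal (path, sha256, env marker) points at a known agent, every signal including the SNI must agree, and the ones that disagree are reported. The `Profile`, `Observation` and `Verdict` types, the `classify` function, the hash and the `cursor.example` host are hypothetical, constructed values.

```rust
// Added illustration: types, fields and sample values are hypothetical, not Tyr's own.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Match(&'static str),
    Mismatch { claimed: &'static str, failed: Vec<&'static str> },
    Unknown,
}
pub struct Profile {
    pub agent: &'static str,
    pub path_fragment: &'static str,
    pub sha256: &'static [&'static str], // known-good binary hashes
    pub env_prefix: &'static str,
    pub sni_suffixes: &'static [&'static str], // hosts the agent is expected to call
}
pub struct Observation<'a> {
    pub exe_path: &'a str,
    pub sha256: &'a str,
    pub env_keys: &'a [&'a str],
    pub sni: Option<&'a str>, // None until the first HTTPS call is captured
}
// Exact host or a dot-delimited subdomain; "evilcursor.example" must not pass.
fn sni_ok(host: &str, suffixes: &[&str]) -> bool {
    suffixes.iter().any(|s| host.strip_suffix(*s).map_or(false, |p| p.is_empty() || p.ends_with('.')))
}
// If any identity signal points at a profile, every signal must agree with it.
pub fn classify(obs: &Observation, profiles: &[Profile]) -> Verdict {
    for p in profiles {
        let checks = [
            ("path", obs.exe_path.to_lowercase().contains(p.path_fragment)),
            ("sha256", p.sha256.iter().any(|h| h.eq_ignore_ascii_case(obs.sha256))),
            ("env", obs.env_keys.iter().any(|k| k.starts_with(p.env_prefix))),
        ];
        if !checks.iter().any(|c| c.1) { continue; } // no claim on this profile
        let mut failed: Vec<&'static str> = checks.iter().filter(|c| !c.1).map(|c| c.0).collect();
        if obs.sni.map_or(false, |h| !sni_ok(h, p.sni_suffixes)) { failed.push("sni"); }
        return if failed.is_empty() { Verdict::Match(p.agent) } else { Verdict::Mismatch { claimed: p.agent, failed } };
    }
    Verdict::Unknown
}
pub const CURSOR: Profile = Profile { // constructed sample values throughout
    agent: "cursor", path_fragment: "cursor", sha256: &["ab12cd34"],
    env_prefix: "CURSOR_", sni_suffixes: &["cursor.example"],
};
fn main() {
    let env = ["CURSOR_TRACE_ID", "PATH"];
    let obs = Observation { exe_path: "/opt/Cursor/cursor", sha256: "ab12cd34", env_keys: &env, sni: Some("evil.example.com") };
    println!("{:?}", classify(&obs, &[CURSOR]));
}
```

A `Mismatch` names the signals that disagreed, so a renamed binary (path matches, hash and env do not) is distinguishable from a genuine binary contacting an unexpected host.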

Future work

  • Behavioral fingerprints — syscall patterns over time.
  • Signed attestation for known agents (cooperative vendors ship a signature we can verify).
  • Model provider tagging beyond SNI — request body inspection (opt-in, local only).
