
Behavioral detection

Detection engine overview — multi-step causal reasoning and enforcement. For attack scenarios and labs, start elsewhere.


What attacks look like in the graph

Rules match causal chains in a behavioral graph, not isolated log lines. Three canonical attack patterns with reproducible labs live on the scenarios page.

CausalGraph · in-process DAG

How events become a behavioral graph

Figure: process, file, network, and semantic events are linked into a causal graph per session. Rules traverse backward from the ★ start node toward its ancestors.

Edge types shown: readFrom, spawnedBy, connectedTo

Nodes shown: Process execution, Credential access, Package install, External connection

Node types: Process (exec) · File entity · Network endpoint · Semantic (install, intent)

Legend: ★ = IRExecutionEngine startNode; --- = missing / violation edge


How the engine works

Two enforcement planes

Synchronous (system extension): process governance, file access control, and supply-chain gating — decisions in ~2ms. Behavioral (host app): builds a causal graph from telemetry, fires detection rules, and propagates verdicts to the sync layer via a zero-copy bridge.

Pipeline

Behavioral detection runs in the host app (async). Synchronous AUTH decisions in the ES extension still apply on the same events.

  • Step 1

    System telemetry

    Endpoint Security and Network Extension capture process, file, and network activity in real time.

  • Step 2

    Action classification

    Raw system events are mapped to semantic actions — file reads, process spawns, network connections, AI tool usage.

  • Step 3

    Behavioral correlation

    Actions are linked into a causal graph per session, building a running behavioral score for each agent.

  • Step 4

    Detection engine

    Graph-based rules evaluate multi-step attack patterns. Structural checks verify provenance, lineage, and integrity.

  • Step 5

    Verdict enforcement

    Scores and enforcement decisions propagate to the sync layer via a zero-copy bridge, taking effect on the next system call.

Rule tiers

Rules are organized by complexity — from atomic single-event detections to multi-step causal chains requiring graph traversal. Rules can be managed locally or synced from fleet policy.

  • Tier 1 — Atomic detections

    Single-event or short-sequence patterns that indicate immediate threats. (5 sampled · 5 block)

  • Tier 1.5 — Supply-chain integrity

    Graph structural checks: provenance verification, lockfile drift, lineage validation. (2 sampled · 1 block)

  • Tier 2 — Multi-step causal chains

    Backward graph traversal linking credential access, process spawns, and network egress. (5 sampled · 3 block)

  • Tier 3+ — Graph integrity & egress truth

    Session fragmentation, orphaned execution, unverified egress, capability drift. (2 sampled · 2 block)

Detection approaches

IR sequence · Multi-step chain (primitives: filter · traverseUntil · within(60s))

    start → networkConnectExternal
    ← traverse readSensitiveFile
    expect chain matched

Walks backward on the causal DAG from the latest event.

Graph invariant · Structural truth

Orphan exec, missing provenance, egress — evaluated on the DAG shape, not sequence alone.
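Both approaches above, the backward IR chain (readSensitiveFile → networkConnectExternal within 60s) and a structural invariant (an exec with no session root), as an added example that is not the product's own code; the event kinds, the `session_root` marker and all events are constructed assumptions.

```python
"""Added example (not the product's code): a minimal per-session causal DAG with a
backward-chain rule and a structural invariant; all events are constructed."""
from dataclasses import dataclass, field
@dataclass
class Event:
    id: str
    kind: str                                    # exec | readSensitiveFile | networkConnectExternal
    ts: float                                    # seconds since session start (constructed)
    parents: list = field(default_factory=list)  # causal ancestors (spawnedBy / readFrom / connectedTo)
    meta: dict = field(default_factory=dict)     # e.g. session_root flag (assumed marker)
class CausalGraph:
    def __init__(self, events):
        self.nodes = {e.id: e for e in events}

    def ancestors(self, start):
        """Backward walk over parent edges, visiting each ancestor once."""
        seen, stack = set(), list(self.nodes[start].parents)
        while stack:
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            yield self.nodes[pid]
            stack.extend(self.nodes[pid].parents)
def secret_read_to_external(g, start, window=60.0):
    """IR chain: filter start == networkConnectExternal, traverseUntil a
    readSensitiveFile ancestor, within(window). Returns that ancestor or None."""
    s = g.nodes[start]
    if s.kind != "networkConnectExternal":
        return None
    for anc in g.ancestors(start):
        if anc.kind == "readSensitiveFile" and 0 <= s.ts - anc.ts <= window:
            return anc
    return None
def orphaned_execution(g, start):
    """Graph invariant: an exec whose lineage never reaches a session root."""
    return g.nodes[start].kind == "exec" and not any(
        a.meta.get("session_root") for a in g.ancestors(start))

def build_sample():
    """Constructed session: root -> sh -> credential read -> two egress events, plus an orphan."""
    return CausalGraph([
        Event("root", "exec", 0.0, meta={"session_root": True}),
        Event("sh", "exec", 10.0, parents=["root"]),
        Event("rd", "readSensitiveFile", 12.0, parents=["sh"]),
        Event("net", "networkConnectExternal", 40.0, parents=["sh", "rd"]),    # 28s after read
        Event("late", "networkConnectExternal", 200.0, parents=["sh", "rd"]),  # outside 60s window
        Event("ghost", "exec", 50.0),                                         # no lineage at all
    ])
```

The `late` egress shows the window edge case: the credential read is still in its causal ancestry, but 188s earlier, so the chain rule does not match while the invariant rule is unaffected.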

Session score → enforcement

VerdictCache bridge · session score capped at 200 (max)

    Low → Alert
    Med → Throttle
    High → Quarantine
    Critical → Terminate

Applied on the next AUTH_EXEC / NE flow after behavioral ingest.

When a rule fires

Actions escalate severity → enforcement layer applies the decision on the next system call

  • Terminate session (critical): Active execution terminated when behavioral score exceeds critical threshold

  • Quarantine (critical): Session isolated; subsequent actions denied by sync enforcement layer

  • Ask user (medium): Human-in-the-loop prompt; observation mode shows smart alert only

  • Throttle (high): Rate-limited execution for high-velocity agent flows

  • Alert (low): Logged and notified — does not block execution alone

  • Taint file (low): File flagged for downstream enforcement checks

Severity escalation: alert → throttle → quarantine → terminate

Signal categories

Action classification · 5 signal categories

  • Process & execution (6 signals): Process spawning, binary execution, privilege changes, and runtime lifecycle events

  • Files & secrets (7 signals): File reads and writes, credential access, keychain queries, and security artifact modifications

  • Network (5 signals): External and internal connections, DNS queries, data transfer patterns, and beaconing detection

  • Persistence & system (4 signals): Launch agent creation, daemon modification, security control changes, and system policy edits

  • AI / LLM (3 signals): AI tool execution, prompt activity, and LLM-initiated data access patterns

25+ semantic action types across all categories

Rule catalog

Representative detection rules with severity and category filters: 14 rules sampled, 11 enforcement rules.

Tier 1 — Atomic detections (5 rules)

  • Reverse Shell Detection (Shell / RCE · critical · action: quarantine)
    Detects reverse shell attempts spawned outside an approved execution context
    MITRE ATT&CK: T1059.004, T1071.001

  • Privilege Escalation Boundary (Privilege · critical · action: killSession)
    Detects execution crossing a trust boundary without authorization
    MITRE ATT&CK: T1068, T1548

  • Data Exfiltration Detection (Exfiltration · critical · action: quarantine)
    Detects credential or sensitive file access followed by external network connection
    MITRE ATT&CK: T1552.001, T1041

  • Cross-Process Dataflow Attack (Exfiltration · critical · action: quarantine)
    Detects untrusted file drops followed by network egress across process boundaries
    MITRE ATT&CK: T1105, T1041

  • Runtime Library Injection (Integrity · critical · action: killSession)
    Detects dynamic library injection or loading that bypasses code signing
    MITRE ATT&CK: T1574.006, T1055

Tier 1.5 — Supply-chain integrity (2 rules)

  • Missing Dependency Provenance (Supply chain · high · action: quarantine)
    Detects package execution without a verified install event in the causal graph
    MITRE ATT&CK: T1195.002

  • Supply Chain Trust Boundary Violation (Supply chain · high · action: alert)
    Detects forged or unverifiable supply-chain lineage in the dependency graph
    MITRE ATT&CK: T1195.001, T1195.002

Tier 2 — Multi-step causal chains (5 rules)

  • Secret Read to External Network (Exfiltration · high · action: quarantine)
    Detects credential file access correlated with non-allowlisted outbound connections
    MITRE ATT&CK: T1552.001, T1041, T1048

  • Transitive Package Execution (Supply chain · medium · action: alert)
    Detects rapid runtime pivot after package manager install — common postinstall attack pattern
    MITRE ATT&CK: T1195.002, T1059.007

  • Polyglot Runtime Pivot (Shell / RCE · medium · action: alert)
    Detects execution pivoting between runtime languages — a common staging technique
    MITRE ATT&CK: T1059.002, T1059.004, T1059.006

  • Prompt-to-Network Execution (AI governance · high · action: askUser)
    Detects AI tool execution immediately followed by external network activity
    MITRE ATT&CK: T1071.001, T1059

  • Agent Self Modification (AI governance · high · action: askUser)
    Detects AI agent attempting to modify its own configuration or security artifacts
    MITRE ATT&CK: T1562.001, T1565

Tier 3+ — Graph integrity & egress truth (2 rules)

  • Orphaned Capability Execution (Graph truth · high · action: quarantine)
    Detects execution without a verified session root or causal lineage in the graph
    MITRE ATT&CK: T1036

  • Unverified Lineage Egress (Graph truth · high · action: quarantine)
    Blocks outbound connections from processes with unverifiable causal chains
    MITRE ATT&CK: T1048, T1071

Conflict resolution & human-in-the-loop

When multiple rules fire, the engine resolves conflicts by severity priority. Observation mode surfaces detections as smart alerts without blocking execution — letting you tune before enforcing.
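How the capped session score, the score → enforcement ladder and the severity-priority conflict resolution described on this page can combine, as an added example that is not the product's own code; the per-severity weights, the ladder thresholds and the observation-mode handling are assumptions, while the 200 cap, the action names and the escalation order come from the page.

```python
"""Added example (not the product's code): capped session scoring, the score ->
enforcement ladder and severity-priority conflict resolution; values are assumed."""
SCORE_CAP = 200
WEIGHT = {"low": 10, "medium": 40, "high": 80, "critical": 150}   # assumed per-severity weights
LADDER = [(0, "alert"), (50, "throttle"), (120, "quarantine"), (180, "terminate")]  # assumed thresholds
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
class Session:
    def __init__(self, observation_mode=False):
        self.score = 0
        self.observation_mode = observation_mode
        self.fired = []   # (rule, severity, action) in firing order
    def ingest(self, rule, severity, action):
        """A rule fired: add its weight to the running score, never above the cap."""
        self.score = min(SCORE_CAP, self.score + WEIGHT[severity])
        self.fired.append((rule, severity, action))
        return self.score
    def ladder_action(self):
        """Score -> enforcement: the highest rung the running score has reached."""
        action = LADDER[0][1]
        for threshold, name in LADDER:
            if self.score >= threshold:
                action = name
        return action
    def resolve_rules(self):
        """Conflict resolution by severity priority: the most severe rule's action
        wins; on a tie the rule that fired first keeps its action."""
        if not self.fired:
            return "none"
        best = self.fired[0]
        for f in self.fired[1:]:
            if RANK[f[1]] > RANK[best[1]]:
                best = f
        return best[2]

    def verdict(self):
        """What the sync layer sees on the next AUTH_EXEC / NE flow. In observation
        mode (assumed) both paths degrade to a non-blocking smart alert."""
        if self.observation_mode:
            return {"score": self.score, "ladder": "alert", "rule_action": "alert"}
        return {"score": self.score, "ladder": self.ladder_action(),
                "rule_action": self.resolve_rules()}

def sample_session():
    """Constructed sequence: Transitive Package Execution (medium, alert), then
    Secret Read to External Network (high, quarantine)."""
    s = Session()
    s.ingest("Transitive Package Execution", "medium", "alert")
    s.ingest("Secret Read to External Network", "high", "quarantine")
    return s
```

Feeding a third, critical rule into `sample_session()` pushes the raw sum past 200, so the score pins at the cap and the ladder escalates to terminate even though the winning rule's own action is quarantine.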
